1. Field of the Invention
The present invention relates to the field of encryption algorithms, in particular of the DES (Data Encryption Standard) type, executed by integrated circuits. The present invention more specifically relates to protecting the execution of a DES algorithm against a differential power analysis (DPA) attack on the circuit that executes the algorithm.
2. Discussion of the Related Art
DES or triple DES algorithms are symmetric (secret-key) encryption algorithms used in cryptography, for example, to encrypt data before transmitting them over unprotected channels (the Internet, the connection between a smart card and a card reader, between a processor and an external memory, etc.). Such algorithms are described, for example, in standards FIPS PUB 46-2 (DES) and FIPS PUB 46-3 (triple DES), and their operating modes (known as Electronic Codebook, ECB; Cipher Block Chaining, CBC; Cipher Feedback, CFB; Output Feedback, OFB) are described in FIPS PUB 81.
These algorithms encrypt by blocks (of 64 bits) using keys of 64 bits for DES (of which 56 bits are effective, the remaining 8 being parity bits) and of 128 bits for two-key triple DES, from which 48-bit sub-keys are derived. Decryption is performed with the same key (symmetric algorithm). In the following description, the DES algorithm will be taken as an example.
A block to be encrypted, designated as $M$, is submitted to an initial permutation, designated as IP, then to sixteen iterations of a calculation depending on a key, designated as KEY, and finally to the permutation inverse to the initial permutation, designated as $IP^{-1}$.
The calculation depending on key KEY can be expressed with the following notations:
    $i$ for the rank of the iteration, ranging between 1 and 16;
    $L_iR_i$ for the 64-bit data block resulting from the application of function $f$ to block $R_{i-1}$ with sub-key $K_i$, formed of a word or sub-block $L_i$ of the 32 left-hand bits $b_1$ to $b_{32}$ and of a word or sub-block $R_i$ of the 32 right-hand bits $b_{33}$ to $b_{64}$;
    $K_i$ for a 48-bit block extracted from the 64-bit key KEY and used in the encryption function of rank $i$; and
    $f$ for an encryption function.
With the above notations, the result of the initial permutation IP is a block $L_0R_0$ and each iteration applies:
    $L_i = R_{i-1}$; and
    $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$,
where $\oplus$ designates a bit-to-bit addition modulo 2 (bit-to-bit XOR).
The result of the last iteration is a block $R_{16}L_{16}$ (the two halves being swapped after the sixteenth iteration), which is submitted to the inverse permutation $IP^{-1}$ to provide an encrypted block designated as $M'$.
Function f comprises three successive steps.
A first step is an expansion, designated as E, of the 32 bits of sub-block $R_{i-1}$ into 48 bits, which are combined by a bit-to-bit XOR with the 48 bits of sub-key $K_i$ of the concerned iteration. The result of this expansion and combination provides eight groups of six bits, designated as $B_{1,i}$ to $B_{8,i}$, such that: $B_{1,i}B_{2,i}B_{3,i}\ldots B_{8,i} = K_i \oplus E(R_{i-1})$.
A second step applies a substitution table, designated as S or SBOX, to the 48 bits provided by the previous step. In this step, each six-bit group resulting from the expansion is transformed by one of eight substitution functions (primitive functions), noted $S_1$ to $S_8$, each group $B_{j,i}$ being replaced by a four-bit group $S_j(B_{j,i})$, so as to obtain eight groups of four bits, that is, 32 bits. The result can be noted $S_1(B_{1,i})S_2(B_{2,i})S_3(B_{3,i})\ldots S_8(B_{8,i})$, substitution functions $S_1$ to $S_8$ being independent of the rank of the iteration.
A third step is a permutation, noted P, of the 32 bits resulting from the previous step. This permutation provides a 32-bit result sub-block corresponding to the result of function $f$, which may be expressed as: $f(R_{i-1}, K_i) = P(S_1(B_{1,i})S_2(B_{2,i})S_3(B_{3,i})\ldots S_8(B_{8,i}))$.
Each sub-key $K_i$ is obtained by applying a key schedule function KS, specific to key KEY and depending on rank $i$ of the iteration, that is: $K_i = KS(i, KEY)$.
The details of primitive functions KS, $S_1$ to $S_8$ and P, as well as of function E, are described in the mentioned standards.
The decryption is performed by submitting the block to be decrypted $M'$ to initial permutation IP, then to 16 calculation iterations identical to those of the encryption, with the only difference that the sub-keys are used in the inverse order (starting from sub-key $K_{16}$ and ending with sub-key $K_1$). The block resulting from initial permutation IP is block $R_{16}L_{16}$, and the block resulting from the last iteration, to be submitted to inverse initial permutation $IP^{-1}$, is block $L_0R_0$. Permutation $IP^{-1}$ provides the decrypted block $M$.
A weakness of DES-type algorithms appears in differential power analysis attacks on a circuit executing the algorithm. Such attacks consist of making assumptions about the key and correlating an intermediate result of the iterations with the power consumption of the integrated circuit. They enable the secret formed by the key to be recovered. Indeed, function $f$ is known (DES standard), as is the input data applied to the algorithm. Making an assumption about a portion of a sub-key $K_i$ (for example, the six bits combined with the input of one substitution function $S_j$, which leaves only 64 possibilities for that portion), an intermediate result is computed. If a correlation between this intermediate result and the circuit consumption appears at a time $t$, the assumption about the key portion is confirmed. Computing means enable an attacker to test all assumptions in turn, substitution function by substitution function, and thus to recover the secret of the circuit (the key).
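The following script, added here as an illustration and not part of the patent text, implements the two pieces of the description above that the attack actually needs: the six bits of $E(R_0)$ that feed $S_1$ and the $S_1$ substitution itself (both taken from the DES standard), and then runs a DPA on the first iteration. The power traces are constructed: each "trace" is a single sample modelling the instant at which $S_1$ is evaluated, equal to the Hamming weight of the $S_1$ output plus Gaussian noise. That leakage model, the trace count, the noise level and the secret key bits are all assumptions of the example. The attacker knows $R_0$ (the right half of $IP(M)$) and tests the 64 possible values of the six sub-key bits; the hypothesis whose predicted intermediate result correlates best with the measurements is the right one.

```python
"""DPA on the first DES round: recover the six bits of K1 that feed S1.

Added example, not the patent's own code. S1 and the E positions are the
DES standard's; the traces, leakage model, noise and key are constructed.
"""
import random

# S1 from FIPS PUB 46: 4 rows of 16 entries; row is selected by bits b1b6,
# column by bits b2..b5 of the 6-bit input.
S1 = [
    14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
    0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
    4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
    15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,
]
# Bit positions of the 32-bit half (1-indexed, bit 1 = MSB) that E sends to S1.
E_S1 = (32, 1, 2, 3, 4, 5)


def e_chunk_s1(r: int) -> int:
    """The six bits of E(R) that enter S1, for a 32-bit right half R."""
    return sum(((r >> (32 - p)) & 1) << (5 - i) for i, p in enumerate(E_S1))


def s1(six_bits: int) -> int:
    """DES substitution S1: six input bits -> four output bits."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return S1[row * 16 + col]


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(k1_chunk: int, n: int, sigma: float, seed: int = 1):
    """Constructed traces (assumption: the circuit leaks the Hamming weight
    of the S1 output at the instant S1 is evaluated in iteration 1).
    Returns the known R0 values and one noisy sample per encryption."""
    rng = random.Random(seed)
    r0s, traces = [], []
    for _ in range(n):
        r0 = rng.getrandbits(32)
        leak = hamming_weight(s1(e_chunk_s1(r0) ^ k1_chunk))
        r0s.append(r0)
        traces.append(leak + rng.gauss(0.0, sigma))
    return r0s, traces


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def dpa_recover_s1_key(r0s, traces):
    """For each of the 64 hypotheses on the six key bits entering S1,
    predict HW(S1(E(R0) xor hypothesis)) per trace and correlate the
    prediction with the measured consumption.
    Returns (best_hypothesis, correlations[64])."""
    chunks = [e_chunk_s1(r) for r in r0s]
    corrs = []
    for guess in range(64):
        predicted = [hamming_weight(s1(c ^ guess)) for c in chunks]
        corrs.append(pearson(predicted, traces))
    return max(range(64), key=lambda g: corrs[g]), corrs


if __name__ == "__main__":
    secret = 0b101101  # the six bits of K1 feeding S1 (arbitrary choice)
    r0s, traces = simulate_traces(secret, n=2000, sigma=0.5)
    best, corrs = dpa_recover_s1_key(r0s, traces)
    print(f"recovered {best:06b}, true {secret:06b}, corr {corrs[best]:.2f}")
```

Repeating the same search for $S_2$ to $S_8$ yields the 48 bits of $K_1$; the remaining 8 effective key bits are then found by exhaustive search. Nothing in the script depends on the countermeasures discussed below: it only assumes that the consumption at time $t$ depends on the true intermediate value, which is exactly the dependency the rest of the document seeks to break.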
A first known solution to attempt to protect a secret handled by a DES algorithm is to mask the execution by introducing random numbers into the iterations. This solution has the disadvantage of requiring a modification of the algorithm itself and is thus not applicable to circuits in which the DES execution cell already exists in non-reconfigurable wired logic. Indeed, for speed reasons, the algorithm is generally executed, at least partially, by a wired-logic cell integrated in the circuit that uses the data. The key is generally stored in a secure area of the circuit, for example, during a personalization phase of the integrated circuit. Its loading into the cell executing the algorithm is performed in a protected fashion, for example, by applying the methods described in patents FR-A-2802668 and FR-A-2802669, which are incorporated herein by reference.
A second known solution consists of masking the execution of the algorithm with the secret key by interleaving it among several executions (some ten) using false keys. These keys are permanently stored in a non-volatile memory associated with the processor executing the algorithm, or directly hardwired in the circuit. The right key is generally written on personalization of the circuit (for example, of the smart card) by a person different from the circuit manufacturer, in a generally inaccessible area (secure area of the circuit). Thus, when an assumption about a key is verified, an attacker cannot know whether the right key has been used or not. A disadvantage of this solution is that, to preserve the masking, all the keys (the false ones as well as the right one) must be protected when loaded into the cell executing the algorithm. This takes time and lengthens the algorithm execution in a manner incompatible with the desired fast data manipulation. Another disadvantage of this solution is that the false-key executions only add noise that is uncorrelated with the computation on the right key; such white noise is easily filtered out by an attacker averaging over many acquisitions.