The logic circuits present in secured integrated circuits, like integrated circuits for chip cards, are subject to various attacks from defrauders who attempt to discover their structure and/or the secrets they comprise. They are for example encryption circuits of the types DES, AES, RSA . . . , microprocessors programmed to execute encryption algorithms, register banks comprising secret keys, etc.
At the present time, the most advanced hacking methods involve injecting errors in an integrated circuit during the execution of so-called sensitive operations, for example operations of authentication or operations of execution of an encryption algorithm.
Such attacks, called attacks by error injection or by fault injection, may occur during so-called sensitive phases of calculation, for example during the calculation of an identification code, or during the reading of an encryption key from a memory. In combination with mathematical models, the wrong results deliberately obtained through these perturbations make it possible to determine a secret element such as an encryption key or a password, to deduce the structure of an encryption algorithm and/or the secret keys the algorithm uses, etc.
In particular, localized attacks involve introducing perturbations at a specific point of the circuit, for example by using a laser beam or an X-ray beam. A localized attack may target the supply voltage, a data path, or the clock signal of the integrated circuit.
FIG. 1 schematically shows a synchronous circuit SCT comprising four synchronous modules SM1, SM2, SM3, SM4 clocked by a clock signal CK. The synchronous modules SM1-SM4 are shown in simplified block form, each comprising a set of synchronous flip-flops FFi, and each receives the clock signal CK through conduction paths of various lengths forming a clock tree. Each synchronous module is also connected to one or more data paths DP that may be shared with other modules. When the circuit SCT is designed, the clock tree is balanced by means of delay circuits TBCT, for example buffers formed by inverting logic gates. The clock tree is balanced so that the edges of the clock signal CK are substantially in phase at the input of each module.
Due to its effect on data transitions in the various synchronous modules, the clock signal CK is particularly exposed to error injection. This vulnerability resides in the fact that an attack may cause a datum to be captured by flip-flops whose inputs are connected to data paths with a short propagation time, whereas flip-flops whose inputs are connected to data paths with a longer propagation time have not received the datum yet.
This problem is illustrated in FIG. 2 as well as by the chronograms shown in FIGS. 3A to 3E. FIG. 2 shows a synchronous circuit present in any one of the synchronous modules SM1-SM4. The synchronous circuit comprises three flip-flops FF1, FF2, FF3 clocked by the rising edges of the clock signal CK, which is shown in FIG. 3A. The synchronous circuit also comprises an asynchronous data path P1 linking the output of the flip-flop FF1 to the input of the flip-flop FF2, and an asynchronous data path P2 linking the output of the flip-flop FF1 to the input of the flip-flop FF3. Each data path P1, P2 conventionally comprises several asynchronous logic gates (not shown). Each data path P1, P2 thus has its own propagation time or delay, respectively DLYa and DLYb, for transmitting a datum supplied by the flip-flop FF1 to the input of the corresponding flip-flop FF2, FF3.
When a datum DT is applied to the input of the flip-flop FF1, for example during a cycle T1 of the clock signal CK, the datum is copied out by the output of the flip-flop during a cycle T2 and then propagates to the inputs of the flip-flops FF2, FF3 to be copied out by the outputs of the flip-flops FF2, FF3 during a cycle T3. The propagation of the datum is shown in FIGS. 3B to 3E. The chronogram of FIG. 3B shows the datum DT(A) in a point “A” located at the input of the flip-flop FF1, the chronogram of FIG. 3C shows the datum DT(B) in a point “B” located at the output of the flip-flop FF1, the chronogram of FIG. 3D shows the datum DT(C) in a point “C” located at the input of the flip-flop FF2, and the chronogram of FIG. 3E shows the datum DT(D) in a point “D” located at the input of the flip-flop FF3.
The datum DT is supplied at the point B by the flip-flop FF1 at an instant t2 corresponding to the beginning of the cycle T2. It is thus present at the point C at an instant t2′=t2+DLYa and at the point D at an instant t2″=t2+DLYb. The instants t2′ and t2″ must fall within the cycle T2; otherwise the datum may not be copied out by the flip-flops FF2 and FF3 at the beginning of the cycle T3.
In the light of this example, it appears that the longest propagation time of a datum through an asynchronous path linking two synchronous elements determines the maximum frequency of the clock signal, i.e., its minimum period T, a rule well known to integrated circuit designers. It also appears that if a defrauder injects a parasitic clock edge into the clock signal at an instant between the instants t2′ and t2″, an error on the datum DT occurs in the synchronous circuit, because the flip-flop FF2 copies out the datum whereas the flip-flop FF3 does not, since the datum has not yet arrived at its input.
The chronograms of FIGS. 4A to 4D show four types of attacks on the clock signal CK that may lead to an error on a datum:
injecting a positive square wave: in FIG. 4A, a parasitic positive square wave is injected into the clock signal at the instant te,
advancing a clock edge: in FIG. 4B, the rising edge of the clock square wave of the cycle T4 appears early, at the instant te during the cycle T3,
delaying an edge: in FIG. 4C, the rising edge of the clock square wave CK of the cycle T3 appears late, at an instant te′ during the cycle T3, instead of appearing at the instant t3 at the beginning of this cycle, and
injecting a negative square wave: in FIG. 4D, a parasitic negative square wave is injected into a clock square wave, which splits the clock square wave into two distinct positive square waves; the second one appears at an instant te″ of the cycle T3 and may be considered as a parasitic positive square wave.
Generally, these various attacks aim at bringing two active edges of the clock signal closer together, so as to trigger the synchronous circuit twice in succession within a time interval shorter than the longest propagation time of a datum inside the circuit. Each case shown thus corresponds to an acceleration of the clock signal beyond the tolerable threshold of closeness of the square waves, i.e., to an operating frequency higher than the maximum operating frequency of the synchronous circuit.
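The following is an added example, not part of the patent text: a small timing model of the circuit of FIG. 2 (FF1 feeding FF2 through path P1 and FF3 through path P2) driven by an arbitrary list of rising-edge instants. It replays the four clock manipulations of FIGS. 4A to 4D and reports the edges at which FF2 and FF3 end up holding different data, i.e., the error described above. It also implements the rule of the preceding paragraph as a check: two active edges closer together than the longest propagation delay are flagged. The period T = 10, the delays DLYa = 2 and DLYb = 8, the 50 % duty cycle, the zero setup and hold times and the instants te, te′, te″ are all constructed values chosen for the example.

```python
"""Timing model of FIG. 2 (FF1 -> P1 -> FF2, FF1 -> P2 -> FF3) under clock edge
manipulation.  Added example; every numeric value is a constructed assumption."""
from typing import List, Tuple

# Constructed timing parameters (assumptions): clock period T = 10 ns,
# path delays DLYa = 2 ns (P1 -> FF2) and DLYb = 8 ns (P2 -> FF3).
T = 10.0
DLYA = 2.0
DLYB = 8.0
HIGH_PHASE = T / 2  # assumed 50 % duty cycle; only matters for the FIG. 4D case

History = List[Tuple[float, int]]  # (instant of change, new value), ascending


def nominal_edges(n_cycles: int) -> List[float]:
    """Rising-edge instants t1, t2, ... of the unperturbed clock; cycle Ti starts at ti."""
    return [i * T for i in range(n_cycles)]


def datum_stream(n_cycles: int) -> History:
    """Datum k is applied at point A (input of FF1) shortly after cycle Tk begins."""
    return [(i * T + 1.0, i + 1) for i in range(n_cycles)]


def value_at(history: History, t: float) -> int:
    """Value of a signal at instant t; every signal is 0 before its first change."""
    value = 0
    for change_t, new_value in history:
        if change_t > t:
            break
        value = new_value
    return value


def simulate(edges: List[float], n_cycles: int = 5) -> List[Tuple[float, int, int]]:
    """Return (edge instant, value captured by FF2, value captured by FF3) for every
    rising edge.  FF2 sees point B delayed by DLYa, FF3 sees it delayed by DLYb;
    setup and hold times are taken as zero (assumption)."""
    point_a = datum_stream(n_cycles)
    point_b: History = []
    captured = []
    for edge in sorted(edges):
        d1 = value_at(point_a, edge)
        ff2 = value_at(point_b, edge - DLYA)  # datum reaches point C at t + DLYa
        ff3 = value_at(point_b, edge - DLYB)  # datum reaches point D at t + DLYb
        captured.append((edge, ff2, ff3))
        if d1 != value_at(point_b, edge):     # FF1 copies its input out to point B
            point_b.append((edge, d1))
    return captured


def mismatch_edges(edges: List[float]) -> List[float]:
    """Edges at which FF2 and FF3 hold different data: the error of FIG. 2
    (FF2 copied the datum while it had not yet reached FF3)."""
    return [edge for edge, ff2, ff3 in simulate(edges) if ff2 != ff3]


def edge_spacing_alarm(edges: List[float], longest_delay: float = max(DLYA, DLYB)) -> bool:
    """Rule common to FIGS. 4A-4D: two active edges closer together than the longest
    propagation time exceed the maximum operating frequency and are never legitimate."""
    ordered = sorted(edges)
    return any(b - a < longest_delay for a, b in zip(ordered, ordered[1:]))


# The four attacks, each expressed as the rising edges the flip-flops actually see.
clean = nominal_edges(5)                       # t1..t5 = 0, 10, 20, 30, 40
positive_pulse = clean + [15.0]                # FIG. 4A: extra edge te between t2' = 12 and t2'' = 18
advanced_edge = [0.0, 10.0, 20.0, 25.0, 40.0]  # FIG. 4B: edge of cycle T4 appears early, during T3
delayed_edge = [0.0, 10.0, 25.0, 30.0, 40.0]   # FIG. 4C: edge of cycle T3 appears late, at te' = 25
split_pulse = clean + [24.0]                   # FIG. 4D: negative pulse splits the T3 high phase
                                               #          [20, 25); second positive pulse at te'' = 24

if __name__ == "__main__":
    for name, edges in [("clean", clean), ("positive pulse", positive_pulse),
                        ("advanced edge", advanced_edge), ("delayed edge", delayed_edge),
                        ("split pulse", split_pulse)]:
        print(f"{name:15s} alarm={edge_spacing_alarm(edges)!s:5} "
              f"FF2/FF3 disagree at {mismatch_edges(edges)}")
```

With the clean clock FF2 and FF3 always agree and no alarm is raised; each of the four manipulations produces at least one edge at which FF2 has captured a datum that FF3 has not yet received, and each is caught by the edge-spacing check because the shortened interval (5 or 4) is below DLYb. The spacing check is the principle behind the clock monitors that the description later contrasts with software and hardware redundancy: it watches the clock itself rather than the data it produces.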
To counter such attacks, the methods usually implemented involve detecting an anomaly in the data supplied by the synchronous circuits concerned. These methods rely for example on software or hardware redundancy of the circuits likely to be attacked. Software redundancy involves recalculating, by means of a program executed by a microprocessor, the result supplied by a synchronous circuit. Hardware redundancy involves reproducing the "sensitive" parts of a synchronous circuit in several copies and comparing the results supplied by the redundant circuits; in the event of an inconsistency, the majority result may be retained as reliable. Overall, these methods require either a significant share of the available semiconductor surface (hardware redundancy) or a significant slowdown of the synchronous circuits (software redundancy).