Circuits implementing cryptographic algorithms can comprise a central processing unit (CPU), and a circuit dedicated to cryptographic computing, for example a cryptographic co-processor. These circuits may comprise thousands of logic gates that switch differently according to the operations executed. These switching operations create short variations in current consumption, for example of a few nanoseconds, and those variations can be measured. In particular, Complementary Metal Oxide Semiconductor CMOS-type integrated circuits include logic gates that only consume current when they switch, i.e., when a logic node changes its state to 1 or to 0. Therefore, the current consumption depends on data handled by the central processing unit CPU and on its various peripherals: memory, data and address buses, cryptographic co-processor, etc.
Furthermore, certain software programs using encryption or obfuscation techniques, such as the White-box Cryptography technique, may integrate secret data in such a way that it is very difficult to determine data by reverse engineering. Certain software programs may also receive a secret data from outside through a secure communication channel.
Such circuits may be subjected to so-called side channel-analysis attacks based on observing current consumption, or magnetic or electromagnetic radiation. Such attacks provide secret data, in particular encryption keys. Current side channel attacks implement statistical analysis methods such as SPA (“Single Power Analysis”), DPA (“Differential Power Analysis”), CPA (“Correlation Power Analysis”) or EMA (“ElectroMagnetic Analysis”). SPA analysis normally only requires the acquisition of a single current consumption trace. SPA analysis obtain information about the activity of the integrated circuit by observing part of the current consumption trace corresponding to a cryptographic computation, since the current trace consumption varies according to operations executed and data handled. Software may also undergo such side channel attacks during its execution by a circuit.
DPA and CPA analyses enable the key of an encryption algorithm to be found by acquiring numerous circuit consumption traces and by statistically analyzing these traces to find a target information. DPA and CPA analyses can be based on the premise that the consumption of a CMOS-type integrated circuit varies when a bit changes from 0 to 1 in a register or on a bus, and does not vary when a bit remains equal to 0, remains equal to 1 or changes from 1 to 0 (discharge of a stray capacitance of a MOS transistor). Alternatively, the consumption of a CMOS-type integrated circuit varies when a bit changes from 0 to 1 or changes from 1 to 0 and does not vary when a bit remains equal to 0 or remains equal to 1. This second hypothesis enables the conventional “Hamming distance” or “Hamming weight” functions to be used in order to develop a consumption model that does not require knowledge of the structure of the integrated circuit in order to be applicable. DPA analysis involves amplifying this consumption difference using statistical processing on numerous current consumption traces, aiming to highlight a measurement difference between two types of consumption traces distinguished according to formulated hypotheses.
CPA analysis is based on a linear current consumption model and involves computing a correlation coefficient between, firstly, the consumption points measured that form the captured consumption traces and, secondly, an estimated consumption value computed from a linear consumption model and a hypothesis on data to be discovered that is handled by the microcircuit and on the value of the encryption key.
Electromagnetic analysis (EMA) is based on the principle that an integrated circuit may send information in the form of near or far field electromagnetic radiation. Given that transistors and the wires connecting the transistors emit electromagnetic signals when their state changes, these signals can be treated like the current consumption variation signals by an analysis such as one of the SPA, DPA and CPA analyses.
Other side channel analyses exist, such as “Template analysis” and “Mutual Information Analysis” (MIA). All of the above-mentioned analyses are based on a time alignment of all the analyzed traces. In other words, all the measurements performed at a given time, e.g., from the time the execution of a command is activated by the circuit, must correspond to the same data handled by the algorithm.