1. Technical Field
The present invention relates to a method and a device for checking the integrity of a clock tree, and more particularly to a method and a device for detecting synchronization errors between clock signals present in the same clock tree.
2. Description of the Related Art
The logic circuits present in secured integrated circuits, such as integrated circuits for chip cards, are subject to various attacks from fraudsters who attempt to discover their structure and/or the secrets they contain. They are for example encryption circuits of the DES, AES or RSA type, microprocessors programmed to execute encryption algorithms, register banks holding secret keys, etc.
At present, the most advanced attack methods consist in injecting errors into an integrated circuit during the execution of so-called sensitive operations, for example authentication operations or the execution of an encryption algorithm.
Such attacks, called error-injection or fault-injection attacks, can occur during so-called sensitive phases of calculation, for example while an identification code is computed or while an encryption key is read from a memory. Combined with mathematical models and with the wrong results obtained intentionally through the perturbations, they make it possible to determine a secret element such as an encryption key or a password, to deduce the structure of an encryption algorithm and/or the secret keys the algorithm uses, etc.
In particular, localized attacks consist in introducing perturbations at a determined point of the circuit, for example by means of a laser beam or an X-ray beam. A localized attack may target the supply voltage, a data path, or the clock signal of the integrated circuit.
FIG. 1 schematically shows a synchronous circuit SCT comprising four synchronous modules SM1, SM2, SM3, SM4 clocked by a clock signal CKr. The synchronous modules SM1-SM4 are shown in simplified block form, each comprising a set of synchronous flip-flops FFi. Each module receives the clock signal through conduction paths of various lengths forming a clock tree. More precisely, each synchronous module receives a clock signal CK1, CK2, CK3, CK4 derived from the signal CKr, but which may have its own time offset relative to the signal CKr, in particular in the event of an error injection.
When the synchronous circuit is designed, the clock tree is balanced by means of delay circuits TBCT so that the clock signals CK1 to CK4 are in phase, as shown in FIGS. 2A to 2D, which represent each of the clock signals CK1 to CK4. Thus, the signals CK1 to CK4 have the same phase, the same cycles T1, T2, T3 . . . and the same period T. Despite this balancing, the various clock signals CK1 to CK4 can have, relative to one another, a residual time shift SKW (skew), subsequently called the “tolerated error”. The tolerated error is not represented here and is much smaller than the clock period T. It does not cause any error in the operation of the synchronous modules.
Because it is distributed through the various branches of the clock tree, the clock signal CKr is particularly exposed to localized error injections. This vulnerability lies in the fact that an attack can switch only a part of the tree, and consequently only a part of the synchronous flip-flops of the synchronous circuit. More particularly, the conceivable localized attacks can be classified into four different types, and consist in:
    delaying a clock edge (slowing down),
    advancing a clock edge (advance),
    adding a clock square wave, or
    deleting a clock square wave.
An example of an attack of the first type is shown in FIG. 3. The error injection is applied to the clock signal CK2 during the cycle T3 and causes a delay −dt in the appearance of the rising edge of the clock signal CK2, which should normally occur at the beginning of the cycle T3.
An example of an attack of the second type is shown in FIG. 4. The error injection is applied to the clock signal CK2 and causes an advance +dt in the appearance of the rising edge of the clock signal CK2, which here appears before the end of the cycle T2 instead of at the beginning of the cycle T3.
An example of an attack of the third type is shown in FIG. 5. The error injection is applied to the clock signal CK2 during the cycle T2 and causes the appearance of an additional clock square wave at an instant t2, between the falling edge of the clock square wave emitted during the cycle T2 and the rising edge of the clock square wave emitted at the beginning of the cycle T3.
An example of an attack of the fourth type is shown in FIG. 6. In this example, the error injection is applied to the clock signal CK2 and causes the clock square wave at the beginning of the cycle T3 to disappear.
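To make the four fault types and the notion of tolerated skew concrete, the following Python model is an added illustration and is not part of the patent text. It represents each branch clock as a list of (rise, fall) edge times, applies each of the four perturbations to a branch, and checks every branch against CKr: an edge that departs from the reference by no more than the tolerated skew is accepted, a larger shift within half a period is reported as a delayed or advanced edge, and surplus or absent edges are reported as extra or missing pulses. The period, the skew tolerance, the timing values and all function names are constructed for this example.

```python
"""Model of the clock tree of FIG. 1 and the four localized clock faults of
FIGS. 3 to 6, with a skew check between branch clocks.  Added illustration,
not part of the patent; all timing values are constructed."""

PERIOD = 10.0          # clock period T (arbitrary time units, constructed)
HIGH_TIME = 5.0        # high half of each clock square wave
TOLERATED_SKEW = 0.2   # residual skew SKW accepted between branches, much smaller than T


def ideal_clock(n_cycles, period=PERIOD, high=HIGH_TIME):
    """Balanced branch clock: one (rise, fall) edge pair per cycle T1..Tn."""
    return [(i * period, i * period + high) for i in range(n_cycles)]


def delay_edge(edges, cycle, dt):
    """Fault type 1: the rising edge of the given cycle arrives dt late."""
    out = list(edges)
    rise, fall = out[cycle - 1]
    out[cycle - 1] = (rise + dt, fall)
    return out


def advance_edge(edges, cycle, dt):
    """Fault type 2: the rising edge of the given cycle arrives dt early."""
    return delay_edge(edges, cycle, -dt)


def add_pulse(edges, cycle, t_extra, width):
    """Fault type 3: an extra square wave between the falling edge of `cycle`
    and the rising edge of the next cycle."""
    _, fall = edges[cycle - 1]
    next_rise = edges[cycle][0]
    if not (fall <= t_extra and t_extra + width <= next_rise):
        raise ValueError("extra pulse must fit between the two cycles")
    out = list(edges)
    out.insert(cycle, (t_extra, t_extra + width))
    return out


def delete_pulse(edges, cycle):
    """Fault type 4: the square wave of the given cycle disappears."""
    out = list(edges)
    del out[cycle - 1]
    return out


def check_skew(reference, branch, tol=TOLERATED_SKEW):
    """Compare the rising edges of one branch clock with the reference CKr.

    Each reference edge is matched to the nearest unmatched branch edge.  A
    match within `tol` is the normal residual skew; a larger shift within half
    a period is a delayed or advanced edge; no edge within half a period is a
    missing pulse.  Branch edges left unmatched are extra pulses.  Shifts are
    reported as branch time minus reference time.
    """
    unmatched = sorted(rise for rise, _ in branch)
    anomalies = []
    for cycle, t_ref in enumerate((rise for rise, _ in reference), start=1):
        if not unmatched:
            anomalies.append((cycle, "missing pulse", None))
            continue
        nearest = min(unmatched, key=lambda t: abs(t - t_ref))
        shift = nearest - t_ref
        if abs(shift) <= tol:
            unmatched.remove(nearest)                # within tolerated skew
        elif abs(shift) <= PERIOD / 2:
            anomalies.append((cycle, "delayed" if shift > 0 else "advanced", shift))
            unmatched.remove(nearest)
        else:
            anomalies.append((cycle, "missing pulse", None))
    anomalies.extend((None, "extra pulse", t) for t in unmatched)
    return anomalies


def audit_tree(reference, branches, tol=TOLERATED_SKEW):
    """Check every branch clock against CKr; keep only branches with anomalies."""
    report = {}
    for name, edges in branches.items():
        found = check_skew(reference, edges, tol)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    ckr = ideal_clock(5)
    # Constructed scenario: CK2 loses its square wave at the start of T3 (as in
    # FIG. 6); CK3 only carries residual skew and must not be reported.
    branches = {
        "CK1": ckr,
        "CK2": delete_pulse(ckr, 3),
        "CK3": [(r + 0.1, f + 0.1) for r, f in ckr],
        "CK4": ckr,
    }
    print(audit_tree(ckr, branches))
```

The matching rule is deliberately tolerant: edges that differ from CKr by no more than TOLERATED_SKEW are treated as the residual skew the text describes, so the balanced tree produces an empty report, while each of the four perturbations of FIGS. 3 to 6 produces exactly one entry naming the affected cycle.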
To counter such attacks, the methods usually implemented consist in detecting an anomaly in the data supplied by the synchronous circuit. These methods rely for example on a software or hardware redundancy of the synchronous circuit. Software redundancy consists in recalculating, by means of a program, the result supplied by the synchronous circuit, the redundant calculation being carried out by a microprocessor. Hardware redundancy consists in replicating the “sensitive” parts of the synchronous circuit and comparing the results supplied by the redundant circuits, the majority result being retained as the reliable result in the event of inconsistent results. Overall, these methods take up a large share of the available semiconductor area (hardware redundancy) or slow down the operation of the synchronous circuits noticeably (software redundancy).