1. Field of the Invention
The present invention generally relates to electronic circuits and, more specifically, to checking the integrity of programs executed by a processor or checking the sequencing of a state machine in wired logic.
The present invention, for example, applies to processing circuits of microcontroller type capable of manipulating digital quantities intended to remain secret. It may, for example, apply to ciphering calculations.
2. Discussion of the Related Art
FIG. 1 very schematically shows a smart card 1 of the type to which the present invention applies. Such a card is for example formed of a plastic support 2 on or inside of which is placed an electronic circuit chip 10 capable of communicating with the outside by means of contacts 3 or by means of contactless transmission/reception elements.
FIG. 2 very schematically shows, in the form of blocks, a conventional example of an electronic circuit 10 of the type to which the present invention applies. This circuit comprises a central processing unit 11 (CPU) capable of executing programs contained in one or several memories. In this example, a single memory 12 (MEM) is shown, but the circuit may comprise several memories, respectively volatile and non-volatile, reprogrammable or not. One or several data, control, and address buses 13 are used as a communication support between the different components of circuit 10 and with an input/output interface 14 (I/O) for communication with or without contact with the outside. Most often, circuit 10 comprises other functions (block 15, FCT) depending on the application, and even a coprocessor 16 (CPROC), for example dedicated to cryptographic calculations.
On execution of programs manipulating secret quantities, the introduction of a disturbance in the processor operation (for example, by disturbing the circuit power supply) may enable finding the manipulated digital quantities by analysis of the generated results. Such attacks are generally called fault-injection attacks.
A known solution to protect calculations against such attacks is to condition the provision of the result on the electronic circuit output to a test on the calculated result, to check that the execution of the calculation has not been disturbed.
FIG. 3 shows, in simplified fashion, an example of a conventional flowchart of execution of a cryptographic calculation OP protected against fault injections. A digital quantity I to be processed is submitted to calculation OP. Then, the obtained result R is submitted to the inverse calculation (block 21, OP−1). The quantity I′ obtained at the output of block 21 is then compared with input data I (block 22, I′=I?). If the two quantities are identical (output Y of block 22), this means that the calculation has not been disturbed and the electronic circuit then outputs the result (block 23, OUTPUT R). In the opposite case (output N of block 22), the electronic circuit applies an error processing procedure (ERROR) to protect its content. For example, in the case of a smart card, this consists of muting the smart card.
A problem which remains in an integrity check mechanism of the type illustrated in FIG. 3 is that, if a fault is introduced at the time of test 22, said test is not executed and result R can still be provided.
A known solution to fight this type of attacks is to calculate a signature of the executed opcode to check this signature against a prerecorded signature before providing the result.
A disadvantage is that, for the signature to be predictable, the executed program code needs to be deterministic (the executed codes and their order need to be determinable in advance to calculate the reference signature). In particular, this prevents adding of random steps in the calculation to desynchronize it, unless a tolerance is accepted on the calculated signature, which then adversely affects the security. Currently, deterministic programs are more vulnerable to another category of attacks, that is, statistic power analysis attacks of the circuit on execution of the calculations.
Another disadvantage is that this complicates the updating of the programs contained in the circuit, since such updatings should in principle respect the original signature, which is in practice almost impossible.
Similar problems are posed for state machines in wired logic (for example, cells of execution of ciphering algorithms or the state machine of a microprocessor core) which are also sensitive to fault injection attacks, be the state machines reprogrammable (FPGA) or not.