The activity of the electronic circuits can be observed during their operation through the physical quantities such as the power consumption, the computation time or electromagnetic radiation.
These physical quantities depend both on the computation architectures and on the data manipulated within the circuit. Information concerning the processed data is therefore indirectly available on the outside of the circuit by observation of said quantities called hidden channels or auxiliary channels.
The dissipation of these physical quantities can compromise the security of systems processing secret data protected notably by cryptography methods. Thus, if secret data are protected by using a symmetrical cryptography algorithm, the robustness of the protection lies in the capacity to keep the encryption key secret. The dissipation of the physical quantities may allow a third party to obtain said key by implementing suitable attacks and, consequently, to access the secret data. An attack by observation of physical quantities dissipated by said circuit is usually qualified simply as an attack by observation. Hereinafter in the description, a third party using attack by observation methods to access data not intended for him is called attacker, and the dissipated physical quantities are called leaks or hidden channels.
There are, today, powerful observation attacks making it possible to access data processed by protected circuits.
Thus, attacks by observation of leaks representative of the data processing times of the circuit exist, as described in the article by P. C. Kocher, J. Jaffe and B. Jun entitled Timing Attack on Implementations of Diffie-Hellman, RSA, DSS and Other Systems, Proceedings of CRYPTO '96, volume 1109 LNCS, pages 104-113, Springer-Verlag, 1996.
Attacks by observation of the consumption of the circuits can also be used by an attacker, by using, for example, DPA-type methods, these type of attacks being described in the article by P. C. Kocher, J. Jaffe and B. Jun entitled Differential Power Analysis, Proceedings of CRYPTO '99, volume 1666 LNCS, pages 388-397, Springer-Verlag, 1999.
These methods make it possible to circumvent the security conferred at the mathematic level by cryptography.
It is relatively simple to balance a time-related algorithm of processing times. It is more difficult to protect the circuits against instantaneous observation of the wave form of the electrical consumption.
There are various countermeasure methods for protecting an electronic circuit against attacks on the hidden channels. Their characteristics are notably specified by common criteria defined at the international level or by standards, such as, for example, the American FIPS standard 140, the acronym FIPS standing for “Federal Information Processing Standardization”.
Some countermeasures merely increase the number of measurements necessary for an attack to succeed. Such is the case, for example, for the countermeasure methods using a non-functionalized noise generator implemented alongside the computation logic. For example, a pseudorandom number generator PRNG, randomly initialized, can serve this purpose. In this case, any measurement collected by an attacker is disturbed by a noise which is overlaid on the hidden channel. The attacks become more complex because it is necessary, in practice, to perform more measurements in order to amplify the expected signal-to-noise ratio for the countermeasure technique to be effective.
Other countermeasure techniques protect against the attacks by observation by masking the hidden channels and usually involve, during the processing operation to be protected, a random or pseudorandom variable m called mask. Said variable is used in such a way that the result of the computation does not depend on said mask, but on the leaks of information through the hidden channels that depend thereon.
Thus, the masking-based countermeasure techniques are implemented by interleaving the sensitive data flowing within the cryptography circuit with the mask variable m, this interleaving being used to prevent the hidden channel from being analyzed by an attacker. The sensitive data or variables x correspond to variables that are both entirely predictable and share non-zero mutual information with the secret. This technique amounts to modifying the representation of the sensitive data x, to the quantity x⊕m corresponding to the Vernam encryption of x by applying the key m using the operation ⊕ designating an exclusive-OR type operation, also designated by the acronym XOR hereinafter in the description.
The mask may be conditioned by a signature specific to each circuit, in which case it is shown that the leak of the key is encrypted by said mask. This specific feature avoids so-called “cataloguing” attacks, in which circuit clones can be used to model the leaks.
The usual countermeasure techniques involving a random masking withstand direct attacks on the prediction of the attack registers of the first order, such as, for example, the attacks of DPA type or the attacks of CPA type, CPA standing for “Correlation Power Analysis”. They are implemented, for example, by duplicating the data processing paths in the circuit.
This duplication implies a significant increase in the complexity of the circuit compared to an unmasked implementation.
Moreover, these countermeasures are bad at withstanding attacks of an order greater than or equal to two. As an example, the second order attacks exploit the fact that the variance of the leak depends on the sensitive variable x. The estimation of the variance is performed either by combining the leaks of information on the two occasions when x⊕m and also m are used, or by estimating the combined distribution of the pair (x⊕m, m) when the mask and the masked datum are used simultaneously. The attacks of second order based on the estimation of the variance are called “zero-offset” attacks, and are described in the article by E. Peeters, F. Standaert, N. Donckers and J-J. Quisquater entitled Improved Higher Order Side-Channel Attacks with FPGA experiments, Josyula R. Rao and Berk Sunar editors, Cryptographic Hardware and Embedded Systems—Proceedings of CHES, volume 3659 LNCS, pages 309-323. Springer-Verlag, 2005.