Technical Field
The present disclosure generally relates to electronic circuits and, more specifically, to circuits executing operations of modular exponentiation or of multiplication by a scalar on elliptic curves. The present disclosure more specifically relates to the protection of such calculations against attacks aiming at discovering quantities manipulated by the calculations.
Description of the Related Art
In many applications, electronic circuits implement algorithms for encryption, authentication, and signature calculation, and more generally algorithms that manipulate so-called secret data, that is, data to which access is to be reserved to certain users or circuits. Some of these algorithms use modular exponentiation operations, for example RSA-type algorithms, or operations of multiplication by a scalar on elliptic curves (ECC), for example EC-DSA.
There exist many methods, called attacks, that attempt to discover or pirate secret data manipulated by such calculations. Among such attacks, so-called fault injection attacks comprise disturbing the circuit operation at specific times during the execution of the operation. Interpreting the consequences of such fault injections on the circuit operation or on the supplied results gives the pirate information relative to the secret data. The interpretation is performed either by examining the results provided by the circuit executing the calculation or by so-called side-channel attacks, which use indirect information such as the circuit power consumption (SPA, DPA attacks), its radiation, etc.
Among side-channel attacks, one can in particular distinguish so-called vertical attacks from so-called horizontal attacks. Vertical attacks comprise using the variations of the same secret quantity over a plurality of successive traces, for example of power consumption, recorded under different assumptions as to the secret quantity. Horizontal attacks comprise processing the different operations of a single trace that relate to the secret quantities. Countermeasures which are generally effective against vertical side-channel attacks are generally not effective against horizontal attacks.