Technical Field
The present disclosure relates to the field of fault detection, and in particular to a device and method for executing a computing function protected against fault attacks.
Description of the Related Art
Integrated circuits may comprise circuitry that is considered sensitive in view of the security of the data that it processes, such as authentication keys, signatures, etc., or of the algorithms it uses, such as encryption or decryption algorithms. Such information should not be communicated to or otherwise be detectable by third parties or unauthorized circuits.
A common process for fraudulently discovering information manipulated by an integrated circuit involves detecting, within the circuit, the zones that are used during the processing of that information. For this, the circuit is activated or otherwise placed in a functional environment, and data to be processed by the circuit is introduced at an input. Then, while the data is processed, for example, the surface of integrated circuit is swept by a laser to inject faults in the functioning of the circuit, and in particular to flip the voltage state stored at one or more nodes of the circuit. While analyzing in parallel the outputs of the circuit, the zones that are used to process the data may be determined. Having localized such zones, the pirate can then concentrate the attacks on these zones in order to discover the secret information.
The injection of faults can also be used to bypass security checks or to infer secret information through the modification of the data being processed.
One solution for protecting against faults attacks is to provide two processing devices arranged to operate in parallel on the same input data. By comparing the results generated by these two devices, the injection of a fault can be detected. However, such a solution comes at a relatively high hardware cost.
An alternative solution that avoids the use of two processing devices is to execute the sensitive function twice using the same processing device and with the same input data. However, a drawback of existing implementations of this type of solution is that they are implemented with relatively high memory resources.