The aims of cryptography are notably to protect:
- either the confidentiality of an item of information, by means of encryption and of the dual operation, decryption;
- or only the authenticity of an item of information, by the operations of signature and of verification of signatures.
Cryptography uses mathematical procedures, which have been demonstrated to lead to secure systems. For example, an encryption is presumed secure when it is proven that there do not exist, in the current state of the published knowledge, any procedures of attack significantly faster than exhaustive attack, corresponding to the trying of all the possible keys.
In general, encryption procedures involve complex computations, necessary for the security of systems. This complexity does not pose any particular problems to computers but is a serious drawback in the case of devices that do not have high computational power, generally driven by low-cost “8-bit” microprocessors. The consequences may be of several kinds, such as:
- an impediment to proper use, a typical example would be a bank card taking several minutes to sign a bill;
- a denial of service, a typical example would be a pay-per-view television decoder not being able to track the throughput of information delivered.
To alleviate this difficulty without increasing the price of systems, it is customary to append a system for aiding the central unit of the device used, in the form of a coprocessor dedicated to cryptography.
However, whether it be implemented by the central unit or by a specialized coprocessor, the cryptography algorithm is implemented by a physical device, currently of electronic type. These physical devices exhibit inevitable imperfections, related to properties inherent in the basic laws of electricity.
Thus, cryptography systems that are secure from the mathematical point of view may be attacked by exploiting the inherent imperfections of the physical systems implementing the algorithm, as follows:
- the duration of the computations may depend on the values of the data, in particular on speed-optimized software systems, this having given rise to the attacks of the “Timing attack” type described notably in the document by P. Kocher et al: Timing Attack on Implementation of Diffie-Hellman, RSA, DSS and other systems, In Proceedings of CRYPTO'96, volume 1109 of LNCS, pages 104-113, Springer-Verlag, 1996, these attacks making it possible in certain cases to retrieve the entirety of the secret keys on the basis of simple measurements of execution time;
- the instantaneous consumption may also depend on the data, this having given rise to a series of attacks such as:
  - the SPA (Simple Power Analysis) attack described notably in the document by Thomas S. Messerges et al: Investigations of Power Analysis Attacks on Smartcards, In USENIX—Smartcard'99, pages 151-162, May 10-11, 1999, Chicago USA, this attack attempting to differentiate the operations executed by a central unit on the basis of a measurement of its electrical consumption measured during a cryptographic operation;
  - the DPA (Differential Power Analysis) attack described notably in the document by S. Guilley et al: Differential Power Analysis Model and some Results, In Proceedings of WCC/CARDIS, pages 127-142, August 2004, Toulouse, France, this attack using statistical operations on numerous measurements of electrical consumption, which are performed during cryptographic operations on random messages and with a constant key, in order to validate or invalidate an assumption made about a limited part of the key;
- any electric current flowing in a conductor produces an electromagnetic field whose measurement can give rise to attacks of the EMA (ElectroMagnetic Attack) type, which are identical in their principle to attacks pertaining to electrical consumption;
- certain attacks intentionally disturb the operation of systems so as to exploit the erroneous results in order to retrieve the secrets of the system, these attacks being known by the term fault injection attacks.
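The data dependence of computation time noted in the first item can be seen by counting modular multiplications. The following is an added example, not part of the original text: it compares a speed-optimized square-and-multiply exponentiation with a Montgomery ladder, using the multiplication count as an assumed stand-in for execution time; the function names, modulus and exponents are constructed for illustration.

```python
def modexp_square_multiply(base, exp, mod):
    """Left-to-right square-and-multiply. Returns (result, multiplication count)."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops += 1
        if bit == "1":                      # extra work only when the key bit is 1
            result = result * base % mod
            ops += 1
    return result, ops

def modexp_ladder(base, exp, mod, bits):
    """Montgomery ladder over a fixed bit length: two multiplications per bit,
    whatever the bit value. Returns (result, multiplication count)."""
    r0, r1, ops = 1, base % mod, 0
    for i in range(bits - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, r0 * r1 % mod
        ops += 2
    return r0, ops

def compare(base=7, mod=1000003, bits=16):
    """Run both methods on two constructed 16-bit exponents of different weight."""
    report = {}
    for exp in (0x8001, 0xFFFF):            # constructed sample exponents
        r_sm, ops_sm = modexp_square_multiply(base, exp, mod)
        r_ld, ops_ld = modexp_ladder(base, exp, mod, bits)
        assert r_sm == r_ld == pow(base, exp, mod)
        report[exp] = {"square_multiply_ops": ops_sm, "ladder_ops": ops_ld}
    return report

if __name__ == "__main__":
    for exp, counts in compare().items():
        print(f"exp={exp:#06x} {counts}")
```

The ladder equalizes only the operation count in this model; the branch on the exponent bit remains, so a real implementation would also need branch-free selection between the two registers.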
Any imperfection of a physical device implementing a cryptography algorithm and liable to leak information related to the secrets held in the memory of the device is called a hidden channel.
Protections against these attacks on the hidden channels have been proposed, on the basis notably:
- of concealment, which involves rendering the leakage constant, in this instance independent of the secret;
- of masking, which involves rendering the leakage random, unpredictable and therefore unexploitable.
These two techniques make it possible to increase the difficulty of attacks aimed at retrieving information, but they remain vulnerable, however, to attacks which would profit from implementational defects. There exist numerous examples of potential or substantiated vulnerabilities, for example:
- concealment based on differential logic (such as WDDL) may be vulnerable to an attack on differences in cumulative combinatorial lags between one or the other of the phases of the calculation, evaluation phase and precharge phase;
- masking, which may be sensitive to high-order attacks, termed HO-DPA.
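The effect of masking on leakage, and its residual second-order sensitivity, can be checked on simulated measurements. The following is an added example, not part of the original text: a leakage assessment that assumes a Hamming-weight consumption model with Gaussian noise, a first-order Boolean mask, and constructed values for the key byte, noise level and sample count.

```python
import random

def hw(x):
    """Hamming weight of a byte (the assumed leakage model)."""
    return bin(x).count("1")

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def assess_leakage(n=4000, key=0x3C, noise=1.0, seed=1):
    """Simulate n operations on random messages with a constant key byte and
    return the correlation between HW(sensitive value) and each observable."""
    rng = random.Random(seed)
    model, plain, leak_mask, leak_masked = [], [], [], []
    for _ in range(n):
        v = rng.randrange(256) ^ key      # sensitive intermediate value
        m = rng.randrange(256)            # fresh random mask for this run
        model.append(hw(v))
        plain.append(hw(v) + rng.gauss(0, noise))            # unprotected device
        leak_mask.append(hw(m) + rng.gauss(0, noise))        # masked: mask share
        leak_masked.append(hw(v ^ m) + rng.gauss(0, noise))  # masked: data share
    # Second-order view: centred product of the two share leakages.
    mu_m, mu_x = sum(leak_mask) / n, sum(leak_masked) / n
    combined = [(a - mu_m) * (b - mu_x) for a, b in zip(leak_mask, leak_masked)]
    return {
        "unprotected": pearson(model, plain),
        "masked_first_order": pearson(model, leak_masked),
        "masked_second_order": pearson(model, combined),
    }

if __name__ == "__main__":
    for name, rho in assess_leakage().items():
        print(f"{name:20s} {rho:+.3f}")
```

Under this model a single masked sample is uncorrelated with the sensitive value, while the combination of the two share leakages is not, which is why a masking scheme is evaluated at the order it claims and above.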