1. Technical Field
The present disclosure relates to a countermeasure method to protect sensitive data circulating in an electronic circuit from attacks aiming to discover these data. The present disclosure applies, for example, to microcircuit cards, to decoder boxes (“set top box”), and more generally to any device manipulating secret data or implementing cryptographic functions.
2. Description of the Related Art
The sensitive data may be in particular encryption or decryption keys, and more generally cryptographic data used or generated during cryptographic calculations, such as intermediate data of such calculations, and identifiers which must be kept secret.
Electronic circuits manipulating sensitive data are sometimes subjected to attacks aiming to determine these data. Among the known attacks, attacks of the SPA (Simple Power Analysis) or DPA (Differential Power Analysis) types comprise performing numerous measurements of currents and of voltages entering and leaving the circuit during the execution of a program or during the processing of data by the circuit, with different input data. The obtained measurements are exploited by statistical analyses aiming to reveal correlations in order to deduce the secret data processed or used by the circuit. With this same goal, attacks of the EMA (Electromagnetic Analysis) and DEMA (Differential Electromagnetic Analysis) types are based on the analysis of electromagnetic radiation emitted by the circuit.
In order to fight against these varied types of attacks, numerous solutions all different from each other have been developed. This disclosure relates particularly to those that aim to prevent statistical analysis attacks from discovering secret data by means of correlation.
To this end, it is known to use random numbers to mask the cryptographic calculations. For example, during a modular exponentiation of the form (Md mod N, M being a data to encrypt and d being secret data), currently used in certain cryptographic calculations, it is known to add a random number r to the secret data d and then using it as an exponent in the modular exponentiation calculation (Md+r mod N). To obtain the result of the sought exponentiation operation (Md mod N), the component resulting from the introduction of the random number is removed by applying a modular exponentiation calculation to the random number with the sign changed beforehand (M−r mod N), then multiplying the results obtained by the two modular exponentiations.
Instead of adding a random number to the secret data, it is also known to multiply it by a random number r. In this case, the result of the sought modular exponentiation (Md mod N) is obtained by calculating the inverse of the random number 1/r and by performing a second modular exponentiation calculation to power 1/r, applied to the result of the first modular exponentiation calculation ((Mdr mod N)1/r mod N).
These solutions have the disadvantages of requiring a high-quality random number generator, of storing temporarily the result of the first modular exponentiation calculation, and of adding a second modular exponentiation calculation and a multiplication or an inverse calculation.
It is also known to add to the secret data d used as an exponent, a term of the form r·φ(N) such that the modular exponentiation calculation using the obtained sum as exponent (Md+r·φ(N) mod N), supplies a result identical to the modular exponentiation calculation using only the secret data as exponent (Md mod N). This solution also requires a high-quality random number generator to determine the value of r. It is also necessary to know the factor φ(N) which allows the result of the modular exponentiation to not change, which is not always the case according to the application.
Instead of modifying the secret data before proceeding with the modular exponentiation calculation, it has also been envisaged to modify the data to encrypt M before the exponentiation calculation by multiplying it by a random number r. The modular exponentiation calculation thus supplies the value ((M·r)d mod N). To obtain the sought calculation result, it is therefore necessary to calculate the quantity (r−d mod N) and to multiply this quantity by the result of the first modular exponentiation calculation. This solution has the same disadvantages of the previously-described solutions.