1. Field of the Invention
The present invention relates to the field of integrated circuits and, more specifically, to the protection of data or secret quantities processed by integrated circuits against fraud attempts aiming at pirating these data.
2. Discussion of the Related Art
An example of an application of the present invention relates to the field of smart cards in which secret quantities used to cipher or encrypt data coming from the outside are contained in the integrated circuit chip.
Among possible frauds, the present invention is more specifically concerned with fraud attempts based on an examination of the signature of a physical parameter of the integrated circuit executing the ciphering function or, more generally, an operation involving a secret quantity. This physical signature on the integrated circuit may correspond, for example, to a variation of its temperature, of its current consumption, or of its electromagnetic radiation. Attacks by statistical analysis of the current consumption of an integrated circuit are known as DPA (differential power analysis) attacks. Such attacks consist of making hypotheses about the handled secret key(s) while the data input into the algorithm (coming from the outside) and the algorithm itself are known. Since the algorithm is known, the way in which the secret quantity is mixed with the input data by this algorithm is known. By varying the input data on the basis of a same key hypothesis, the leakage source (for example, the current consumption) of the integrated circuit can be analyzed and an average signature (trace) can be obtained; determining the right hypothesis from this signature can lead to the discovery of the secret quantity.
DPA-type current consumption attacks are described, for example, in an article “Differential Power Analysis” by Kocher, Jaffe, and Jun, published by Springer Verlag LNCS 1666, in 1999, in the context of the CRYPTO 99 conference (pages 388-397).
More generally, an article “Side Channel Cryptoanalysis of Product Ciphers” by J. Kelsey, P. Schneier, D. Wagner, and C. Hall, published in the Journal of Computer Security, Vol. 8, No. 2-3, 2000, pp. 141-158, describes the principle of attacks to which the present invention applies.
In practice, the data sensitive to physical signature analysis attacks are present at the level of the registers of temporary data and key storage in the form of rising or falling switching edges (from 0 to 1, or from 1 to 0), that is, upon introduction of the data in the registers.
FIG. 1 illustrates a conventional example of an algorithmic function of the type to which the present invention applies.
Input data X are combined by a function f (block 1, f(X,K)) with a secret quantity K contained in the integrated circuit executing function f. The provided result is data Y corresponding, in this example, to data X ciphered by key K.
FIG. 2 arbitrarily illustrates as an example two successive steps of execution of a ciphering function (for example, function f of FIG. 1). Such an execution uses registers for storing the digital data. These registers have been symbolized in FIG. 2 in the form of two input registers 2 (Rs1) and 3 (Rs2) forming source registers for an operator 4 (OP) executing a logic or arithmetic function on the contents of registers 2 and 3. The result of operator 4 (OP) is stored in a destination register 2′ (Rd1) and, if operator OP provides two result words, in a second destination register 3′ (Rd2) shown in dotted lines in FIG. 2.
If function f to be executed comprises several successive operations, destination registers 2′ and 3′ of the first step or operator 4 generally become the source registers 2 and 3 of a second step or operator 4′ (operator OP′). In FIG. 2, the two successive operations have been separated by a dotted line 5. Similarly to the first step, operator 4′ provides its result in one or several destination registers 2′ and 3′.
Conventionally, for each new execution of an algorithm, the source and destination registers, whether they are common or separate according to applications, are reset to a predetermined value (for example, zero). Afterwards, the states that they contain depend on the introduction of the different data and especially on the secret quantity which is likely to be pirated. The most sensitive register is the destination register since the source register, if it has not yet been reset, corresponds to a destination register transformed by a preceding operation.
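The following simulation is an added example, not part of the original text. It models the destination register of FIG. 2 being reset to zero and then loaded with f(X,K), so that the number of switching edges equals the Hamming weight of the result, and shows how the average signature singles out the right key hypothesis, which is the leakage a protection has to suppress. The AES S-box standing in for f, the Gaussian noise model, the key value and all function names are assumptions of the example.

```python
import random

def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF

def build_sbox():
    """Generate the AES S-box (assumed stand-in for the nonlinear part of f)."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3 in GF(2^8)
        for s in (1, 2, 4):                                     # q = q / 3, so p * q == 1
            q = (q ^ (q << s)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse
    return sbox

SBOX = build_sbox()
SECRET_K = 0x3C   # constructed secret quantity K
TARGET_BIT = 0    # bit of the destination register predicted per hypothesis

def simulate_traces(key, repeats=16, sigma=1.0, seed=1):
    """Constructed measurements: one leakage sample per execution of f."""
    rng = random.Random(seed)
    traces = []
    for _ in range(repeats):
        for x in range(256):                      # known input data X
            y = SBOX[x ^ key]                     # value written to Rd1
            edges = bin(0x00 ^ y).count("1")      # 0 -> 1 edges from the reset state
            traces.append((x, edges + rng.gauss(0.0, sigma)))
    return traces

def difference_of_means(traces, guess):
    """Average leakage when the predicted bit is 1 minus when it is 0."""
    total, count = [0.0, 0.0], [0, 0]
    for x, leak in traces:
        bit = (SBOX[x ^ guess] >> TARGET_BIT) & 1
        total[bit] += leak
        count[bit] += 1
    return total[1] / count[1] - total[0] / count[0]

def rank_hypotheses(traces):
    """Key hypotheses sorted by decreasing difference of means."""
    scores = [(difference_of_means(traces, g), g) for g in range(256)]
    return [(g, s) for s, g in sorted(scores, reverse=True)]

if __name__ == "__main__":
    for guess, score in rank_hypotheses(simulate_traces(SECRET_K))[:3]:
        print(f"hypothesis 0x{guess:02X}: difference of means {score:+.3f}")
```

With the register reset to zero, the right hypothesis yields a difference of means close to one switching edge, while wrong hypotheses partition the same traces almost at random and average out.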