A Feistel algorithm performs symmetric block encryption and is characterized, in particular, by similar or indeed identical encryption and decryption operations. An exemplary Feistel algorithm is the DES algorithm and its diverse variations. Other algorithms are known by the names LOKI and GOST.
The components used to implement a secure method relate to, in particular, applications where access to services and/or to data is severely controlled. These components usually have an architecture formed around a microprocessor and a program memory comprising, in particular, the secret key.
Such components are, for example, used in chip cards. In particular, these components may be used for banking type applications by way of a control terminal or remotely. Such components use one or more methods of encipherment employing a secret or private key to calculate output data on the basis of input data. Such a method is, for example, used to encrypt, decrypt, sign an input message or else verify the signature of the input message.
To ensure the security of transactions, secret or private key encipherment methods are constructed so that it is not possible to determine the secret key used on the basis of the knowledge of the input data and/or of the output data of the algorithm. However, the security of a component relies on its ability to keep hidden the secret key that it uses.
A frequently used method is the DES (Data Encryption Standard) type method. It makes it possible, for example, to provide an encrypted message MS (or output data) coded on 64 bits, on the basis of a plaintext message ME (input data) also coded on 64 bits and of a 56-bit secret key K0.
The algorithm of the DES type is well known to the person skilled in the art. The latter may refer, for example, for all useful purposes to the document entitled DATA ENCRYPTION STANDARD (DES), FIPS PUB 46-3, FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION, 25 Oct. 1999, U.S. DEPARTMENT OF COMMERCE, National Institute of Standards and Technology.
Various types of attacks on an implementation (of DES, for example) of a cryptography algorithm are possible. An attack of the DFA (Differential Fault Analysis) type may be cited. This type of attack has formed the subject of several publications. It is, in particular, possible to refer to the article by Shamir and Biham entitled “Differential Fault Analysis of Secret Key Cryptosystems”, Lecture Notes in Computer Science, vol. 1294, pages 513-525, 1997.
A DFA attack uses fault injection, for example, by way of a laser ray, so as to reach one or more bits of a temporary result of the calculation in a register so as to modify the value thereof.
A DFA attack using double fault injection makes it possible to circumvent protection by a method of cryptographic calculation which provides for verification of the calculation by a recalculation and a verification step. An inverse calculation and a verification step may be performed instead.
A summary description of this type of attack is as follows. The successive DESs (DES followed by DES, or DES followed by DES−1, according to the counter-measure implemented) may be logged. This step is done using tools such as the tracing of the current consumption or of the electromagnetic radiation of the attacked component.
Disturbances may be generated, for example, with the aid of the laser beam (repeated until enough spoiled digits or bits are obtained to conduct a DFA attack). A first disturbance a) may be on the penultimate round of the first DES (or the second round of the DES−1). A second disturbance b) may be on the penultimate round of the second DES (or the second round of the DES−1) with the same disturbance characteristics as in a).
In exploitation, the attacker conducts a DFA attack with the messages collected during the repetition of the second disturbance mentioned above. Disturbances a) and b) need to induce the same effect so that the verification cannot detect the error introduced. This requires that the attacker reproduce the same error, exactly twice, at locations which correspond in the algorithm and in the verification algorithm.
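The following is an added example, not part of the patent text and not the applicant's implementation. It uses a constructed 16-bit toy Feistel network (not DES, not secure) to illustrate two points made above: the Feistel property, whereby one routine both encrypts and decrypts once the subkeys are reversed, and the behaviour of the two counter-measures mentioned, verification by recalculation and verification by the inverse calculation. The `fault` parameter, the S-box, the key schedule and the sample key and message are all assumptions of this example; the fault parameter merely xors a mask into a register after a chosen round so that one can see that a single disturbance is detected by the comparison while two identical disturbances are not, which is the limitation the text describes.

```python
# Toy 16-bit Feistel network, constructed for illustration only (not DES and
# not secure).  Two 8-bit halves, ROUNDS rounds, one 8-bit subkey per round.
ROUNDS = 4

# Constructed 4-bit permutation used as the S-box of the round function.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def round_function(half: int, subkey: int) -> int:
    """f(R, K): key mix, two S-box lookups, then a rotation of the byte."""
    x = (half ^ subkey) & 0xFF
    x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    return ((x << 3) | (x >> 5)) & 0xFF


def subkeys(key: int) -> list:
    """One 8-bit subkey per round from a 32-bit key (constructed schedule)."""
    return [(key >> (8 * (i % 4))) & 0xFF for i in range(ROUNDS)]


def feistel(block: int, ks: list, fault=None) -> int:
    """L_{i+1} = R_i ; R_{i+1} = L_i xor f(R_i, K_i); halves swapped back at the end.

    `fault`, when given, is (round_index, xor_mask): after round `round_index`
    the mask is xored into the right half, simulating a disturbed register.
    It exists only so that the verification functions below can be exercised.
    """
    left, right = (block >> 8) & 0xFF, block & 0xFF
    for i, k in enumerate(ks):
        left, right = right, left ^ round_function(right, k)
        if fault is not None and fault[0] == i:
            right ^= fault[1]
    return (right << 8) | left


def encrypt(block: int, key: int, fault=None) -> int:
    return feistel(block, subkeys(key), fault)


def decrypt(block: int, key: int, fault=None) -> int:
    # Same routine, subkeys in reverse order: the Feistel property.
    return feistel(block, list(reversed(subkeys(key))), fault)


def encrypt_checked_by_recalculation(block, key, fault_first=None, fault_second=None):
    """Counter-measure: compute twice and compare.  None means 'error detected'."""
    c1 = encrypt(block, key, fault_first)
    c2 = encrypt(block, key, fault_second)
    return c1 if c1 == c2 else None


def encrypt_checked_by_inverse(block, key, fault_enc=None, fault_dec=None):
    """Counter-measure: decrypt the result and compare with the input."""
    c = encrypt(block, key, fault_enc)
    return c if decrypt(c, key, fault_dec) == block else None


if __name__ == "__main__":
    KEY, MSG = 0x1A2B3C4D, 0xBEEF                # constructed sample values
    assert decrypt(encrypt(MSG, KEY), KEY) == MSG
    penultimate = (ROUNDS - 2, 0x40)             # one bit flipped after the penultimate round
    print("no fault, recalculation     :", encrypt_checked_by_recalculation(MSG, KEY))
    print("single fault, recalculation :", encrypt_checked_by_recalculation(MSG, KEY, penultimate))
    print("single fault, inverse       :", encrypt_checked_by_inverse(MSG, KEY, penultimate))
    print("identical double fault      :", encrypt_checked_by_recalculation(MSG, KEY, penultimate, penultimate))
```

Because every round of a Feistel network is a bijection on the state, any non-zero disturbance of a register changes the final result, so a single disturbance always fails both checks; the comparison cannot, however, distinguish a correct result from two results that are wrong in the same way, which is why identical disturbances on corresponding rounds of the two computations go unnoticed.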
Another type of attack by injections of faults on a register or a storage element is known by the term unidirectional disturbance (Safe Error Attack). Patent application FR No. 10/51205 filed Feb. 19, 2010 in the name of the applicant describes such an attack and a corresponding protection approach.
Other approaches to protecting against such an attack are described in patent application FR No. 09/57783 filed on Nov. 4, 2009 and patent application FR No. 08/53198 filed on May 16, 2008.
Another type of attack well known to the person skilled in the art is a side channel attack, known by the term DPA (Differential Power Analysis). Reference may be made to the article by P. Kocher et al. entitled “Differential Power Analysis”.
An approach for protecting oneself against an attack of the DPA type includes performing a random masking of the data path, and in particular, of the SBOX operator present in this data path. Such an approach is, for example, described in European patent no. 1358732.
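As an added example, not taken from the patent or from EP 1358732, the following shows the principle of randomly masking an S-box lookup in the data path. The S-box table, the 4-bit width and the helper names are assumptions of the example: a fresh random input mask and output mask are drawn, a masked table S'(x) = S(x xor m_in) xor m_out is built from them, and the lookup is then performed on the masked input only, so that neither the true input nor the true output of the S-box is ever handled in the clear. The last function checks the property that makes this a DPA counter-measure: for a fixed secret input, the value actually processed takes every possible value over many executions.

```python
import secrets

# Constructed 4-bit permutation standing in for an S-box (not a DES S-box).
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE, 0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
WIDTH = 16  # number of 4-bit values


def masked_sbox(sbox: list, m_in: int, m_out: int) -> list:
    """Build S'(x) = S(x ^ m_in) ^ m_out, so that S'(x ^ m_in) = S(x) ^ m_out.

    The table is recomputed for every fresh pair of masks; only the masked
    table is used by the data path afterwards.
    """
    return [sbox[x ^ m_in] ^ m_out for x in range(len(sbox))]


def mask_input(x: int) -> tuple:
    """Enter the masked domain: return (x ^ m_in, m_in) with a random m_in."""
    m_in = secrets.randbelow(WIDTH)
    return x ^ m_in, m_in


def masked_sbox_layer(sbox: list, x_masked: int, m_in: int, m_out=None) -> tuple:
    """Apply the S-box to a masked value without unmasking it.

    Returns (S(x) ^ m_out, m_out).  m_out is drawn at random unless the
    caller supplies one (which the tests below do to get fixed expectations).
    """
    if m_out is None:
        m_out = secrets.randbelow(WIDTH)
    table = masked_sbox(sbox, m_in, m_out)
    return table[x_masked], m_out


def unmask(y_masked: int, m_out: int) -> int:
    """Leave the masked domain (done only where the clear value is needed)."""
    return y_masked ^ m_out


def sbox_via_masking(sbox: list, x: int) -> int:
    """Full masked evaluation of S(x); must equal the plain lookup sbox[x]."""
    x_masked, m_in = mask_input(x)
    y_masked, m_out = masked_sbox_layer(sbox, x_masked, m_in)
    return unmask(y_masked, m_out)


def processed_values(sbox: list, x: int, trials: int) -> set:
    """Collect the masked outputs actually handled for one fixed input x.

    With masking these cover all WIDTH values, i.e. the processed value is
    statistically independent of x, which is what removes the DPA leakage.
    """
    seen = set()
    for _ in range(trials):
        x_masked, m_in = mask_input(x)
        y_masked, _m_out = masked_sbox_layer(sbox, x_masked, m_in)
        seen.add(y_masked)
    return seen


if __name__ == "__main__":
    for x in range(WIDTH):
        assert sbox_via_masking(SBOX, x) == SBOX[x]
    print("masked evaluation agrees with the plain S-box for all inputs")
    print("distinct processed values for x=5:", len(processed_values(SBOX, 5, 2000)))
```

Note that the masked table must be rebuilt whenever the masks change, and that the masks themselves must come from a source the attacker cannot predict; reusing one mask pair across many executions would reintroduce the correlation that DPA exploits.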
Currently, it is possible for an attacker to produce at two precise instants the same disturbance which might perhaps foil the counter-measures described in patent application FR No. 09/57783 or in patent application FR No. 08/53198.
Moreover, in spite of the random masking of the SBOX operator described in EP no. 1358732, it is possible for an attacker to conduct a physical attack of the DFA (Differential Fault Analysis) type whether it uses a simple or a double fault.