Conventionally, electronic transactions carried-out on a terminal via a smart card are protected via an authentication procedure for the card, which involves an encryption algorithm. During such an authentication procedure, a terminal sends a random code to the card, and the smart card must respond by generating an authentication code, which is transformed into a random code by the encryption algorithm. The terminal calculates, on its side, the transformed random code and compares the obtained result with the one sent by the card. If the authentication code sent by the card is valid, the transaction is authorized.
In a smart card integrated circuit, an encryption algorithm is generally executed by a hard-wired logic circuit, or an encryption coprocessor, to which is attributed a secret key or an encryption key, which is stored within a protected area of the integrated circuit memory. It is therefore essential to guarantee an absolute protection of this secret key, since the encryption algorithms implemented within the authentication procedures are well known and only the secret key guarantees the tamperproof character of the authentication procedure.
However, in recent years, techniques for pirating of integrated circuits have considerably improved and nowadays involve sophisticated analysis methods based on the observation of the current used by the elements in the integrated circuit during the execution of confidential operations. Presently, there are two types of methods for analyzing the current used, namely the SPA analysis methods (Single Power Analysis) and the DPA analysis methods (Differential Power Analysis) DPA analysis methods, which are more efficient than the former methods, allow a secret key to be revealed via a single observation of changes in the current used by the encryption circuit, without having to read the data flowing in the integrated circuit internal bus and to identify the memories that are read. Such a method relies upon a correlation of samples of the current used with a mathematical model of the encryption circuit and assumptions about the secret key's value. The correlation allows the dc-component in the used current to be suppressed and consumption peaks to be revealed which show the operation performed by the encryption circuit and confidential data values. With such a method, only about 1000 samples need to be recorded for a Data Encrytpion Standard (DES) secret key to be obtained.
To counteract such piracy methods, various countermeasure methods have been suggested that allow variations in the power consumption to be hidden or scrambled, at least during the execution of confidential operations. Such countermeasures only allow increasing the number of necessary samples up to 200,000 which can still be reached by automating measurements.