MXPA01003747A - Countermeasure method in an electronic component using a secret key cryptographic algorithm - Google Patents

Countermeasure method in an electronic component using a secret key cryptographic algorithm

Info

Publication number
MXPA01003747A
Authority
MX
Mexico
Prior art keywords
data
round
algorithm
sequence
output data
Application number
MXPA/A/2001/003747A
Other languages
Spanish (es)
Inventor
Christophe Clavier
Olivier Benoit
Original Assignee
Gemplus
Application filed by Gemplus

Abstract

The invention concerns a countermeasure method in an electronic component using a secret key K cryptographic algorithm, wherein the algorithm implementation comprises the use of first means TC0 for supplying output data from input data, the output information and/or derived data being manipulated by critical instructions. Said countermeasure method provides for the use of other means TC1 and/or TC2, such that the output information and the derived data are unpredictable.

Description

COUNTERMEASURE METHOD IN AN ELECTRONIC COMPONENT USING A SECRET KEY CRYPTOGRAPHIC ALGORITHM
The present invention relates to a countermeasure method in an electronic component that implements a secret key cryptographic algorithm. Such components are used in applications where access to services or data is strictly controlled. They have an architecture formed around a microprocessor and memories, one of which is a program memory that contains the secret key.
These components are mainly used in microcircuit cards, for certain applications of these cards. These are, for example, applications for access to certain data banks, banking applications, and electronic toll applications, for example for television, the distribution of gasoline, or the passage of motorway tolls.
These components or cards therefore implement a secret key cryptographic algorithm, the best known of which is the DES algorithm (Data Encryption Standard in the English-language literature).
There are other secret key algorithms, such as the RC5 algorithm or the COMP128 algorithm. This list is of course not exhaustive.
Generally and briefly, the function of these algorithms is to calculate an encrypted message from a message applied to the input (of the card) by a host system (server, bank cash dispenser, etc.) and from the secret key contained in the card, and to return this encrypted message to the host system, which allows the host system, for example, to authenticate the component or the card, to exchange data, and so on.
It has become apparent, however, that these components or cards are vulnerable to attacks that consist of a differential analysis of current consumption and that allow malicious third parties to find the secret key. These attacks are called DPA attacks, the English acronym for Differential Power Analysis.
The principle of these DPA attacks rests on the fact that the current consumption of the microprocessor executing the instructions varies according to the data being manipulated.
In particular, a microprocessor instruction that manipulates a data bit generates two different current profiles according to whether this bit is "1" or "0". Typically, if the instruction manipulates a "0", a first current amplitude is consumed at that instant of execution, and if the instruction manipulates a "1", a second current amplitude is consumed, different from the first.
The characteristics of cryptographic algorithms are known: the calculations made and the parameters used. The only unknown is the secret key contained in the program memory. It cannot be deduced solely from knowledge of the message applied to the input and of the encrypted message returned.
However, in a cryptographic algorithm, some calculated data depend only on the message applied in clear to the input of the card and on the secret key contained in the card. Other data calculated in the algorithm can also be recalculated from the encrypted message alone (generally supplied in clear at the output of the card to the host system) and from the secret key contained in the card. More precisely, each bit of these particular data can be determined from the input or output message and from a limited number of particular bits of the key.
Thus, each bit of a particular data item corresponds to a subkey formed by a particular group of bits of the key.
The bits of these particular data that can be predicted are referred to below as target bits.
The basic idea of the DPA attack is thus to use the difference in the current consumption profile of an instruction according to whether it manipulates a "1" or a "0", together with the possibility of calculating a target bit manipulated by the instructions of the algorithm from a known input or output message and from a hypothesis about the corresponding subkey.
The principle of the DPA attack is therefore to test a given subkey hypothesis by applying, to a large number of current measurement curves, each relating to an input message known to the attacker, a Boolean selection function that is a function of the subkey hypothesis and is defined for each curve by the value predicted for a target bit.
By making a hypothesis about the subkey concerned, one is able to predict the value "0" or "1" that this target bit will take for a given input or output message.
The value "0" or "1" predicted for the target bit under the subkey hypothesis considered can then be applied as a Boolean selection function, to sort these curves into two packets: a first packet groups the curves that saw the manipulation of the target bit at "0" and a second packet groups the curves that saw the manipulation of the target bit at "1", according to the subkey hypothesis. By averaging the current consumption in each packet, one obtains an average consumption curve M0(t) for the first packet and an average consumption curve M1(t) for the second packet.
If the subkey hypothesis is correct, the first packet really groups all the curves among the N curves that saw the manipulation of the target bit at "0", and the second packet really groups all the curves among the N curves that saw the manipulation of the target bit at "1". The average consumption curve M0(t) of the first packet will then have an average consumption everywhere except at the instants of execution of the critical instructions, where it has a current consumption profile characteristic of the manipulation of the target bit at "0" (profile0). In other words, for all these curves, all the manipulated bits have had as many chances of being "0" as of being "1", except for the target bit, which has always had the value "0". This can be written:
$$M_0(t) = \left[\frac{\mathrm{profile}_0 + \mathrm{profile}_1}{2}\right]_{t \neq tc_i} + \left[\mathrm{profile}_0\right]_{tc_i}$$
or
$$M_0(t) = \left[Vm_t\right]_{t \neq tc_i} + \left[\mathrm{profile}_0\right]_{tc_i}$$
where tci represents the critical instants, at which a critical instruction has been executed.
Likewise, the average consumption curve M1(t) of the second packet corresponds to an average consumption everywhere except at the instants of execution of the critical instructions, where it has a current consumption profile characteristic of the manipulation of the target bit at "1" (profile1). This can be written:
$$M_1(t) = \left[\frac{\mathrm{profile}_0 + \mathrm{profile}_1}{2}\right]_{t \neq tc_i} + \left[\mathrm{profile}_1\right]_{tc_i}$$
or
$$M_1(t) = \left[Vm_t\right]_{t \neq tc_i} + \left[\mathrm{profile}_1\right]_{tc_i}$$
It has been seen that the two profiles profile0 and profile1 are not equal. The difference of the curves M0(t) and M1(t) then gives a signal DPA(t) whose amplitude is equal to profile0 - profile1 at the critical instants tci of execution of the critical instructions that manipulate this bit, that is, in the example shown in Figure 1, at the instants tc0 to tc6, and whose amplitude is approximately equal to 0 outside the critical instants.
If the subkey hypothesis is false, the selection does not correspond to reality. Statistically, there are then as many curves in each packet that really saw the manipulation of the target bit at "0" as curves that saw the manipulation of the target bit at "1". The resulting average curve M0(t) then lies around a mean value given by (profile0 + profile1) / 2 = Vm, since for each of the curves all the manipulated bits, including the target bit, have had as many chances of being "0" as of being "1".
The same reasoning on the second packet leads to an average current consumption curve M1(t) whose amplitude lies around a mean value given by (profile0 + profile1) / 2 = Vm.
The signal DPA(t) provided by the difference M0(t) - M1(t) is in this case substantially equal to zero. The signal DPA(t) in the case of a false subkey hypothesis is represented in Figure 2.
In this way, the DPA attack exploits the difference in the current consumption profile during the execution of an instruction according to the value of the bit manipulated, in order to sort the current consumption curves according to a Boolean selection function for a given subkey hypothesis. By performing a differential analysis of the average current consumption between the two packets of curves obtained, an information signal DPA(t) is obtained.
Overall, a DPA attack then proceeds as follows:
a- drawing N random messages (for example N equal to 1000);
b- having the card execute the algorithm for each of the N random messages, recording the current consumption curve each time (measured on the power supply terminal of the component);
c- making a hypothesis about a subkey;
d- predicting, for each of the random messages, the value taken by one of the target bits whose value depends only on the bits of the message (input or output) and on the subkey taken as hypothesis, to obtain the Boolean selection function;
e- sorting the curves according to this Boolean selection function (that is, according to the value "0" or "1" predicted for this target bit for each curve under the subkey hypothesis);
f- calculating in each packet the resulting average current consumption curve;
g- taking the difference of these average curves, to obtain the signal DPA(t).
If the hypothesis about the subkey is correct, the Boolean selection function is correct, and the curves of the first packet really correspond to the curves for which the message applied to the input or the output gave a target bit of "0" in the card, and the curves of the second packet really correspond to the curves for which the message applied to the input or the output gave a target bit of "1" in the card.
This is the case of Figure 1: the signal DPA(t) is therefore not zero at the instants tc0 to tc6 corresponding to the execution of the critical instructions (those that manipulate the target bit).
It will be noted that the attacker does not need to know the critical instants precisely. It is sufficient that there is at least one critical instant in the acquisition period.
If the subkey hypothesis is not correct, the selection does not correspond to reality, and in each packet there are therefore as many curves corresponding in reality to a target bit of "0" as curves corresponding to a target bit of "1". The signal DPA(t) is substantially zero everywhere (case shown in Figure 2). It is then necessary to go back to step c- and make a new hypothesis about the subkey.
If the hypothesis is verified to be correct, one can move on to the evaluation of other subkeys, until the key has been reconstituted as fully as possible. For example, with a DES algorithm, a 64-bit key is used, of which only 56 bits are useful. With a DPA attack, at least 48 of the 56 useful bits can be reconstituted.
The object of the present invention is to implement, in an electronic component, a countermeasure method that results in a zero DPA(t) signal, even in the case where the subkey hypothesis is correct.
In this way, nothing distinguishes the case of the correct subkey hypothesis from the cases of false subkey hypotheses. Through this countermeasure, the electronic component is protected against DPA attacks.
According to the invention, the countermeasure method makes it possible to render the target bits unpredictable, that is, the data manipulated by the critical instructions.
Indeed, because of the countermeasure, for each message applied to the input, a target bit manipulated by a critical instruction takes the value 0 or 1 with equal probability. In each packet of curves that the attacker forms under a given subkey hypothesis, by means of the Boolean selection function that he has calculated, there will be as many curves that really manipulated a target bit at "0" as curves that really manipulated a target bit at "1". The DPA(t) signal will always be zero, whether the subkey hypothesis is correct or not.
As characterized, the invention thus relates to a countermeasure method in an electronic component that implements a secret key cryptographic algorithm, the implementation of the algorithm comprising the use of first means to provide an output data item from an input data item, the output data and/or derived data being manipulated by critical instructions. According to the invention, the countermeasure method provides for the use of other means, in such a way that the output data and the derived data are unpredictable.
According to the invention, the use of the different means is governed by a statistical probability law of one half.
Other features and advantages of the invention are detailed in the following description, given by way of indication and in no way limiting, with reference to the accompanying drawings, in which:
- Figures 1 and 2, already described, represent the signal DPA(t) that can be obtained depending on a hypothesis about a subkey of the secret key K, according to a DPA attack;
- Figures 3 and 4 are flowcharts representing the first rounds and the last rounds of the DES algorithm;
- Figure 5 is a block diagram of the SBOX operation used in the DES algorithm;
- Figure 6 shows an example of an elementary constant table with one input and one output used in the SBOX operation;
- Figures 7 and 8 show an example flowchart of the execution of the first and last rounds of the DES algorithm, according to one embodiment of the countermeasure method according to the invention;
- Figures 9 and 10 show respectively a second and a third elementary constant table according to the invention;
- Figure 11 represents a general flowchart of the execution of DES according to an embodiment of the countermeasure method according to the invention; and
- Figure 12 represents a simplified block diagram of a microcircuit card including an electronic component in which the countermeasure method according to the invention is implemented.
The present invention will be explained in an example application to the DES cryptographic algorithm. The invention is not limited to this single example. It applies to secret key cryptographic algorithms in general.
The DES cryptographic algorithm (hereinafter referred to simply as DES or the DES algorithm) comprises 16 rounds of calculation, denoted T1 to T16, as represented in Figures 3 and 4.
DES begins with an initial permutation IP on the input message M (Figure 3). The input message M is a 64-bit word f. After the permutation, a 64-bit word e is obtained, which is cut in two to form the input parameters L0 and R0 of the first round (T1). L0 is a 32-bit word that contains the 32 most significant bits of the word e. R0 is a 32-bit word h that contains the 32 least significant bits of the word e.
The secret key K, which is a 64-bit word q, itself undergoes a permutation and a compression to provide a 56-bit word r.
The first round comprises an operation EXP PERM on the parameter R0, consisting of an expansion and a permutation, to provide a 48-bit word l at the output.
This word l is combined with a parameter K1, in an EXCLUSIVE OR operation denoted XOR, to provide a 48-bit word b. The parameter K1, which is a 48-bit word m, is obtained from the word r by a shift of one position (operation denoted SHIFT in Figures 3 and 4) followed by a permutation and a compression (operation denoted COMP PERM).
The word b is applied to an operation denoted SBOX, at the output of which a 32-bit word a is obtained. This particular operation will be explained in more detail in relation to Figures 5 and 6.
The word a undergoes a permutation P PERM, giving the 32-bit word c at the output.
This word c is combined with the input parameter L0 of the first round T1, in an EXCLUSIVE OR logical operation denoted XOR, which provides the 32-bit word g at the output.
The word h (= R0) of the first round provides the input parameter L1 of the next round (T2), and the word g of the first round provides the input parameter R1 of the next round. The word p of the first round provides the input r of the next round.
The other rounds T2 to T16 proceed in a similar way, except as regards the shift operation SHIFT, which is made over one or two positions according to the round considered.
Each round Ti receives the parameters Li-1, Ri-1 and r as input and supplies the parameters Li, Ri and r for the next round Ti+1 at the output.
At the end of the DES algorithm (Figure 4), the encrypted message is calculated from the parameters L16 and R16 provided by the last round T16.
This calculation of the encrypted message C comprises in practice the following operations:
- the formation of a 64-bit word e' by inverting the position of the words L16 and R16 and then concatenating them;
- the application of the permutation IP-1, the inverse of the one at the beginning of DES, to obtain the 64-bit word f that forms the encrypted message C.
The SBOX operation is detailed in Figures 5 and 6. It comprises a table of constants TC0 to provide an output data item a as a function of an input data item b.
In practice, this table of constants TC0 takes the form of eight elementary constant tables TC01 to TC08, each receiving as input only 6 bits of the word b, to provide as output only 4 bits of the word a.
In this way, the elementary constant table TC01 shown in Figure 6 receives the bits b1 to b6 of the word b as input and outputs the bits a1 to a4 of the word a.
In practice, these eight elementary constant tables are stored in the program memory of the electronic component.
In the SBOX operation of the first round T1, a particular bit of the output data a of the constant table TC0 depends on only 6 bits of the data b applied to the input, that is, on only 6 bits of the secret key K and of the input message (M).
In the SBOX operation of the last round T16, a particular bit of the output data a of the constant table TC0 can be recalculated from only 6 bits of the secret key K and of the encrypted message (C).
Returning to the principle of the DPA attack, if a bit of the output data a is chosen as a target bit, it is enough to make a hypothesis on 6 bits of the key K to predict the value of the target bit for a given input message (M) or output message (C). In other words, for DES, it is sufficient to make a hypothesis about a 6-bit subkey.
In a DPA attack on such an algorithm for a given target bit, it is therefore necessary to discriminate one correct subkey hypothesis among 64 possible ones.
In this way, taking only eight bits of the word a as target bits (one output bit per elementary constant table TC01 to TC08), up to 6x8 = 48 bits of the secret key can be discovered by making DPA attacks on each of these target bits.
In DES, there are thus critical instructions in the sense of DPA attacks at the beginning of the algorithm and at the end.
At the beginning of the DES algorithm, the data that can be predicted from an input message M and a subkey hypothesis are the data a and g calculated in the first round (T1).
The data a of the first round T1 (Figure 3) is the output data of the SBOX operation of the round considered. The data g is calculated from the data a, by permutation (P PERM) and an EXCLUSIVE OR operation with the input parameter L0.
In fact, the data c of the first round is a data item derived from the data a of the first round. The derived data c corresponds to a simple permutation of the bits of the data a.
The data l of the second round is a data item derived from the data g of the first round, since it corresponds to a permutation of the bits of the word g, certain bits of the word g also being duplicated.
Knowing a and g, these derived data can also be known.
The critical instructions of the beginning of the algorithm are the critical instructions that manipulate either the data that can be predicted, such as the data a of the first round, or a derived data item.
The critical instructions that manipulate the data a of the first round T1 or the derived data c are thus the instructions of the end of the SBOX operation, of the P PERM operation and of the beginning of the XOR operation of the first round T1.
The critical instructions that manipulate the data g and the derived data are all the instructions from the end of the XOR operation at the end of the first round T1 up to the instructions of the start of the SBOX operation of the second round T2, and the instructions of the beginning of the XOR operation at the end of the third round T3 (L2 = h(T2) = g(T1)).
At the end of the DES algorithm, the data that can be predicted from an encrypted message C and a subkey hypothesis are the data a of the sixteenth round T16 and the data L15, equal to the word h of the fourteenth round T14.
The critical instructions that manipulate the data a of the sixteenth round or the derived data are the instructions of the sixteenth round of the end of the SBOX operation, of the permutation operation P PERM and of the beginning of the XOR operation.
For the data L15, the critical instructions that manipulate this data or the derived data are all the instructions from the end of the XOR operation of the fourteenth round T14 up to the instructions of the start of the SBOX operation of the fifteenth round T15, plus the instructions of the beginning of the XOR operation of the sixteenth round T16.
The countermeasure method according to the invention, applied to this DES algorithm, consists in ensuring that each critical instruction has as many chances of manipulating a data item as of manipulating its complement. In this way, whatever the target bit on which the DPA attack may be performed, the critical instructions that manipulate this bit have as many chances of manipulating a "1" as a "0".
In practice, this must be true for each of the potential target bits: in other words, since the attacker has the choice between several possible attacks, that is, between several possible Boolean selection functions with which to sort the curves for a given subkey hypothesis, the implementation of the countermeasure method according to the invention must ensure that the data manipulated by each of the critical instructions take at random, one time in two, a value or its complement. As far as the application of the countermeasure method according to the invention to the DES algorithm is concerned, the countermeasure must therefore be applied to the critical instructions of the beginning of DES and to the critical instructions of the end of DES, in order to be fully protected.
In DES, all the data manipulated by the critical instructions are an output data item, or data derived from an output data item, of an SBOX operation.
Indeed, at the beginning of DES, the data that can be predicted are the data a and g of the first round T1. The data a is the output data of the SBOX operation of the first round. The data g is calculated from the data a, since g = P PERM(a) XOR L0.
g is therefore a data item derived from the output data a of the SBOX operation of the first round. In this way, all the data manipulated by the critical instructions of the beginning of DES are derived directly or indirectly from the output data a of the SBOX operation of the first round.
As regards the end of DES, the data that can be predicted are the data a of the sixteenth round T16 and the data g of the fourteenth round T14, with g equal to L15.
The data a is the output data of the SBOX operation of the sixteenth round T16.
As for the data L15, it is calculated, in the normal execution of the DES algorithm, from the output data a of the SBOX operation of the fourteenth round T14: L15 = P PERM(a) XOR L14.
If the output data a of these particular SBOX operations are made unpredictable, all the derived data are also made unpredictable: all the data manipulated by the critical instructions of the DES algorithm become unpredictable.
The SBOX operation therefore corresponds to the first means, which consist of a table of constants TC0 and which are used in each round to provide an output data item S from an input data item E.
One embodiment of the countermeasure method applied to the DES algorithm may consist in using at least one other constant table as other means of making the output data unpredictable, in such a way that this output data and/or the derived data manipulated by the critical instructions are all unpredictable.
In the execution of the algorithm, the use of the different means, that is, in the example, of the different tables of constants, is governed by a statistical probability law of one half (1/2).
The other table of constants, or the other tables of constants, are such that they make the complemented data correspond to one and/or the other of the input data and output data of the first table of constants TC0.
Figures 7 and 8 thus represent an embodiment of the countermeasure method of the invention applied to the DES algorithm.
Figure 7 represents the beginning of the algorithm. The operations and data not modified by the countermeasure method according to the invention carry the same references as in Figure 3, already described.
At the beginning of the DES algorithm, a second constant table TC1 is provided in the SBOX operation of the first round T1. All the data affected by this second table of constants TC1 are affected by a sign "or a sign" in these figures. It is observed that the critical instructions of the beginning of DES all manipulate data affected by the countermeasure method.
Since the first constant table is in fact formed of eight first elementary constant tables, the second constant table is likewise formed of eight second elementary constant tables.
In the embodiment shown, the first constant table TC0 and the second constant table TC1 are such that, for the same input data E, the second one provides at the output the complement /S of the output data S provided by the first one.
Figure 9 shows a second elementary table of this type, TC11, which provides a complemented output in relation to the first elementary table TC01 shown in Figure 6.
With a second table of constants TC1 of this type, one obtains, at the output of the SBOX operation of the first round T1, the complement /a of the data a obtained with the first constant table TC0. Similarly, in the first round T1 the complemented data /g is obtained, and in the second round T2 the complemented data /h, /L2, /l and /b.
By using the first table or the second table to provide the output data according to a statistical probability law of one half, all the potential target bits of the beginning of DES, manipulated by the critical instructions, have as many chances of taking the value "1" as of taking the value "0".
At the end of the DES algorithm, the embodiment of the countermeasure method according to the invention requires the use of several tables of constants different from the first one, since the output data a calculated in the fourteenth round T14 and the output data a calculated in the sixteenth round T16 must both be taken into account, in order to make unpredictable all the data manipulated by the critical instructions of this end of DES.
An exemplary embodiment of the countermeasure method applied to this end of the DES algorithm is shown in Figure 8.
The use of two tables of constants TC1 and TC2 is provided. In the SBOX operation of the fourteenth round T14, the second table of constants TC1 already used for the beginning of DES is used. A third table of constants TC2 is used in the SBOX operations of the fifteenth and sixteenth rounds.
This third table of constants TC2 is such that it provides the complement /S of the output data S for the complement /E of the input data E of the first table of constants TC0. An example of a corresponding third elementary constant table TC21, derived from the first elementary constant table TC01, is shown in Figure 10.
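The effect of choosing between TC0 and TC1 with probability one half on the signal DPA(t) of steps a to g can be checked on simulated curves. The following is an added example, not code from the patent: it uses the public DES S-box S1 as the elementary table TC01, and the subkey, consumption profiles, noise level and critical instant are all constructed assumptions.

```python
import random

# DES S-box S1 (public standard) as the elementary table TC01: 6 bits in, 4 bits out.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
# Outer input bits select the row, the four inner bits select the column.
TC0 = [S1[((e >> 4) & 2) | (e & 1)][(e >> 1) & 0xF] for e in range(64)]
TC1 = [s ^ 0xF for s in TC0]     # second table: same input E, complemented output /S

SUBKEY = 0b101101                # constructed 6-bit subkey held by the simulated card
SAMPLES, TC_INSTANT = 12, 7      # samples per curve; instant of the critical instruction
PROFILE = (1.0, 2.0)             # assumed consumption when the target bit is 0 / 1
VM = sum(PROFILE) / 2            # mean consumption Vm away from the critical instant
NOISE = 0.5                      # assumed measurement noise (standard deviation)


def target_bit(table_output):
    """Target bit: most significant bit of the 4-bit table output."""
    return (table_output >> 3) & 1


def acquire(n, masked, seed):
    """Steps a-b: n random 6-bit inputs and one simulated consumption curve each."""
    rng = random.Random(seed)
    messages, curves = [], []
    for _ in range(n):
        m = rng.randrange(64)
        # Countermeasure: TC0 or TC1 is used with probability one half.
        table = TC1 if masked and rng.getrandbits(1) else TC0
        bit = target_bit(table[m ^ SUBKEY])
        curve = [rng.gauss(VM, NOISE) for _ in range(SAMPLES)]
        curve[TC_INSTANT] = rng.gauss(PROFILE[bit], NOISE)
        messages.append(m)
        curves.append(curve)
    return messages, curves


def dpa_signal(messages, curves, hypothesis):
    """Steps d-g: predict the bit, sort into two packets, average, M0(t) - M1(t)."""
    sums = ([0.0] * SAMPLES, [0.0] * SAMPLES)
    counts = [0, 0]
    for m, curve in zip(messages, curves):
        predicted = target_bit(TC0[m ^ hypothesis])   # prediction uses the public table
        counts[predicted] += 1
        acc = sums[predicted]
        for t, value in enumerate(curve):
            acc[t] += value
    return [sums[0][t] / counts[0] - sums[1][t] / counts[1] for t in range(SAMPLES)]


def peak_per_hypothesis(messages, curves):
    """Step c repeated over the 64 hypotheses: largest |DPA(t)| for each one."""
    return {h: max(abs(v) for v in dpa_signal(messages, curves, h)) for h in range(64)}


if __name__ == "__main__":
    for masked in (False, True):
        msgs, curves = acquire(2000, masked, seed=1)
        peaks = peak_per_hypothesis(msgs, curves)
        print("countermeasure" if masked else "unprotected   ",
              "peak for true subkey: %.2f" % peaks[SUBKEY],
              "largest peak over all hypotheses: %.2f" % max(peaks.values()))
```

Without the second table, the true subkey gives a peak close to profile1 - profile0 at the critical instant; with it, no hypothesis rises above the noise floor.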
Using such tables of constants, it appears in Figure 8 that all the critical instructions manipulate complemented data.
The invention is not limited to these particular examples of constant tables TC1 and TC2. There are other possibilities. For example, for the countermeasure method applied at the end of DES, it is also possible to combine the use of the table of constants TC1 with another table of constants defined in relation to the first table of constants TC0 as providing the output data S for the complement /E of the input data.
In general, the end of DES requires the use of different tables of constants, depending on the rounds considered, so that all the data manipulated by the critical instructions of this end of DES are unpredictable.
The embodiment described in relation to Figures 7 and 8, however, has a drawback.
The countermeasure method applied at the input of DES produces calculated intermediate results L3' and R3' which are not correct. All the following intermediate results are therefore not correct either.
Similarly, at the end of DES, the countermeasure method applied at the DES input produces calculated intermediate results L16' and R16' which are not correct.
In all cases, the encrypted message is false.
In this embodiment of the invention, provision must therefore be made to resume the algorithm each time with the correct intermediate results, once the critical instructions have passed.
In practice, since it has been observed that the critical instructions of the beginning of DES are in the first three rounds, these first three rounds are duplicated. In other words, provision is made to execute two sequences, each comprising at least the first three rounds T1, T2, T3. A first sequence SEQA uses the first table of constants TC0 in each round. The other sequence SEQB uses the second table of constants TC1 at least in the first round T1. In the example shown, the first table of constants is used in the next two rounds T2 and T3.
It has been seen that, in the countermeasure method according to the invention, the use of the different means, that is, in the example, the use of the different tables of constants, is governed by a statistical probability law of one half. This statistical probability law of one half is more particularly applied here to the order of use of these different means, that is, in the example, to the order of execution of the two sequences SEQA and SEQB.
Likewise, in order to have the correct parameters L16 and R16 at the end of DES to produce the encrypted message C, the three rounds T14, T15 and T16 (Figure 7) containing the critical instructions of the end of DES are also duplicated. Two sequences comprising at least the last three rounds T14, T15 and T16 are therefore executed. A first sequence SEQA' uses the first table of constants TC0 in each round. The other sequence SEQB' uses the other tables of constants TC1 and TC2. As indicated above, the statistical probability law of one half is then applied to the order of execution of these two sequences SEQA' and SEQB'.
The critical instructions are then executed twice, once in each sequence. But at the time of execution of any one of the critical instructions of either sequence, the probability of manipulating a data item is equal to the probability of manipulating its complement.
The DES calculation program implemented in the electronic component must therefore be modified to include the countermeasure method according to the invention. An example execution flowchart according to the invention, implementing the countermeasure method at the beginning and at the end of DES according to the embodiment described in relation to Figures 7 and 8, is shown in Figure 11. In this example, the sequences SEQA and SEQB comprise the first three rounds and the sequences SEQA' and SEQB' comprise the last three rounds.
The calculation program then consists mainly, at the beginning of the calculation, in saving the input parameters DATAIN and KEY, which correspond in practice to the parameters L0, R0 and r, in a temporary memory area denoted CONTEXT.
According to this calculation program, a first loop counter FR is then set to 0, and a value RND1 equal to 0 or to 1 is drawn at random. If RND1 is 1, in the example, the sequence SEQB of T1, T2, T3 is executed, in which the second table of constants TC1 is used in the round T1 and the first table TC0 in the rounds T2 and T3. The output parameters L3', R3' (which have false values) are saved in a temporary memory area denoted CONTEXT2.
If FR is not equal to 1, it is set to 1, the input parameters are restored from CONTEXT and the value of RND1 is complemented. In the example, RND1 = 0 is obtained. The other sequence SEQA of T1, T2, T3 is then executed, in which the first table of constants is used in the three rounds T1, T2 and T3. The output parameters (correct values) are saved in a temporary memory area denoted CONTEXT1. If FR is equal to 1, both sequences have been carried out. CONTEXT1 is then restored to provide the intermediate results L3, R3, which have the correct values, to the next round (T4).
If RND1 is zero, execution starts with T1(TC0), T2(TC0), T3(TC0) and ends with T1(TC1), T2(TC0), T3(TC0).
On arriving at the end of round T13, the parameters provided by this round, L13, R13, are saved in the temporary memory CONTEXT, and the remaining rounds T14, T15 and T16 are handled in a manner similar to the first rounds.
In all cases, the number of instructions must be exactly the same, regardless of the calculation path. This is mainly why, in the described application example, the false values (L3', R3' or L16', R16') are also saved in the temporary memory area CONTEXT2. If there were any difference between the two possible paths, a DPA attack could succeed.
The countermeasure method according to the invention is not limited to the particular embodiment described with reference to the DES algorithm. It applies to any secret key cryptography algorithm. In general, for any implementation of an algorithm comprising the use of first means to provide output data from input data, where the output data and/or the derived data are manipulated by critical instructions, the countermeasure procedure according to the invention comprises the use of other means, in such a way that the output data and the derived data are unpredictable.
The use of the different means, that is to say of the first means and of the other means, is governed by a statistical probability law of one half (1/2). The other means may comprise several different means. They are such that, for one or the other of the input and output data of the first means, they make the complemented data correspond.
In the application of the countermeasure method to DES described in more detail above, the first means consist of the first table of constants TC0. The other means consist, at the beginning of DES, of the second table of constants TC1. At the end of DES, they consist of two different constant tables, TC1 and TC2 in the example.
In order to apply the countermeasure method according to the invention to a given secret key cryptography algorithm, it is first necessary to determine all the data of this algorithm that can be predicted and all the instructions that are critical in the sense of the DPA attack because they manipulate this data or data derived from it. It is then necessary to identify in the algorithm the first means and the other means in the sense of the invention, in such a way that all the data manipulated by the critical instructions are unpredictable. The first means are, for the DES algorithm, the table of constants TC0. The other means are, in the example, other tables of constants. These means can be different operations for other algorithms. For the same algorithm, these means may consist of different operations according to the critical instructions identified.
The electronic component 1 that implements a countermeasure method of this type in a secret key cryptography algorithm typically comprises, as shown in Figure 12, a microprocessor μP, a program memory 2 and a working memory 3.
To manage the use of the different means according to the invention, which are, in the described example, the different tables of constants stored in the program memory, means 4 for generating a random value of 0 or 1 are provided which, with reference to Figure 11, supply the value of RND1 at each execution of DES. Such a component can more particularly be used in a microcircuit card CP, to improve its tamper resistance.
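The Figure 11 flow for the first three rounds can be sketched in C as follows. This is an added example, not code from the patent: a toy 4-bit Feistel round, a sample 16-entry table standing in for TC0, and a constructed input and subkeys replace real DES, and the names round_fn, seq, first_rounds and run_demo are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Sample 4-bit table standing in for the first table of constants TC0. */
static const uint8_t TC0[16] = {0xE,0x4,0xD,0x1,0x2,0xF,0xB,0x8,
                                0x3,0xA,0x6,0xC,0x5,0x9,0x0,0x7};
/* TC1: for the same input, the complement of the TC0 output (claim 5). */
static const uint8_t TC1[16] = {0x1,0xB,0x2,0xE,0xD,0x0,0x4,0x7,
                                0xC,0x5,0x9,0x3,0xA,0x6,0xF,0x8};
typedef struct { uint8_t l, r; } ctx_t;      /* 4-bit halves L and R */

/* One toy Feistel round: L' = R, R' = L xor table[R xor subkey]. */
static ctx_t round_fn(ctx_t c, uint8_t k, const uint8_t *tab) {
    ctx_t o = { c.r, (uint8_t)(c.l ^ tab[(c.r ^ k) & 0xF]) };
    return o;
}

/* Rounds T1..T3: t1_tab is used in T1, TC0 in T2 and T3. */
static ctx_t seq(ctx_t c, const uint8_t k[3], const uint8_t *t1_tab) {
    c = round_fn(c, k[0], t1_tab);
    c = round_fn(c, k[1], TC0);
    return round_fn(c, k[2], TC0);
}

/* Figure 11 flow: `in` plays CONTEXT, saved[0] plays CONTEXT1 (correct
 * L3, R3), saved[1] plays CONTEXT2 (false L3', R3'). Table and save slot
 * are chosen by index, so both orders run the same statements; real
 * instruction counts still depend on the compiler and target. */
static void first_rounds(ctx_t in, const uint8_t k[3], int rnd1, ctx_t saved[2]) {
    const uint8_t *tabs[2] = { TC0, TC1 };
    for (int fr = 0; fr < 2; fr++) {         /* FR: loop counter */
        saved[rnd1] = seq(in, k, tabs[rnd1]);
        rnd1 ^= 1;                           /* complement RND1 */
    }
}

/* Packs CONTEXT2 then CONTEXT1 as four nibbles for a constructed input. */
static unsigned run_demo(int rnd1) {
    static const uint8_t k[3] = { 0x5, 0xC, 0x9 };   /* constructed subkeys */
    ctx_t in = { 0x3, 0xA }, s[2];                   /* constructed L0, R0 */
    first_rounds(in, k, rnd1 & 1, s);
    return (unsigned)(s[1].l << 12 | s[1].r << 8 | s[0].l << 4 | s[0].r);
}

int main(void) {
    printf("RND1=0: %04X  RND1=1: %04X\n", run_demo(0), run_demo(1));
    return 0;
}
```

Whichever value RND1 takes, the values handed to round T4 are the ones saved by the TC0-only sequence, while the other sequence's output is stored and never used.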

Claims (12)

1. A countermeasure procedure against attacks by differential analysis of current consumption in an electronic component that implements a secret key cryptographic algorithm, the implementation of the algorithm comprising the use of first numerical processing means to provide output data from input data, the output data and/or the data derived from this output data being manipulated by instructions of the algorithm that are critical in the sense of the attacks, characterized in that the countermeasure procedure provides for the use of other numerical processing means (TC1), alternately with the first means, the other means being obtained from the first means by complementing the input data and/or the output data, in such a way that the output data and the derived data are unpredictable.
2. The countermeasure procedure according to claim 1, characterized in that the use of the different means is governed by a statistical probability law of one half (1/2).
3. The countermeasure method according to claim 2, the implementation of the algorithm comprising sixteen rounds of calculation, characterized in that it comprises the execution of a first sequence and a second sequence each formed of at least the first three rounds, the order of execution being a function of the statistical probability law of one half, the first sequence using the first means in each round, the second sequence using the other means in the first round at least.
4. The countermeasure method according to claim 3, characterized in that the first and second sequences are each formed of the first three rounds.
5. The countermeasure method according to claim 3 or 4, characterized in that the other means consist of two means such that for the same input data, they provide in the output the complement of the output data of the first means.
6. The countermeasure method according to claim 2, the implementation of the algorithm comprising sixteen rounds of calculation, characterized in that it comprises the execution of a first sequence and a second sequence each formed of at least the last three rounds, the order of execution of the sequences being a function of the statistical probability law of one half, the first sequence using the first means in each round, the second sequence using the other means.
7. The countermeasure method according to claim 6, characterized in that the first and second sequences are each formed of the last three rounds, and in that the other means used in the second sequence comprise the second means and the third means.
8. The countermeasure method according to any of claims 6 or 7, characterized in that the second means are such that for the same input data, they provide in the output the complement of the output data of the first means, and in that the second means are used in the second sequence for the fourteenth round.
9. The countermeasure method according to claim 8, characterized in that the third means are such that for the complement of the input data, they provide in the output the complement of the output data of the first means, and are used in the second sequence for the fifteenth round and the sixteenth round.
10. The countermeasure method according to any of the preceding claims, characterized in that the different means are constant tables.
11. An electronic component comprising a microprocessor, a program memory and a working memory that allows the operation of a secret key cryptographic algorithm, first numerical processing means being provided to provide output data from input data, the output data and/or the data derived from this output data being manipulated by instructions of said algorithm that are critical in the sense of attacks by differential analysis of current consumption, characterized in that it comprises means for implementing a countermeasure procedure against said attacks according to any of the preceding claims 1 to 10, comprising other numerical processing means stored with the first means in the program memory of the component, and means for generating a random value of 0 or 1 to manage the use of the first means and the other means.
12. A microcircuit card comprising an electronic component according to claim 11.
MXPA/A/2001/003747A 1998-10-16 2001-04-11 Countermeasure method in an electronic component using a secret key cryptographic algorithm MXPA01003747A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
FR98/12989 1998-10-16

Publications (1)

Publication Number Publication Date
MXPA01003747A true MXPA01003747A (en) 2002-07-25
