Patent Application
20090126029
The present invention relates to the field of making data secure in an electronic component.
The present invention relates more particularly to a method and to an architecture for protecting a hardware integrated circuit against fault attack.
Smart cards, and more generally certain portable electronic components, are often used as units for computing and storing secret and/or sensitive data with the aim of making an application secure. Identity, mobile telephones, payment, transport, or indeed access control are all fields of application in which the smart card has an essential role to play.
That role consists, inter alia and non-limitingly, in authenticating the holder of the card and/or the issuer of the card. The card can also contain “units” that can correspond to loyalty points, money (e.g. telephone units), or indeed subway tickets, depending on the application.
The smart card thus represents, for certain dishonest individuals and organizations, a target of predilection for acting fraudulently or for damaging the brand image of a company.
Since being deployed, smart cards have had to deal with threats from power or current consumption observation (side channel analysis) and, more recently, from attacks by injecting transient faults. Such attacks are relatively complex to detect, and it is difficult to implement responses to such attacks. Currently, electronic components do not guarantee correct operation regardless of the external disturbances. As a result, the software embedded in the card must protect itself from any component failure generated by injecting a fault.
Solutions are already known from the prior art for detecting disturbances, e.g. glitches (voltage spikes), that might give rise to a fault in operation of the electronic component. It should be noted that hardware solutions exists that consist in integrating environmental sensors (for sensing temperature, clock frequency, power supply voltage, or light) that detect a disturbance (a voltage that is abnormally low, a light intensity that is too high) in order to react before the component enters an operating zone deemed to be unstable and thus risky in terms of faults. Those solutions are costly because they require specific sensors to be developed (economic cost) and such sensors to be integrated into circuits that are sometimes very small in size (sizing cost).
Solutions are also known that detect the effect of the disturbance suffered, e.g. by the presence of a modified data bit.
Among others, there exist software or hardware solutions of the type providing redundancy for a process. The redundancy consists simplistically in performing the same operation (computation, transmission, etc.) twice in order to compare the results of the two actions. In software mode, the redundancy can be a double computation on data. In hardware mode, this redundancy can be manifested by the presence, for example, of two duplicate registers that store, a priori, the same values. If the results are different, then it can reasonably be concluded that one of the actions did not take place properly, probably consequent upon a disturbance (fault). The drawback with those solutions lies in the fact that the protection or detection is provided at a point only, and in the fact that performance is lost due to operations being repeated. Redundancy offers a guarantee only for the operation that is performed in duplicate.
Software or hardware solutions also exist that are of the integrity check type. An item of data stored in a non-volatile memory has a checksum added to it, that checksum making it possible to detect whether the data is corrupted by a fault and then to verify the checksum in the event of inconsistency between the data and the checksum. Adding integrity data is in widespread use in software layers, e.g. for transmitting data. Hardware checksums, as found in the prior art, are implemented only at memory block level, and are often referred to as “parity bits”. The elementary machine word (8 bits on an 8-bit component) is stored on 9 bits in the memory, the 9th bit being a parity bit positioned such that the parity of the word is systematically even/odd. On reading, the parity is verified and the 8-bit word is positioned on the data bus. On writing, the 8-bit world positioned on the data bus is written in the memory and the parity bit is generated at the same time. The problem is that, on the data bus, the transmitted word does not include any integrity data: there is no way of verifying that that value, once transferred to the memory, to the central processing unit (CPU), or to the cache, is still correct.
It should be noted that, with concern for optimum security, the ideal situation would be to be able to detect a fault regardless of the effect thereof. Unfortunately, that is not possible at a reasonable cost with the above-described prior art systems (redundancy, and checksum).
Generally, the prior art solutions do not make it possible to perform integrity checking permanently on the data. No solution is proposed for permanent integrity checking of data at hardware level.
A need therefore exists for faults to be detected systematically and for permanent integrity of data to be guaranteed during manipulations by the hardware elements.
An object of the present invention is to remedy the drawbacks of the prior art by proposing a method of processing data for detecting faults, and a hardware architecture that is also provided for that purpose. The method and the architecture make it possible to work on words including integrity data systematically; the number of bits of the words is greater than the number lX of initial data items X so as to incorporate integrity functionalities Y permanently into all of the hardware processing steps.
The method of the present invention satisfies particularly well the needs for fault detection because it guarantees integrity for the data throughout the processing chain, and throughout the life of the data, while also maintaining processing performance.
Each hardware component is designed to work systematically with lX+lY bits in order to make detection optimal and systematic. This means that each software word X is stored in a memory in lX+lY cells, and that the software word X is transferred from one hardware module to another with its associated checksum on a bus of lX+lY lines. In this way, the software word is protected regardless of its type: address, data, instruction, operand, etc.
To this end, in its most general acceptation, the invention provides a method of processing digital data X of software that is coded on a number lX of bits for detecting faults in an electronic circuit comprising at least a bus, a processor unit, and a memory for executing the software, the method comprising:
In an implementation, said data Z consists in the concatenation of the data X with the integrity data Y resulting from the integrity function f applied to the data X: Z=X|Y=X|f(X). Below “|” is the operation indicating concatenation of two elements (X and Y in the above).
In another implementation, said integrity function f computes the number of bits set to “1” or to “0” in said digital data X.
More particularly, said processing step for processing the digital data Z is performed by an arithmetic and logic unit (ALU), and comprises:
and said integrity function f complies with the following:
f(X1OPX2)=f(X1)OPf(X2).
In an implementation, said processing step for processing the digital data Z is performed by an arithmetic and logic unit (ALU), and comprises:
Particularly, said function f is defined by f(X)=X/lX, where: lX is the length in number of bits of the binary word X.
The invention also provides a hardware architecture for detecting faults in an electronic circuit, the architecture comprising:
In an embodiment, said bus is provided with at least one means for verifying the integrity of said data Z transferred by said bus.
In a particular embodiment, said hardware resources comprise at least a memory that stores said data Z in the form of words of size lX+lY bits (size of the software word+size of the integrity check word).
In an embodiment, said hardware resources comprise at least at least registers associated with a central processing unit (CPU), said registers storing the data Z in the form of words of size lX+lY bits, and said central processing unit (CPU) performing operations separately on said data X and on the additional integrity bits Y.
Particularly, said hardware resources comprise at least one arithmetic and logic unit (ALU) computing an operation OP separately on said data X of the data Z and on the additional integrity bits of the data Z, and said integrity function f complies with the following:
f(X1OPX2)=f(X1)OPf(X2).
Optionally, said material resources comprise at least one arithmetic and logic unit (ALU), said ALU:
In an implementation, said integrity function f computes the number of bits set to “1” or to “0” in said software word X, or said function f is defined by f(X)=X/lX, where lX is the length in bits of the binary word X.
The invention also provides an electronic component, e.g. a smart card, including one of the preceding hardware architectures.
The invention can be better understood from the following description of an embodiment of the invention, given merely by way of explanation and with reference to the accompanying figures, in which:
In the following description, the term “data” is used to mean any digital information that passes through or that is executed, stored, or processed in the integrated circuit, regardless of whether such data is constituted by binary variables, memory addresses, instructions, etc. In the invention, every item of data is assigned a checksum.
Similarly, the terms “checksum”, “parity bits”, “integrity bits/data” or indeed “check word” are considered to be synonyms and represent additional items of data in addition to an item of data, which additional items of data are determined as a function of the item of data, e.g. by a function. Such integrity data makes it possible to check the integrity of a file or of a block of data, and to verify with more or less precision whether data has been transmitted correctly. A conventional method is Cyclic Redundancy Checking (CRC).
The term “software word” is used to mean the binary succession representative of an item of data used by a piece of software, e.g. a variable, and considered as a whole for any particular processing. A software word can have a size of 8, 16, or 32 bits, for example. In the description below, the letter “X” represents such a software word and “lX” represents the size of the software word.
The term “hardware word” or “machine word” is used to mean the binary succession used by the hardware elements of the electronic circuit to manipulate the software words during a software command. The electronic circuit comprises at least a data/address bus, a memory, and a processor unit (CPU, ALU, etc.). the machine words can have the same size as the software words but, in the present invention, they are of larger size, e.g. 10, 18, or 36 bits for software words of respectively 8, 16, or 32 bits. The additional or “overhead” bits are integrity bits for encoding a checksum that can be constituted by a single bit or by a plurality of bits in order to increase the probability of detecting a fault. In the description below, the letter “Z” designates the hardware word, and the letter “Y” designates the integrity bits, so that Z=X|Y; and “lz” and “lY” designate the associated sizes.
The integrity data items Y are computed on the basis of the software word X by a function f referred to as an “integrity function” so that Y=f(X). An example of an integrity function f is the number of bits at “1” (at “0”) in the software word X.
The software word X on its own is considered to be unprotected because any inopportune modification of a bit of it cannot be detected. Conversely, in the machine word Z=X|Y, the software word X is protected because any modification of it implies inconsistency between the integrity data Y and the word X.
With reference to
Regardless of the hardware path taken or of the storage, integrity data items are associated permanently with the software words.
The address and data buses are of size lX+lY, the words in the memory use memory cells of size lX+lY, and the central processing unit (CPU) uses registers and data items of size lX+lY.
Storage memories of the Non-Volatile Memory (NVM) type or of the Read-Only Memory (ROM) type 10 and 11 store data and computer programs in the form of machine words of lX+lY bits. These items of data are recorded from an external computer station 12 after the transmitted data items have been verified by an integrity check unit 13. The check unit 13 verifies that the data transmitted by the station 12 do not contain any inconsistency. With reference to
Returning to
Data items in the form of a machine word X|Y are also transmitted over a data/address bus 16 of lX+lY bits. Thus, the data bus 16 conveys data protected by the integrity information. In order to compartmentalize each functional hardware structure (e.g. the read-only memory zone, the bus, and the Random Access Memory (RAM)), an integrity check unit 13 can be used for each link between two different functional hardware structures. This applies between the memory zone 10 and the data bus 16: the integrity of the data is checked prior to transmission over the bus and/or on reception from the bus.
Peripherals 17 and read/write memories of the RAM type 18 all working with machine words of size lX+lY are also part of the architecture and they converse with the data bus 16 via an access control bus 19 and via a check unit 13.
General registers 20 are also available and they store data delivered, for example, by a central processing unit (CPU) in cells of size lX+lY. These registers 20 feed an arithmetic and logic unit (ALU) 21 with data items X|Y. This ALU 21 works on hardware words X|Y and implements logic and/or arithmetic operations in order to deliver an item of data also on lX+lY bits.
The ALU 21 receives two hardware words as input: Z1=X1|Y1 and Z2=X2|Y2, and delivers one hardware word Z=X|Y as output. The ALU 21 performs an operation OP on the software words X1 and X2 in compliance with its own function, delivering one result word X=X1 OP X2. The integrity data items are processed similarly by an operation OP′: Y=Y1 OP′ Y2.
It should be noted that, in order to guarantee the integrity of the machine word Z output from the ALU 21, it is necessary for:
f(X1OPX2)=Y1OP′Y2=f(X1)OP′f(X2)
Each digital data item X is associated with an integrity data item Y, also referred to as a “redundancy check data item”. Each operation performed on the digital data item X is also associated with an integrity function or operation on the digital data item X.
Since the integrity verification and obtaining the resulting data at the end of the operation take place in parallel and/or consecutively, a fault attack effected at the level of any operation causes inconsistency between the resulting data obtained at the end of the operation and the corresponding integrity data obtained in parallel.
Thus, mere verification between the data obtained at the end of a predetermined operation and an integrity verification at the end of execution of the operation in question is sufficient for detecting the presence of a fault attack throughout and/or after execution of the operation.
In the following paragraphs, a known algorithm, namely the Montgomery modular multiplication algorithm, is taken as an example of an operation OP.
It should be recalled that operation of the hardware implementation is based on the difficulty of manipulating large integers, e.g. integers having a size of about 1024 bits.
Due to the nature of the Montgomery modular multiplication, verifying the integrity of the data obtained at the end of a Montgomery modular multiplication can be performed efficiently.
It should be recalled that a Montgomery modular multiplication, known to the person skilled in the art, for multiplying two integers x and y mod m, has as input the following three items of data (or operands), where the function “mod. m” represents the remainder from a division of a number by the number m:
The Montgomery modular algorithm then proceeds as follows:
1. A←0 (notation A=(anan-1 . . . a1a0)b); where the sign “←” known to the person skilled in the art corresponds to assignment of the value of the computation or of the data item on the right of the sign to the left of the sign;
2. for i in the range 0 to (n−1) do:
(a) ui←(a0+xi y0) M mod b;
(b) A←(A+xi y+ui m)/b;
3. If A≧m then A←A−m; and
4. Return of A.
At the output of the Montgomery modular multiplication algorithm, the following result is obtained:
A=xyR
−1 mod m.
In the invention, the data items that are to perform the Montgomery modular multiplication perform in parallel the following integrity function applied to a data item x: f(x)=x mod(b−1); such a function also represents the sum of all of the words in the representation of x modulo (b−1), i.e.:
The inputs m, x, and y are subjected in parallel to the integrity function:
Such an integrity function is homomorphous modulo (b−1), i.e. f(x+y)=f(x=+f(y)mod(b−1); and f(x*y)=f(x)*f(y)mod(b−1)
When a data word is modified, the modification is thus detected. When more than one word is modified, the modification is detected with a probability of:
1−(1/(b−1).
Since the data words are summed, the latest modification presents a probability of (1/(b−1)) of being the inverse of all of the modifications that have already been taken into account.
Other than during one or more fault attacks, the integrity verification fails in a single case only: when the two results obtained in parallel, namely the data resulting from the Montgomery modular multiplication and the data resulting from the integrity function, are reinitialized to the initial values, i.e. when all of the bytes are reset to the value “0x00”. However the zero data item then conveys no significant information, in particular as seen by an attacker.
The Montgomery modular algorithm as modified in accordance with the invention then proceeds as follows:
1. A←0 (notation A=(anan-1 . . . a1a0)b.)
2. A′←0 (notation A′=(a′0)b.);
3. For i in the range 0 to (n−1) do:
(a) ui←(a0+xiy0) M mod b;
(b) A←(A+xiy+uim)/b;
(c) A′←A+uim′)mod(b−1);
4. A′←(A′+x′y′ mod(b−1);
5. If A≧m then A←A−m; A′←(A′−m′ mod(b−1);
6. Return of A and A′.
At the end of the Montgomery modular multiplication operation and of the integrity function that are executed simultaneously, the following results are respectively obtained:
A=xyR
−1 mod m and A′.
The verification of the integrity function where f(A) corresponds to A′ is then still verifiable. Thus, if the correspondence of f(A) and A′ is verified, then no fault attack is taking place or has taken place. Conversely, if the correspondence of f(A) and A′ is not verified, then one or more fault attacks are taking place or have taken place on the electronic circuit.
It should be noted that processing the digital data items X associated with the integrity data items Y, in general, of the hardware word Z, can be reading from and/or writing in a memory, manipulation in a processor unit, transfer of the hardware word Z via a bus specific to the resources of the electronic circuit.
It should be noted that the correspondence between the present notation and the notation used, in generic manner, previously, is as follows:
X1=X; X2=y; another operand not yet introduced X3=m; OP is the Montgomery modular multiplication operation; Y1=x′; Y2=y′; and Y3=m′; A=X and A′=Y.
It can be understood that any computation, in particular within a Rivest-Shamir-Adleman (RSA) cryptographic computation (not shown) involving at least one Montgomery modular multiplication of data can, at any time, during and/or after the Montgomery modular multiplication operation, be the subject of the verification of the integrity function Y=f (X), where X is the subject of the Montgomery modular multiplication operation.
Such an RSA computation is performed, for example, with the purpose of accelerating the hardware implementation of the RSA cryptography computation.
An operation OP is chosen identical to OP′, e.g. an arithmetic addition. The choice of the integrity function f cannot then be free. It is conditioned by f(X1 OP X2)=f(X1) OP f(X2).
For example, if OP is an arithmetic addition, it is possible to choose f(X)=|X/8|: if X is a value on 8 bits, Y is a value on 5 bits (thus Z is on 13 bits). In general, it is possible to choose, as an example of the function f: f (X)=X/lX where lX is the number of bits (length) of the word X.
In such an implementation, the operations on the software words Xi and on the integrity data Yi are performed in parallel. Thus, the final circuit is as fast as in a version in which the data items are not protected by integrity information. Conversely, the hardware implementation of the ALU 21 (like all of the hardware elements) requires a larger quantity of silicon (proportional to the ratio between X and Y) for equivalent performance.
With reference to
This embodiment is less secure because the integrity data items at the output are recomputed on the basis of the software word X resulting from the operation. There are therefore no means of detecting any error during the operation OP.
The CPU (not shown in
| Number | Date | Country | Kind |
|---|---|---|---|
| 0552237 | Jul 2005 | FR | national |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/EP2006/064425 | 7/19/2006 | WO | 00 | 7/17/2008 |
