An execution method comprises the following operations: every time an instruction to be protected of a preceding basic block is loaded, constructing a new value of a signature of this preceding basic block from the value of this instruction to be protected and the preceding value of the signature. The method further includes loading an initialization vector contained in a subsequent basic block and calculating, from said loaded initialization vector, a value reached for signing the preceding basic block. The method also includes comparing the constructed value of the signature with the expected value of this signature, and only if these values do not match, triggering the signaling of a fault during the execution of the machine code.

Various embodiments of the invention implement countermeasures designed to withstand attacks by potential intruders who seek partial or full retrieval of elliptic curve secrets by using Various embodiments of the invention implement countermeasures designed to withstand attacks by potential intruders who seek partial or full retrieval of elliptic curve secrets by using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks, and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, caused by the detectability of scalar values from information leaked during regular operation flow that would otherwise compromise system security. In certain embodiments, system immunity is maintained by performing elliptic scalar operations that use secret-independent operation flow in a secure Elliptic Curve Cryptosystem.

This execution method comprises the supplying of the machine code, this machine code being formed by a succession of base blocks, each base block being associated with a signature and comprising instructions to be protected, each instruction to be protected being immediately preceded or followed by an instruction for constructing the value of the signature associated with this base block, wherein: each construction instruction is coded on strictly less than N bits, and each word of the machine code which comprises at least one portion of one of said instructions to be protected also comprises one of said construction instructions so that it is not possible to load an instruction to be protected into an execution file, without at the same time loading a construction instruction which modifies the value of the signature associated with this base block when it is executed.

According to various embodiments, a control device is described including an application core including a processor, a memory and a direct memory access controller and a security module coupled to the application core via a computer bus. The direct memory access controller is configured to read data from the memory, generate a hash value for the data and provide the hash value to the security module via the computer bus. The security module is configured to process the hash value.

A data processing system includes a host processor that executes an operating system and an accelerator operable to process data under the control of the operating system executing on the host processor. The accelerator can be switched between a normal mode of operation and a protected mode of operation in which the side channel information that can be provided by the accelerator to the host processor is restricted. The data processing system also includes a mechanism for switching the accelerator from its normal mode of operation to the protected mode of operation, and from its protected mode of operation to the normal mode of operation.

A secure electronic chip including a plurality of biased semiconductor wells and a well biasing current detection circuit. Each of the wells includes a transistor and a bias contact electrically isolated from the transistor. The detection circuit is electrically coupled to each bias contact and is configured to detect a bias current passing through the bias contact that is indicative of an attempt to tamper with the electronic chip.

A system and method for minimizing the likelihood that the secret key used by a bootloader is compromised is disclosed. A bootloader is installed on the device. The bootloader is a software program that performs many functions. These functions may include checking the checksum of the incoming software image for integrity, decrypting the incoming software image using a secret key, deleting data in the FLASH memory, installing the new software image in the FLASH memory and other functions. The bootloader utilizes various techniques to track the versions of the software image being installed. The method also counts the number of incomplete attempts that are made when trying to update the software image. By monitoring these parameters, the bootloader can determine when a malicious actor is attempting a side channel attack. In response, the bootloader may not allow a new software image to be loaded or the secret key to be accessed.

A cryptographic device (100) calculates a block cipher (500) on a block cipher input (105) and produces a block cipher output (106). The block cipher calculation operates on encoded values (210). The cryptographic device includes a round function unit (140; 300) for applying the final round (118) of the multiple rounds of cryptographic processing implementing the block cipher. A first output unit (160) and second output unit (180) decodes encoded output data (132, 152).

Various embodiments of the invention implement countermeasures designed to withstand attacks by potential intruders who seek partial or full retrieval of elliptic curve secrets by using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks, and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as sample power analysis, caused by the detectability of scalar values from information leaked during regular operation flow that would otherwise compromise system security. In certain embodiments, system immunity is maintained by performing elliptic scalar operations that use secret-independent operation flow in a secure Elliptic Curve Cryptosystem.

A secure computing device, including: a processor configured to carry out a secure operation; a memory in communication with the processer configured to store secure data; and a memory controller configured control storage of data in the memory and reading data from the memory, wherein the secure data is split into shares before being stored in the memory and wherein the memory controller is configured to: apply a masking storage transform (MST) to one of the shares to produce a masked share before storing the shares in the memory, wherein the MST is a permutation without a fixed point; apply an inverse MST to the masked share when reading the shares from the memory; and combine the read shares to reconstruct the secure data.