H04L9/004

SYSTEM AND PROCESS FOR COMPILING A SOURCE CODE
20220164172 · 2022-05-26

According to one aspect, a method for compiling by a compilation tool a source code into a computer-executable code comprises receiving the source code as input of the compilation tool, translating the source code into an object code comprising machine instructions executable by a processor, then introducing, between machine instructions of the object code, additional instructions selected from illegal instructions and no-operation instructions so as to obtain the executable code, then delivering the executable code as output of the compilation tool.

Protection of an iterative calculation

A calculation is performed on a first number and a second number. For each bit of the second number a first function is performed. The first function inputs include contents of a first register, contents of a second register and the first number. A result of the first function is placed in a third register. For each bit of the second number, a second function is performed which has as inputs contents of the third register and the contents of a selected one of the first and the second register according to a state of a current bit of the second number. A result of the second function is stored in the selected one of the first and second register.

A CIRCUIT COMPILING DEVICE AND CIRCUIT EVALUATION DEVICE

Some embodiments are directed to a circuit compiling device for compiling a function into a binary circuit and a function evaluation device for evaluating a function using such a binary circuit. The binary circuit comprises conjunction subcircuits each computing a conjunction of function input bits and XOR subcircuits each computing a function output bit. Each function output bit may be represented as a sum of interpolation terms, the plurality of function input bits and the interpolation terms of the one or more function output bits together forming a plurality of interpolation terms. A conjunction subcircuit computes an interpolation term as a conjunction of two interpolation terms. A XOR subcircuit computes a function output bit as a XOR of interpolation terms. Thereby, the first interpolation term and second interpolation term are also used in XOR subcircuits, hence the binary circuit has a smaller number or likelihood of ineffective faults.

DEVICES AND METHODS FOR THE DETECTION AND LOCALIZATION OF FAULT INJECTION ATTACKS
20220029780 · 2022-01-27

A device for detecting perturbation attacks performed on a digital circuit is provided. The device comprises: a first metallic layer and a second metallic layer arranged on the digital circuit, the first metal layer comprising a plurality of signal transmission lines routed horizontally, the second metal layer comprising a plurality of signal transmission lines routed vertically, the device comprising one or more transmitter buffers and one or more receiver buffers, a transmitter buffer and a receiver buffer being connected by each signal transmission line; a random number generator configured to generate random signal values; the device further comprising a transmitter manager connected to one or more transmitter buffers and a receiver manager connected to one or more receiver buffers, wherein: the transmitter manager is configured to transmit random signal values generated by the random number generator over the signal transmission lines of the first metallic layer and the second metallic layer, the receiver manager is configured to receive random signal values from the transmitter manager through the one or more receiver buffers connected to the receiver manager, measure a transmission time corresponding to a time of transmission of the received random signal values, and compare the transmission time to a predefined timing interval to detect perturbation attacks.

HARDWARE COUNTERMEASURES IN A FAULT TOLERANT SECURITY ARCHITECTURE
20210357536 · 2021-11-18

A system-on-chip (SoC) is provided that includes security control registers, the security control registers including security flags for security critical assets of the SoC, wherein each security flag includes multiple bits.

Systems and methods for operating secure elliptic curve cryptosystems

Various embodiments of the invention implement countermeasures designed to withstand attacks by potential intruders who seek partial or full retrieval of elliptic curve secrets by using known methods that exploit system vulnerabilities, including elliptic operation differentiation, dummy operation detection, lattice attacks, and first real operation detection. Various embodiments of the invention provide resistance against side-channel attacks, such as simple power analysis, caused by the detectability of scalar values from information leaked during regular operation flow that would otherwise compromise system security. In certain embodiments, system immunity is maintained by performing elliptic scalar operations that use secret-independent operation flow in a secure Elliptic Curve Cryptosystem.

Detector, detection method, and detection program

This detection device detects an attack in an on-vehicle network that includes a bus in which a frame including identification information that allows recognition of at least one of a transmission source and a destination is transmitted. In the bus, a plurality of the frames including pieces of the identification information different from each other are transmitted. The detection device includes: a monitoring unit configured to monitor a communication error in the bus; an aggregation unit configured to aggregate a communication error occurrence state regarding each piece of the identification information on the basis of a monitoring result by the monitoring unit; and a detection unit configured to detect the attack on the basis of an aggregation result by the aggregation unit.

Clock period randomization for defense against cryptographic attacks
11750361 · 2023-09-05

Methods, systems, and apparatuses for defending against cryptographic attacks using clock period randomization. The methods, systems, and apparatuses are designed to make side channel attacks and fault injection attacks more difficult by using a clock with a variable period during a cryptographic operation. In an example embodiment, a clock period randomizer includes a fixed delay generator and a variable delay generator, wherein a variable delay generated by the variable delay generator is based on a random or pseudorandom value that is changed occasionally or periodically. The methods, systems, and apparatuses are useful in hardware security applications where fault injection and/or side channel attacks are of concern.

METHOD FOR CRYPTOGRAPHIC SIGNATURE OF A DATUM, ASSOCIATED ELECTRONIC DEVICE AND ASSOCIATED COMPUTER PROGRAM

A method for cryptographic signature of a datum comprises determining: a signature point equal to the addition of elements equal to a derived first point and of number equal to a first scalar; a second scalar by subtracting, from the product of the first scalar and of a selected scalar, the product of a third and of a fourth scalar; another signature point equal to the addition of elements equal to a selected point and of number equal to the second scalar, and of elements equal to a derived second point and of number equal to the fourth scalar; and a signature portion based on a private key, on the first scalar, on a coordinate of the signature point and on the datum. The derived first and second point are respectively equal to the addition of elements equal to a generator point and of number equal to a fifth and to the third scalar.

Device and method for protecting execution of a cryptographic operation
11824986 · 2023-11-21

There is provided a device for protecting the execution of a cryptographic operation from attacks, the cryptographic operation being implemented by a cryptographic algorithm, the cryptographic operation comprising at least one modular operation between a main base (m) representing a data block and at least one scalar (d) in at least one finite starting group. The device is configured to determine at least one intermediary group (E′) different from the at least one starting group (E), the number of intermediary groups being equal to the number of starting groups E. The device is further configured to determine at least one final group (E″) from the at least one starting group E and the at least one intermediary group E′. The base m being mapped to an auxiliary element (x) in the at least one intermediary group and to an auxiliary base (m″) in the at least one final group E″. The device performs a first elementary operation in each final group (E″i), the first elementary operation consisting in executing the modular operation between the auxiliary base (m″) and an auxiliary scalar (d_a) in each final group E″, which provides at least one result, the auxiliary scalar (d_a) being determined from the auxiliary element (x) and from the main scalar (d). The device further performs a second elementary operation in each starting group E, the second elementary operation consisting in executing the modular operation between an additional auxiliary base and an additional auxiliary scalar d′_b in each starting group, at least one of the additional auxiliary base and of the additional scalar being derived from the result of the first elementary operation.