Systems, methods, and apparatuses for protecting a secret on a device with limited memory, while still providing tamper resistance, are described. To achieve security, an encoding computer can apply a memory-hard function MHF to a secret S and determine a result Y, then determine a proof π for the result Y. Then, the encoding computer can send a codeword C comprising the secret S and the proof π to a decoding computer. The decoding computer can retrieve the codeword C from persistent memory and parse the secret S and the proof π. The decoding device can use transient memory to decode the codeword C by verifying the proof π was generated with the secret S and the result Y. When the correctness of the result Y is verified, the decoding device can apply a cryptographic function to input data using the secret S then reset the transient memory.

Countermeasures against fault injection attacks of a cryptographic integrated circuit, and more specifically laser fault injection attacks are provided. The invention consists in generating sequences of bits belonging to a set of allowed sequences, and storing these sequences on a set of Flip-Flops. Then the sequences stored on the Flip-Flops are checked and, if they do not belong to the allowed sequence, this is the sign that a fault injection attack occurred and caused a bit flip in one of the flip-flops. An alarm signal is then generated.

An integrated circuit having a plurality of field-effect transistors, wherein at least a proportion of the field-effect transistors implement a plurality of logic cells, a substrate, a well which is arranged in the substrate, and a supply circuit which is designed to connect the well to a supply potential, wherein the supply circuit is constituted by one or more field-effect transistors of the plurality of field-effect transistors.

A first address bus may be located in an upper layer of an integrated circuit that is associated with a memory and a memory controller. The first address bus may receive a first portion of a memory address. A second address bus may be located in a lower layer of the integrated circuit where the second address bus is to receive a second portion of the memory address. Furthermore, a data bus may be located in an intermediate layer where the data bus is to receive data corresponding to the memory address from the memory and may transmit the data to the memory controller. The intermediate layer may be between the upper layer and the lower layer. A layout of the signals of the data bus may vertically overlap with a layout of signals of the first address bus and a layout of signals of the second address bus.

The present invention relates to a shift register protected against physical attacks, comprising a coding module, a decoding module, a plurality of basic shift registers of which the respective inputs receive the bits of a codeword supplied by the coding module using an input bit at each clock cycle, and of which the respective outputs are connected to the decoding module in order to supply an output bit, with the codewords being chosen in such a way as to have the same non-zero Hamming weight and two successive codewords having a constant non-zero Hamming distance. The codewords are generated using an internal state machine and/or an external state machine to the coding module.

A detection circuit of electromagnetic fault injection includes: a shielding layer configured to shield interference; at least one group of metal-oxide semiconductor MOS transistors, where a source end of the at least one group of MOS transistors is connected to the shielding layer; at least one latch, where a drain end of the at least one group of MOS transistors is connected to an input end of the at least one latch; and a signal output module, where an input end of the signal output module is connected to an output end of the at least one latch. The detection circuit could detect in real time and alarm electromagnetic fault injection in time to ensure robustness and safety of a chip.

A method for executing a function secured by time synchronisation, comprising the random choice of a value of a delay from a group G2,k of n2,k possible values, the random choice being performed according to a probability law Sk, the values of the group G2,k fulfilling the following condition: wherein x0 to Xn2,k−1 are the n2,k values of the group G2,k, Sk[xI] is the probability of occurrence associated with the value Xi by the law Sk, SSk is the statistical distribution of the possible values of the accumulated delays already introduced between times tref and tsk, tsk is the time at which the microprocessor executes the first instruction of a sequence Seqk, tref is the reference time when the microprocessor executes a particular instruction, SSmaxk is the largest value of the statistical distribution SSk, and p is a real number greater than 1.3.

An optical electromagnetic radiation (EM) emitter and receiver are located upon a printed circuit board (PCB) glass security layer. A predetermined reference flux or interference pattern, respectively, is an expected flux or reflection pattern of EM emitted from the EM emitter, transmitted by the glass security layer, and received by the EM receiver. When the PCB is subject to an unauthorized access thereof the optical EM transmitted by glass security layer is altered. An optical monitoring device that monitors the flux or interference pattern of the optical EM received by the EM receiver detects a change in flux or interference pattern, in relation to the reference flux or reference interference pattern, respectively, and passes a tamper signal to one or more computer system devices to respond to the unauthorized access. For example, one or more cryptographic adapter card or computer system functions or secured crypto components may be disabled.

A host device includes a power supply unit configured to supply power to a SoC, a current measurement circuit configured to measure a current from the power supply unit to the SoC, a detection unit configured to detect a power supply glitch in the host device, on the basis of a result of current measurement by the current measurement circuit, and a controller configured to suspend transmission of encrypted command from the host device to the memory device if the detection unit detects a power supply glitch in the host device.

A system with fault injection attack detection can include a circuit block; at least one independent power network; a detector coupled to the at least one independent power network to detect a change in a power characteristic of the independent power network; and sensors coupled to the at least one independent power network and located in an active layer of a chip with the circuit block. The sensors are responsive to at least one type of fault injection attack. In some cases, the sensors can be inverters.