Abstract: The conditional jump authorizes the execution of a specific processing operation on a data element D if a Boolean expression between one or more operands is verified and, if not, prohibits the execution of the specific processing operation on the data element D. The method for securing this conditional jump comprises: a) the computation (36, 48, 50; 84, 88, 90) of a data element D' from the data element D and from the operands of the Boolean expression so that the data element D' is identical to the data element D if and only if the Boolean expression is verified and so that the data element D' has another value, called an invalid value, if the Boolean expression is not verified, the data element D' being encoded on several bits, and b) the use (56-92) of the data element D' instead of the data element D during any execution of the specific processing operation. Fig. 2
Method for securing a conditional jump, information carrier, program, secured system and security processor for this method
The invention concerns a method for securing a conditional jump against fault injection attacks, an information carrier and a secured system against such attacks.
The term "conditional jump" designates an instruction which permits the execution of a specific processing operation on a data element D only if a Boolean expression between one or more operands is verified and which, if not, prohibits the execution of the specific processing operation on the data element D. In high-level programming languages, this instruction is often written in the following form: "if [Boolean expression], then [specific processing of D], else [default processing]". In particular cases, there is no default processing so that the "else" clause can be omitted. However, there are many conditional jumps in instructions that are not necessarily written in the form "if ... then ... else ...". For example, a "switch" instruction can be broken down into several conditional jumps even though no "if ... then ... else ..." type instructions appear when it is written in high-level language. More specifically, in high-level language, a switch instruction can be written as follows:
switch(V) {
case Vc: specific processing 1,
case V'c: specific processing 2
default: break
}
The term "Boolean expression" designates an expression which, when evaluated, returns either the value "true" or the value "false". A Boolean expression is said to be verified if the result is equal to "true" and it is said to be not verified if the result is equal to "false". The result of the evaluation of the Boolean expression is therefore a Boolean value, i.e. a value encodable by means of a single information bit.
A Boolean data element is defined as being a data element whose value is equal to either "true" or "false". The value of a Boolean data element is therefore systematically encodable by means of a single information bit. Conversely, a non-Boolean data element is a data element that can take strictly more than two different values. A non-Boolean data element is therefore not systematically encodable by means of a single information bit.
A conditional jump therefore has an associated Boolean expression comprising one or more operands. For example, the Boolean expression can be written as follows:
an expression of equality which returns the value "true" if the operands are equal and the value "false" if not,
an expression of inequality which returns the value "true" if the operands are different and the value "false" if not,
an expression of superiority which returns the value "true" if the first operand is greater than the second operand and the value "false" if not,
an expression of inferiority which returns the value "true" if the first operand is smaller than the second operand and the value "false" if not.
Finally, here, the terms "enciphered" or "enciphering" also designate any operation aimed at making a data element unintelligible to a third party who does not have the information needed to rebuild the original data element. Typically, complex enciphering operations, i.e. those that use a substantial quantity of computer resources, use an enciphering algorithm parameterized by an enciphering key. In the case of a symmetrical algorithm, the enciphering key can also be used for deciphering. In the case of an asymmetrical algorithm, the deciphering key is distinct from the key used for the enciphering. The enciphering algorithm is either public or secret. The enciphering key is always secret when the algorithm is a symmetrical enciphering algorithm and at least one of the keys, called a private key, is secret when it is an asymmetrical enciphering algorithm. For a given enciphering algorithm, the lengthier the enciphering key, the higher the security. For example, the keys are coded on at least 32 bits and preferably on more than 128 bits for the AES (Advanced Encryption Standard) symmetrical algorithm or more than 1024 bits for the RSA (Rivest, Shamir & Adleman) asymmetrical algorithm. There are also simple enciphering operations, i.e. enciphering requiring fewer computer resources in order to be executed. An example of simple enciphering is the masking of a data element. Masking consists for example in combining the data to be masked with a random number that is kept secret.
A fault injection attack, also known as a "fault attack", consists in forcing a processor not to execute instructions or to execute them badly. For example, to this end, the environmental conditions of the processor are deliberately disturbed. For example, the processor is subjected to sudden increases in temperature or the electrical power supply signal or the clock signal is modified. It is also possible to expose the processor to laser pulses, electromagnetic emission or radiation of radioactive particles.
The faults thus prompted during the execution of a program lead to modifications, especially random modifications, of the data bits or instruction jumps. For example, these faults may prompt a modification of the address passed as an argument to a jump instruction or a modification of the jump instruction itself.
Conditional jumps are particularly vulnerable to this type of attack. Indeed, a fault injection attack may enable activation of the execution of specific processing independently of the evaluation of the Boolean expression associated with the conditional jump. These jumps are all the more liable to be attacked by this type of method as they are situated or made within a decision security routine such as for example the verification of a digital signature, the verification of a MAC (Message Authentication Code) or a consistency check made through hash functions.
Various approaches have been proposed to secure a jump against fault injection attacks. These approaches essentially use the redundancy of the instructions to make non-execution of a conditional jump more difficult in a program. The patent application WO 2007/006 887 describes an example of a solution of this kind.
However, the implementation of these solutions is still difficult especially because they often require a particular organization of the memory of the processor.
The invention seeks to overcome this drawback by proposing a method for securing a conditional jump against fault injection attacks that is easier to implement.
An object of the invention therefore is a method of this kind in which the execution of the conditional jump is done by means of the following succession of operations:
a) computing a non-Boolean data element D' from the data element D and from the operands of the Boolean expression so that the data element D' is identical to the data element D if and only if the Boolean expression is verified and so that the data element D' has another value, called an invalid value, if the Boolean expression is not verified, the data element D' being encoded on several bits, and
b) using the data element D' instead of the data element D during any execution of the specific processing operation.
In the above method, the conditional jump is replaced by a sequence of operations a) and b) whether or not the Boolean expression is verified. This amounts therefore to replacing the two jumps (the jump taken if the Boolean expression gives the result "true" and the jump taken if the Boolean expression gives the result "false") of a conditional jump implemented in the form of an "if ... then ... else ..." by a single jump. Thus, it is possible to systematically execute the specific processing. However, in the above method, this does not bring the security of the program into question. Indeed, if the Boolean expression between the operands is verified, then the specific processing is executed on the valid data element D. If not, if the Boolean expression is not verified or if a fault injection attack has taken place, then, in the worst case, the specific processing is executed on another value and gives a result that is unexploitable or useless. This execution of the specific processing operation on such an invalid value of the data element D' does not give more information than if this specific processing operation had not been executed. This invalid value of the data element D' may possibly even block the execution of the specific processing operation if this processing operation does not have a proper format.
Thus, a fault attack on this part of the program is necessarily doomed to failure. Indeed, by modification of the instruction code to be executed or modification of the value of the ordinal pointer indicating the instruction to be executed, such an attack is liable to modify the value of the data element D'. If the value of the data element D' is modified by fault injection attack, the value thus obtained is in all probability invalid. Thus, the fact that the specific processing operation is executed on an invalid value of the data element D' does not have any importance and does not harm the security of the program.
Finally, the operations a) and b) may very easily be implemented in a high-level programming language such as the C, C++ or Java languages. Thus, the implementation of the above method is particularly simple and requires no particular addressing of the memory.
The embodiments of this method may comprise one or more of the following characteristics:
the computation of the data element D' comprises:
c) the conversion, by means of a reversible function, of the data element D to produce a different data element D* from which it is not possible to rebuild the data D without any other information,
d) the building of the data element D' from the data element D* and from the operands of the Boolean expression so that the data element D' is identical to the data element D if and only if the Boolean expression is verified and so that the data element D' has another value, called an invalid value, if the Boolean expression is not verified;
the method comprises the combination of the operands used to evaluate the Boolean expression so as to obtain a non-Boolean result R having a value X if and only if the Boolean expression is verified, the result R being encoded on several bits;
the operation c) is an operation of enciphering the data element D using an enciphering algorithm and the value X as an enciphering key to obtain the data element D*, and during the operation d), the data element D* is deciphered using the deciphering algorithm and the result R as a deciphering key to build the data element D';
the value X is a function of the data element D;
the operation c) is an operation for masking the data element D by means of a random number;
the method comprises:
- before the computation of the data element D*, the adding to the data element D of additional bits according to a known syntax to obtain a data element D with an identifiable syntax;
- the computation of the data element D' from the data element D with an identifiable syntax,
- before the execution of the specific processing operation or during its execution, the verifying of the syntax of the data element D' to detect the execution of a fault injection attack;
the Boolean expression associated with the conditional jump is an expression of equality among several operands.
These embodiments of the method furthermore have the following advantages:
the conversion of the data element D into a data element D* protects the data element D, thus increasing the security of the method,
the enciphering of the data element D by means of an enciphering algorithm and an enciphering key enables the result of the operation a) to be transmitted to a processor by means of a non-secured information transmission network,
the generation of an enciphering key which is a function of the data element D during the operation a) increases the security of the method,
the use of a masking operation as an enciphering operation accelerates the speed of execution of this method,
the counting of the occurrences of syntax errors activates a counter-measure in the event of repeated fault injection attacks or in the event of recurrent errors in the Boolean expression without causing the errors in the internal format of the data element D, produced during the generation of this data element, to also lead to the activation of this counter-measure.
An object of the invention is also an information recording carrier and a computer program comprising instructions for the execution of the operations a) and b) of the above method when these instructions are executed by an electronic computer.
An object of the invention is also a system secured against fault-injection attacks on a conditional jump, this system comprising:
means for computing a data element D' from the data element D and from the operands of the Boolean expression so that the data element D' is identical to the data element D if and only if the Boolean expression is verified and so that the data element D' has another value, called an invalid value, if the Boolean expression is not verified, the data element D' being encoded on several bits, and
a module (20) capable of executing this specific processing operation on the data element D' instead of the data element D whenever the specific processing operation has to be executed.
The embodiments of this system may comprise the following characteristic:
the computation means comprise a security processor capable of executing at least one of the operations for computing the data element D'.
These embodiments of the system furthermore have the following advantage:
the use of a security processor increases the security of the system.
An object of the invention is also a security processor that can be implemented in the above-mentioned secured system.
The invention will be understood more clearly from the following description, given purely by way of a non-exhaustive example and made with reference to the drawings of which:
figure 1 is a schematic illustration of the architecture of a system secured against fault-injection attacks against a conditional jump,
figure 2 is a flowchart of a method for securing a conditional jump against fault-injection attacks implemented in the system of figure 1,
figure 3 is a schematic illustration of another architecture of a system secured against fault-injection attacks against a conditional jump, and
figure 4 is a flowchart of another method for securing a conditional jump against fault-injection attacks implemented in the system of figure 3.
In these figures, the same references are used to designate the same elements. Here below in this description, the characteristics and functions well-known to those skilled in the art shall not be described in detail.
Figure 1 shows a system 2 secured against fault-injection attacks on a conditional jump. Here, this system 2 has a remote server 4 connected to a computation unit 6 by means of an information transmission network 8.
The server 4 has an enciphering module 10. This module 10 is especially capable of making a signature-with-appendix of a data element D. The server 4 is capable of sending the data D accompanied by its signature to the unit 6 through the network 8.
The network 8 is a non-secured information transmission network such as the network known as the "Internet".
The unit 6 is for example a non-secured computation unit such as a computer or a multimedia program decoder. The unit 6 is said to be non-secured because the program that it executes can be decompiled without difficulty.
The unit 6 is connected to a security processor 12. In such a processor, access to the instructions and to the code to be executed is made difficult. In particular, the decompilation of the program to be executed is deliberately made very difficult. For example, the security processor 12 is a chip card.
The processor 12 has an electronic computer 14 connected to a memory 16. The computer 14 is capable of executing the instructions recorded in the memory 16. To this end, the memory 16 has the instructions needed to execute the method of figure 2. The computer 14 is especially capable of executing the following modules:
a deciphering module 17,
a module 18 to combine operands of a Boolean expression, and
a module 20 capable of executing a specific processing operation on a data element.
The module 10 and the computer 14 form means for computing a data element D' described in greater detail with reference to the method of figure 2.
The working of the system 2 shall now be described in greater detail with reference to the method of figure 2.
The method of figure 2 is described in the particular case of the transmission and verification of a digital signature-with-appendix. This digital signature is represented in the form of the following triplet of information elements: (D, D*, Dc) where:
- D is the data element to be signed encoded on several bits,
- D* is a cryptogram of the data element D,
- Dc is a control data element which corresponds here to the signature of the data element D.
The method starts at a step 30 for signing the data element D. To this end, in an operation 32, the module 10 generates a key Ki from the data element D to be signed. To this end, the following relationship is used for example:
Ki = G(H(D)) where:
- G is any unspecified function that is preferably secret,
- H is a hash function which builds a digital imprint of the data element D.
Here below in this example, the function G is for example the identity function. The function H is for example the RSA-SHA1 hash function.
Then, during the operation 34, the data element D is formatted so that its syntax complies with particular rules. For example, this formatting is done by carrying out a padding operation. Here, this padding operation consists of the concatenation of the bytes whose values are known before and after the data element D in itself. For example, after this operation 34, the formatted data element is the following: 0x29||0x09||D||0x19||0x80 where:
- the notation 0x designates a figure in hexadecimal notation, and
- "||" is the concatenation function.
Once the data element has been formatted, it is enciphered in an operation 36 to obtain the cryptogram D*. Here, the cryptogram D* is obtained by means of the following relationship:
D* = ES_Ki(D)
where:
- ES is a symmetrical enciphering algorithm such as the AES or 3DES, and
- Ki is the key generated during the operation 32.
The algorithm ES is a reversible function and achieves a conversion of the data element D to obtain a different data element, i.e. the cryptogram D*.
Finally, in an operation 38, the signature Dc is built. Here, this signature is built by means of the following relationship:
Dc = EA_Kpriv(H(D)) where:
- D is the data element formatted during the operation 34,
- Kpriv is a private enciphering key of a pair of asymmetrical keys,
- H is the same hash function used to generate the key Ki, and
- EA is an asymmetrical enciphering algorithm.
At the end of the step 30, the signature-with-appendix (D, D*, Dc) is transmitted in a step 40 to the unit 6 by means of the network 8.
At a step 42, the unit 6 receives this signature and transmits it to the processor 12 for verification in a step 44 of the signature of the data element D.
If the verification confirms the authenticity of this signature, a specific processing operation is executed on the data element D. If not, the specific processing operation on the data element D must be prevented. This is therefore a particularly sensitive conditional jump. Here, the Boolean expression associated with this conditional jump is that the digital imprint H(D) should be equal to another digital imprint H'(Dc). The imprints H(D) and H'(Dc) are therefore operands of this Boolean expression.
This step 44 is executed by the processor 12. At the beginning of the step 44, at an operation 46, the processor 12 computes the digital imprints H(D) and H'(Dc). Here, the imprint H'(Dc) is obtained by means of the following relationship:
H'(Dc) = EA^-1_Kpub(Dc) where:
- EA^-1 is the deciphering algorithm associated with the asymmetrical enciphering algorithm EA used in the operation 38,
- Kpub is the public enciphering key corresponding to the private enciphering key Kpriv.
Once the imprints H(D) and H'(Dc) have been computed, at a step 48, the module 18 combines these two imprints by means of a function F to obtain a result R such that the value of R is equal to the key Ki if the imprints H(D) and H'(Dc) are equal and is different from the key Ki if these imprints H(D) and H'(Dc) are not equal. The result R is a non-Boolean value encoded on as many bits as the key Ki, i.e. on at least 2 bits and preferably on more than 32 bits. For example, the result R is encoded on at least 128 bits for an AES algorithm and on at least 1024 bits for the RSA algorithm.
The following is one example of a function F having these properties:
R = F(D, Dc) = L(H(D)) ⊕ L(H'(Dc)) ⊕ G(H(D))
where:
- L is a secret function such as a hash function (for example the RSA-SHA1 algorithm), and
- ⊕ is the exclusive-or operation.
It will be understood that a function F(D, Dc) returns the value G(H(D)) when H(D) is equal to H'(Dc) and a completely different value when the imprints H(D) and H'(Dc) are different.
Then, in an operation 50, the module 16 deciphers the cryptogram D* by using the result R obtained at the end of the operation 48 to obtain a new non-Boolean data element D'. This deciphering operation is also an operation for building the data element D'. For example, the data element D' is obtained by means of the following relationship:
D' = ES^-1_R(D*) where:
- ES^-1 is the deciphering algorithm associated with the symmetrical enciphering algorithm ES used in the operation 36.
Thus, if the result R is equal to the key Ki, then the data element D' is identical to the data element D. On the contrary, if the result R is different from the key Ki, then the data element D' is different from the data element D. The operations 36, 38 and 50 therefore form an operation for computing a data element D' from the data element D and the operands H(D) and H'(Dc) so that the data element D' is identical to the data element D if and only if the Boolean expression is verified. If not, the data element D' has another value called an invalid value.
Furthermore, since the data element D' is obtained by a deciphering operation, the syntax of the data element D' is different from the syntax of the data element D when the result R is different from the key Ki.
Consequently, if the data element D is accurately authenticated from its signature, i.e. if the values H(D) and H'(Dc) are equal, then the data element D' delivered at the end of the step 44 is identical to the data element D. On the contrary, if this is not the case, i.e. if at the step 44, the data element D has not been successfully authenticated from the signature Dc, then the data element D' obtained at the end of the step 44 is invalid and different from the data element D.
Then, at a step 52, the processor 12 verifies the syntax of the data element D'. If this syntax does not correspond to the formatting applied at the step 44, then it increments an error counter. If this error counter goes beyond a pre-determined threshold Si, then the processor 12 proceeds to a step 54 for applying counter-measures. For example, a counter-measure may consist in blocking the processor 12 so as to make it unusable even for the purpose of verifying the authenticity of accurately authenticated data. Another possible counter-measure is that of activating the display of a warning message.
The incrementing of the error counter may have several causes. For example, if the processor 12 is subjected to a fault-injection attack, this can result in an erroneous execution of one of the operations 46 to 50 and hence in the restitution, at the end of the step 44, of an invalid data element D'. An invalid data element D' is also obtained if the triplet (D, D*, Dc) received has not been authenticated, i.e. if the signature Dc does not correspond to the index D.
Should the value of the error counter be below the threshold Si, the module 20 executes the specific processing operation on the data element D' at a step 56. Typically, the specific processing operation comprises an operation 58 to verify the internal format of the data element D'. If this format is incorrect because, for example, the format of the data element D received by the unit 6 was incorrect, then the specific processing operation is stopped and a corrective operation 60 is executed. The operation 60 may consist, for example, in asking for the re-sending of the data element D from the server 4 in a correct format.
If not, i.e. if the format of the data element D' is correct, the execution of the specific processing operation is continued up to the end.
It will be noted that a fault-injection attack can be executed during the operation 52 so that even if the data element D' is invalid, the specific processing operation is executed at the step 56. However, such an attack would be conducted in vain since, at the step 56, the specific processing operation will be executed on an invalid data element D'. Now, the execution of the specific processing operation on the invalid data element D' can only give unexploitable or unnecessary results. Thus, such an attack does not jeopardize the security of the system 2 again.
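The sequence of operations 32 to 36 and 48 to 52 can be followed in the sketch below. It is an example added here, not code from the patent: a seeded FNV-1a stands in for the functions H and L, an XOR keystream stands in for ES, the imprint H'(Dc) is passed in as a value instead of being recovered by asymmetric deciphering, and the names and the threshold value are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_D 32         /* constructed size limit for this example */
#define THRESHOLD_SI 3   /* constructed value for the threshold Si */

/* Stand-in for H and L: seeded 64-bit FNV-1a. Not a cryptographic hash. */
static uint64_t fnv1a(const uint8_t *p, size_t n, uint64_t seed) {
    uint64_t h = 0xcbf29ce484222325ULL ^ seed;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}
static uint64_t H(const uint8_t *d, size_t n) { return fnv1a(d, n, 0); }
static uint64_t L(uint64_t x) { return fnv1a((const uint8_t *)&x, sizeof x, 0x4c); }

/* Stand-in for ES and ES^-1: XOR with a splitmix64 keystream. Not AES or 3DES. */
static void es_xor(uint64_t key, const uint8_t *in, uint8_t *out, size_t n) {
    uint64_t s = key, z = 0;
    for (size_t i = 0; i < n; i++) {
        if (i % 8 == 0) {                       /* next 8 keystream bytes */
            z = (s += 0x9e3779b97f4a7c15ULL);
            z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
            z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
            z ^= z >> 31;
        }
        out[i] = in[i] ^ (uint8_t)(z >> (8 * (i % 8)));
    }
}

/* Operations 32 to 36 on the server: format D as 0x29||0x09||D||0x19||0x80,
 * derive Ki = G(H(D)) with G the identity, and encipher. Returns the length of D*. */
size_t server_encipher(const uint8_t *d, size_t n, uint8_t *dstar) {
    uint8_t f[MAX_D + 4];
    if (n > MAX_D) return 0;
    f[0] = 0x29; f[1] = 0x09;
    memcpy(f + 2, d, n);
    f[n + 2] = 0x19; f[n + 3] = 0x80;
    es_xor(H(d, n), f, dstar, n + 4);
    return n + 4;
}

static unsigned error_counter;

/* Operations 48 to 52 in the security processor. h_sig is H'(Dc). D' is always
 * produced; the return value is only the syntax check of step 52. */
int processor_build(const uint8_t *d, size_t n, uint64_t h_sig,
                    const uint8_t *dstar, size_t m, uint8_t *dprime) {
    uint64_t hd = H(d, n);
    uint64_t r = L(hd) ^ L(h_sig) ^ hd;   /* R equals Ki when the imprints match */
    es_xor(r, dstar, dprime, m);          /* operation 50: D' = ES^-1_R(D*) */
    int ok = m >= 4 && dprime[0] == 0x29 && dprime[1] == 0x09 &&
             dprime[m - 2] == 0x19 && dprime[m - 1] == 0x80;
    if (!ok) error_counter++;
    return ok;
}

/* Step 54 is due once the counter goes beyond the threshold. */
int countermeasure_due(void) { return error_counter > THRESHOLD_SI; }

int main(void) {
    const uint8_t d[] = "constructed control word";   /* constructed sample D */
    uint8_t dstar[MAX_D + 4], dprime[MAX_D + 4];
    size_t n = sizeof d - 1, m = server_encipher(d, n, dstar);
    int good = processor_build(d, n, H(d, n), dstar, m, dprime);
    int bad = processor_build(d, n, H(d, n) ^ 1, dstar, m, dprime);
    printf("matching imprints: syntax %s\n", good ? "ok" : "invalid");
    printf("differing imprints: syntax %s, errors=%u\n",
           bad ? "ok" : "invalid", error_counter);
    return 0;
}
```

Forcing the syntax check to report success does not help an attacker in this sketch, because the buffer handed on is still the deciphering of D* under the wrong key.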
Figure 3 shows another system 70 secured against fault-injection attacks on a conditional jump. The architecture of this system 70 is identical to that of the system 2 except that the processor 12 is replaced by a security processor 72. This security processor 72 is identical to the processor 12 except that it has, in addition, an enciphering module 74.
In the system 70, even the enciphering operation 36 can be done in the processor 72. Thus, the server 4 no longer needs to transmit the cryptogram D* to the processor 72. Indeed, this processor 72 can easily re-build it from the data element D received and from the H function. This saves bandwidth in the network 8. In this embodiment, the set of computation means for computing the data element D' is then housed in the security processor.
Furthermore, since the cryptogram D* is built within the processor 72 and not received through a non-secured network, it is possible to build this cryptogram D* by using not a complex enciphering algorithm but on the contrary a simple enciphering algorithm. This makes it possible for the conditional jump to be executed at greater speed or with a lower consumption of computer resources.
An example of a faster method of this kind for securing a conditional jump is described with reference to figure 4.
Initially, the processor 72, in an operation 80, draws a random number R1. In this operation 80, this number R1 is combined in an addition operation with the byte 0x01.
In an operation 82, a second random number R2 is drawn and then combined with the byte 0x01.
The rest of the method of figure 4 is described in the particular example in which the conditional jump to be secured is the following:
"if A = B then execute the specific processing operation on the data element D"
Then, a specific operation 84 is performed to combine the operands A and B of the Boolean expression of the conditional jump by means of a function F returning a value X if A = B and another value if A is different from B. For example, the operands A and B are combined by means of the following function F:
F(A, B) = A - B
With this function F, the value X is null while the other values are different from 0. This function F does not return a Boolean result. Thus, provision must be made for several bits to store the result R.
In an operation 86, the result R of the function F(A,B) is masked by a combination of this value with the random number R1. For example, the masking operation 86 is performed by means of the following relationship:
Y1 = F(A,B) * R1
Then, in an operation 88, the data element D is enciphered to obtain the cryptogram D*. Here, the enciphering operation applied is a simple enciphering operation. For example, this is simply a masking of the data element D by means of the random number R2. For example, this masking is done by means of the following relationship:
D* = R2 ⊕ D
A simple enciphering of this kind is thus a reversible function which enables the data element D to be converted into a different data element D*.
Once the data element D has been enciphered, an operation 90 is performed to decipher the cryptogram D* by bringing into play the result R of the function F(A,B) obtained during the operation 84. This deciphering operation is an operation for building the data element D'. For example, at the step 90, the following instructions are performed successively:
Y1 = D* + Y1
D' = Y1 ⊕ R2
It will be understood that if the operands A and B are equal, then the data element D' obtained at the end of the operation 90 is identical to the data element D. On the contrary, if the operands A and B are different, the data element D' obtained at the end of the operation 90 is different from the data element D.
Then, the method proceeds systematically to an operation 92 in which the module 20 systematically performs the specific processing operation on the data element D' whether or not this data element D' is identical to the data element D.
Indeed, it is not necessary to detect that the data element D' is invalid. For example, if the processor 72 is used to authorize the de-scrambling of a multimedia program, the fact of providing an invalid data element D' to a decoder results in an incorrect de-scrambling of the multimedia program and hence in the display on a screen of a multimedia program unintelligible to the viewer. In these circumstances, it is not necessary to detect the fact that the data element D' is invalid.
The method of figure 4 also illustrates a case in which the operands of the Boolean expression are built independently of the data element D.
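The operations 84 to 92 of figure 4 are set beside the unprotected "if A = B" form in the example below, which is added here and is not code from the patent. The function names, the `glitch` parameter that models a forced branch, the XOR de-scrambler and the sample buffer are constructed; the example also assumes 32-bit modular arithmetic and forces R1 odd so that the product (A - B) * R1 cannot wrap to zero when A differs from B.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unprotected form: "if A = B then process D". `glitch` models a fault that
 * forces the branch to be taken regardless of the comparison. */
uint32_t release_plain(uint32_t a, uint32_t b, uint32_t d, int glitch) {
    if (a == b || glitch)
        return d;                 /* the genuine D reaches the processing */
    return 0;
}

/* Operations 84 to 90 of figure 4, computed modulo 2^32. No branch depends on
 * the comparison; r1 and r2 are the random numbers R1 and R2. */
uint32_t build_dprime(uint32_t a, uint32_t b, uint32_t d,
                      uint32_t r1, uint32_t r2) {
    /* Assumption of this example: R1 is forced odd, hence invertible modulo
     * 2^32, so (A - B) * R1 is zero only when A == B. */
    r1 |= 1u;
    uint32_t y1 = (a - b) * r1;   /* 84 and 86: Y1 = F(A,B) * R1, F(A,B) = A - B */
    uint32_t dstar = r2 ^ d;      /* 88: D* = R2 xor D */
    y1 = dstar + y1;              /* 90: Y1 = D* + Y1 */
    return y1 ^ r2;               /* 90: D' = Y1 xor R2 */
}

/* Operation 92, constructed stand-in for de-scrambling: XOR with the control word. */
static void descramble(uint32_t cw, const uint32_t *in, uint32_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ cw;
}

/* Scrambles a constructed clear buffer with D, then always de-scrambles with D'.
 * Returns the number of words recovered correctly. */
size_t words_recovered(uint32_t a, uint32_t b, uint32_t d,
                       uint32_t r1, uint32_t r2) {
    const uint32_t clear[4] = {0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u};
    uint32_t scrambled[4], out[4];
    size_t good = 0;
    descramble(d, clear, scrambled, 4);          /* XOR is its own inverse */
    descramble(build_dprime(a, b, d, r1, r2), scrambled, out, 4);
    for (size_t i = 0; i < 4; i++)
        good += (out[i] == clear[i]);
    return good;
}

int main(void) {
    const uint32_t d = 0xCAFEBABEu;              /* constructed data element D */
    const uint32_t r1 = 0x1000u, r2 = 0xDEADBEEFu;   /* constructed "random" values */
    printf("plain, A != B, glitched branch: D released = %d\n",
           release_plain(1, 2, d, 1) == d);
    printf("figure 4, A == B: %zu of 4 words recovered\n",
           words_recovered(0x1234, 0x1234, d, r1, r2));
    printf("figure 4, A != B: %zu of 4 words recovered\n",
           words_recovered(0x1234, 0x1235, d, r1, r2));
    return 0;
}
```

A compiler is free to restructure this arithmetic, so the generated assembly should be inspected on the target to confirm that no comparison-dependent branch has been reintroduced.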
Many other embodiments are possible. For example, the key Ki may be built differently from the key described or may even be a constant.
The functions G, H, H' and the ES and EA algorithms may be public or secret algorithms.
Should the function G be secret, the function F(D,Dc) may be chosen as follows:
F(D, Dc) = H(D) ⊕ H'(Dc) ⊕ G(H(D)).
The function F is not necessarily a combination of Boolean operations. For example F may be a polynomial.
The functions F described here above have been described in the particular case in which the Boolean expression to be tested for the conditional jump is an equality. However, what is described here also applies to other Boolean expressions. In particular, the Boolean expression tested may be an inequality between two operands A and B. For example, the Boolean expression tested may be the following: AB then process D;
Each of these two conditional jumps may be secured as indicated here above.
Preferably the operands of the Boolean expression of the conditional jump are non-Boolean operands.
As a variant, the operations for formatting the data element D and verifying the syntax of the data element D' can be omitted.
As a variant, the operations for converting the data element D into a different data element D* may also be omitted. In this case, the data element D' is computed by means of a formula that directly combines the operands of the Boolean expression with the data element D. For example, the following formula can be used for this purpose:
D'=A-B+D
where A and B are the operands of the Boolean expression "A=B".
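As an added illustration (not part of the patent text), the C sketch below applies the formula D' = A - B + D and keeps the optional syntax formatting and verification. The 16-bit payload with a complemented upper half and the names format_d, syntax_ok, jump_linear and process are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed syntax (assumption): low 16 bits carry the payload,
 * high 16 bits carry its bitwise complement. */
static uint32_t format_d(uint16_t payload) {
    return ((uint32_t)(uint16_t)~payload << 16) | payload;
}

/* Returns 1 when the word still has the known syntax. */
static int syntax_ok(uint32_t w) {
    return (uint16_t)(w >> 16) == (uint16_t)~(uint16_t)w;
}

/* D' = A - B + D (mod 2^32). There is no comparison and no branch on
 * A == B, so there is no single test instruction to skip or flip. */
static uint32_t jump_linear(uint32_t a, uint32_t b, uint32_t d) {
    return a - b + d;
}

/* Stand-in for the specific processing operation: it always runs on D'.
 * Returns the payload, or -1 when the syntax check flags D' as invalid. */
static int32_t process(uint32_t d_prime) {
    if (!syntax_ok(d_prime))
        return -1;
    return (int32_t)(d_prime & 0xFFFFu);
}

int main(void) {
    uint32_t d = format_d(0x1234);   /* constructed sample value */
    printf("A == B: %d\n", (int)process(jump_linear(42, 42, d)));
    printf("A != B: %d\n", (int)process(jump_linear(42, 43, d)));
    return 0;
}
```

With this constructed encoding a difference A - B of 0xFFFF turns one well-formed word into another, so the syntax check is only a detection aid; D' still differs from D and the processing still yields a wrong result.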
What has been described here above in the case of a securing of a single conditional jump can be applied to a "switch" type instruction. More specifically, a switch instruction of this kind can be broken down into a succession of conditional jumps to which the method described herein can be applied. What has been described herein also applies to any conditional jump whether it has to be executed in a security routine or at the exit from such a routine.
The securing method described here may also be used if the Boolean expression involves several values. For example, the Boolean expression may be the following A+B=C. In this case, the function F is a function of the three values A, B and C and returns the result R. For example, the function F(A,B,C) may be the following:
F(A, B, C) = (H(A + B) ⊕ H(C)) ⊕ G(H(D))
where:
- H is the hash function, and
- G(H(D)) is the key Kj.
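The formula F(A, B, C) can be exercised in a few lines of C; this is an added example, not code from the patent. FNV-1a stands in for the hash H, the mixing function G and the XOR encipherment are assumptions, and the name jump_keyed is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* H: 32-bit FNV-1a over the four bytes of x (stand-in hash, assumption). */
static uint32_t H(uint32_t x) {
    uint32_t h = 2166136261u;
    for (int i = 0; i < 4; i++) {
        h ^= (x >> (8 * i)) & 0xFFu;
        h *= 16777619u;
    }
    return h;
}

/* G: derives the key from H(D) (hypothetical choice; the text leaves G open). */
static uint32_t G(uint32_t h) { return H(h ^ 0xA5A5A5A5u); }

/* F(A, B, C) = (H(A + B) XOR H(C)) XOR G(H(D)); k is the key G(H(D)).
 * The result R equals k exactly when H(A + B) == H(C). */
static uint32_t F(uint32_t a, uint32_t b, uint32_t c, uint32_t k) {
    return (H(a + b) ^ H(c)) ^ k;
}

/* Encipher D under k, then decipher D* under R. XOR stands in for the
 * enciphering algorithm (assumption). No comparison or branch on A + B == C. */
static uint32_t jump_keyed(uint32_t d, uint32_t a, uint32_t b, uint32_t c) {
    uint32_t k = G(H(d));          /* key, a function of D         */
    uint32_t d_star = d ^ k;       /* D*: D enciphered under k     */
    uint32_t r = F(a, b, c, k);    /* result R built from operands */
    return d_star ^ r;             /* D': equals D iff r == k      */
}

int main(void) {
    uint32_t d = 0xCAFEF00Du;      /* constructed sample value */
    printf("2+3=5: D' = %08X\n", (unsigned)jump_keyed(d, 2, 3, 5));
    printf("2+3=6: D' = %08X\n", (unsigned)jump_keyed(d, 2, 3, 6));
    return 0;
}
```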
At least one of the operands of the Boolean expression is a variable whose value is unknown in advance. On the contrary, one or more of the other operands may be constants. Thus, the case in which the Boolean expression comprises only one operand A whose value may be "true" or "false" is actually only a particular form of the case in which the Boolean expression consists in testing the equality of this operand A with the value "1" ("true") or "0" ("false"). Hence, this case is only a particular form of a Boolean expression with an operand A which is a variable and an operand B which is a constant.
For small-sized data D, the cryptogram D* may also be obtained by enciphering the data element D with a private key and an asymmetrical enciphering algorithm. In this case, the unit 6 or the processor 12 or 72 must have a corresponding public key at its disposal to decipher the cryptogram D*. In this context, the conditional jump can be executed securely by enciphering the public key with the key Ki and by subjecting the restitution of the original public key to the delivery by the function F of a result R identical to the key Ki. In other words, the same processing is applied to the public key as the one applied to the data element D in the methods of the figures 2 and 4.
The module 20 can be implemented in the unit 6.
The asymmetrical enciphering algorithm EA can be chosen in such a way that it is also its own associated deciphering algorithm EA⁻¹.
CLAIMS
1. Method for securing a conditional jump against fault injection attacks, this conditional jump authorizing the execution of a specific processing operation on a data element D if a Boolean expression between one or more operands is verified and, if not, prohibiting the execution of the specific processing operation on the data element D, characterized in that this method comprises the execution of the conditional jump by means of the following succession of operations:
a) computing (36, 48, 50; 84, 88, 90) a non-Boolean data element D' from the data element D and from the operands of the Boolean expression so that the data element D' is identical to the data element D if and only if the Boolean expression is verified and so that the data element D' has another value, called an invalid value, if the Boolean expression is not verified, the data element D' being encoded on several bits, and
b) using (56; 92) the data element D' instead of the data element D during any execution of the specific processing operation.
2. Method according to claim 1, wherein the computation of the data element D' comprises:
c) the conversion (36; 38), by means of a reversible function, of the data element D to produce a different data element D* from which it is not possible to rebuild the data D without any other information,
d) the building (50; 90) of the data element D' from the data element D* and from the operands of the Boolean expression so that the data element D' is identical to the data element D if and only if the Boolean expression is verified and so that the data element D' has another value, called an invalid value, if the Boolean expression is not verified.
3. Method according to claim 2, wherein:
the method comprises the combination (48) of the operands used to evaluate the Boolean expression so as to obtain a non-Boolean result R having a value X if and only if the Boolean expression is verified, the result R being encoded on several bits,
the operation c) is an operation of enciphering (36) the data element D using an enciphering algorithm and the value X as an enciphering key to obtain the data element D*, and
during the operation d), the data element D* is deciphered (50) using the deciphering algorithm and the result R as a deciphering key to build the data element D'.
4. Method according to claim 3, wherein the value X is a function of the data element D.
5. Method according to claim 2, wherein the operation c) is an operation for masking (88) the data element D by means of a random number.
6. Method according to any one of the above claims, wherein the method comprises:
- before the computation of the data element D*, the adding (34) to the data element D of additional bits according to a known syntax to obtain a data element D with an identifiable syntax;
- the computing of the data element D' from the data element D with an identifiable syntax,
- before the execution of the specific processing operation or during its execution, the verifying (52) of the syntax of the data element D' to detect the execution of a fault injection attack.
7. Method according to any one of the above claims, wherein the Boolean expression is an expression of equality among several operands.
8. Information recording carrier characterized in that it comprises instructions for the execution of the operations a) and b) of a securing method according to any of the claims 1 to 7 when these instructions are executed by an electronic computer.
9. Computer program comprising instructions for the execution of the operations a) and b) of a securing method according to any one of the claims 1 to 7 when these instructions are executed by an electronic computer.
10. System secured against fault-injection attacks on a conditional jump, this conditional jump authorizing the execution of a specific processing operation on a data element D if a Boolean expression between one or more operands is verified and, if not, prohibiting the execution of the specific processing operation on the data element D,
characterized in that this system comprises:
means for the computing, by means of a security processor, of a data element D' from the data element D and from the operands of the Boolean expression so that the data element D' is identical to the data element D if and only if the Boolean expression is verified and so that the data element D' has another value, called an invalid value, if the Boolean expression is not verified, the data element D' being encoded on several bits, and
a module (20) capable of executing this specific processing operation on the data element D' instead of the data element D whenever the specific processing operation has to be executed.
11. System according to claim 10, wherein the security processor is capable of executing at least one of the operations for computing the data element D'.
12. Security processor capable of being implemented in a system according to claims 10 or 11 characterized in that the security processor is capable of executing at least one of the operations for computing the data element D', from the data element D and from the operands of the Boolean expression so that the data element D' is identical to the data element D if and only if the Boolean expression is verified and so that the data element D' has another value, called an invalid value, if the Boolean expression is not verified, the data element D' being encoded on several bits.
| # | Name | Date |
|---|---|---|
| 1 | 3951-chenp-2010 pct 25-06-2010.pdf | 2010-06-25 |
| 2 | 3951-CHENP-2010-AbandonedLetter.pdf | 2018-07-04 |
| 3 | 3951-CHENP-2010-FER.pdf | 2017-12-29 |
| 4 | 3951-chenp-2010 others 25-06-2010.pdf | 2010-06-25 |
| 5 | 3951-chenp-2010 form-5 25-06-2010.pdf | 2010-06-25 |
| 6 | 3951-CHENP-2010 CORRESPONDENCE OTHERS 22-12-2011.pdf | 2011-12-22 |
| 7 | 3951-chenp-2010 form-3 25-06-2010.pdf | 2010-06-25 |
| 8 | 3951-CHENP-2010 FORM-18 22-12-2011.pdf | 2011-12-22 |
| 9 | abstract3951-chenp-2010.jpg | 2011-09-04 |
| 10 | 3951-chenp-2010 form-2 25-06-2010.pdf | 2010-06-25 |
| 11 | 3951-chenp-2010 correspondence others 10-01-2011.pdf | 2011-01-10 |
| 12 | 3951-chenp-2010 form-1 25-06-2010.pdf | 2010-06-25 |
| 13 | 3951-chenp-2010 form-3 10-01-2011.pdf | 2011-01-10 |
| 14 | 3951-chenp-2010 drawings 25-06-2010.pdf | 2010-06-25 |
| 15 | 3951-CHENP-2010 CORRESPONDENCE OTHERS 14-12-2010.pdf | 2010-12-14 |
| 16 | 3951-chenp-2010 description(complete) 25-06-2010.pdf | 2010-06-25 |
| 17 | 3951-CHENP-2010 POWER OF ATTORNEY 14-12-2010.pdf | 2010-12-14 |
| 18 | 3951-chenp-2010 correspondence others 25-06-2010.pdf | 2010-06-25 |
| 19 | 3951-chenp-2010 claims 25-06-2010.pdf | 2010-06-25 |
| 20 | 3951-chenp-2010 correspondence others 23-08-2010.pdf | 2010-08-23 |
| 21 | 3951-chenp-2010 abstract 25-06-2010.pdf | 2010-06-25 |
| 22 | 3951-CHENP-2010 CORRESPONDENCE OTHERS 21-07-2010.pdf | 2010-07-21 |
| 1 | search_29-12-2017.pdf |