In every modern microprocessor or microcontroller, step-by-step execution of an algorithm is accompanied by the occurrence of states which necessitate a temporary interruption in program execution. The cause can be instructions or data which are not yet available, for example. Where possible, the interruption should occur such that the information available at the time of the interruption or the data available is or are fully preserved. The states reached during program execution—including intermediate results already calculated—therefore need to be “frozen” for each of the successive steps of the algorithm such that program execution can be continued with minimal delay as soon as the information required for this purpose, namely the previously missing instruction or the missing data item, is available.
A schematic representation of the circuitry in this situation is given in FIG. 1. This shows just one bit of a data path and just one substep (k) in program execution. The states and intermediate results zk corresponding to the substeps k=1,2, . . . in the execution of the program are either calculated in arithmetic and logic circuits from zk-1 and control signals ctlk (data signal ak<1>) or are accepted from adjacent bits in the data path, or are supplied externally (ak<nk:2>) and are then stored in respectively associated register circuits which each have a clock input. The described “freezing” of the register contents zk corresponding to the states is produced by means of feedback, where the data output of the register <k> is connected to the multiplexer circuits situated upstream of the input for the registers. In this arrangement, each of the multiplexer circuits has a control input to which a control signal selk<sk:1> is applied. The combination of the multiplexer and the register is surrounded by a dashed line in FIG. 1.
In the case of the schematic circuit indicated in FIG. 1, each bit of a state stored in the registers is physically represented by a single electrical node at the output of the register. For the “single-rail” circuitry, so-called for this reason, this also applies for all the nodes within the combinational switching circuits (combinational logic and arithmetic), connected downstream of the registers, between the registers and for the register inputs. A single electrical node thus corresponds to the logic value of a state bit.
A drawback of this single-rail technology is the fact that the circuit design or the signals processed in the circuit can easily be spied out. One of the most important methods for attacking chip cards and for assessing the sensitivity thereof in security applications is differential power analysis (DPA). This method is used for deliberate attacks in order to discover confidential information, such as passwords or cryptographic keys.
In this case, the chip card's current profiles measured using statistical methods are evaluated for a given program or for a given algorithm. In particular, charge integrals calculated over one or more clock cycles are evaluated and—if the program is executed a large number of times—the correlation between systematic data variation and respective charge integral can be used to draw conclusions about the information which is to be protected.
It follows from this that the circuits integrated on a chip card need to be of such a type that they deliver the same current profile irrespective of the data which are to be processed, in order to cause differential power analysis to fail.
This is certainly not the case for the single-rail data paths indicated in FIG. 1, however. If program execution is interrupted, as described above, the register outputs are fed back via the multiplexer circuits situated upstream of the inputs. The result of this is the desired freezing of the register contents. Since none of the register nodes situated in the data path undergoes electrical charge reversal, however, a minimal charge integral is obtained for this case.
In contrast to this, at least some of the register contents change over the course of time or clock cycles in the event of program execution not being interrupted. The respective charge integral associated with each state change is therefore a function of those nodes or electrical capacitances which undergo electrical charge reversal. There is thus a strong dependence on the changes in the data to be processed over time. This statement applies not just to the register nodes shown in FIG. 1 but also to all nodes within switching circuits between the registers.
Changing charge integrals can be prevented by using “dual-rail technology”. In contrast to conventional single-rail technology, where each bit within a data or signal path is physically represented by a single electrical node k in a switching circuit or switching mechanism, the implementation using dual-rail technology involves each bit being represented by two nodes k and kq, with this bit having a valid logic value if k corresponds to the true logic value b for this bit and kq corresponds to the complementary value bn=not(b).
The desired invariance in the charge integrals is achieved in this case by virtue of a “precharge” state having been inserted between two states with valid logic values (b, bn)=(1,0) or (0,1). In this precharge state, both k and kq are charged to the same electrical potential, and thus assume logically invalid values (1,1) or (0,1). For the precharge state (1,1), a state sequence might have the following appearance:(1,1), (0,1), (1,1), (1,0), (1,1), (1,0), (1,1), (0,1), . . . 
For any of such state sequences, it holds true that any passage from (1,1) to (b, bn) involves a single node having its charge reversed from 1 to 0, and all (b, bn) to (1,1) states involve a single node having its charge reversed from 0 to 1. This is true irrespective of the logically valid value b of a respective state bit. Naturally, a similar situation also applies for state sequences with the precharge state (0,0).
It follows from this is that the charge integrals corresponding to these state sequences are independent of the sequence (b, bn) of the logically valid values. It is merely necessary to ensure that the nodes k and kq have the same electrical capacitances. The current profile for a data path implemented in this way is thus no longer dependent on variations in the data to be processed over time. A circuit designed using dual-rail technology is thus resistant to differential power analysis.
It is therefore the object of the present invention to provide a data path register which allows its contents to be “frozen” and at the same time features protection against differential power analysis.