1. Field of the Invention
The present invention relates to electronic circuits with a controller and, in particular, to controlling the controller in these electronic circuits.
2. Description of the Prior Art
With the increasingly widespread use of cashless payment transactions, electronic data transmission via public networks, and the exchange of credit card numbers via public networks, there is an increasing need for cryptography algorithms so as to be able to implement digital signatures, authentications or encryption tasks. Known cryptography algorithms include asymmetrical encryption algorithms, such as the RSA algorithm, or methods based on elliptic curves, or symmetrical encryption methods, such as encryption methods in accordance with the DES or AES standards.
To be able to execute the calculations prescribed by the cryptography algorithms at an acceptable speed in every-day life, specifically provided cryptography controllers are employed. Such cryptography controllers are used, for example, in chip cards, such as, e.g., SIM cards or signature cards, for example for effecting payment using the mobile phone, for home banking transactions or legally binding electronic signatures. Alternatively, cryptography controllers are used in computers or servers as security ICs so as to carry out an authentication or to be able to perform encryption tasks, which may be comprised, for example, of securely transmitting credit card numbers, transmitting e-mails of secret contents and of secure cashless payment transactions via the Internet.
The requirements placed upon cryptography controllers are demanding, so that same meet the users' high expectations and can establish themselves on the market. So as to be able to ensure algorithmic security with regard to attacks from outside, cryptography controllers must provide, for example, considerable computing power. The reason for this is that the security of cryptographic algorithms, such as, for example, the known RSA algorithm, in general crucially depends on the bit length of the key used and that, consequently, those cryptography controllers executing the corresponding cryptography algorithms must be able to deal with figures of as long a length as possible. In the RSA algorithms, for example, key bit lengths of 1024 bits or up to 2048 bits have prevailed, whereas current general-purpose processors, in comparison, work with 8-bit, 32-bit or, as a maximum, 64-bit figures.
In addition, cryptography controllers must have a high computing power so as to be able to carry out the calculations required for the respective cryptographic algorithm within an appropriate amount of time. It would be, for example, too much to ask of any user to have to wait several minutes for an authentication check or a payment transaction. To be able to achieve these high computing powers, known cryptography controllers process in parallel many of the computing operations to be carried out so as to increase the computing speed.
In using cryptography controllers in chip cards, such as SIM cards or signature cards, an additional problem results from the requirement that same must be producible at low cost as a mass product. Even though they must execute, within as short a time period as possible, algorithms requiring a large computation effort, the electronic circuit, on the other hand, must not be too complicated and, as a consequence, expensive.
A further problem in designing cryptography controllers results from the co-existence of many common cryptography algorithms. In the case of a chip card, for example, that cryptography controller which is capable of implementing most standard cryptography algorithms and which, consequently, exhibits broad-range serviceability and a high amount of user friendliness, will prevail on the market. Such a “multi-functional” cryptography controller prevents a user, for example, from having to carry several chip cards around with him/her, of which each is intended for a specific application or for a specific cryptography procedure. On the grounds of multi-purpose employment, such a multi-functional cryptography controller, however, must be capable of performing a multitude of computing operations used by many cryptographic algorithms, which leads to an increase in the complexity or a decrease in the speed of the electronic circuit.
A possible design for a cryptography controller, which exhibits a high amount of multi-functionality on the one hand and high processing speed on the other hand, consists of a combination of a central processing unit and one or several coprocessors working in parallel, such as is the case, for example, in modern PCs, but also in modern graphic cards, and being connected to each other via a bus system. The coprocessors take on complicated computing tasks associated with, for example, specific cryptography algorithms or specific computing operations, such as a modular or arithmetic multiplication.
An additional problem that cryptography controllers must face is that only a limited energy is available to them. Terminals for contact-bearing chip cards provide, for example, a current of only a few mA as a maximum, whereas the current may be limited to an amount even smaller than 10 mA in contact-less applications and mobile applications, such as in an SIM card in a mobile phone. Consequently, the computing speed of the coprocessors is limited by the energy available. The clock frequency with which the CPU and the cryptocoprocessors are clocked is subject to limitations imposed by the energy available, since in the implementation of the controller chip in CMOS technology, the current consumption depends on the clock frequency or on the switching frequency of the MOSFETs.
The problems associated with the low energy available and, in contact-less and mobile applications, even varying or decreasing amounts of energy available are dealt with, in conventional cryptography controllers, only in that same are designed for a certain minimum energy supply. The entire cryptography controller, i.e., the CPU and the cryptocoprocessors, are clocked, with fixed clock frequencies, such that the energy required for the clock frequencies set corresponds to the minimum energy. Consequently, operation of the circuit is possible only if the energy available is sufficient, i.e., is equal to or larger than the minimum energy. Due to the fixed clocking of the coprocessors, the energy required for operating the cryptography controller is also independent of the cryptography controller task, so that, for example, as much energy is required for complicated RSA cryptography applications as for less complicated calculations based on elliptic curves. In the event that the energy available exceeds the energy required for operating the cryptography controller, the additional energy available is lost and remains unused.
For chip card and security-IC manufacturers, cryptography controllers with a better energy utilization would be of enormous significance since hereby, on the one hand, the computing speed and, thus, the waiting times at the terminals and the user friendliness could be increased and, on the other hand, the circuit complexity and, thus, the cost of the controller could be reduced at the same computing speed, which is advantageous in particular with mass products.