Situated at the heart of the processing unit of modern microprocessors and microcontrollers, the so-called “Central Processing Unit” (CPU), is the data path, which represents the interconnection of all the functional units for processing data. The interconnection is effected via bundles of lines, so-called data buses, and comprises, inter alia, the functional units of multiplexer, arithmetic logic unit (ALU), shifter and register file. The construction and the interaction of the functional units of data paths are sufficiently known to the person skilled in the art, and so a more detailed description is dispensed with.
The shifter serves for bit manipulation, i.e. for shifting a binary data word by a number n of bit positions toward the right or left, said number generally being programmable by means of control signals. By way of example, a shifter has a programmable range of values n ∈ [−7, 7], i.e. the data word (assumed to be sufficiently wide) at the input of the shifter can be shifted by up to seven bit positions toward the right or left.
There are various forms of realization of shifters, namely the so-called barrel shifters and the logarithmic shifters. In the case of a single-stage realization of the abovementioned example with a barrel shifter which has to be able to process M=15 different shift operations (M is also referred to as the power), this requires a 1-out-of-15 multiplexer for each data bit, which multiplexer has to have a corresponding number of data and control inputs. In the case of the multistage, logarithmic realization with the logarithmic shifter, shifting e.g. by +4, 0 or −4 bits is effected in the first stage, shifting e.g. by +1, 0 or −1 bit is effected in the second stage connected downstream, and shifting e.g. by +2, 0 or −2 bits is effected in the subsequent third stage. With three cascaded 1-out-of-3 multiplexer circuits and a maximum of nine control inputs, this means a significantly more favorable solution with regard to the number of switching elements required and principally the wiring and area outlay.
It holds true, in general, that the barrel shifter is appropriate only for small values of M. For larger values of M, the logarithmic shifter is significantly more effective and more efficient both as far as the outlay is concerned and as far as the switching time is concerned. Background information in this respect can be gathered from the book “DIGITAL INTEGRATED CIRCUITS—A Design Perspective”, Jan M. Rabaey, Prentice Hall (1996), Chapter 7.
Data paths of modern microprocessors and microcontrollers are usually embodied in so-called “single-rail” circuitry. In these, each bit of the information to be processed is physically represented by precisely one electrical node. Consequently, precisely one electrical node corresponds to the logic value of a state bit.
A disadvantage of this single-rail technology is the fact that the circuit construction or the signals processed in the circuit can be covertly discovered in a simple manner. One of the most important methods for attacking circuits and for assessing their sensitivity in security applications is differential power analysis (DPA). This methodology is used for targeted attacks in order to covertly discover confidential information such as, for example, passwords or cryptographic keys.
This involves evaluating, by statistical methods, power profiles measured for a given program or for a given algorithm. In particular, charge integrals calculated over one or more clock cycles are evaluated. Over a multiplicity of program executions, conclusions about the information to be protected can then be drawn from the correlation between the systematic data variation and the respective charge integral.
It follows from this that the integrated circuits to be protected, such as e.g. smart cards, should be configured in such a way that they yield the same power profile independently of the data to be processed, in order to cause a differential power analysis to come to nothing.
This is not the case for single-rail data paths. The charge integral assigned to the temporal profile of the states of a circuit is a function of those nodes or electrical capacitances which are subjected to electrical charge reversal. The temporal profile is thus greatly dependent on the temporal changes in the data to be processed.
One disadvantage of known shifters is that they are embodied using single-rail technology and, therefore, the data transported through them can be covertly discovered.
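The data dependence described above can be made concrete with a toggle-count model of the three-stage logarithmic shifter. This is an added illustration, not part of the original text; the 22-bit bus, the 8-bit data word, the function names and the assumption that charge is proportional to the number of stage-output nodes changing state are all choices made for the example.

```python
# Added illustration: toggle-count model of a single-rail logarithmic shifter.
# Assumed (not from the text): 8-bit data, 22-bit bus, charge ~ toggled nodes.

WIDTH = 22          # bus wide enough that a shift by up to 7 loses no bits
OFFSET = 7          # data sits 7 positions in, leaving room on both sides
MASK = (1 << WIDTH) - 1
STAGES = (4, 1, 2)  # stage order given in the text: +/-4, then +/-1, then +/-2


def stage_controls(n):
    """Split n in [-7, 7] into per-stage shifts, each +k, 0 or -k."""
    if not -7 <= n <= 7:
        raise ValueError("shift amount outside [-7, 7]")
    sign = 1 if n >= 0 else -1
    return [sign * k if abs(n) & k else 0 for k in STAGES]


def stage_outputs(data, n):
    """Node values on the three stage output buses (positive n = left)."""
    word = (data & 0xFF) << OFFSET
    outs = []
    for s in stage_controls(n):
        word = (word << s) & MASK if s >= 0 else word >> -s
        outs.append(word)
    return outs


def shift(data, n):
    """Final shifter output, for checking the datapath itself."""
    return stage_outputs(data, n)[-1]


def charge(prev_data, data, n):
    """Nodes subjected to charge reversal when data follows prev_data."""
    before, after = stage_outputs(prev_data, n), stage_outputs(data, n)
    return sum(bin(a ^ b).count("1") for a, b in zip(before, after))


def charge_by_hamming_weight(n):
    """Map Hamming weight of the data byte -> set of observed charge values."""
    seen = {}
    for d in range(256):
        seen.setdefault(bin(d).count("1"), set()).add(charge(0, d, n))
    return seen


if __name__ == "__main__":
    for hw, q in sorted(charge_by_hamming_weight(5).items()):
        print(hw, sorted(q))
```

In this model every data byte with the same Hamming weight produces the same charge value, and the value grows with the weight, which is the data-dependent power profile a DPA-resistant design must avoid.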