Several embodiments described herein relate to masked memory cells and, in particular, to masked memory cells using the available resources more efficiently while preserving the functionality of the masked (maskable) memory cell.
In the field of security applications, for memory circuitry in particular, various methods of attack are known from which memory circuitry is to be protected. The differential power analysis (DPA) is a common technique for attacking ICs (IC=integrated circuit) and/or memory circuitry. These attacks also serve for assessing the sensitivity of packages to security applications with respect to deliberate attacks on “confidential” information such as passwords or cryptographic keys. For a given program or a given algorithm, in these attacks, power profiles measured by statistical methods and/or their charge integrals calculated over one or more clock cycles are evaluated wherein, for a multitude of program executions, conclusions to the information to be protected may be drawn from the correlation of systematic data variation and a respective charge integral.
One way to at least substantially impede DPA attacks consists in exchanging or transferring data among subsystems of an IC encrypted, as far as this is possible. One possible cryptosystem for this purpose, as it is proven safe, is the so-called one-time-pad encryption. In this method, plain texts m=(m1,m2, . . . ) encoded as a bit sequence are encrypted with keys k=(k1,k2, . . . ) obtained from truly random sequences, according to c=e(k,m)=(k1⊕m1,k2⊕m2, . . . ), that is, a bit cj of the ciphertext c=e(m,k) results from the XOR operation kj⊕mj of the corresponding bits of key k and plaintext m. Due to k⊕k=0 and 0⊕k=k, kj⊕cj=mj holds true, that is, the decryption of c so as to restore the plaintext m, takes place according to the same bitwise XOR operation.
In the one-time-pad cryptosystem, it is important that each key sequence be used only once each for the encryption and the decryption, as otherwise information on plaintexts may be determined by means of statistical methods.
FIG. 1 shows an example of an array of maskable memory cells developed to overcome the problem of having to transport data stored in a memory cell without encryption, i.e. applying one-time-pad encryption simultaneously with read-out of the stored data, as it is explained in more detail below.
For the following considerations, one exemplary memory cell 160 of the memory cell array of FIG. 1 will be discussed.
FIG. 1 shows an mROM cell 160. The mROM cell 160 is programmed to logic 0, wherein a programming to logic 1 is denoted by connections drawn in dashed lines. The mROM cell 160 shows a word line 150 at which a binary query signal may be applied. Furthermore, the mROM cell 160 exhibits a first output 110 for a first binary value bl and a second output 120 for a second binary value blq, which is complementary to the first binary value bl. Furthermore, the mROM cell 160 exhibits a first input 130 for a first mask value m and a second input 140 for a second masking value mq, which is complementary to the first masking value m (together being a valid mask signal comprising two logically complementary subsignals m and mq).
In the following Figures, the logic elements are predominantly realized by n-channel and p-channel FETs. Their control signals are indicated in small letters. For reasons of clarity, the introduction of additional reference numerals for all devices is omitted. Signals implemented in dual-rail logic are indicated by small letters such as m and bl in FIG. 1, and the complementary components are indicated by a subsequent small-letter q such as mq and bq.
FIG. 1 shows an exemplary implementation of an mROM cell 160 having n-channel FETs. This specific implementation only represents an embodiment and is not limiting, other embodiments are conceivable in implementations having p-channel FETs or other transistors and/or electrical switches. FIG. 1 further shows a first transistor 170, which is coupled to and controllable via the word line 150 (wl). The transistor 170 is on the one hand coupled to a reference signal or a reference potential 195 and, via a second FET 180, coupled to the output 110 for the first binary value. Furthermore, the transistor 170 is coupled, via a third FET 190 to the output 120 for the second binary value. The second FET 180 is controllable from the second masking value mq and/or via the input 140. The third FET 190 is controllable via the first masking value m and/or via the input 130.
The connection represented in FIG. 1 therefore corresponds to a stored logic 0, wherein the dashed lines denote the control of the transistors 180 and 190, for the case that a logic 1 were stored. The consideration of the embodiment of the stored logic 0 is not meant limiting.
During readout, the bit-line pair (bl,blq), for an activated word line, wl=1, and with the masking values (m,mq)=(0,1), is brought from its precharge state (1,1) to the state (0,1), whereas for (m,mq)=(1,0), the denotations of bl and blq are interchanged as (bl,blq) then assumes the state (1,0). Sufficiently frequent interchanging of (m,mq) also each time interchanges the denotations of bl and blq. The risk of a DPA attack may thus be reduced and probing is also substantially impeded.
FIG. 2 shows a generalization of the concept of FIG. 1 to re-writeable RAM-cells. The basic functionality of the masking operation is essentially the same as previously discussed in FIG. 1. Considering, as an example, memory cell 200, the data stored within the memory cell is, as usual, preserved using two latched inverters 202a and 202b. As compared to a ROM cell, when implementing dual-rail-logic with RAM cells, both states stored within the latched inverters have to be accessed simultaneously, thus using two read/write transistors 204a and 204b, which are activated by word line 210. As the two possible logical states may be stored within the latched inverters 202a and 202b, it is mandatory to be able to switch each of the outputs to either of the bit lines 220a and 220b. Therefore, four control transistors 230a, 230b, 240a and 240b are required, which are, equivalent to the memory cell of FIG. 1, controlled by the mask-bit-lines 250a and 250b. 
In order to operate an array of maskable memory cells, a suitable access logic is required, as shortly summarized below.
The block diagram in FIG. 3 shows an mROM address and/or data flow. FIG. 3 shows an address latch with single-to-dual-rail conversion 810. FIG. 3 further shows a masked address decoder 820 operative to split the addresses in address positions indicating a row of memory cells to be accessed (mAdr_msb) and a column of memory cells to be accessed (mAdr_lsb). A word-line driver 830 is used to address the rows to be accessed. The masked ROM cell 840 may be assembled according to a plurality of masked ROM cells of the embodiment of FIG. 1. FIG. 3 further shows a masked bit-line multiplexer 850 with a peripheral connection and a control block 860 providing enable-signals for the individual components and therefore realizing a self-clocking.
The control block 860 further coordinates the precharge states of the individual components. The address latch 810 is externally provided with address inputs mAdr having a width of a bits, which are masked with a mask resulting from a further input signal mask having a width of m bits. From these two input signals, the address latch 810 may forward the mAdr_msb (msb=most significant bit) highest-order addresses with a width of a_msb bits to the masked address decoder 820 for selection, which, based on a mask mask_msb with a width of m_msb bits performs a demasking thereof.
The mask signal mask_msb results from the input signal mask.
The masked address decoder 820 may now forward the signals mask_Wl with a width of m_mWl bits to the word-line driver 830 for the demasking of the signals mWl with a bit width of a_mWl. The word-line driver 830 is capable of extracting, from these signals, the word-line signals with a width of a_mWl bits, which are present as plaintext. Based on these signals, the masked ROM cell 840 may now read an address area and provide same to the masked bit-line multiplexer 850 with a width of d_mbl bits in a signal mBl. The masked bit-line multiplexer 850 further receives, from the address latch 810, the signals mAdr_lsb (lsb=least significant bit) with a width of a_lsb bits and the signal mask_lsb with a width of m_lsb bits for the masking thereof. Based on these signals, the masked bit-line multiplexer 850 may extract the desired data from the data area provided by the masked ROM cell field 840 and provide same at the output as mDo with a width of d bits. The mask bit-line multiplexer further receives, from the address latch, the signal mask_dbl, which same forwards to the masked ROM cell field 840, and on the basis of which the data areas may be masked, that is, these signals allow the bitwise switching between normal and complementary representation of the data area.
That is mAdr stands for the a-bit-wide masked address inputs, mask represents the m-bit-wide masks for at least mAdr and mDo, the d-bit-wide outputs masked with mask. The signals mAdr_msb, which are a_msb bits wide, comprise the highest-order (dual-rail) addresses for the selection of a_mWl masked word lines mWl, mask_msb and mask_Wl comprise the corresponding m_msb-bit or m_mWl-bit-wide masks, respectively. The signals wl comprise the a_mWl-bit-wide word lines and in general several mROM cell fields, which may be read in parallel and are present as plaintext in the embodiment considered. The signal mbl comprises the d_mbl-bit-wide bit-line pairs masked with the m_mbl-bit-wide masks of generally several mROM cell fields, from which the d-bit-wide data outputs mDo are selected with the mAdr_lsb-bit-wide lowest order and with the m_lsb (the a_lsb-bit-wide lowest-order dual-rail addresses masked with the m_lsb-bit-wide masks mask_lsb).
As becomes apparent from the previously described implementations, masking and dual rail implementations use complex memory cells and operating circuitry, to fulfill the enhanced security requirements.