The present invention relates generally to processors and controllers and standard cells for arithmetic logic units (ALUs) in such processors and controllers.
A standard cell for ALUs in microcontrollers may be implemented using a semi-custom design style. Chip card controllers have to meet high requirements in terms of resistance to invasive probing and/or non-invasive differential power analysis (DPA) of security-critical information. One prior art device uses bitwise XOR masking of all data using time-variant masks, so-called “one-time pad (OTP)” masks.
FIG. 1 shows a so-called “mirror adder”, a conventional full adder cell 10 which implements the equationsco—n= a·b+b·ci+ci·a  (1)s_n= a⊕b⊕ci  (2).
The mirror adder thus logically combines the two operand bits a and b and the carry-in bit ci in order to obtain the inverted carry-out bit co_n and the inverted sum bit s_n. In a standard-cell implementation of the mirror adder, co_n and s_n are usually additionally inverted by two inverters so that then the outputs of the mirror adder cell are usually the carry bit co and the sum bit s.
When output signals produced by a conventional full adder are supplied with masked input data, the equationsy=a·b+b·c+c·a  (3)z=a⊕b⊕c  (4)are transformed under the “masking operation”, that is, the XOR combination{circumflex over (x)}=x⊕k  (5)of x=a, b and c with an OTP bit k.
One then obtains â·{circumflex over (b)}+{circumflex over (b)}·ĉ+ĉ·â=(a·b+b·c+c·a)⊕k=y⊕k=ŷ and â⊕{circumflex over (b)}⊕ĉ=a⊕b⊕c⊕k=z⊕k={circumflex over (z)}. The “full adder equations” are form-invariant (covariant) under the “masking operation”: from input data masked with k, the full adder computes output data which is also obtained when output data from unmasked input data is masked with k.