1. Field of the Invention
The present invention relates to a decryption circuit, an encryption circuit, a logic cell as well as a method of performing a dual-rail logic operation in a single-rail logic environment, and in particular to an implementation, in terms of circuit technology, of the decryption circuit and the encryption circuit as well as of the logic cell in an integrated circuit.
2. Description of Prior Art
Integrated circuits (ICs) are implemented by means of standard cells. A standard cell, also referred to as logic cell below, performs a specific logic function in this context. In security ICs, cryptographic algorithms are implemented in standard cells.
Typically, switching networks and switch mechanisms of an IC are implemented, in microelectronic terms, such that each bit of a state stored in a register is physically represented by exactly one electrical node at a register output. Such an embodiment is referred to as “single-rail” circuit technology. In single-rail circuit technology, what applies to all nodes in a combinational switching network, between registers as well as for their inputs, is that generally exactly one electric node corresponds to a logical value of an in-between-states bit and/or its complement.
Switching networks and switch mechanisms for security-relevant applications, in particular, must be protected against attacks. Differential power analysis (DPA) is one of the most important methods of attack on ICs for security applications. For this reason, DPA is also employed for evaluating a sensitivity of ICs toward specific attacks on confidential information, such as passwords or cryptographic keys. With DPA, measured current profiles of the IC, or charge integrals calculated across one or several clock cycles, are evaluated by statistical methods for a given program and/or a given algorithm. For a multitude of program executions, conclusions are then drawn, from a correlation of systematic data variations and the respective charge integral, as to the information to be protected.
One possibility of at least substantially impeding attacks is to exchange, or transmit, data between sub-systems of the IC only in an encrypted form as far as possible. The crypto-system which is best suited for this purpose because it is provably secure is so-called one time pad encryption. A plain text m=(m1, m2, . . . ) encoded as a bit sequence is encrypted, in accordance with an XOR operation, or XOR linkage, into an encrypted text c with a key k=(k1, k2, . . . ), e.g. k=100110001011 . . . , obtained from a true random sequence. The encrypted text c results from the operation, or linkage, c=e(m, k)=(k1 XOR m1, k2 XOR m2, . . . ). This means that a bit cj of the encrypted text c=e(m, k) results from the XOR operation kj XOR mj of the corresponding bits of key k and plain text m. kj XOR cj=mj is true because of k XOR k=0 and 0 XOR k=k. A decryption of the encrypted text c to restore the plain text m is performed in accordance with the same bitwise XOR operation. For a one time pad cryptosystem it is important that each key sequence be used only once for encrypting and decrypting, since otherwise information about plain texts may be determined by statistical methods.
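The bitwise operation described above, and the reason each key sequence may be used only once, as an added example that is not part of the original document. The key is the twelve key bits quoted in the text; the plain texts M1 and M2 and the OneTimePad helper are constructed for illustration.

```python
def bits(s):
    """Turn a string such as '1001' into a list of bits."""
    return [int(ch) for ch in s]

def xor_bits(a, b):
    """c_j = a_j XOR b_j for two bit sequences of equal length."""
    if len(a) != len(b):
        raise ValueError("sequences must have the same length")
    return [x ^ y for x, y in zip(a, b)]

class OneTimePad:
    """Hypothetical key store that hands out every key bit exactly once."""
    def __init__(self, key_bits):
        self.key = list(key_bits)
        self.pos = 0

    def take(self, n):
        if self.pos + n > len(self.key):
            raise RuntimeError("pad exhausted: refusing to reuse key bits")
        chunk = self.key[self.pos:self.pos + n]
        self.pos += n
        return chunk

def encrypt(m, pad):
    """c = e(m, k) with fresh key bits; decryption is the same XOR."""
    return xor_bits(m, pad.take(len(m)))

K = bits("100110001011")    # the key bits quoted in the text
M1 = bits("110000111010")   # constructed plain text
M2 = bits("011011000110")   # constructed plain text

def roundtrip():
    """k XOR c restores m, because k XOR k = 0."""
    c = encrypt(M1, OneTimePad(K))
    return xor_bits(c, K) == M1

def reuse_leak():
    """Same key used twice: the key cancels and c1 XOR c2 = m1 XOR m2."""
    c1 = xor_bits(M1, K)
    c2 = xor_bits(M2, K)
    return xor_bits(c1, c2)
```

The value returned by reuse_leak() does not depend on K at all, which is the statistical foothold the text warns about; the OneTimePad helper shows one way to make reuse fail loudly instead.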
Unlike conventional single-rail logic, wherein each bit within a data path or signal path is represented physically by precisely one electric node k of a switching network or switch mechanism, with an implementation in a so-called dual-rail logic, each bit is represented by two nodes k and kq, this bit having a valid logical value if k corresponds to the true logical value b of this bit, and if kq corresponds to the negated value bn=not (b).
A desired invariance of the charge integrals is achieved in that a so-called precharge state is inserted between two states, respectively, with valid logical values (b, bn)=(1,0) or (0,1), for which precharge state both k and kq are charged to have the same electrical potential, i.e. adopt logically invalid values (1,1) or (0,0). Thus, for the precharge state (1,1), a state sequence may be as follows:
(1,1)->(0,1)->(1,1)->(1,0)->(1,1)->(1,0)->(1,1)->(0,1)-> . . .
For any such state sequence, the following is true: with any transition (1,1)->(b, bn), precisely one node is charge-reversed from 1 to 0, and for all (b, bn)->(1,1), precisely one node is charge-reversed from 0 to 1. This is true independently of a logically valid value b of the state bit in question. This applies analogously to state sequences having a precharge state of (0,0).
The consequence is that the charge integrals corresponding to these state sequences are independent of the sequence (b, bn) of the logically valid values, provided that care is taken for nodes k and kq to have the same electrical capacitances. The current profile of a data path thus implemented therefore does not depend on time-related variations of the data to be processed. It is thus DPA-resistant.
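The transition counting behind this argument, as an added example that is not part of the original document. It models each node as an ideal 0/1 value with equal capacitance (the assumption stated in the text) and counts charge reversals per cycle for a single-rail node and for a dual-rail pair (k, kq) with a precharge state; the function names are chosen here for illustration.

```python
def toggles(prev, cur):
    """Return (falling, rising) node counts between two node-state tuples."""
    falling = sum(1 for p, c in zip(prev, cur) if p == 1 and c == 0)
    rising = sum(1 for p, c in zip(prev, cur) if p == 0 and c == 1)
    return falling, rising

def single_rail_profile(data, start=0):
    """Charge reversals per cycle when one node carries each bit directly."""
    profile, prev = [], (start,)
    for b in data:
        cur = (b,)
        profile.append(sum(toggles(prev, cur)))
        prev = cur
    return profile

def dual_rail_profile(data, precharge=(1, 1)):
    """(falling, rising) per cycle for nodes (k, kq) = (b, not b),
    with the precharge state inserted between valid states."""
    profile = []
    for b in data:
        valid = (b, 1 - b)
        f1, r1 = toggles(precharge, valid)   # precharge -> (b, bn)
        f2, r2 = toggles(valid, precharge)   # (b, bn) -> precharge
        profile.append((f1 + f2, r1 + r2))
    return profile

# Valid values b of the state sequence shown in the text:
# (1,1)->(0,1)->(1,1)->(1,0)->(1,1)->(1,0)->(1,1)->(0,1)
SEQ_FROM_TEXT = [0, 1, 1, 0]
ALL_ONES = [1, 1, 1, 1]      # constructed comparison input

def profiles_match(a, b, precharge=(1, 1)):
    """True if two data sequences give identical dual-rail profiles."""
    return dual_rail_profile(a, precharge) == dual_rail_profile(b, precharge)
```

For the single-rail node the per-cycle count follows the data, while the dual-rail pair shows exactly one falling and one rising node in every cycle for either precharge state.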
DPA-sensitive circuits are conventionally implemented either in dual-rail circuit technology or in single-rail circuit technology in combination with a one time pad encryption. Both forms have disadvantages regarding their implementations. Implementation of DPA-sensitive circuits as a fully customized macro in dual-rail circuit technology requires high expenditure in terms of circuit architecture, circuit implementation, layout, functional verification, system integration as well as system testing. On the other hand, encrypted computing in single-rail circuit technology requires a very high expenditure in terms of circuitry, and thus in terms of area.