1. Field of the Invention
The present invention relates to a logic circuit and a method for calculating a result operand from a first input operand and a second input operand according to a combination rule, wherein the logic circuit and the method may be employed for security-relevant applications, in particular.
2. Description of the Related Art
Circuits employed for the processing of security-relevant data are designed, if possible, so that the data to be processed is protected from attackers attempting to obtain the safety-relevant data by an analysis of the circuit. Due to SPS/DPA (simple power attack/differential power attack) attacks, it is necessary for high-security applications to design the current consumption of an integrated circuit independently of the processed data.
This problem may be solved by a dynamic dual-rail circuit technology the design, characterization, and verification of which is, however, time-consuming. A library based on the dynamic dual-rail circuit technology cannot be synthesized, due to the precharge signals required for a precharge state between the data states, and is not suited for static timing analyses.
A static implementation of circuitry for processing two dual-rail signals is described in the patent document DE 103 44 647 B3. The dual-rail signals have precharge signals with precharge values between valid data values. Valid data values are characterized in that respective logic states inverted with respect to each other exist on both individual signals of the dual-rail signal. Precharge values are characterized in that the same logic states exist on both signals of a dual-rail signal. According to the patent document, the precharge values present at the inputs of the circuitry are passed through onto an output of the circuitry.
The patent document mentioned does not deal with encrypted signals.
In the “masking” technology, internal signals are encrypted by a mask. Here, special new logic cells capable of generating an also encrypted output signal ZM from masked input signals AM and BM as well as a mask M are employed.
FIG. 18 shows a block circuit diagram of such a logic cell with the masked inputs AM, BM, an input for the mask M, and an output for outputting the encrypted output signal ZM.
The underlying masking is described on the basis of FIGS. 19a and 19b. 
FIG. 19a shows a table of values for an XOR combination. Here, the signals A, B, Z are not encrypted. The table of values for the XOR2 combination is based on the equation A xor B=Z.
FIG. 19b shows a table of values of an XOR combination for masked signals AM, BM, ZM, wherein the mask M is used. The encryption or masking is an XOR combination of the signals AM, BM, ZM with the value of the mask M. Thus, AM=AM XOR M; BM=BM XOR M; ZM=ZM XOR Mapplies. The shown table of values of the masked XOR2 combination is based on the equation ((AM xor M) xor (BM xor M)) xor M=ZM.
From the document “Side-Channel Leakage of Masked CMOS Gates; Stefan Mangard, Thomas Popp, Berndt M. Gammel”, it is known that possible glitches, i.e. spurious impulses, render the logic vulnerable in a single-rail realization of the masked circuit technology.
One possibility for secure encryption of masked signals consists in a masked dual-rail precharge logic. As with unencrypted dual-rail, the signals encrypted with the mask M and also the mask itself are embodied twice. Thus, there are two dual-rail input signals AM, AMN, and BM, BMN, as well as a dual-rail mask M, MN. Furthermore, an idle phase is introduced between two valid value sequences. The idle phase is a precharge state, or also called “precharge”, between two evaluate phases, also called calculation cycles in the following. As with unencrypted dual-rail, an alternating sequence of the two states develops:
Evaluate→Idle→Evaluate→Idle→Evaluate→Idle→Evaluate . . . .
FIG. 20 shows a logic basic function, reduced by precharge states, which has to be realized by a masked dual-rail precharge logic for an XOR combination.
Due to glitches, which occur in every CMOS circuit, a masked dual-rail circuit nevertheless is vulnerable.
In particular, at a transition from a calculation cycle, i.e. a cycle with valid data values at the inputs, to a precharge cycle, i.e. a cycle in which precharge values are present at the input, or at a reverse transition, spurious impulses may occur.
In particular, this is the case when, at the transition from the calculation cycle to the precharge cycle, the precharge value is already present on an input signal, but a valid data value is still present on the other input signal. In this case, a precharge value may already be output at the output, or also still a data value. It is also not impossible that several different data values are output at the output at a transition in the meantime, before finally outputting precharge values at the output. The same problem occurs in the transition from precharge cycle to the calculation cycle. When a valid data value is already present at one of the inputs, but still a precharge value at the other input, it is again open whether already a valid data value, changing data values, or still a precharge value is present at the output. These insecurities may lead to spurious impulses and represent a point of attack for most recent attack scenarios in which it is attempted to recognize different switching time instants and then assess the current course correspondingly by a higher temporal resolution of the current consumption of a circuit.