The invention relates to a method and a detector circuit for detecting short-lasting voltage pulses (spikes) in a power supply voltage, and to a data processing unit such as, in particular, a smart card.
When operating electronic apparatuses, it is important to protect them against fluctuations of the power supply voltage for the apparatus. Such fluctuations may occur under the influence of the circuit but may also be attempts to manipulate the circuit. The latter will hereinafter be elucidated by way of example with reference to a smart card.
Smart card controller chips have in common that security-relevant data are stored in these cards, which data should be absolutely protected against abuse by third parties. One of the many possible attack scenarios is the operation of the circuits with power supply voltages outside the specified or allowed range. An attack with static voltages will generally have no effect because circuits of this type are customarily protected adequately by voltage sensors. It is, however, feasible to attack the power supply voltage with short pulses which may be both negative and positive. When the width of these pulses is shorter than the reaction time of the voltage sensors but longer than the response time of the circuit to these events, such an attack might be successful.
It is therefore an object of the invention to provide a method and a circuit for detecting short-lasting voltage pulses (spikes) in a power supply voltage with which a microelectronic circuit, such as, in particular, a smart card controller chip, can be protected against such spikes. The function of this detector circuit and the protection should, in particular, also be ensured independently of the value of the power supply voltage during a spike.
This object is achieved by a detector circuit as defined in claim 1, a data processing unit as defined in claim 9 and a method as defined in claim 10. Advantageous embodiments are defined in the dependent claims.
According to the invention, the detector circuit for detecting short-lasting voltage pulses in a power supply voltage comprises the following elements:
a) a first memory for storing a typically electric energy provided by the power supply voltage;
b) a second memory for energy, which second memory is connected to the first memory via a switch;
c) a comparator which is connected at its input to the power supply voltage and to at least a reference voltage, and whose output is coupled to the switch in such a way that it closes said switch when the power supply voltage is outside a predetermined voltage interval;
d) an output circuit which is connected at its input to the second memory and is adapted in such a way that it generates an output signal when the energy in the second memory exceeds a predetermined threshold value.
The detector circuit described ensures a secure function during the occurrence of a spike in the power supply voltage, with a continued indication of this spike beyond its duration. This secure function is achieved in that energy is stored in the first memory during normal operation, which energy is available in the case of a spike determined by the comparator and which is to be evaluated by the output circuit. For this purpose, said energy is passed from the first memory to a second memory where it is detected by the output circuit and can be used for generating an output signal indicating a spike when a threshold value is exceeded. This output signal may be available as long as the energy in the second memory is above the threshold value. Accordingly, the output circuit can indicate the detection of a spike even when this spike has already finished and the switch between the first and the second memory has already been opened again by the comparator. Such a continuing indication is advantageous because it allows a main circuit connected to the detector circuit, such as, for example, a smart card controller chip, to react appropriately to the occurrence of the spike only after the spike has decayed. During the spike itself, such a reaction by the main circuit is not ensured with sufficient certainty because it is the spike which may lead to a disturbance of the power supply voltage and hence of the main circuit.
There are several possibilities for the definition of the interval within which the power supply voltage must lie so as to prevent the comparator from being activated. For example, this interval may be particularly defined by a predetermined lower reference voltage and a predetermined upper reference voltage. However, similarly, the upper limit of the interval may be mathematically at an infinite value so that the comparator is only activated at a value falling below a predetermined lower reference value. This reference value may be particularly constituted by the average value of the power supply voltage or by the ground potential. It is of course also possible to activate the comparator only when a predetermined upper reference value is exceeded, by predetermining a negatively infinite lower interval limit.
The detector circuit preferably comprises an integrator connected to the power supply voltage, the output of this integrator being connected to the first memory. Such an integrator may form a moving average of the power supply voltage and may be used for charging the first memory and possibly for operating further parts of the detector circuit.
In accordance with a further embodiment of the detector circuit, the second memory is constituted in such a way that it is self-discharging at a predetermined time constant. Energy once stored in this second memory is thus automatically dissipated again so that the energy in the second memory falls below the threshold for activating the output circuit after a certain period of time. It is thereby ensured that the indication of a detected spike by the output signal of the output circuit is eliminated again after a predetermined maximum period of time which is dependent on the charge state of the second memory.
In accordance with a further embodiment of the detector circuit, a delay circuit for delaying the energy stream is arranged in the connection between the first memory and the second memory. This delay circuit ensures that the energy in the first memory does not flow too fast or instantaneously into the second memory when a spike occurs, but that it requires a given period of time for this purpose. When a spike is very short, therefore, a correspondingly small amount of energy is transported to the second memory so that it may not be sufficient to exceed the threshold value for activating the output circuit. A possibly unwanted detection of too short spikes is thus prevented by the delay circuit.
The first memory of the detector circuit may in particular be constituted by a first capacitor connected between ground and the power supply voltage, which capacitor stores energy from the power supply voltage in the form of charge. The connection of the capacitor to the power supply voltage is preferably established by means of a first resistor so that an RC element is obtained which simultaneously forms an average value (integration) and stores the power supply voltage. Moreover, a diode, which becomes conducting when its threshold voltage is exceeded and thus ensures a faster recharging of the capacitor, may be arranged parallel to said first resistor.
For realizing the comparator, a first transistor may be used whose gate (base) is connected to the power supply voltage, whose source (emitter) is connected to the first memory and whose drain (collector) is connected to the second memory. The connection of the drain to the second memory is preferably established via an interposed second resistor. A transistor used as described compares the voltage at the first memory with the power supply voltage at the gate and is turned on when the difference between these voltages exceeds the threshold voltage of the transistor. In this case, the transistor connects the first memory to the second memory so that this can lead to a (partial) transfer of the stored energies. The optional second resistor in the connection between the first and the second memory ensures a possibly desirable delay of the charging process between the memories.
The second memory may in particular be constituted by a second capacitor whose first terminal is directly or indirectly connected to the comparator output and whose second terminal is directly or indirectly connected to ground. Such a capacitor may store energy in the form of charge. The first terminal of the second capacitor connected to the comparator output is preferably also connected to ground additionally via a third resistor. A time constant, at which the second capacitor is automatically discharged, can then be predetermined via this third resistor. Energy once stored in the second capacitor is thus dissipated automatically again so that an activation of the output circuit is terminated at the end of a maximal period of time.
In accordance with a further embodiment of the last-mentioned realization of the detector circuit, the output circuit is constituted by a second transistor whose gate (base) is connected to the first terminal of the second capacitor and whose source (emitter) is connected to ground, and from whose drain (collector) the output signal can be tapped. The output signal of this transistor indicating a spike thus consists in its drain being pulled towards ground potential (LOW state). Furthermore, the transistor is turned on by the energy in the second memory. Both characteristic features ensure that the function and the output signal of the transistor are independent of the current value of the (disturbed) power supply voltage.
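The realization described above (first capacitor charged via the first resistor, comparator transistor, second resistor as delay, second capacitor with discharge resistor, output transistor) can be checked with a small behavioural simulation. This is an added example, not part of the original text: all component values, thresholds and spike waveforms are assumed, the transistors are modelled as ideal switches, and the optional diode parallel to the first resistor is omitted.

```python
# Behavioural model of the detector described above. All component values,
# thresholds and waveforms are assumed for illustration, not from the text.
VDD = 1.8                  # nominal supply voltage [V]
R1, C1 = 100e3, 10e-12     # first resistor and first capacitor (first memory)
R2 = 1e3                   # second resistor: delays the C1 -> C2 transfer
R3, C2 = 1e6, 2e-12        # third resistor (self-discharge), second capacitor
VTH1 = 0.5                 # first transistor conducts when V(C1) - supply > VTH1
VTH2 = 0.6                 # second transistor conducts when V(C2) > VTH2


def simulate(spike_ns, spike_level=0.0, start_ns=100.0, end_ns=3000.0, dt_ns=0.05):
    """Forward-Euler run with one negative spike on the supply.

    Returns (peak V(C2), time the output first went LOW, time it was last LOW),
    times in ns; both times are None if no spike was indicated."""
    dt = dt_ns * 1e-9
    v1, v2 = VDD, 0.0      # C1 charged in normal operation, C2 empty
    peak, first, last = 0.0, None, None
    for k in range(int(end_ns / dt_ns)):
        t = k * dt_ns
        supply = spike_level if start_ns <= t < start_ns + spike_ns else VDD
        i_r1 = (supply - v1) / R1                   # C1 follows the averaged supply
        on = (v1 - supply) > VTH1 and v1 > v2       # comparator closes the switch
        i_sw = (v1 - v2) / R2 if on else 0.0        # energy passed from C1 to C2
        i_r3 = v2 / R3                              # C2 self-discharge
        v1 += (i_r1 - i_sw) / C1 * dt
        v2 += (i_sw - i_r3) / C2 * dt
        peak = max(peak, v2)
        if v2 > VTH2:                               # output drain pulled LOW
            first = t if first is None else first
            last = t
    return peak, first, last


if __name__ == "__main__":
    for width in (0.3, 20.0):                       # constructed spike widths [ns]
        peak, first, last = simulate(width)
        print(f"{width:5.1f} ns spike: peak V(C2)={peak:.2f} V, LOW from {first} to {last} ns")
```

With these assumed values the 20 ns spike drives the output LOW within about a nanosecond and keeps it LOW long after the supply has recovered, while the 0.3 ns spike transfers too little charge through the second resistor to be indicated.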
The invention also relates to a data processing unit which may in particular be a smart card. The data processing unit is characterized in that it comprises a detector circuit of the type described above for detecting short-lasting voltage pulses (spikes) in the power supply voltage, the output circuit of this detector circuit being coupled to an error treatment circuit of the data processing unit. The error treatment circuit reacts appropriately to the occurrence of a spike in the power supply voltage, which is indicated by the output signal of the detector circuit. In a smart card, this provides a particularly effective protection against attempted attacks on the circuit by spikes impressed on the power supply voltage.
The invention also relates to a method of detecting voltage spikes in a power supply voltage, which method comprises the steps of
a) storing energy provided by the power supply voltage in a first memory;
b) passing on said energy to a second memory when the power supply voltage is outside a predetermined interval;
c) generating an output signal by means of the energy in the second memory, when the energy in the second memory exceeds a predetermined threshold value.
A secure detection of spikes in the power supply voltage is possible by means of said method, because only energy previously stored in the first memory is used for generating the output signal. The method thus does not depend on a power supply voltage that allows the output signal to be generated being available during the period of a spike. The method may in particular be carried out with a detector circuit of the type described hereinbefore, in which the detector circuit variants described lead to corresponding further embodiments of the method.