1. Field of the Invention
The present invention relates to the decryption and encryption during write accesses to a memory, as it is used for securing data with chip cards or smart cards, for example.
2. Description of the Related Art
For protection against unauthorized spying out stored information, in various applications, the memory contents of the memory are encrypted. In the field of cashless payments, for example, amounts of money are stored on chip cards in encrypted manner, to protect it from unauthorized spying out or from manipulation, such as unauthorized amount changes.
An unauthorized person acquires the plain text underlying the encrypted information stored in the memory by statistical analysis of the cipher text stored on the memory, for example. This statistical analysis, for example, includes an analysis of the probability of occurrence of certain cipher text data blocks or the like. In order to make this statistical analysis more difficult, it is desirable that the same plain texts located at different memory positions of the memory in encrypted form are not present there in form of identical cipher text texts.
One possibility to ensure the encryption of plain texts at different memory positions into different cipher texts is to use the so-called cipher block chaining method for encryption, i.e. operating a block cipher in the CBC mode, as it is described in the Handbook of Applied Cryptography, CRC Press, NY, 1997, page 230, for example. In the CBC mode, the cipher text of the preceding plain text data block, such as the plain text data block with an address in the memory lower by 1 or higher by 1, is always employed for encryption of a plain text data block. The CBC mode has the disadvantage that an individual isolated datum in the memory can only be decrypted when the entire or at least part of the chain of the sequential data is decrypted. As a result, no direct access to data within the CBC chain is possible. Going through the cipher chain again costs valuable computation time and consumes unnecessarily much current, which is of disadvantage particularly with smart cards used in battery-operated devices, such as mobile phones, or with chip cards in which the customers of the chip card issuers demand as-short-as-possible transaction times at the terminals.
Another possibility to ensure that the same clear texts located at different memory positions are encrypted into different cipher texts is the generation of address-dependent keys for encrypting the plain texts. The use of address-dependent keys takes advantage of the fact that a fixed memory space, and thus a fixedly associated address, is associated with a datum to be stored and to be encrypted, and that the encrypted, stored datum is and remains stored exactly at this fixedly associated address until it is again read out on the basis of this address. From a present secret master key and the address information for a memory position or an individually addressable unit, an individual key with which the datum concerned can be encrypted in a write process and decrypted in a read process may now be generated.
On the basis of FIGS. 4 and 5, a previously possible construction of systems with address-dependent encryption, as it could be implemented previously, is described. FIG. 4 shows the rough construction of an arrangement with memory encryption. The arrangement includes a CPU 900, a cache memory 902, an encryption/decryption apparatus 904, and a memory 906. CPU 900 and cache 902 are connected to each other via a bus 908. The bus 908 includes an address bus 908a and a data bus 908b. Likewise, the cache 902 and the encryption/decryption apparatus 904 are connected to each other via a bus 910, which again consists of an address bus 910a and a data bus 910b, whereas the encryption/decryption apparatus 904 and the memory 906 are connected to each other via a bus 912 consisting of an address bus 912a and a data bus 912b. 
In a write access, the CPU 900 now at first sends the ad-dress at which a datum is to be stored to the cache memory 902 via the address bus 908a. From there, the address proceeds further to the encryption/decryption apparatus 904, which again generates the address-individual key from the address, via the address bus 910a. The CPU 900 outputs the datum to be stored in unencrypted manner to the cache memory 902 on the data bus 908b. The cache memory 902 enters the pair of address and data to be stored, displacing another address/datum pair, and forwards the datum to be stored to the encryption/decryption apparatus 904. This encrypts the datum to be stored according to the address-individual key and outputs the cipher text for physical storage to the memory 906 via the data bus 912b. 
In the read process, the CPU 900 outputs the address to the cache memory 902 via the address bus 908a. It at first looks up whether the current memory content of this address is present in the cache memory. In case of a cache miss, the address proceeds further to the encryption/decryption apparatus 904 via the address bus 910a. From the address, it in turn generates the address-individual key and outputs the address to the memory 906 via the address line 912a. The memory 906 returns the memory content of this address to the encryption/decryption apparatus 904 as a response, which in turn converts the cipher text read out from the memory 906 to plain text data on the basis of the address-individual key and outputs the same to the cache memory 902 via the data bus 910b. The cache memory 902 then updates its entries by displacement of another address/datum pair and outputs the decrypted plain text datum to the CPU 900 via the data bus 908b. 
FIG. 5 illustrates the encryption/decryption apparatus 904 of FIG. 4 in greater detail. As can be seen, the encryption/decryption apparatus 904 includes an encryption unit 942, a key calculation module 944, and a decryption unit 946. The encryption unit 942 is provided to receive the blocks to be stored during store processes and to output encrypted blocks via the data bus 912b. Similarly, the decryption unit 946 is provided to receive blocks to be decrypted from the memory via the data bus 912b and to forward the same as decrypted blocks in the direction of CPU or cache via the data bus 910b. The key calculation module 944 is connected to the address busses 910a and 912a, which form a uniform address bus, as can be seen in FIG. 5. The key calculation module 904 is provided both during write and read processes, in order to convert the address on the address bus 910a or 912a to the address-individual key and output the same to a key input of the encryption unit 942 and the decryption unit 946, which in turn use this key for encryption and decryption themselves, respectively.
With the dashed line in FIG. 5, the encryption part 948 of the encryption/decryption apparatus 904 is again highlighted. As can be seen, the same includes the encryption unit 942 and the key calculation module 944. Each is in charge of a special task in the encryption, the encryption unit 942 for the encryption of the data block to be stored, and the key calculation module 944 for the generation of the address-individual key. Encryption unit 942 and key calculation module 944 each consist of hardware of their own, which is also different from the hardware of the decryption unit 946. Hence, address and block to be stored pass through physically different data paths in the encryption part 948, so as to obtain the address-individual key and the encrypted data block therefrom, respectively. Viewing the decryption part in isolated manner of course yields the like.
It is disadvantageous in the possibility of realization according to FIG. 5 that enormous hardware effort is required for memory backup. Hence, it would be desirable to have an encryption/decryption scheme for backed-up storage of data, which is less hardware-intensive in its realization or implementation. With chip cards and smart cards in particular, any saving in chip area does pay off extraordinarily, since these items are mass-produced items.
US 2002/0073326 A1 refers to the protection of stored data, using the memory address as an encryption key. As encryption key, the physical address, the logical address, or any other address depending on one of the two addresses in causal and predictable manner may be used.
EP 0 455 064 B1 is different from memory systems in which the stored data is protected using the memory address and undertakes protection of the stored data by providing, based on the data address of a datum to be stored or stored, at first a key address, which then points to a datum serving as an encryption key for the encryption of the datum to be stored or stored. According to a special embodiment, it is described that the provision of the key address takes place by setting bits of the data address to 0, whereupon the key address is used to generate an encryption key bit which is then subject to bit-wise XNORing with the byte stored in the data register. Furthermore, it is described that the generation of the encryption key byte takes place while the actual encryption of the datum from the data register is performed in an encryption circuit separate herefrom.