1. Field of the Invention
The present invention relates to a device for generating a pair of signals, a device for generating a recovered data signal, a device for carrying out a data path operation, and a device for storing a pair of signals, and particularly to a device for generating a pair of signals and a device for generating a recovered data signal allowing a secure transmission of a data signal via a data path.
2. Description of the Related Art
Integrated circuits (IC) carrying out security-relevant applications must be protected against external attacks. The differential power analysis (DPA) is a major method for attacking ICs for security applications and for assessing the susceptibility of ICs to specific attacks on confidential information like passwords or cryptographic keys. In DPA, a measured current profile of the IC and/or its charge integral calculated over one or more clock cycles is evaluated with statistical methods for a given program and/or a given algorithm. From a correlation of a systematic data variation and the associated charge integral, conclusions can be drawn with respect to the information to be protected for a variety of program executions.
Frequently microprocessors and microcontrollers are employed for security-relevant applications. In the core of a processing unit of modern microprocessors or microcontrollers, the so-called CPU (central processing unit), there is the data path. The data path constitutes an interconnection of all functional units for processing of data within the CPU. The interconnection takes place via line groups, so-called data busses, and includes characteristic functional units such as multiplexer, arithmetic logical unit (ALU), shifter and storage circuits referred to as register files.
On the one hand, a register file discussed in the following serves for storing and/or latching addresses and data required for the task just being processed by the CPU. Thus the register file may be understood as a scratchpad. Furthermore, the register file serves for a quick, random and simultaneous read access to generally at least two ALU operands, and a quick, random write access simultaneous to read accesses. For this, the register file comprises so-called write back ports serving for writing back results and/or intermediate results of ALU computing operations. Furthermore, the register file serves for loading and for transmitting addresses and data into and from the register file. For this, the register file comprises write/read ports serving for the communication with system parts external to the CPU data path.
In order to satisfy all these requirements with minimal area and energy consumption, register files are often implemented as multi-port memories, so-called multi-port RAMs (RAM=random access memory). A RAM consists of registers interconnected via their bit line groups, wherein a functional unit register is defined here as a set of homogeneous so-called one-bit register cells with the four properties of the register file listed above. The number of bits which may be stored in a register generally corresponds to a bit width of the data path. The number of ports corresponds to the maximum number of different accesses to be allowed simultaneously to different registers.
FIG. 6 shows a prior art one-bit register cell with the minimum number of four ports A, B, C, Z in the above sense. Port A comprises a bit line pair bla, blaq, and a word line wla. Port B comprises a bit line pair blb, blaq, and a word line wlb. Port Z comprises a bit line pair blzq, blz, and a word line wlz, and port C comprises a bit line pair blcq, blc, and a word line wlc. Normally, operands are read out via the ports A and B. Via port Z, a computing result is written back, and via port C, memory contents external to the data path are loaded and/or transmitted thereto.
The ports A and B are thus described as pure read ports. In case of a low potential level of the word lines wla and wlb, the n-channel transfer transistors 612 block. First, the nodes corresponding to the bit line pairs bla, blaq, and blb, blbq, respectively, are precharged to a high potential level Vdd and are then disconnected from the precharging device (not shown) provided for this per bit line pair in the periphery of the register file. The bit line pairs bla, blaq and blb, blbq, respectively, are then still at a high potential level Vdd, but they are no longer held there actively, i.e. by conductive connection with the supply voltage source, but only capacitively. This state referred to as floating state will be referred to as (H, H). Shortly afterwards, the bit line pairs bla, blaq and blb, blbq, respectively, are conductively connected to the nodes bit and bitq, respectively, within the cell 615 by word lines wla and/or wlb raised to a high potential level. Since one of the two nodes bit, bitq is at a low potential, the bit line bla, blaq, blb, blbq connected conductively therewith via the now opened transfer transistor 612 is also discharged to a low potential. Thus the bits to be read out are on the respective bit line pairs bla, blaq and blb, blbq and may be adopted by other parts of the data path, while the word lines wla, wlb are lowered back to a low potential to disconnect the memory cell again from the bit lines so that the bit lines may be prepared for the following access. A logical value 1 of a bit corresponds to a bit line pair value (1, 0), and a logical value 0 of a bit corresponds to a bit line pair value (0, 1).
Port Z is operated as pure write port. In the case of closed n-channel transfer transistors 614, the word line wlz is at a low potential level so that the transistors 614 block. First a bit to be written is transmitted from outside to the bit line pair blz, blzq, before the word line wlz is raised to a high potential level, node bit and bitq, respectively, thereby being conductively connected to the bit line pair blz and blzq, respectively, within the cell 615. A capacitive voltage divider existing immediately afterwards with generally very large bit line capacitances compared to capacitances within the cell, supported by an external write circuit (not shown) and a feedback within the cell, then lead to the value of the potential previously stored in the cell being overwritten with the one applied to the bit line pair blz, blzq. In this way, the word line wlz may be lowered back to a low potential to disconnect the memory cells again from the bit lines so that the latter may be prepared for the following access.
The cell depicted in FIG. 6 does not show which of the ports A, B, C, Z serve as read ports and which serve as write ports. This is determined by a temporal behavior impressed externally and/or by driving word lines wla, wlb, wlz and bit lines bla, blaq, blb, blbq, blz, blzq. Therefore both precharging and write and read drive circuits. (not shown in FIG. 6) are associated with port C described as write and read port in the periphery of the register file.
Normally, switching networks in ICs are implemented in a so-called single rail circuit technology. Here, each bit of an information to be processed is physically represented by exactly one electrical node. Single rail switching networks are susceptible to DPA attacks.
In order to prevent DPA attacks, ICs should ideally be designed so that they always provide the same current profile independent of the data to be processed. However this is not always the case for a single rail data path implementation. A charge integral associated with a temporal behavior of the states of a circuit is a function of the nodes and/or electrical capacitances which are electrically charge-reversed. Thus a single rail implementation is highly dependent on the temporal changes in the data to be processed.
For preventing the problem of variable charge integrals, the so-called dual rail logic is used for implementing the data paths. In contrast to the conventional single rail logic, in which each bit is physically represented within a data or signal path by exactly one electrical node k of a switching network or a logic device, in the case of an implementation with dual rail logic, each bit is represented by two nodes k and kq, wherein this bit has a valid logical value, then k corresponds to the true logical value b of this bit and kq corresponds to the negated value bn=|b. The register cell shown in FIG. 6 is realized in dual rail technology.
In dual rail technology, the desired invariance of the line integrals is achieved by a so-called precharge state, also referred to as precharge, being inserted between each two states with valid logical values (b, bn)=(1, 0) or (0, 1). In this precharge state, both k and kq are charged to the same electrical potential and thus adopt logically invalid values of (1, 1) or (0, 0). For a precharge state (1, 1), a state sequence could therefore be as follows:    (1, 1)→(0, 1)→(1, 1)→(1, 0)→(1, 1)→(1, 0)→(1, 1)→(0, 1)→ . . . ,
What applies for any such state sequence is that in any transition (1, 1)→(b, bn) exactly one node is charge-reversed from 1 to 0, and that for all (b, bn)→(1, 1) exactly one node is charge-reversed from 0 to 1, independent of the logically valid value b of the state bit in question.
This applies analogously to state sequences with the precharge state (0, 0).
The result, however, is that the charge integrals corresponding to these state sequences are independent of the sequence (b, bn) of the logically valid values, if the only thing taken account of is that the nodes k and kq have the same electrical capacitances. Thus the current profile of a data path such implemented does not depend on temporal variations of the data to be processed. It is thus resistant to DPA attacks. However, in real circuits the nodes k and kq normally have unequal capacitances.
FIG. 7 shows a data path consisting of two signal line pairs 702, 704. The data path is implemented in dual rail technology. That means that the line pair 702 comprises a signal line x and a signal line xq complementary to the signal line x. Likewise, the line pair 704 comprises a signal line y and a signal line yq complementary to the signal line y. The signal line pairs (x, xq) and (y, yq) have capacitances 712, 714, 716, 718 to a fixed potential denoted with C(*) and coupling capacitances 722, 724, 726 between the signal lines x, xq, y, yq denoted with C(*,#). In FIG. 7, only the coupling capacitances 722, 724, 726 between adjacent signal lines x, xq, y, yq are illustrated. The signal line x has the capacitance C(x) 712, the signal line xq has the capacitance C(xq) 714, the signal line y has the capacitance C(y) 716, and the signal line yq has the capacitance C(yq) 718. The signal lines x, xq are connected via the coupling capacitance C(x, xq) 722, the signal lines xq, y are connected via the coupling capacitance C(xq, y) 724, and the signal lines y, yq are connected via the coupling capacitance C(y, yq).
Depending on a precharge state and a subsequent logically valid state, some of the listed capacitances must be charge-reversed. In the following table, the sums of capacitances are given which are charged in the case of a transition from a precharge state (0, 0) to the logically valid states (0, 1) or (1, 0):
pre-(x, xq)(y, yq)chargetargettargetstatestatestateΔC(0, 0)(0, 1)(0, 1)C(x, xq) + C(y, yq) + C(xq, y) +C(xq) + C(yq)(0, 0)(0, 1)(1, 0)C(x, xq) + C(y, yq) + C(xq) + C(y)(0, 0)(1, 0)(0, 1)C(x, xq) + C(y, yq) + C(x) + C(yq)(0, 0)(1, 0)(1, 0)C(x, xq) + C(y, yq) + C(xq, y) +C(x) + C(y)
As can be seen from the above table, all coupling capacitances C(*,#)>0, that is coupling capacitances 722, 724, 726 differing from 0 and/or capacitances C(*)≠ C(*q), that is unequal capacitances 712, 714 of the first line pair 702 and unequal capacitances 716, 718 of the second line pair 704 yield data-depending capacitance sums ΔC and thus data-depending charge integrals.
Such data-dependent capacitance sums and charge integrals may still be used for DPA attacks. The dual rail technology thus does not offer an effective protection against DPA attacks.
A reduction of the problem of data-dependent effective coupling capacitances allowing a DPA analysis may be achieved by means of physically exchanging an arrangement of bit lines in certain intervals in the layout. This technology referred to as crossover of bit lines is primarily used in DRAMs. Data dependency of effective coupling capacitances may thus be reduced. However, data dependency of line capacitances with respect to a fixed potential remains. Therefore, a DPA analysis cannot be prevented by crossover. A further disadvantage of crossover are the considerable area requirements of this measure.