The invention relates to a circuit arrangement comprising complementary data lines, in particular data lines of a dual rail data bus or in the case of a memory circuit comprising a plurality of memory cells which are connected to complementary data lines, in a regular operating phase the complementary data lines carrying complementary signals, and in a precharge phase the complementary data lines assuming an identical logic state or the same electrical potential, and a device for detecting manipulation attempts. Moreover, the invention relates to a method for detecting manipulation attempts in the case of a circuit arrangement having complementary data lines, in a regular operating phase the complementary data lines carrying complementary signals, and in a precharge phase the signals on the complementary data lines being brought to an identical logic state. Moreover, the invention relates to a method for detecting manipulation attempts in the case of a circuit arrangement having complementary data lines.
In many circuits measures are provided in order to prevent data from being able to be read out from specific memory areas. This is necessary particularly when security-critical data are processed, as is often the case with smart cards. Smart cards are used as an authentication tool or for banking applications, which increases the security requirements. The measures for restricting access are implemented at the level of an operating system or an application, a limitation to specific address ranges or specific addresses being performed. The protective measures make it possible to ensure that only specific users or specific applications can access security-critical data.
Attackers assume the aim of overcoming the security measures implemented and of obtaining access to secret data. A further aim may be to gain knowledge about the construction of the circuit.
Attack Possibilities
In order to attain the desired information about memory content or circuit construction, firstly so-called reverse engineering is carried out, in the course of which the integrated circuit is analyzed. Afterward, inter alia, the functioning of the circuit is altered or a data manipulation is carried out in the memory. Typically, during this analysis, the material that covers the chip and also a portion of the upper layers protecting the wiring of the chip are removed. The upper interconnects then uncovered are usually lines which are not security-relevant and which can be bypassed by means of so-called bypass lines in order to reach further to deeper layers and lines. With some effort these steps can be carried out nowadays by means of the “FIB” method (“Focussed-Ion-Beam”). As soon as more deeply situated, security-relevant and hence critical lines have been reached, either signals and pulses can be tapped off at the lines (so-called “Probing”), or it is possible to apply signals to the lines in order to manipulate data (so-called “Forcing”).
In an attack using ionizing radiation, data are altered on lines of the circuit arrangement, so that complete supervision by the security mechanisms implemented is no longer possible. This exploits the physical effect that, in the case of reverse-biased pn junctions, a charge separation and, as a result, a short circuit are effected if an ionizing radiation, that is to say a radiation that generates electron-hole pairs, such as photons or alpha-particles acts on the pn junction. As a result of the short circuit, it can happen that the signal state of a data line changes from “1” to “0” or from “0” to “1”, so that “incorrect” data are subsequently worked with. By way of example, data are consequently read out from memory areas which are actually blocked for access.
Defence Measures
In the past the aim has been to prevent or at least make more difficult the analysis and manipulation of the integrated circuits by means of the particular construction of the circuit. This has been attempted to be achieved, on the one hand, by means of a concealed structuring of the critical lines in the wiring plan and, on the other hand, by application of a dedicated covering shield over the relevant wiring planes. In the case of these shields, meandering or grid-type lines are realized e.g. in pairs in the shield, upon the interruption or short circuit of which, for the case where different voltages are present, the detecting sensor instigates an erasure of the memory, a reset or the inoperability of other circuit sections. An embodiment of these lines, which are called “passive”, as unconnected voltageless lines is likewise possible. In this case they serve only for increasing the outlay during the attack or for confusion.
The security of the components can also be increased by the passive lines described being replaced by so-called active lines in the design of the wiring plan. In the case of the lines, signals are applied to the lines of the shield by drive circuits, which signals are analyzed by evaluation circuits and compared e.g. with reference signals. Owing to the possible variation of the signals, the shield can be circumvented in this case only by the very complicated laying of a bypass line and by the application of the FIB method.
In the case of attacks using ionizing radiation or targeted fluctuations of the supply voltage, one possibility for defence consists in registering the causes of the manipulations, that is to say detecting the ionizing radiation or the supply voltage fluctuations. This requires the presence of specially provided sensors which are sensitive to the different types of attack in different attack scenarios. One disadvantage of this procedure is that the sensors are only ever sensitive to a limited set of attacks, and so for example new attacks to which a set of sensors of a cryptographic circuit is not sensitive with some probability will lead to a successful error attack. A further disadvantage is that, on account of the wealth of attack scenarios, the number of sensors for an integrated circuit in the context of high security requirements has to be very high. If only few sensors are provided, no protection is afforded against “local radiation attacks” on individual or some memory cells or gates. Many sensors constructed using complicated analog technology significantly increase the costs of such a cryptographic circuit. This becomes apparent in a disadvantageous manner particularly in the case of mass-produced articles such as chip cards and smart cards. Consequently, the integration of light and spike sensors embodied as analog circuits on ICs for security applications is not an optimum solution to the above problem.
Instead or in addition, in the past it has also been attempted not to detect the manipulation itself, but rather to deduce the presence of a manipulation on the basis of the effect of the manipulation. The effect of a manipulation is changed data. Therefore, memory contents are usually protected by error detecting codes (EDC), but this leads to significantly increased outlay in respect of area since this necessitates EDC evaluation and generation circuits.