The present invention relates to the field of electronic circuits, and, more particularly, to a master-slave D type flip-flop circuit with a secured structure. The present invention may be used in applications in which access to services or data is strictly monitored, and in which electronic circuits implementing security hardware and/or software are used. Electronic circuits of this kind are used especially in chip cards or microelectronic circuits for certain applications such as accessing certain data banks, banking applications, and the like. For these applications, such electronic circuits have an architecture formed around a microprocessor and memories. These circuits may be used, for example, to process secret or confidential data, to encipher messages with cryptography algorithms, to decipher received messages, or to compute signatures.
It has been observed that external attacks on a circuit may be carried out based upon the differential analysis of current consumption of the circuit during the performance of certain instructions. In particular, it is possible to determine all or part of a secret key used in a cryptography algorithm performed by a microprocessor. These external attacks, known as differential power analysis or DPA attacks, are based on the fact that the current consumption of the microprocessor carrying out instructions varies according to the data being handled. For example, when an instruction performed by the microprocessor requires bit-by-bit handling, there are two different power consumption profiles at the instant of execution, depending on whether the bit being handled is equal to 1 or 0.
Thus, the DPA attack makes use of the difference in the current consumption profile in the electronic circuit during the performance of an instruction depending on the value of the bit or bits handled. Stated alternatively, this attack uses a statistical approach to verify assumptions concerning the value of the bits of a confidential data element. This is done by making the same scenario run several times in the electronic circuit, with different input values of this scenario, and by analyzing all the consumption profiles obtained.
The present invention is designed to make it more difficult to carry out DPA attacks of this kind on certain instructions. More specifically, the present invention makes it impossible in the first order approach to differentiate between the handling of a 1 and the handling of a 0 by these instructions through the differential analysis of the consumption profiles.
All the data elements handled in an electronic circuit pass between the memories and the microprocessor through registers. Other registers are used by the microprocessor to store data during the execution of certain programs. More particularly, some of these registers are required to transmit sensitive data, such as a secret key of a cryptography algorithm.
These registers are usually based on master-slave type flip-flop circuits. In this type of flip-flop circuit, if a new data element corresponding to a data element already stored in this flip-flop circuit is presented at the input, there is no switching in the flip-flop circuit. The switching in the flip-flop circuit gives rise to a specified current consumption. Thus, depending on whether the data changes or does not change in the flip-flop circuit, there are two distinct consumption profiles (or signatures), and this fact may render a DPA attack possible while these registers are being used.
It is an object of the invention to provide a secure master-slave D type flip-flop circuit so that a current consumption profile of the flip-flop circuit is independent of the data handled therein.
The basic idea of the invention is that the flip-flop circuit will always provide a switching operation, whatever the state of the flip-flop circuit at the time and whatever the state of the new data element presented at the input.
The invention therefore relates to a master-slave D type flip-flop circuit including a master stage followed by a slave stage. The two stages may have an identical structure including a first pass gate for the transmission on an internal node of an input data element and a storage loop with inverters connected to the internal node to supply a data element at an output of the stage. The storage loop may also include a second pass gate for the transmission on the internal node of the data element complementary to the output data element.
The flip-flop circuit may also include a power consumption masking circuit including, at each of the stages (i.e., the master and slave stage), a parallel reference stage with a similar structure whose storage loop is disconnected from the output of the associated master or slave stage. The second pass gate of the storage loop of the reference stage may be connected between the output of the associated master stage or slave stage and the internal node of the reference stage.
The invention also relates to an integrated circuit including at least one secured flip-flop circuit as described above. Such an integrated circuit is especially suited for registers that are required to process confidential or secret data elements.
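The following behavioral model is an added illustration and is not part of the original disclosure. It compares the switching activity of a conventional register with that of a register whose bit cells each carry a parallel reference stage, using the first-order difference of means between cycles in which one bit changed and cycles in which it did not. The 8-bit width, the random data and the assumption that the reference stage switches exactly when the main stage does not are choices made for the example.

```python
import random
from statistics import mean

WIDTH = 8  # register width in bits (constructed for the example)

def plain_toggles(old, new):
    # Conventional master-slave register: a bit cell switches only when the
    # incoming bit differs from the stored bit.
    return sum(o != n for o, n in zip(old, new))

def masked_toggles(old, new):
    # Assumed abstraction of the secured cell: the parallel reference stage
    # switches exactly when the main stage does not, so every bit cell
    # contributes one switching event per clock cycle.
    main = sum(o != n for o, n in zip(old, new))
    reference = sum(o == n for o, n in zip(old, new))
    return main + reference

def simulate(toggle_fn, runs=2000, seed=1):
    # Constructed sample data: random stored and incoming register values.
    # Each trace records whether bit 0 changed and the total switching count.
    rng = random.Random(seed)
    traces = []
    for _ in range(runs):
        old = [rng.getrandbits(1) for _ in range(WIDTH)]
        new = [rng.getrandbits(1) for _ in range(WIDTH)]
        traces.append((old[0] != new[0], toggle_fn(old, new)))
    return traces

def difference_of_means(traces):
    # First-order statistic: mean switching activity when bit 0 changed
    # minus mean activity when it did not.
    changed = [t for flag, t in traces if flag]
    unchanged = [t for flag, t in traces if not flag]
    return mean(changed) - mean(unchanged)

if __name__ == "__main__":
    print("plain :", difference_of_means(simulate(plain_toggles)))
    print("masked:", difference_of_means(simulate(masked_toggles)))
```

In this model the conventional register shows a difference of about one switching event between the two groups, while the register with reference stages shows none, because its switching count per clock cycle is constant.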
Other features and advantages of the invention will be described in detail in the following description of different embodiments, given by way of a non-limitative example, with reference to the appended figures, in which:
FIG. 1 is a schematic diagram of a master-slave D type flip-flop circuit according to the prior art;
FIG. 2 is a schematic diagram of a master-slave D type flip-flop circuit according to the present invention;
FIG. 3 is a timing diagram showing the changes undergone at the different internal nodes in the flip-flop circuit of FIG. 2 as a function of the input data elements; and
FIGS. 4a and 4b are schematic diagrams illustrating the equivalent diagram of a master-slave flip-flop circuit according to the invention at a high level and a low level, respectively, of the clock signal H for the sequencing of the flip-flop circuit.