Located at the heart of the processing unit in modern microprocessors and microcontrollers—the “Central Processing Unit” (CPU)—is the data path, which represents the interconnection of all functional units for processing data. Interconnection is effected by means of line bundles (“data buses”) and encompasses, inter alia, the following functional units: multiplexer, arithmetic-logic unit (ALU), shifter and register file. The design and interaction of the functional units of data paths are sufficiently well known to a person skilled in the art, with the result that a more precise description will be dispensed with.
Only the register file (a “storage register”) is of interest below. The register file is first of all used to (buffer) store addresses and data which are required for the task currently being handled by the CPU. This means that the register file may be regarded as being a type of “scratchpad memory”. It also serves the purpose of fast, random and simultaneous read access to, in general, at least two operands in the ALU. The intention is also to enable fast, random write access at the same time as read access operations. This is known as “write back” and is used to write back (intermediate) results of arithmetic operations in the ALU. Finally, it is used to load data into the register file and to remove addresses and data from same. The sense and purpose is to communicate with system parts outside the data path in the CPU.
In order to be able to satisfy all these requirements using as little surface area and power as possible, register files or storage registers are in the form of “multiport RAMs” (Random Access Memories). The latter are registers which are interconnected by means of their bit line bundles, with the functional unit “register” being defined as a quantity of identical “single-bit register cells” having the characteristics listed above. The number of bits which can be stored in a register generally corresponds to the bit width of the data path. The number of ports constituting a switching device corresponds to the maximum number of different access operations intended to be simultaneously possible to different registers.
Data paths in modern microprocessors and microcontrollers are usually designed using “single-rail” circuitry. In the case of said data paths, each bit of information to be processed is physically represented by a single electrical node. A single electrical node thus corresponds to the logic value of a state bit.
A drawback of this single-rail technology is the fact that the circuit design or the signals processed in the circuit can easily be spied out. One of the most important methods for attacking circuits and for assessing the sensitivity thereof in security applications is differential power analysis (DPA). This method is used for deliberate attacks in order to spy out confidential information such as passwords or cryptographic keys, for example.
In this case, current profiles measured using statistical methods are evaluated for a given program or for a given algorithm. In particular, charge integrals calculated over one or more clock cycles are evaluated, in which case—if the program is executed a large number of times—the correlation between systematic data variation and the respective charge integral can be used to draw conclusions about the information which is to be protected.
It follows from this that the integrated circuits to be protected such as, for example, chip cards should be of such a type that they deliver the same current profile irrespective of the data to be processed, in order to cause differential power analysis to fail.
This is not the case for single-rail data paths. The charge integral associated with the time profile for the states of a circuit is a function of those nodes or electrical capacitances which undergo electrical charge reversal. The time profile is thus heavily dependent on the changes in the data to be processed over time.
Changing charge integrals can be prevented by using “dual-rail technology”. In contrast to conventional single-rail technology, where each bit within a data or signal path is physically represented by a single electrical node k in a switching matrix or switching mechanism, the implementation using dual-rail technology involves each bit being represented by two nodes k and kq, with this bit having a valid logic value if k corresponds to the true logic value b for this bit and kq corresponds to the complementary value bn=not (b).
The desired invariance in the charge integrals is achieved in this case by virtue of a “precharge” state having been inserted between two states with valid logic values (b, bn)=(1,0) or (0,1). In this precharge state, both the node k and the node kq are charged to the same electrical potential and thus assume logically invalid values (1,1) or (0,0). For the precharge state (1,1), a state sequence could have the following appearance:
(1,1),(0,1),(1,1),(1,0),(1,1),(1,0),(1,1),(0,1) . . .
For any of such state sequences, it holds true that any (1,1) to (b,bn) transition involves a single node having its charge reversed from 1 to 0, and all (b,bn) to (1,1) states involve a single node having its charge reversed from 0 to 1. This is true irrespective of the logically valid value b of a respective state bit. Naturally, a similar situation also applies to state sequences having the precharge state (0,0).
It follows from this that the charge integrals corresponding to these state sequences are independent of the sequence (b,bn) of the logically valid values. It is merely necessary to ensure that the nodes k and kq have the same electrical capacitances. The current profile for a data path implemented in this way is thus no longer dependent on temporal variations in the data to be processed. A circuit designed using dual-rail technology is thus resistant to differential power analysis.
FIG. 1 shows an example of a single-bit register cell in which the data path has been designed using dual-rail technology and which has the minimum number (in the above sense) of four ports or switching devices.
The switching devices PA, PB are used to read out operands. The switching device PZ is used to write back an arithmetic result, and the switching device PC is used to load memory contents from outside the data path and to remove them to outside the data path.
Each of the switching devices PA, PB, PC, PZ is connected to a line pair comprising the lines BLi1, BLi2 (where i=a, b, c, z). Said line pairs constitute bit line pairs. A dual-rail signal bli, bliq (where i=a, b, c, z) can be applied to each of the line pairs. Also connected to a respective bit line pair BLi1, BLi2 (where i=a, b, c, z) is a respective precharging unit Va, Vb, Vc, Vz which can apply a precharge state to the respective bit line pair. The switching devices PA, PB, PC, PZ are actuated by means of control connections SA, SB, SC, SZ which are connected to a word line in the integrated circuit. A control signal wla, wlb, wlc, wlz can be applied to said word line.
Each of the switching devices PA, PB, PC, PZ comprises two transistors Tj, TjQ (where j=A, B, C, Z), the control connections on which are connected to one another and to the control connections SA, SB, SC, SZ. A respective main connection on the transistors Tj and TjQ is connected to one of the lines BLi1 and BLi2, while the other main connections are connected to an additional line pair having the lines L1 and L2.
The additional line pair is connected to a memory cell MC comprising two inverters which are connected back to back and have the transistors T1, T1Q and T2, T2Q. The memory cell is connected between an operating potential connection BP and a supply potential connection VP.
The switching devices PA, PB are operated as pure read ports. When the transistors TA, TAQ and TB, TBQ are closed, the two nodes which respectively correspond to the bit line pairs BLa1, BLa2 and BLb1, BLb2 are first of all precharged to a high potential level and are then disconnected from the precharging units Va, Vb provided in the peripheral area of the storage register. The respective transistors in the switching device PA, PB are closed by applying control signals wla, wlb having a low potential level, since the transistors in said switching devices are all of the n-conductive type. The bit line pairs BLa1, BLa2 and BLb1, BLb2 are at a high potential level even after disconnection from the precharging units Va, Vb. Since there is no longer any conductive connection to the supply potential connection of a supply voltage source, said bit line pairs BLa1, BLa2 and BLb1, BLb2 are now held only capacitively, that is to say in a floating manner, at this level. This state is designated (H, H) below.
If the transistors in the switching devices PA, PB are then turned on by means of suitable actuating signals wla, wlb, an electrical connection is produced between the additional line pair L1, L2 and the respective bit line pair. Since one of the lines L1, L2 (which are connected to the memory cell MC) is at a low potential, the bit line which is conductively connected thereto (by means of the transistor which is now open) is also discharged to a low potential. This means that the bits which are to be read out from the memory cell are on the respective bit line pairs BLa1, BLa2 and BLb1, BLb2.
It is assumed in the following text that the state (1,0) corresponds to the value 1 and the state (0,1) corresponds to the value 0. The states on the bit line pairs BLa1, BLa2 and BLb1, BLb2 can now be assumed by other parts of the data path. The control signals wla and wlb are simultaneously lowered to a low potential again in order to disconnect the memory cell MC from the bit line pairs again so that the latter can be prepared for the subsequent access operation.
In contrast, the switching device PZ is operated as a pure write port. When the transistors TZ, TZQ are closed, the bit to be written is first of all transferred, from the outside, onto the bit line pair BLz1, BLz2 before the control signal w/z is raised to a high potential level, as a result of which the lines L1, L2 are in turn connected to the bit line pair BLz1, BLz2 by means of the switching device PZ.
The capacitive voltage divider which exists immediately thereafter and generally has very high bit line capacitances in comparison with the capacitances within the cell—assisted by the external write circuit and the feedback within the cell—results in the potential's value (previously stored in the cell) being overwritten by the dual-rail signal blz, blzq applied to the bit line pair BLz1, BLz2. This means that the control signal w/z can be lowered to a low potential again in order to disconnect the memory cell MC from the bit line pair BLz1, BLz2 so that the latter can be prepared for the subsequent access operation.
It is not possible to tell, solely from the single-bit register cell shown in FIG. 1, which of the switching devices are used as read ports and which are used as write ports. This is determined by the externally impressed time response or by the actuation of the bit line pairs and the control connections on the switching devices.
The switching device PC which is operated as a write and read port therefore has both precharging and also writing and reading driver circuits associated with it in the peripheral area of the storage register. Said circuits, with the exception of the precharging unit Vc, are not shown in FIG. 1.
FIG. 2 shows, by way of example, the time response of the bit line pairs BLi1, BLi2, that is to say the timing of the dual-rail signals bli, bliq (where i=a, b, c, z) thereon and of the control signals wla, wlb, wlc, w/z at the respective control connections SA, SB, SC, SZ.
In phase (1), the binary value 0 is first of all loaded into the memory cell MC by means of the switching device PC. As long as the control signal wlc is equal to 0, the following dual-rail signal: (blc, blcq)=(0,1) is applied to the bit line pair BLc1, BLc2. If the state applied to this bit line pair is intended to be loaded into the memory cell MC, the control signal wlc is brought to the value 1. At this point in time, the lines L1, L2 are electrically connected to the bit line pair BLc1, BLc2, with the result that the following dual-rail state: (bit, bitq)=(0,1) is produced on the additional line pair L1, L2. After storage in the memory cell MC has been completed, the control signal wlc is lowered to 0 again.
In phase (2), the value stored in the memory cell MC is read out by means of the switching device PA. Before the reading-out operation, the bit line pair BLa1, BLa2 is put into a precharge state so long as the control signal wla is equal to 0. This means that the following signal: (bla, blaq)=(1,1) is present on both lines. After the bit line pair BLa1, BLa2 has been isolated from the supply potential by means of the precharging unit Va, the abovementioned dual-rail signal now remains only capacitively at the high potential level. Application of the control signal wla=1 produces an electrical connection to the additional line pair L1, L2, as a result of which the line BLa1 or the potential stored thereon adjusts to the potential on the line L1 and accordingly falls to 0. The same dual-rail signal as on the additional line pair L1, L2 is now applied to the bit line pair BLa1, BLa2.
In phase (3), the binary value 1 (corresponding to (1,0)) is written to the memory cell MC. A precharge phase is first of all implemented on the signal line pair BLz1, BLz2, so that the two lines have the value 1. The line BLz2 is then brought to a low potential, so that the value blzq=0 is applied to this line. During this time, the control signal wlz is at a low signal level. In order to write the dual-rail signal to the memory cell MC, the control signal wlz is brought to a high signal level, as a result of which the potentials are aligned by virtue of the conductive connection between the bit line pair and the additional line pair L1, L2. Following the write operation, the control signal wlz is brought to a low signal level again, as a result of which the conductive connection between the line pair BLz1, BLz2 and the additional line pair L1, L2 is cleared.
In phase (4), this value is read out again by means of the switching device PB. Before the control signal wlb is brought to a high signal level, the bit line pair BLb1, BLb2 is precharged to the value (1,1) and the electrical connection to the supply potential connection is then severed by means of the precharging unit Vb, with the result that the potential values are capacitively stored on the bit line pair. After the control signal wlb=1 has been applied, the potentials on the bit line pair and the additional line pair L1, L2 are gradually aligned, with the result that the following state is achieved: (blb, blbq)=(1,0). This corresponds to (bit, bitq)=(1,0).
In phase (5), the cell contents are finally removed by means of the switching device PC. This means that (blc, blcq)=(hh) before wlc=1. As a result, (blc, blcq)=(bit, bitq) (1,0).
Although the single-bit register cell shown in FIG. 1 has been provided with dual-rail connections which are respectively precharged to a high potential level before and between the access operations, its charge flow is data-independent only for read access operations.
In comparison, for write access operations, the charge integral depends on whether or not the value which has been supplied externally by means of the bit line pair and is to be newly written to the cell matches the old value which was previously stored in the cell. In the first case, the charges of the capacitances of the additional line pair L1, L2, that is to say the cell nodes (bit, bitq), need not be reversed, but they must in the second case.