FR2867286A1 - State machine for integrated circuit, has NOR gate providing error signal when current state code does not correspond to preset codes having hamming distance equal to two, where codes are compared by comparators of current state decoder - Google Patents

Abstract

The machine has a flip-flop (31) receiving a following sate code to provide a current state code (CSC) in synchronization with a clock signal. A current state decoder (33) has comparators comparing the code (CSC) and preset codes (SC0-SCk) by full scale decoding to provide identification signals to a NOR gate (35). The gate provides an error signal when the code (CSC) does not correspond to the preset codes having a hamming distance equal to 2. Independent claims are also included for the following: (A) an integrated circuit having state machines (B) a method of manufacturing a state machine of an integrated circuit.

Description

STATE MACHINE WITH CABLE LOGIC PROTECTED AGAINST

DERAILMENT BY INJECTION OF FAULT

  The present invention relates to the protection of logic circuits against error injection attacks, and more particularly the protection of state machines against derailment by fault injection.

  The logic circuits present in secure integrated circuits such as integrated circuits for smart cards, are the subject of various attacks by fraudsters who seek to discover their structure and / or secrets they understand. They are generally DES, AES, RSA, microprocessor-type cryptography circuits programmed to execute cryptography algorithms, register banks containing secret keys, etc. However, such logic circuits generally include many state machines, which must be protected against such attacks.

  FIG. 1 schematically represents the structure of a conventional state machine 10. The state machine 10 receives INO control signals, ... INj, ... INn, and provides a code of the current state CSC (FIG. "current state code") encoded on N bits. This code represents the current state of the state machine and is a function of the previous state and the value of the control signals. It is applied to a control circuit 20 which supplies control signals COM1, ... COMi, ... COMm whose value is thus a function of the current state of the state machine.

  The state machine 10 comprises an N-bit synchronous flip-flop 11 and an asynchronous state transition circuit 12. The flip-flop 11 is generally a Flip-Flop flip-flop formed by N 1-bit elementary flip-flops arranged in parallel. It is synchronized by a clock signal CK1 and receives on its input D a code of the next state NSC ("Next State Code") provided by the state transition circuit 12. At each edge of the clock signal for example, at each rising edge, the next state code NSC is copied by the Q output of flip-flop 11 and becomes the code of the current state CSC.

  The CSC code is returned to the state transition circuit 12 which provides, based on this code and control signals INj, the code of the next state NSC. The state transition circuit 12 conventionally comprises a decoder of the current state 13 ("Curent State Decoder") and a state selection circuit 14. The decoder 13 receives the CSC code and provides an identification ID signal of the current state. This identification signal ID is applied to the state selection circuit 14, which receives as input the control signals IN0, .. INj, ... INn and supplies the flip-flop 11 with the code of the next state NSC.

  In such a state machine, the states are therefore represented by N-bit codes. Generally, the coding of the states is ensured by codes having a number of bits equal to the minimum number of bits making it possible to code all the states, for example 2 bits for 4 states to code.

  The "one hot" coding method, which is more rarely used, consists of associating with each state a code in which only one bit at a time is at one time. For example, the "one hot" codes of a state machine four states have the following values: Code (status 0) = 0001 Code (status 1) = 0010 Code (status 2) = 0100 Code (status 3) = 1000 The "one hot" coding is used to quickly decode the code of the current state, with a decoder of a simplified structure comprising only means for identifying the rank of the single bit which is 1.

  As noted above, such a state machine is susceptible to various attacks. These attacks may occur during so-called sensitive calculation phases, for example during the phases of calculating an authentication code or during the reading of a cryptography key in a memory. Among the various known attacks, the attack by fault injection, or injection of error, is often used by fraudsters. Localized attacks, involving one or more bits, and "all-in-one" or "all-at-0" type attacks, which aim to force a set of bits at a given point in the circuit to a same logical value are distinguished. These attacks are made by introducing disturbances (glitches) into the supply voltage of the circuit, by applying a laser beam or an X-ray beam at certain points of the circuit, etc. Some attacks are made on the rear face of the silicon chip of the integrated circuit, by application of determined electrical potentials. Such attacks make it possible to observe the behavior of a logic circuit, for example the modification of an output code as a function of the error injected, and to deduce its structure.

  If one observes the mechanism of such an error injection at a state machine, it appears that an attack can relate to one or more bits of the code of the current state (attack on the flip flop 11) or on one or more bits of the next state code (attack on the state transition circuit 12).

  An attack can concern a bit of the code, two bits of the code, etc. The injection of error into the state machine leads it to a derailment in which it can be placed in a state not belonging to the list of predetermined states, or in an authorized state but in which it is 'should not have switched, given the value of the inputs I0-INn and the value of the current state.

  To counter such attacks, the methods of securing by software redundancy and security by parity control are known.

  Securing by software redundancy requires a verification program that restarts the execution of a calculation by the state machine and compares the result provided to the result previously obtained. This method is not always applicable because many state machines are not controllable by software, the software does not have the ability to restart the execution of a calculation by the state machine.

  Securing by parity checking consists of only providing codes with a fixed parity, and checking the parity of the code of the current state of the state machine. For example, the codes "one hot" have a parity equal to 1 because each code comprises an odd number of bits to 1. If the parity of the code of the current state is not equal to 1, the code is considered as erroneous and the state machine returns to one of the predetermined states. However, checking the parity of a "one hot" code only detects attacks involving 1 bit. Indeed, a two bit attack can force the state machine into a state corresponding to another "one hot" code, so that the attack is not detected by the parity check. In this case, it is a derailment characterized by an unplanned state transition, and not a derailment leading to a state not belonging to the list of predetermined states.

  For example, in the "one hot" coding example cited above, an attack on the second and third bits of the code "0010" of the state N 1 leads to the code "0100", ie the code of the state N 3. Such an attack is therefore not detectable.

  Thus, a general object of the present invention is to provide a means for securing a state machine against fault injection derailment that is more efficient than the parity check method.

  For this purpose, a first idea of the present invention is to code the states of a state machine by means of codes having relative to each other a Hamming distance of at least 2, if not equal to 3 or more according to the degree of resistance to error injections sought, and to declare prohibited codes that do not meet this criterion. It is known that the Hamming distance is the number of different bits that have two specific codes.

  Another idea of the present invention is to provide a full scale decoding of the current state, that is to say a decoding which relates to all the code bits.

  Yet another idea of the present invention is to provide means for producing an error signal when the current state code does not correspond to any authorized code, which means that the state machine is in a forbidden state. .

  Thus, the present invention provides a wired logic state machine having a predetermined number of states each corresponding to a predetermined code, and comprising a synchronous flip-flop receiving a code of the next state and providing a code of the current state. in synchronism with a clock signal, and a state transition circuit for supplying the flip-flop the code of the next state according to the code of the current state and control signals, wherein the predetermined codes of the state machine have relative to each other a Hamming distance of at least 2, and the state transition circuit comprises: a decoder of the current state performing a full-scale decoding of the state code current, and means for providing an error signal having a determined active value when a code of the current state does not correspond to any predetermined code.

  According to one embodiment, the predetermined codes of the state machine have relative to each other a Hamming distance of at least 3.

  According to one embodiment, the predetermined codes of the state machine have relative to each other a Hamming distance of at least 4.

  According to one embodiment, a code comprising only bits at 0 or bits at 1 is a forbidden code whose appearance in the state machine activates the error signal.

  According to one embodiment, the current state decoder comprises comparators each receiving the code of the current state and one of the predetermined codes, and providing a state identification signal having a determined active value if the two codes are identical, each comparator making a comparison of the two codes covering all of their constituent bits.

  According to one embodiment, the state machine comprises a logic circuit receiving the state identification signals provided by the comparators, and providing the error signal if none of the identification signals has the determined value.

  The present invention also relates to an integrated circuit comprising a plurality of state machines according to the invention, and logic gates for combining the error signals emitted by the set of state machines and to provide a general error signal. .

  The present invention also relates to a method for producing a wired logic state machine having a predetermined number of states each corresponding to a predetermined code, and comprising a synchronous flip-flop receiving a code of the next state and providing a code of the current state, in synchronization with a clock signal, and a state transition circuit for supplying the flip-flop the code of the next state according to the code of the current state and control signals, the method comprising the following steps. assigning to the state machine predetermined codes having relative to each other a Hamming distance of at least 2, providing in the state transition circuit a decoder of the current state performing a full-scale decoding of the code of the current state, and providing in the state machine means for providing an error signal having a determined active value when the code of the current state does not correspond to any predetermined code.

  According to one embodiment, the method comprises assigning to the machine predetermined code states having relative to each other a Hamming distance of at least 3.

  According to one embodiment, the method comprises assigning to the machine predetermined code states having relative to each other a Hamming distance of at least 4.

  According to one embodiment, the method comprises never assigning to a state of the state machine a code which comprises only bits at 0 or bits at 1.

  According to one embodiment, the method comprises predicting, in the decoder of the current state, comparators each receiving the code of the current state and one of the predetermined codes, and providing a state identification signal. having a determined active value if the two codes are identical, each comparator making a comparison of the two codes covering all of their constituent bits.

  According to one embodiment, the method comprises the provision of a logic circuit receiving the state identification signals provided by the comparators, and providing an error signal if none of the identification signals has the determined value.

  According to one embodiment, the method comprises predicting, in an integrated circuit comprising a plurality of state machines, logic gates for combining the error signal and other error signals sent by other signal machines. states, and provide a general error signal.

  These and other objects, features and advantages of the present invention will be set forth in more detail in the following description of the method of making a state machine according to the invention and a practical example of making a such state machine, made in a non-limiting manner in relation to the attached figures among which: - Figure 1 previously described represents the general structure of a conventional state machine, - Figure 2 shows the structure of a machine of states produced according to the method of the invention, - Figures 3A, 3B, 3C illustrate an example of application of the method of the invention and respectively represent a primary clock signal, a secondary clock signal, and a counting signal; - FIG. 4 is the state diagram of a state machine intended to supply the clock signal of FIG. 3B; FIG. 5 represents the structure of a corresponding state machine; at the d FIG. 6 shows a logic circuit comprising a plurality of state machines according to the invention.

  The method of the invention provides for producing a state machine having at least the following three characteristics: the codes characterizing the states of the state machine are chosen from a list of authorized codes which have relative to each other a determined Hamming distance equal to H, with H at least equal to 2, the other codes being declared forbidden, decoding of the current state is carried out on the full scale of the code of the current state, that is to say ie, taking into account all the bits constituting the code of the current state, and - an error signal is emitted if the code of the current state does not correspond to any of the authorized codes assigned to the state machine.

  A fourth feature of the invention, optional but recommended, is to attribute to a state machine no code comprising only bits at 0 or including only bits at 1, in order to protect the state machine against fault injection attacks of the "all-in-one" or "all-in" type.

  According to the first characteristic of the invention, a list of authorized codes is thus defined that has a Hamming distance of at least 2 relative to each other. Such a list comprises, between each authorized code, forbidden codes. This will be better understood in light of the following examples.

  Example N 1: 4-bit codes having relative to each other a Hamming distance of at least 2 are eight, for example: 0001; 0010; 0100; 0111; 1000; 1011; 1101; 1110 and make it possible to construct a state machine having at most eight states, all the other codes being forbidden codes.

  Example N 2: 4-bit codes having relative to each other a Hamming distance of at least 3 are two, for example: 0001; 0110 and make it possible to build a state machine with two states, all the other codes being forbidden codes.

  Example N 3: 5-bit codes having a relative Hamming distance of at least 3 to each other are four, for example: 00001; 00110; 11000; 11111 and allow to build a state machine having at most four states, all the other codes being forbidden codes, or a state machine having at most three states if the code "11111" is declared forbidden because it only includes bits at 1.

  Example N 4: There are eight 6-bit codes having a relative Hamming distance of at least three in each other, for example: 000001; 000110; 011000; 011111; 101010; 101101; 110011; 110100 and allow to build a state machine having at most eight states, all the other codes being forbidden codes.

  In general, codes having a Hamming distance of at least 2 provide maximum protection against the injection of an error (1 bit of erroneous code) into the state machine, if the decoding of the current state is ensured on all the code bits. Indeed, the injection of a single error in the code of the current state (or in the code of the next state) inevitably leads to the appearance of a forbidden code.

  Similarly, codes having relative to each other a Hamming distance of at least 3 are distinguished from each other by three different bits and offer protection against the injection of one or two errors (2 wrong code bits) in the state machine, if the decoding of the current state is ensured on all the code bits. Indeed, the injection of one or two errors in the code of the current state (or the next state) inevitably leads to the appearance of a forbidden code.

  In summary, the choice of a Hamming distance "H" between the codes of a state machine, which is not arbitrary and is at least equal to a given value, makes it possible to offer absolute resistance to a error injection number ranging from 1 to H-1, provided that the decoding of the current state is performed on all the code bits.

  FIG. 2 represents a state machine structure 30 according to the invention which comprises K stable states ST0, ST1,... STk. These states are coded, in accordance with the invention, by SCO codes, SC1,... SCk exhibiting relative to each other a Hamming distance of at least 2.

  The state machine 30 comprises an N-bit synchronous flip-flop 31 and a state transition circuit 32. The flip-flop 31, for example a Flip-Flop flip-flop, is synchronized by a clock signal CK1 and comprises N elementary flip-flops. in parallel (not shown). The state transition circuit 32 comprises a decoder of the current state 33 and a state selection circuit 34 which supplies a code of the following state NSC to the input D of the flip-flop 31, whose output Q provides the code of the current state CSC.

  According to the invention, the decoder of the current state 33 comprises comparators COMPO, COMP1, ... COMPk in number equal to the number of authorized states allocated to the state machine. Each comparator receives as input the code of the current state CSC as well as one of the authorized codes SCO, SC1,... SCk, and provides a identification signal of 1 bit, respectively IDO, ID1, ... IDk . Thus, the comparator COMPO receives the codes SCO, CSC and provides the signal IDO, the comparator COMP1 receives the codes SC1, CSC and provides the signal ID1, etc. the comparator COMPk receiving the codes SCk, CSC and providing the signal IDk. When the code of the current state CSC is equal to one of the codes SCO, SC1,... SCk, the corresponding comparator sets to 1 the corresponding identification signal. For example, the code ID1 goes to 1 at the output of the comparator COMP1 if the code CSC is equal to the code SC1.

  The SCO, SC1, ... SCk codes applied to the comparators are generated in hardware within the state machine by conductive track connections at a supply voltage Vcc (bit at 1) or by ground connections (0 bit).

  In each comparator, the comparison is made on the full scale of each code. For this purpose, each comparator comprises a plurality of logic gates (not shown in the figure), for example EXCLUSIVE OR gates (XOR) whose outputs are combined in a NOR gate whose output provides the identification signal. Each EXCLUSIVE OR gate receives one bit of the current state code and one bit of the authorized state code to which the current state code is compared. If all the bits are identical in pairs, the outputs of the EXCLUSIVE OR gates are all 0 and the output of the NOR gate is at 1 (active value of the identification signal). If at least one bit of the code of the current state is different from the code of the state to which the current state is compared, the output of the corresponding XOR gate goes to 1 and the output of the NOR gate goes to O. The state selection circuit 34 comprises a hard-wired logic decision circuit DCT1 and a multiplexer MUX1. The decision circuit DCT1 receives control signals INO, IN1,

  .INn and the identification signals IDO, ID1 ... IDk provided by the decoder of the current state 33. The circuit 34 provides the multiplexer MUX1 a NSSEL signal for selecting the next state. The multiplexer MUX1 receives as input the SCO, SC1 ... SCk codes assigned to the state machine (generated in a hardware way), selects the code of the following state NSC from one of these codes as a function of the value signal NSSEL, and applies the code to the input D of the synchronous flip-flop 31 ... DTD: According to the invention, the state machine 30 further comprises a NOR gate 35 to K inputs which receives the signals D identification IDO, ID1 ... IDk provided by the decoder 33. This logic gate 35 provides an error signal ERS which passes to 1 if none of the identification signals is 1, which means that the state current does not match any of the allowed states assigned to the state machine. The ERS signal is valid on the rising edge of the clock CK1 and must be locked at this time there by any known locking means, for example a D flip-flop (not shown).

  Such a state machine is resistant to the injection of an error in the code of the current state CSC (error injection at the output of latch 31) or in the code of the following state NSC (injection of multiplexer output error) if the Hamming distance between the codes is at least 2. It is resistant to the injection of one and two errors if the Hamming distance between the codes is at least 3, etc. . By "error resistance" is meant the fact that an error is invariably detected. If the Hamming distance between the codes is at least 2, an error injection on one bit is inevitably detected while a two-bit error injection can be detected but is not necessarily detected, because the code obtained after injection of the error can belong to the list of authorized codes. Similarly, if the Hamming distance is at least 3, an error injection on one or two bits is inevitably detected while a three-bit error injection is detected only if the code obtained after Error injection is a forbidden code.

  Thus, an error injection is inevitably detected if it inevitably leads the state machine to switch to a forbidden state, so that the error signal invariably passes to 1.

  The error signal emitted by a state machine according to the invention can be exploited in various ways within the reach of those skilled in the art in order to take preventive measures: blocking or resetting the machine states, general blocking of the logic circuit comprising the state machine (microprocessor, sequencer, cryptographic calculation circuit), sending of an external alert, preventive clearing of sensitive data, etc. An error counter can be provided to trigger such preventive actions from a given number of accumulated errors, so as not to take into account an isolated error unrelated to a fraudulent error injection.

  An example of application of the method of the invention will now be described. It is assumed here that a primary clock signal CK1 as shown in FIG. 3A is available, and that it is desired to produce a clock generator supplying a secondary clock signal CK2 represented in FIG. 3B. having a duty cycle programmable equal to R, with R at least equal to 1.

  FIG. 3B shows the shape of the clock signal CK2 when R is equal to 2. In this case, the clock signal CK2 is at 1 during a period T1 of the clock signal CK1 and is at 0 for two periods of the clock signal CK1, ie for a duration 2T1, which corresponds to a duty cycle equal to 2 (2T1 / T1).

  To produce such a clock generator, a state machine is defined which is clocked by the primary clock signal CK1 whose state diagram is represented in FIG. 4. The state machine presents

three stable states:

  an IDLE state in which the state machine is deactivated; a state SETCK2 in which the clock signal CK2 is set; a state RSTCK2 in which the clock signal CK2 is set to O. In addition to these states, control signals of the state machine are defined to control the state transitions. These control signals include an ON / OFF commissioning signal and a binary encoded RS setpoint which is binary coded to the desired duty cycle R. A COUNT variable is also set to control the number of cycles of the clock signal. primary CK1 (the number of periods Tl) during which the state machine remains in state RSTCK2, this number of cycles to be equal to the RS instruction. The variable COUNT is brought to the value of the setpoint RS when the state machine switches to the SETCK2 state, and is decremented by one unit when the state machine switches to the state RSTCK2 and / or when remains in the RSTCK2 state for an additional CK1 clock cycle.

  The state machine thus has the following state transitions: - i) transition from the IDLE state to the SETCK2 state when the ON / OFF signal is set and RS is not equal to 0 25 (RS> 0 ii) transition from the SETCK2 state to the RSTCK2 state after a cycle of the primary clock signal CK1 (except in the case referred to in point iv), iii) transition from the RSTCK2 state to the state SETCK2 when 30 COUNT = O, - iv) return to IDLE state when RS is set to 0 and / or when the ON / OFF signal is carried O. SETCOUNT, DECCOUNT control internal signals are also defined to ensure the management of the COUNT variable. By definition, the variable COUNT is brought to the value of the setpoint RS when SETCOUNT is 1, and is decremented by one unit when DECCOUNT is equal to 1. Thus, the SETCOUNT signal is set to 1 and the DECCOUNT signal set to 0 when the state machine is switched to the SETCK2 state, while the DECCOUNT signal is set to 1 and the SETCOUNT signal is set to 0 when the state machine is switched to the RSTCK2 state or when the state machine is set to 0 The states remain in the RSTCK2 state for an additional CK1 clock cycle.

  The design steps that have just been described are in themselves classic. Once these steps have been performed, codes according to the invention are assigned to each of the three states defined above. It is assumed here that the specifications of the state machine require a total resistance to the injection of one or two errors into the state machine, as well as the prohibition to provide codes having only bits to 0 or bits to 1, to guard the state machine against attacks of type "all to 0" or "all to 1". Under these conditions, the Hamming distance between the codes must be at least equal to 3. Among the examples of codes according to the invention described above, the example N 3 shows that 5-bit codes having a Hamming distance. at least 3 are four in number. For example, the following codes are chosen: 00001; 00110; 11000; 11111 After deleting the code "11111" which contains only bits at 1, and must therefore be declared forbidden, there remain three codes available to code the three states IDLE, SETCK2, RSTCK2. The coding of the three states of the state machine is thus carried out as described in Table 1 below. This table also represents the value of SETCOUNT and DECCOUNT signals. The code bits are designated c0, cl, c2, c3, c4.

Table 1

  State Code Code Value SETCOUNT DECCOUN c4 c3 c2 and cO T IDLE SCO 0 0 0 0 1 0 0 SETCK2 SC1 0 0 1 1 0 1 0 RSTCK2 SC2 1 1 0 0 0 0 1 (prohibited) - 1 1 1 1 1 - FIG. 5 represents an exemplary embodiment 40 of such a state machine, intended to be implemented on a silicon chip. The state machine 40 comprises, as described above, a synchronous flip-flop 41 and a state transition circuit 42 which comprises a current state decoder 43 and a state selection circuit 44.

  The synchronous flip-flop 41, synchronized by the primary clock signal CK1, receives the code of the next state NSC on its input D and its output Q provides the code of the current state CSC. The current state decoder 43 comprises comparators COMPO, COMP1, COMP2. The comparator COMPO receives the code CSC and the code SCO and provides an identification signal IDO. The comparator COMP1 receives the code CSC and the code SC1 and provides an identification signal ID1. The comparator COMP2 receives the code CSC and the code SC2 and provides an identification signal ID2. When the code CSC is equal to one of the codes SCO, SC1, SC2, the corresponding comparator sets the corresponding identification signal. In each comparator, the comparison is made in full scale, taking into account the N bits of each code. The SCO codes, SC1, SC2 are, as before, generated in hardware.

  The state selection circuit 44 comprises a decision circuit DCT2 and a multiplexer MUX2. The decision circuit DCT2 receives the set point RS and the signal ON / OFF, as well as an internal control signal COUNTNIL which is equal to 1 when the variable COUNT is equal to 0. The circuit DCT2 provides a signal NSSEL for selecting the next state applied to the MUX2 multiplexer. The multiplexer MUX2 receives as input the codes SCO, SC1, SC2, selects the code of the next state NSC from one of these codes and applies the selected code to the input D of the flip-flop 41.

  The state machine 40 also includes a NOR gate 45 which receives the three identification signals IDO, ID1, ID2 and provides an ERS error signal. This error signal goes to 1 if none of the identification signals is 1, which means as before that the current state does not correspond to any of the three authorized states assigned to the state machine. As indicated above, the ERS signal is valid on the rising edge of the clock CK1 and must be locked at that instant.

  The state machine also comprises a counter 46 controlled by the primary clock signal CK1, a comparator 47 and an auxiliary decoder 48. The counter 46 has a data loading input IN which receives the setpoint RS, an output OUT which provides the variable COUNT, a LOAD input which receives the SETCOUNT signal and triggers the loading of the RS setpoint into the counter, and a decrement input DEC of the COUNT variable, which receives the DECCOUNT signal. The comparator 47 has a first input connected to the output OUT of the counter 46 and receives on another input a data equal to 0. Its output provides the COUNTNIL signal which remains at 0 as COUNT is different from O. The auxiliary decoder 48 receives the next state code NSC and supplies the internal control signals SETCOUNT, DECCOUNT, which are thus updated before the state machine changes from the current state to the next state. Thus, when the next state becomes the current state, i.e., when the flip-flop 41 and the counter 46 receive a rising edge of the primary clock signal CK1, the values of the signals SETCOUNT, DECCOUNT are up to date. on the LOAD and DEC inputs of the counter 46, so that it loads the RS setpoint if SETCOUNT = 1 or decrements the COUNT variable if DECCOUNT = 1 at the beginning of the clock cycle. The state machine thus operates in accordance with the diagram of FIG.

  The output of the secondary clock signal CK2 is provided by a control circuit 50 to which the current state code CSC is applied. This control circuit 50 is here a simple decoder comprising a gate 51 of the NAND type with 5 inputs and two inverting gates 52, 53. The inverting gates 52, 53 respectively receive the bits c1, c2 of the CSC code. The gate 51 receives on a first input the bit cO of the code CSC, on a second input the output of the gate 52, on a third input the output of the gate 53, and on its other two inputs the bits c3, c4 of the code CCS. Thus, the signal CK2 goes to 1 when the state machine is in the SETCK2 state (code 00110) and goes to 0 in the other cases. The duty cycle of the signal CK2 is here equal to the number of cycles of the primary clock signal CKi during which the state machine is maintained in the state RSTCK2, this number being a function of the setpoint RS.

  It will be apparent to those skilled in the art that the present invention is susceptible of various other embodiments, particularly with respect to the structure of the current state decoder, the structure of the state selection circuit, and the structure of the. logic circuit providing the error signal, these elements being capable of various variants within the reach of those skilled in the art. On the other hand, the present invention is obviously capable of various other applications than that described above by way of non-limiting example, including applications well known to those skilled in the art such as the realization of cryptography circuits. , central microprocessor units, etc. In some applications, an integrated circuit according to the invention may comprise tens or even hundreds of state machines according to the invention, each providing an error signal. Multiple error signals will therefore have to be managed collectively. FIG. 6 schematically represents an integrated circuit 60 comprising a plurality of state machines according to the invention, and shows how the individual error signals transmitted by the state machines can be managed collectively. The state machines are arranged in groups GO..Gn, each group comprising subgroups SGO ... SGn, each subgroup comprising a plurality of state machines SMO ... SMn. In each subgroup SGO ... SGn the error signals ERSO ... ERSn provided by the state machines are collected by an OR gate 61 to form an error signal of subgroup ERSO, O .. .ERSO, n. In each group, the subgroup error signals are collected by an OR gate 62 to form a GERSO ... GESRn group error signal. The group error signals are then collected by an OR gate 63 which provides a general error signal GERS. The signal GERS is memorized by a synchronous flip-flop 64 to obtain a synchronous general error signal SGERS, which is sent back to the input D of the flip-flop 64 via an OR gate 65 in order to be refreshed at each cycle. clock. The synchronous flip-flop 64 is synchronized by the clock signal CK1 because, as indicated above, it is on the rising edge of the signal CK1 that the individual error signals are valid.

  The general error signal SGERS can be used in various ways within the reach of those skilled in the art to block or reset the integrated circuit 60, or parts of the integrated circuit, especially during the execution of a calculation or sensitive operation.

Claims (14)

  A wired logic state machine (30, 40) having a predetermined number of states each corresponding to a predetermined code (SCO, SC1, SC2, SCk) and comprising: - a synchronous latch (31, 41) receiving a next state code (NSC) and providing a current state code (CSC), in synchronism with a clock signal (CK1), and - a state transition circuit (32, 42) for providing toggles the next state code (NSC) according to the current state code (CSC) and control signals (INO-INn, ON / OFF, RS), characterized in that the predetermined codes ( SCO, SC1, SC2, SCk) of the state machine have relative to each other a Hamming distance of at least 2, and in that the state transition circuit comprises: - a decoder of the state current (33, 43) performing full scale decoding of the current state code (CSC), and - means (35, 45) for providing an error signal (ERS) having a value of determined when a code of the current state does not correspond to any predetermined code.   2. State machine according to claim 1, wherein the predetermined codes (SCO, SC1, SC2, SCk) of the state machine have relative to each other a Hamming distance of at least 3.   3. State machine according to claim 1, wherein the predetermined codes (SCO, SC1, SC2, SCk) of the state machine have relative to each other a Hamming distance of at least 4.   4. State machine according to one of claims 1 to 3, wherein a code comprising only 0 bits or 1-bit is a forbidden code whose appearance in the state machine activates the signal. error message (ERS).   5. State machine according to one of claims 1 to 4, wherein the decoder of the current state (33, 43) comprises comparators (COMPO, COMP1, COMP2, COMPk) each receiving the code of the state current (CSC) and one of the predetermined codes (SCO, SC1, SC2, SCk), and providing a state identification signal (IDO, ID1, ID2, IDk) having a determined active value if the two codes are identical, each comparator making a comparison of the two codes covering all of their constituent bits.   6. State machine according to claim 5, comprising a logic circuit (35, 45) receiving the state identification signals (IDO, ID1, ID2, IDk) provided by the comparators (COMPO, COMP1, COMP2, COMPK ), and providing the error signal (ERS) if none of the identification signals has the determined value.   An integrated circuit (60) comprising a plurality of state machines (SMOSMn) according to one of claims 1 to 6, and logic gates (61, 62, 63, 65) for combining the error signals transmitted by the set of state machines and provide a general error signal (GERS, SGERS).   8. A method for producing a wired logic state machine having a predetermined number of states each corresponding to a predetermined code (SCO, SC1, SC2, SCk), and comprising a synchronous latch (31, 41) receiving a next state code (NSC) and providing a current state code (CSC), in synchronism with a clock signal (CK1), and a state transition circuit (32, 42) for providing the following status code (NSC) is toggled according to the code of the current state (CSC) and of the control signals (INO-INn, ON / OFF, RS), characterized in that it comprises the following steps: - assigning to the state machine predetermined codes (SCO, SC1, SC2, SCk) having relative to each other a Hamming distance of at least 2, - providing in the state transition circuit a current state decoder (33, 43) performing full-scale decoding of the current state code (CSC), and - providing in the state machine of the means (35,45) for providing an error signal having a determined active value when the code of the current state does not correspond to any predetermined code (SCO, SC1, SC2, SCk).   9. The method of claim 8, comprising the assignment to the machine of predetermined code states (SCO, SC1, SC2, SCk) having relative to each other a Hamming distance of at least 3.   10. The method of claim 8, comprising the assignment to the machine of predetermined code states (SCO, SC1, SC2, SCk) having relative to each other a Hamming distance of at least 4.   11. The method according to one of claims 8 to 10, comprising never assigning to a state of the state machine a code which comprises only bits at 0 or bits at 1.   12. Method according to one of claims 8 to 11, comprising the prediction, in the decoder of the current state, comparators (COMPO, COMP1, COMP2, COMPk) each receiving the code of the current state and one predetermined codes (SCO, SC1, SC2, SCk), and providing a state identification signal (IDO, ID1, ID2, IDk) having a determined active value if the two codes are identical, each comparator performing a comparison of the two codes covering all of their constituent bits.   The method according to claim 12, comprising providing a logic circuit (35, 45) receiving the state identification signals (IDO, ID1, ID2, IDk) provided by the comparators (COMPO, COMP1, COMP2, COMPk), and providing an error signal (ERS) if none of the identification signals has the determined value.   The method according to one of claims 8 to 13, comprising providing, in an integrated circuit (60) comprising a plurality of state machines (SMO-SMn), logic gates (61, 62, 63, 65). to combine the error signal (ERS) and other error signals sent by other state machines, and provide a general error signal (GERS, SGERS).