WO2012127135A1 - Secure memory element - Google Patents

Publication number
WO2012127135A1
Authority
WO
WIPO (PCT)
Prior art keywords
flip
flop
signal
clock
memory element
Prior art date
Application number
PCT/FR2012/000103
Other languages
French (fr)
Inventor
Philippe Maurine
Bruno VAQUIE
Original Assignee
Université Montpellier 2 Sciences Et Techniques
Centre National De La Recherche Scientifique
Priority date
Filing date
Publication date
Application filed by Université Montpellier 2 Sciences Et Techniques, Centre National De La Recherche Scientifique
Publication of WO2012127135A1

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06KGRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/073Special arrangements for circuits, e.g. for protecting identification code in memory
    • G06K19/07309Means for preventing undesired reading or writing from or onto record carriers
    • G06K19/07363Means for preventing undesired reading or writing from or onto record carriers by preventing analysis of the circuit, e.g. dynamic or static power analysis or current analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/75Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • G06F21/755Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/77Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/85Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • HELECTRICITY
    • H03ELECTRONIC CIRCUITRY
    • H03KPULSE TECHNIQUE
    • H03K3/00Circuits for generating electric pulses; Monostable, bistable or multistable circuits
    • H03K3/02Generators characterised by the type of circuit or by the means used for producing pulses
    • H03K3/027Generators characterised by the type of circuit or by the means used for producing pulses by the use of logic circuits, with internal or external positive feedback
    • H03K3/037Bistable circuits
    • H03K3/0372Bistable circuits of the master-slave type
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2153Using hardware token as a secondary aspect

Definitions

  • the invention relates to secure integrated circuits, and more particularly to a master-slave type D flip-flop resistant to side-channel attacks.
  • Secure electronic circuits are intended to process secret or confidential data. They are, for example, used in smart cards to carry out banking transactions. In general, this type of circuit is built around a microprocessor associated with a memory. The microprocessor implements cryptographic algorithms to encrypt or decrypt messages, or uses a certificate to authenticate a user.
  • a register is a buffer formed of flip-flops, generally of master-slave type D (flip-flop D). Each flip-flop corresponds to a bit of the register.
  • Figure 1 shows the symbol of a conventional master slave D flip-flop.
  • the flip-flop comprises a data input D, a clock input H and a Q output.
  • An RST signal makes it possible to initialize the state of the flip-flop at power-up, i.e. the value of the bit stored in the flip-flop.
  • the output Q copies the input value D.
  • the flip-flop then maintains this value until the next rising edge.
  • the state of the output Q does not vary.
  • the input D differs from the stored value, the output Q changes state. This is called switching or toggling.
  • Figure 2 shows the current consumption of such a flip-flop.
  • the curve in dotted lines corresponds to the current consumed by the flip-flop when switching, while the curve in solid line represents the consumption of the flip-flop in the absence of switching.
  • the consumption of the flip-flop depends on the state of the input data and the current state in the flip-flop.
  • Side Channel Attacks
  • DPA: Differential Power Analysis
  • CPA: Correlation Power Analysis
  • FIG. 3 schematically shows the flip-flop D described in patent application FR2802733.
  • the flip-flop conventionally comprises a master stage 2M and a slave stage 2S, of identical structure and connected in series.
  • the flip-flop further includes a consumption masking circuit.
  • the masking circuit consists of a 4M control stage connected in parallel with the master stage 2M and a control stage 4S connected in parallel with the slave stage 2S.
  • this flip-flop is in short the following.
  • the master and slave stages do not switch.
  • the two control stages switch.
  • one of the master and slave stages switches, as well as one of the control stages.
  • the difference in consumption is not sufficiently reduced and it is still possible to distinguish the state in which the flip-flop is located. This is due to the fact that the control stage is not strictly identical to the corresponding stage of the flip-flop (master or slave). Indeed, a node of the control stages is disconnected, as can be seen in FIG. 3.
  • the consumption due to the switching of a control stage is then different from that of the master or slave stage.
  • the power consumption of this flip-flop is greatly increased, due to the systematic switching of two stages.
  • the memory element comprises a logic circuit configured to detect switching of the first flip-flop and to control switching of the second flip-flop when the first flip-flop does not switch.
  • the logic circuit receives as input an input signal of the first flip-flop, an output signal of the first flip-flop and an output signal of the second flip-flop, the logic circuit being configured to switch the second flip-flop when none of the three signals is in an active state or when two of the three signals are in an active state.
  • the memory element comprises a clock generating circuit from an external signal, configured to introduce a random delay between each active edge of the clock and an associated active edge of the external signal.
  • the clock is generated using a plurality of inverters from the external signal and the generator circuit comprises a modulation circuit of the number of inverters.
  • FIG. 1, previously described, is a symbolic representation of a master-slave D flip-flop
  • FIG. 2, previously described, represents the current consumption of a flip-flop according to FIG. 1, with and without switching
  • FIG. 3, previously described, is a block diagram of a secure master-slave D flip-flop according to the prior art
  • FIG. 4 represents an embodiment of a secure memory element provided with two master-slave D flip-flops interconnected by a logic circuit
  • FIGS. 5 to 9 are timing diagrams illustrating an overall operation of the memory element of FIG. 4
  • FIG. 10 represents power consumption profiles of the memory element according to FIG. 4
  • FIG. 11 is a block diagram of a memory element provided with an internal clock tree;
  • Figures 12 to 18 are timing diagrams of internal signals of the memory element of Figure 11;
  • FIG. 19 represents current consumption profiles of the memory element according to FIG. 11;
  • FIG. 20 represents an embodiment of the logic circuit of FIG. 4.
  • Description of a preferred embodiment of the invention
  • An active edge is defined as the edge, or transition, of a signal that triggers the switching of one of the flip-flops.
  • the rising edge has been arbitrarily chosen as the active edge of the clock signal.
  • the active state of a signal will correspond to the high state, or logic level '1'.
  • the operation of the memory element would, however, be similar to that described below, considering the falling edge as the active edge and the low state as the active state.
  • Figure 4 shows an embodiment of a memory element 6 having a balanced consumption.
  • the memory element 6 comprises a data input D, a clock input H and an output Q respectively connected to the inputs-outputs D1, H1 and Q1 of a first master-slave type D flip-flop 8a.
  • the element further comprises a second flip-flop 8b, structurally identical to the flip-flop 8a and clocked by the same clock H.
  • the inputs H1 and H2 of the flip-flops 8a and 8b are connected to the input H of the memory element.
  • the initialization inputs RST1 and RST2 of the flip-flops 8a and 8b are connected to an input RST of the element 6.
  • the signals of the flip-flops have hereinafter the same name as the input-outputs to which they are connected.
  • the flip-flop 8b is connected to the flip-flop 8a via a logic circuit 10.
  • the circuit 10 receives as input the input signal D1 of the flip-flop 8a, the output signal Q1 of the flip-flop 8a and the output signal Q2 of the flip-flop 8b.
  • the output of the circuit 10 is connected to the input D2 of the flip-flop 8b.
  • the signal D2 is a logical function of the signals D1, Q1 and Q2, the calculation of which is carried out offset from the active edge of the clock.
  • the inputs D and D1 receive the same signal.
  • the flip-flop 8a performs the memory function of the element 6 and the flip-flop 8b makes it possible to balance the power consumption. In fact, the memory element has the same function as that of a master-slave D flip-flop.
  • the circuit 10 is configured to detect a switching of the flip-flop 8a and cause switching of the flip-flop 8b when the flip-flop 8a does not switch.
  • Figures 5 to 9 show, in a simplified manner, signal timing of the memory element of Figure 4.
  • the plot of Figure 5 corresponds to the clock signal H which clocks flip-flops 8a and 8b.
  • the plots of FIGS. 6 to 9 represent the input and output signals of flip-flops 8a and 8b, respectively D1, Q1, D2 and Q2.
  • the flip-flops are initially initialized using the RST signal.
  • the signals Q1 and Q2, which correspond to the data stored in the flip-flops, are initially in the low state (or logic level '0').
  • the signal D1 is maintained at '1' so the flip-flop 8a does not switch.
  • the signal D2 is switched on, which causes switching of the flip-flop 8b.
  • the signal D2 takes into account the signal D1 (or D) and the output state of the flip-flop 8a (Q1) to know whether there will be a switching of the flip-flop 8a. It also takes into account the state of the output of the flip-flop 8b (Q2) to generate, if necessary, the switching of the flip-flop 8b.
  • the updating of the signal D2 is performed at a different time from that of the flip-flops 8a and 8b, for example on the falling edges of the clock H (FIG. 8). This avoids hazards in the flip-flop 8b which would cause overconsumption.
  • FIG. 10 shows the envelope of the current consumption defined from all the operating modes of the memory element 6.
  • the solid line represents the lower limit of the consumption envelope, that is to say the minimum consumption regardless of the operating mode of element 6.
  • the dotted line curve corresponds to the upper limit of the consumption envelope, i.e. the maximum consumption regardless of the mode of operation.
  • the difference between the two curves corresponds to the maximum consumption difference (in the worst case) depending on whether the data stored in the element 6 changes state or not.
  • This difference in consumption, inevitable, is attributable to the polarization of the internal nodes of the flip-flops. It can be seen that, compared with FIG. 2, this difference is considerably reduced, which makes the DPA attacks more difficult.
  • FIG. 11 is a detailed view of some components of the memory element 6: the flip-flops 8a and 8b, and an internal clock tree 20.
  • the logic circuit 10 is not shown in this figure.
  • Each flip-flop 8a, 8b comprises a master stage 2M and a slave stage 2S.
  • the master and slave stages are identical in structure and connected in series.
  • each master stage 2M (respectively slave 2S) comprises an inverter 12 followed by a first transfer gate TM (respectively TS), and a storage loop 14.
  • the storage loop 14 includes two other inverters 16, 18 and a second transfer gate TM' (respectively TS') in series.
  • the transfer gates are formed, for example, of two MOS transistors connected in parallel, one of the N type and the other of the P type.
  • the transfer gate TM connects the output of the inverter 12 to a storage node of the storage loop 14 located between the transfer gate TM' and the inverter 16.
  • the storage node is noted NM1 in the master stage of the flip-flop 8a, NS1 in the slave stage of the flip-flop 8a, NM2 in the master stage of the flip-flop 8b and NS2 in its slave stage.
  • the output of the inverter 16 of the master stage is connected to the input of the inverter 12 of the slave stage.
  • the signals at the nodes NM1 and NM2 of the master stages respectively correspond to the complements of the input signals D1 and D2.
  • the signals at the nodes NS1 and NS2 of the slave stages respectively correspond to the signals Q1 and Q2.
  • An inverter 19 is then added in each flip-flop 8a, 8b in parallel with the slave stage 2S to obtain the outputs Q1 and Q2 of FIG.
  • the flip-flops 8a and 8b, and more particularly the transfer gates TM, TM', TS and TS', are controlled by internal clock signals CPI and CPN. These signals are applied to the gates of the NMOS and PMOS transistors of each transfer gate. The CPI, CPN signals are complementary. Thus, the two transistors of a transfer gate are simultaneously off or conducting.
  • the CPI, CPN signals come from the clock tree 20 integrated in each memory element. They are generated using a plurality of inverters from the external clock H.
  • the clock tree 20 usually consists of two inverters 22 and 24 connected in series.
  • the external clock signal H propagates through the two inverters.
  • the signal CPN is recovered at the output of the first inverter 22 and the signal CPI is recovered at the output of the second inverter 24.
  • the signal CPN corresponds to the complement of the external signal H and the signal CPI corresponds to the signal H.
  • the assignment of the CPI and CPN signals between the transfer gates TM and TM' is reversed.
  • the TS and TS' gates are controlled in phase opposition.
  • Figures 12 to 18 show, in a simplified manner, timing diagrams of internal signals of flip-flops 8a and 8b.
  • the plots of FIGS. 12 to 14 respectively represent the internal clock signals CPI and CPN and the input D1 of the flip-flop 8a (equivalent to the input D of the memory element).
  • the plots of FIGS. 15 to 18 represent the signals at the storage nodes NM1, NS1, NM2 and NS2 of the flip-flops 8a and 8b.
  • the circuit 10 then controls the switching of the flip-flop 8b, with a new value of the input D2.
  • the node NM2 goes to '0' at the falling edge of the signal CPI, following the activation of the gate TM, then the node NS2 copies this value during the activation of the gate TS, at the rising edge of the signal CPI (instant t4).
  • the memory element consumes less power than a conventional secure flip-flop.
  • the master-slave D flip-flop described in this application is more robust to side-channel attacks than the prior art circuits.
  • each data processing circuit whose power consumption is to be masked is provided with a complementary masking circuit, controlled in parallel with the processing circuit.
  • a transition (rising or falling) takes place in the data processing circuit, the opposite transition occurs in the masking circuit (falling or rising respectively).
  • the power consumption of the master slave D flip-flop is balanced in time because there is systematically (i.e. at each clock edge) only one of the two flip-flops that switches.
  • the clock tree 20 is modified to form a random delay generator between the external clock signal H and the internal clock signals CPI and CPN which control flip-flops 8a, 8b.
  • the random delay generator 20 comprises, in addition to the inverters 22 and 24 of the clock tree, two inverters 26 and 28 connected in series and arranged between the inverters 22 and 24.
  • the generator also comprises two transfer gates 30 and 32.
  • the gate 30 connects the output of the inverter 22 to the input of the inverter 24 and the gate 32 connects the output of the inverter 28 to the input of the inverter 24.
  • Each inverter is characterized by a propagation time of the external clock signal H through the inverter.
  • When the signal DJIT is low (DJIT = '0'), the gate 30 is on and the clock signal H passes through the inverters 22 and 24. The signal CPN is then inverted and offset by the propagation time of the inverter 22 relative to the signal H. In the same way, the signal CPI is inverted and offset by the propagation time of the inverter 24 with respect to the signal CPN. The signal CPI therefore corresponds to the signal H shifted by two propagation times. This operating state corresponds in fact to that of a conventional clock tree.
  • the signal H passes through two further inverters, 26 and 28.
  • the delays applied to the CPN and CPI signals are then increased by the propagation time of the inverter 26 and by the propagation time of the inverter 28.
  • it is therefore possible, using the DJIT signal, to modulate the time delay between each rising edge of the control signal CPI and an associated rising edge of the external signal H.
  • This delay can take two distinct values, depending on the number of inverters used to generate the signal CPI, two or four in the example of Figure 11.
  • the delay is much less than the duration of a period of the signal H. It is of the order of half the delay of propagation of the signal between the input H and the Q output of the flip-flop of FIG. 1, that is to say between 50 ps and 100 ps in 130 nm technology.
  • the generator 20 may also comprise additional inverters and transfer gates, arranged to form other propagation loops of the signal H. The number of possible delay values is thus increased.
  • the DJIT signal is then encoded on several bits.
  • the DJIT signal preferably corresponds to the output of a random number generator (not shown).
  • the delay generator 20 is then stochastically controlled.
  • the propagation time of the signal H in an inverter varies as a function of the size of the transistors constituting the inverter, typically an N-type MOS transistor and a P-type MOS transistor connected in series.
  • the size of the transistors for example those of the inverters 26 and 28, it is possible to vary the delays applied to the CPI and CPN signals from one memory element to the other.
  • a register comprises a plurality of memory elements and at least one of the two delay values differs from one memory element to another.
  • FIG. 19 represents the envelope of the electric current consumed by a memory element 6 equipped with the random delay generator 20. It can be seen that the difference between the upper limit and the lower limit of the envelope is smaller than in FIG. 10 but also that this envelope spreads over a longer period. In fact, the random delay introduced on the CPI and CPN signals delays the updating of the signal Q1 (or the signal Q2) with respect to the edge of the external clock H. The average electrical consumption of the flip-flop is therefore spread over a longer period of time. In other words, the current consumption of the memory element is averaged over several cycles or cryptographic calculations. This has the effect of further reducing the average consumption difference between all modes of operation of the memory element. It thus becomes difficult to distinguish the state of the memory element from the consumption records.
  • each element is slightly out of synchronization with the clock H thanks to the generator 20 integrated in each flip-flop.
  • This desynchronization is on the one hand variable within the same flip-flop, between two successive switchings, thanks to the signal DJIT.
  • it may differ from one memory element to another by adapting the generator 20, for example by changing the size of the transistors of the inverters. Resynchronization of all memory elements is therefore impossible, which further improves the robustness to side-channel attacks.
  • the random delay generator 20 has the effect of limiting information leaks from logic circuits located downstream of the memory element. Indeed, the calculations of these circuits are delayed, which also reduces their average difference in consumption.
  • the memory element is not only secure, but the logic circuits at the output are also more robust to attacks.
  • a binary value is encoded on a wire, which corresponds to two distinct states: '0' and '1'.
  • double rail logic the binary value is coded on two wires. It is then possible to code up to four states: '00', '01', '10' and '11'. Double rail coding is intrinsically more robust to attacks because it allows a first balancing of consumption.
  • the secure memory element described above can be used in a single rail logic circuit, using only the signal D1 at the output of the memory element.
  • the memory element is also suitable for double-rail coding with invalid state feedback. It suffices for this to use the output Q2 of the second flip-flop 8b. It is thus possible to combine, in a simple and secure manner, single rail registers and double rail registers in the same circuit, using a single type of memory element.
  • the signal D2 of the flip-flop 8b is updated before the update of the flip-flops 8a and 8b, that is to say before each rising edge of the signal CPI, for example on each falling edge.
  • FIG. 20 represents a preferred embodiment of logic circuit 10 in which the signal D2 is synchronized on the falling edges of the signal CPI.
  • the signal D1 is synchronized on the rising edges of the signal CPI.
  • the signal D1' will then be offset by one half of a clock cycle with respect to the signal D1.
  • the signal D1' corresponds in fact to the complement of the signal at the node NM1 (FIG.
  • two transfer gates TG and TG' make it possible to obtain the signals Q1' and Q2' from the signals Q1 and Q2.
  • the signals Q1' and Q2' respectively correspond to the signals Q1 and Q2 synchronized on the rising edges of the signal CPI and whose values are maintained on the low state of the signal CPI.
  • the exclusive NOR function of the circuit 10 is performed by a plurality of inverters and transfer gates arranged to define different propagation paths of the signal D1'.
  • the circuit 10 comprises a first inverter 34 receiving as input the signal D1' and connected in series with a first branch 36a provided with a transfer gate 38a.
  • a second branch 36b in parallel with the branch 36a, comprises a transfer gate 38b and an inverter 34b.
  • the gates 38a and 38b are controlled in phase opposition by the signal Q1' and its complement.
  • a third branch 36c is connected in series with the branches 36a and 36b. It includes a transfer gate 38c. Connected in parallel with the branch 36c, a branch 36d comprises a transfer gate 38d and an inverter 34d. The gates 38c and 38d are controlled in phase opposition by the signal Q2' and its complement.
  • the signal D1' propagates systematically through two of the four branches, one of the branches 36a and 36b, then one of the branches 36c and 36d, depending on the state of the gates 38a-d.
  • the signal D passes through one, two or three inverters depending on the state of the signals Q1', Q2' and their complements.
  • the signals Q1' and Q2' are in the low state ('0')
  • the signal D1' propagates through the branches 36a and 36c and passes through only one inverter (34).
  • the signal D2 is then '1' if the signal D1' is at '0' and '0' if the signal D1' is at '1'.
  • the signal D2 evolves at the same time as the signal D1', i.e. in synchronism with the rising edges of the clock signal CPI.

Abstract

The memory element comprises a clock, a first flip-flop (8a) of master-slave D type regulated by the clock and a second flip-flop (8b) of master-slave D type, structurally identical to the first flip-flop, regulated by the clock and connected to the first flip-flop (8a) in such a way that the second flip-flop (8b) switches upon each active edge of the clock where the first flip-flop does not switch.
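
The balancing rule stated above (logic circuit 10 drives D2 so that flip-flop 8b switches on every active edge where 8a does not) can be checked with a small behavioural model. This is an added example, not code from the patent: the class and function names are hypothetical, the input bit stream is constructed, and the model counts logical toggles only, ignoring the residual analog difference the text attributes to internal node polarization.

```python
from itertools import product


def d2_logic(d1, q1, q2):
    """Logic circuit 10 as a three-input exclusive NOR.

    Returns 1 when none or exactly two of D1, Q1, Q2 are '1',
    i.e. D2 = NOT(D1 XOR Q1 XOR Q2).
    """
    return 1 ^ d1 ^ q1 ^ q2


class BalancedMemoryElement:
    """Flip-flop 8a (data) and flip-flop 8b (balancing) on one clock."""

    def __init__(self):
        # RST initialises both stored bits to the low state.
        self.q1 = 0
        self.q2 = 0
        self.d2 = 0

    def clock_cycle(self, d1):
        """Run one clock period and report which flip-flops toggled.

        Assumes D1 is stable from the falling edge to the rising edge.
        """
        # Falling edge: D2 is recomputed away from the active edge.
        self.d2 = d2_logic(d1, self.q1, self.q2)
        # Rising (active) edge: both flip-flops sample their inputs.
        toggled_a = int(self.q1 != d1)
        toggled_b = int(self.q2 != self.d2)
        self.q1, self.q2 = d1, self.d2
        return toggled_a, toggled_b


def exhaustive_check():
    """Toggle pattern for every (D1, Q1, Q2) starting condition."""
    results = {}
    for d1, q1, q2 in product((0, 1), repeat=3):
        elem = BalancedMemoryElement()
        elem.q1, elem.q2 = q1, q2
        results[(d1, q1, q2)] = elem.clock_cycle(d1)
    return results


def toggle_counts(bits):
    """Per-cycle toggle counts: (conventional flip-flop, balanced element)."""
    elem = BalancedMemoryElement()
    q = 0  # conventional D flip-flop, reset low
    counts = []
    for d in bits:
        conventional = int(q != d)
        q = d
        a, b = elem.clock_cycle(d)
        # 8a must still behave as an ordinary D flip-flop.
        assert elem.q1 == d
        counts.append((conventional, a + b))
    return counts


SAMPLE_BITS = [1, 1, 0, 1, 0, 0, 0, 1]  # constructed input stream

if __name__ == "__main__":
    for state, toggles in exhaustive_check().items():
        print("D1,Q1,Q2 =", state, "-> toggled (8a, 8b) =", toggles)
    for d, (conv, bal) in zip(SAMPLE_BITS, toggle_counts(SAMPLE_BITS)):
        print("D =", d, "conventional toggles:", conv, "balanced toggles:", bal)
```

In the conventional flip-flop the toggle count follows the data (1 when the stored bit changes, 0 otherwise), which is the data-dependent signal DPA and CPA rely on; in the balanced element the count is 1 on every cycle.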

Description

ELEMENT MEMOIRE SECURISE  SECURE MEMORY ELEMENT
Domaine technique de l'invention Technical field of the invention
L'invention est relative aux circuits intégrés sécurisés, et plus particulièrement à une bascule de type D maître-esclave résistante aux attaques par canaux cachés. The invention relates to secure integrated circuits, and more particularly to a master-slave type D flip-flop resistant to hidden channel attacks.
État de la technique State of the art
Les circuits électroniques sécurisés sont destinés à traiter des données secrètes ou confidentielles. Ils sont, par exemple, utilisés dans les cartes à puce pour effectuer des transactions bancaires. De manière générale, ce type de circuit est construit autour d'un microprocesseur associé à une mémoire. Le microprocesseur met en œuvre des algorithmes de cryptographie pour chiffrer ou déchiffrer des messages, ou bien utilise un certificat pour authentifier un utilisateur. Secure electronic circuits are intended to process secret or confidential data. They are, for example, used in smart cards to carry out banking transactions. In general, this type of circuit is built around a microprocessor associated with a memory. The microprocessor implements cryptographic algorithms to encrypt or decrypt messages, or uses a certificate to authenticate a user.
Une donnée secrète, telle qu'une clé de cryptographie, peut transiter entre le microprocesseur et la mémoire par un registre. Un registre est une mémoire tampon formée de bascules, généralement de type D maître-esclave (flip- flop D). A chaque bascule correspond un bit du registre. Secret data, such as a cryptographic key, may pass between the microprocessor and the memory by a register. A register is a buffer formed of flip-flops, generally of master-slave type D (flip-flop D). Each flip-flop corresponds to a bit of the register.
La figure 1 représente le symbole d'une bascule D maître-esclave classique. La bascule comprend une entrée de données D, une entrée d'horloge H et une sortie Q. Un signal RST permet d'initialiser l'état de la bascule lors de la mise sous tension, c'est-à-dire la valeur du bit mémorisé dans la bascule. Figure 1 shows the symbol of a conventional master slave D flip-flop. The flip-flop comprises a data input D, a clock input H and a Q output. An RST signal makes it possible to initialize the state of the flip-flop at power-up, ie the value of the flip-flop. bit memorized in the flip-flop.
A chaque front montant du signal d'horloge H, la sortie Q recopie la valeur d'entrée D. La bascule maintient ensuite cette valeur jusqu'au prochain front montant. Ainsi, lorsque la donnée présentée en entrée D est identique à la valeur stockée dans la bascule, l'état de la sortie Q ne varie pas. Par contre, lorsque l'entrée D diffère de la valeur stockée, la sortie Q change d'état. On parle alors de commutation ou de basculement. At each rising edge of the clock signal H, the output Q copies the input value D. The flip-flop then maintains this value until the next rising edge. Thus, when the data presented at the input D is identical to the value stored in the flip-flop, the state of the output Q does not vary. On the other hand, when the input D differs from the stored value, the output Q changes state. This is called switching or switching.
La figure 2 représente la consommation en courant d'une telle bascule. La courbe en traits pointillés correspond au courant consommé par la bascule lors d'une commutation, tandis que la courbe en trait plein représente la consommation de la bascule en absence de commutation. Figure 2 shows the current consumption of such a rocker. The curve in dotted lines corresponds to the current consumed by the rocker when switching, while the curve in solid line represents the consumption of the rocker in the absence of switching.
There are therefore two distinct consumption profiles, depending on whether or not the data stored in the flip-flop changes. Thus, the consumption of the flip-flop depends on the state of the input data and on the current state of the flip-flop.
Side-channel attacks, and more particularly differential power analysis (DPA) and correlation power analysis (CPA) attacks on power consumption or electromagnetic emissions, exploit this difference in consumption to recover the cryptographic key stored in the secure circuit.
Manufacturers of secure circuits provide countermeasure systems to protect registers against DPA attacks. In particular, patent application FR2802733 aims to mask the consumption difference of a master-slave D flip-flop.
Figure 3 schematically shows the D flip-flop described in that application. The flip-flop conventionally comprises a master stage 2M and a slave stage 2S, of identical structure and connected in series. The flip-flop further comprises a consumption masking circuit. The masking circuit consists of a control stage 4M connected in parallel with the master stage 2M and a control stage 4S connected in parallel with the slave stage 2S.
In brief, this flip-flop operates as follows. When the input data D is identical to the stored data, the master and slave stages do not switch. The two control stages, on the other hand, do switch. When the input data differs from the stored data, one of the master and slave stages switches, as does one of the control stages. In other words, two of the four stages always switch at each clock edge. It is observed, however, that the difference in consumption is not sufficiently reduced, and the state of the flip-flop can still be distinguished. This is because the control stage is not strictly identical to the corresponding stage of the flip-flop (master or slave). Indeed, one node of the control stages is disconnected, as can be seen in Figure 3. The consumption due to the switching of a control stage is therefore different from that of the master or slave stage. In addition, the power consumption of this flip-flop is greatly increased, because two stages switch systematically.
Summary of the invention
There is a need for a memory element that is robust against attacks while having a controlled power consumption. This need tends to be met by providing a clock, a first master-slave D flip-flop clocked by the clock, and a second master-slave D flip-flop, structurally identical to the first flip-flop, clocked by the clock and connected to the first flip-flop so that the second flip-flop switches at each active edge of the clock where the first flip-flop does not switch.
In one embodiment, the memory element comprises a logic circuit configured to detect switching of the first flip-flop and to command switching of the second flip-flop when the first flip-flop does not switch. According to a development, the logic circuit receives as inputs an input signal of the first flip-flop, an output signal of the first flip-flop and an output signal of the second flip-flop, the logic circuit being configured to make the second flip-flop switch when none of the three signals is in an active state or when two of the three signals are in an active state. In another embodiment, the memory element comprises a circuit that generates the clock from an external signal and is configured to introduce a random delay between each active edge of the clock and the associated active edge of the external signal.
According to a development, the clock is generated from the external signal by means of a plurality of inverters, and the generator circuit comprises a circuit for modulating the number of inverters.
Brief description of the drawings
Other advantages and features will emerge more clearly from the following description of particular embodiments, given as non-limiting examples and illustrated by the accompanying drawings, in which:
- Figure 1, previously described, is a symbolic representation of a master-slave D flip-flop;
- Figure 2, previously described, shows the current consumption of a flip-flop according to Figure 1, with and without switching;
- Figure 3, previously described, is a block diagram of a secure master-slave D flip-flop according to the prior art;
- Figure 4 shows an embodiment of a secure memory element provided with two master-slave D flip-flops interconnected by a logic circuit;
- Figures 5 to 9 are timing diagrams illustrating the overall operation of the memory element of Figure 4;
- Figure 10 shows current consumption profiles of the memory element according to Figure 4;
- Figure 11 is a block diagram of a memory element provided with an internal clock tree;
- Figures 12 to 18 are timing diagrams of internal signals of the memory element of Figure 11;
- Figure 19 shows current consumption profiles of the memory element according to Figure 11; and
- Figure 20 shows an embodiment of the logic circuit of Figure 4.
Description of a preferred embodiment of the invention
It is proposed here to duplicate a conventional master-slave D flip-flop to form a secure memory element. The two flip-flops are interconnected so that only one of them switches at each active edge of a clock signal. The power consumption of the memory element is thus substantially constant. This effectively counters attacks that rely on power analysis.
An active edge is defined as the edge, or transition, of a signal that triggers the switching of one of the flip-flops. In the following description, the rising edge has been arbitrarily chosen as the active edge of the clock signal. Similarly, the active state of a signal corresponds to the high logic state, or logic level '1'. The operation of the memory element would, however, be similar to that described below if the falling edge were taken as the active edge and the low state as the active state.
Figure 4 shows an embodiment of a memory element 6 having a balanced consumption. The memory element 6 comprises a data input D, a clock input H and an output Q, connected respectively to the inputs/outputs D1, H1 and Q1 of a first master-slave D flip-flop 8a. The element further comprises a second flip-flop 8b, structurally identical to flip-flop 8a and clocked by the same clock H. The inputs H1 and H2 of flip-flops 8a and 8b are therefore connected to the input H of the memory element. The initialization inputs RST1 and RST2 of flip-flops 8a and 8b are connected to an input RST of element 6. For convenience, the signals of the flip-flops are hereafter given the same names as the inputs/outputs to which they are assigned.
Flip-flop 8b is connected to flip-flop 8a through a logic circuit 10. Circuit 10 receives as inputs the input signal D1 of flip-flop 8a, the output signal Q1 of flip-flop 8a and the output signal Q2 of flip-flop 8b. The output of circuit 10 is connected to the input D2 of flip-flop 8b. Thus, the signal D2 is a logic function of the signals D1, Q1 and Q2, and is computed at a time offset from the active edge of the clock. In this configuration, the inputs D and D1 receive the same signal. Flip-flop 8a performs the memory function of element 6, and flip-flop 8b balances the power consumption. In effect, the memory element has the same function as a master-slave D flip-flop. Circuit 10 is configured to detect switching of flip-flop 8a and to cause flip-flop 8b to switch when flip-flop 8a does not switch.
The logic function of circuit 10 is that of a three-input exclusive-NOR gate. Taking D1, Q1 and Q2 as the inputs of circuit 10 and D2 as its output, we obtain: $D2 = \overline{D1 \oplus Q1 \oplus Q2}$
The truth table of logic circuit 10 is given below:
[Figure imgf000008_0001: truth table of logic circuit 10]
It can be seen that the output D2 of circuit 10 goes high when none of the inputs D1, Q1 and Q2 is high, or when two of these three inputs are high.
Figures 5 to 9 show, in simplified form, timing diagrams of signals of the memory element of Figure 4. The trace of Figure 5 corresponds to the clock signal H that clocks flip-flops 8a and 8b. The traces of Figures 6 to 9 show the input and output signals of flip-flops 8a and 8b, respectively D1, Q1, D2 and Q2.
The flip-flops are first initialized using the RST signal. The signals Q1 and Q2, which correspond to the data stored in the flip-flops, are initially in the low state (logic level '0').
At a first rising clock edge, at time t1, the input D1 is low (Fig. 6: D1='0'). Thus, in accordance with the operation of a master-slave D flip-flop described in relation to Figure 1, the output Q1 remains low (Fig. 7: Q1='0'). There is therefore no switching in flip-flop 8a.
Since the signals D1, Q1 and Q2 are all initially at '0', the signal D2 is '1' (Fig. 8) according to the truth table of logic circuit 10. At the rising edge, the output Q2 copies the input D2 of flip-flop 8b. The signal Q2 therefore goes from '0' to '1' (Fig. 9), which means that flip-flop 8b switches. At time t2, since the input D1 is held low, flip-flop 8a still does not switch. The signal D2 is '0' at time t2 because only one of the inputs of circuit 10 is high (D1='0', Q1='0', Q2='1'). As a result, flip-flop 8b switches and the signal Q2 falls back to '0'.
At time t3, the input signal D1 of flip-flop 8a is '1' while the value previously stored in flip-flop 8a is '0' (Fig. 7: Q1(t2)='0'). Flip-flop 8a is therefore seen to switch (Q1(t3)='1'). At this time, the signal D2 is '0' because only the input D1 is high. Consequently, flip-flop 8b does not switch (Fig. 9: Q2(t3) = Q2(t2) = '0').
At the fourth rising edge (t4), the signal D1 remains at '1', so flip-flop 8a does not switch. The signal D2, on the other hand, has gone to '1', which causes flip-flop 8b to switch.
It can thus be shown that exactly one flip-flop switches at each rising edge of the clock, whatever the state of the input D and the current state of flip-flops 8a and 8b. Indeed, Figures 7 and 9 show that only one of the signals Q1 and Q2 changes level at each rising edge. The signal D2 takes into account the signal D1 (or D) and the output state of flip-flop 8a (Q1) to determine whether flip-flop 8a will switch. It also takes into account the output state of flip-flop 8b (Q2) in order to cause, where required, flip-flop 8b to switch. The signal D2 is updated at a different time from flip-flops 8a and 8b, for example on the falling edges of the clock H (Fig. 8). This avoids glitches in flip-flop 8b that would cause excess consumption.
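The one-switch-per-edge property can be checked exhaustively with a cycle-level model. The following Python sketch is an added example, not part of the patent text: the function names are hypothetical, and it assumes D1 is stable before the falling edge on which D2 is computed. It replays the t1 to t4 walkthrough above and compares the toggle count with that of an unprotected flip-flop.

```python
from itertools import product


def circuit10(d1, q1, q2):
    """Logic circuit 10: three-input XNOR, D2 = NOT(D1 xor Q1 xor Q2)."""
    return 1 - (d1 ^ q1 ^ q2)


def truth_table():
    """All eight input combinations (D1, Q1, Q2) with the resulting D2."""
    return [(d1, q1, q2, circuit10(d1, q1, q2))
            for d1, q1, q2 in product((0, 1), repeat=3)]


def simulate(d_sequence, q1=0, q2=0):
    """Cycle-level model of memory element 6.

    d_sequence holds the value of D (= D1) sampled at each active edge.
    D2 is assumed to have settled before the active edge (the text updates
    it on the falling edge), so both flip-flops sample stable inputs.
    """
    trace = []
    for d1 in d_sequence:
        d2 = circuit10(d1, q1, q2)      # computed from the pre-edge state
        new_q1, new_q2 = d1, d2         # active edge: 8a and 8b copy D1, D2
        trace.append({
            "D1": d1, "D2": d2, "Q1": new_q1, "Q2": new_q2,
            "toggle_8a": new_q1 != q1,
            "toggle_8b": new_q2 != q2,
        })
        q1, q2 = new_q1, new_q2
    return trace


def toggles_per_edge(d_sequence, q1=0, q2=0):
    """Number of flip-flops (8a plus 8b) that switch at each active edge."""
    return [int(r["toggle_8a"]) + int(r["toggle_8b"])
            for r in simulate(d_sequence, q1, q2)]


def plain_ff_toggles(d_sequence, q=0):
    """Same count for a single unprotected D flip-flop (Figure 1)."""
    counts = []
    for d in d_sequence:
        counts.append(int(d != q))
        q = d
    return counts


def invariant_holds(max_len=8):
    """Check every input sequence up to max_len and every initial state."""
    for n in range(1, max_len + 1):
        for seq in product((0, 1), repeat=n):
            for q1, q2 in product((0, 1), repeat=2):
                if any(t != 1 for t in toggles_per_edge(seq, q1, q2)):
                    return False
    return True


if __name__ == "__main__":
    print("D1 Q1 Q2 | D2")
    for d1, q1, q2, d2 in truth_table():
        print(f" {d1}  {q1}  {q2} |  {d2}")
    walkthrough = [0, 0, 1, 1]          # D1 at t1..t4, as in Figures 5 to 9
    for i, r in enumerate(simulate(walkthrough), start=1):
        print(f"t{i}: D1={r['D1']} D2={r['D2']} Q1={r['Q1']} Q2={r['Q2']}")
    print("protected  :", toggles_per_edge(walkthrough))
    print("unprotected:", plain_ff_toggles(walkthrough))
    print("invariant holds:", invariant_holds())
```

The unprotected count follows the data (it is 1 only when the stored bit changes), whereas the protected count is constant; the model does not capture the residual analog difference between the two flip-flops discussed with Figure 10.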
Figure 10 shows the envelope of the current consumption defined over all operating modes of memory element 6. The solid curve represents the lower limit of the consumption envelope, i.e. the minimum consumption whatever the operating mode of element 6. The dotted curve corresponds to the upper limit of the consumption envelope, i.e. the maximum consumption whatever the operating mode.
The gap between the two curves corresponds to the maximum (worst-case) difference in consumption depending on whether or not the data stored in element 6 changes state. This unavoidable difference in consumption is attributable to the biasing of the internal nodes of the flip-flops. Compared with Figure 2, this gap is considerably reduced, which makes DPA attacks more difficult.
Figure 11 is a detailed view of some components of memory element 6: flip-flops 8a and 8b, and an internal clock tree 20. Logic circuit 10 is not shown in this figure. Each flip-flop 8a, 8b comprises a master stage 2M and a slave stage 2S. The master and slave stages are identical in structure and connected in series.
In the embodiment of Figure 11, each master stage 2M (respectively slave stage 2S) comprises an inverter 12 followed by a first transfer gate TM (respectively TS), and a storage loop 14. The storage loop 14 comprises two further inverters 16, 18 and a second transfer gate TM' (respectively TS') in series. The transfer gates are formed, for example, of two MOS transistors connected in parallel, one N-type and the other P-type.
The transfer gate TM connects the output of inverter 12 to a storage node of the storage loop 14, located between the transfer gate TM' and the inverter 16. The storage node is denoted NM1 in the master stage of flip-flop 8a, NS1 in the slave stage of flip-flop 8a, NM2 in the master stage of flip-flop 8b and NS2 in its slave stage. The output of inverter 16 of the master stage is connected to the input of inverter 12 of the slave stage.
Note that the signals at nodes NM1 and NM2 of the master stages correspond respectively to the complements of the input signals D1 and D2. In addition, the signals at nodes NS1 and NS2 of the slave stages correspond respectively to the signals Q1 and Q2. An inverter 19 is then added in each flip-flop 8a, 8b, in parallel with the slave stage 2S, to obtain the outputs Q1 and Q2 of Figure 4.
Flip-flops 8a and 8b, and more particularly the transfer gates TM, TM', TS and TS', are controlled by internal clock signals CPI and CPN. These signals are applied to the gates of the NMOS and PMOS transistors of each transfer gate. The signals CPI and CPN are complementary. Thus, the two transistors of a transfer gate are simultaneously off or simultaneously conducting.
The signals CPI and CPN come from the clock tree 20 integrated in each memory element. They are generated from the external clock H by means of a plurality of inverters.
The clock tree 20 usually consists of two inverters 22 and 24 connected in series. The external clock signal H propagates through the two inverters. The signal CPN is taken at the output of the first inverter 22 and the signal CPI is taken at the output of the second inverter 24. Thus, the signal CPN corresponds to the complement of the external signal H and the signal CPI corresponds to the signal H. The transfer gates TM and TM' are controlled in phase opposition: when gate TM is conducting, gate TM' is off, and vice versa. To this end, the assignment of the signals CPI and CPN is swapped between the transfer gates TM and TM'. Similarly, the gates TS and TS' are controlled in phase opposition. The gates TM and TS', on the other hand, are controlled simultaneously, as are the gates TM' and TS.
Figures 12 to 18 show, in simplified form, timing diagrams of internal signals of flip-flops 8a and 8b. The traces of Figures 12 to 14 show respectively the internal clock signals CPI and CPN, and the input D1 of flip-flop 8a (equivalent to the input D of the memory element). The traces of Figures 15 to 18 show the signals at the storage nodes NM1, NS1, NM2 and NS2 of flip-flops 8a and 8b.
The operation of flip-flops 8a and 8b is described in detail below, in relation to the block diagram of Figure 11 and the timing diagrams of Figures 12 to 18.
Between times t1 and t2, the data presented at input D1 (or D) already corresponds to that stored in flip-flop 8a, at node NM1 (NM1 = '1' = $\overline{D1}$). Flip-flop 8a therefore does not switch, either in the master stage (NM1: Fig. 15) or in the slave stage (NS1: Fig. 16), during this period.
Flip-flop 8b, on the other hand, is seen to switch. At the falling edge of the signal CPI (or rising edge of the signal CPN), the transfer gate TM of flip-flop 8b becomes conducting and the node NM2 changes state (Fig. 17). At the next edge, i.e. the rising edge of the signal CPI, the gate TS becomes conducting. The slave stage then copies the value of node NM2 into node NS2 (Fig. 18).
At instant t2, the input D1 of flip-flop 8a changes state (D1 = ). This first causes the master stage 2M of flip-flop 8a to switch: when the gate TM is activated at the falling edge of the signal CPI, the signal at node NM1 goes to '0' (Fig. 15). The slave stage 2S then switches at the next rising edge of the signal CPI (at instant t3). The gate TS is activated and node NS1 copies the value of node NM1 (Fig. 16). Since flip-flop 8a has switched, circuit 10 causes no change in the signal D2 (not shown) of flip-flop 8b between instants t2 and t3, so no switching is observed in the associated master and slave stages. Between instants t3 and t4, the input D1 remains at . When the gates TM and TS are activated, the state of nodes NM1 and NS1 of flip-flop 8a therefore does not change.
Circuit 10 then commands the switching of flip-flop 8b with a new value of the input D2. Node NM2 goes to '0' at the falling edge of the signal CPI, following activation of the gate TM, and node NS2 then copies this value when the gate TS is activated at the rising edge of the signal CPI (instant t4).
It can thus be shown that at each falling edge of the signal H (or falling edge of the signal CPI), only one of the master stages switches. At each rising edge of the signal H (or rising edge of the signal CPI), only one of the slave stages switches. In summary, only one of the four stages of the memory element switches at each edge of the clock signal H, unlike the secure master-slave D flip-flop of the prior art.
There is therefore no increase in instantaneous consumption caused by the systematic switching of two stages. The memory element consumes less energy than a conventional secure flip-flop.
The master-slave D flip-flop described in this application is more robust to side-channel attacks than the circuits of the prior art.
In document WO00/26746, for example, each data processing circuit whose power consumption is to be masked is provided with a complementary masking circuit, controlled in parallel with the processing circuit. When a transition (rising or falling) takes place in the data processing circuit, the opposite transition takes place in the masking circuit (falling or rising, respectively).
However, it is still possible to distinguish activity from inactivity of this processing circuit by analysing the current consumption according to whether or not the circuit switches. The difference in consumption is even doubled, since two transitions (instead of one) are observed when the circuit is active and none when it is inactive. It is therefore even easier to mount attacks that exploit this difference in consumption.
Here, the power consumption of the master-slave D flip-flop is balanced over time because, systematically (i.e. at each clock edge), only one of the two flip-flops switches.
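The balancing argument above can be checked with a small behavioural model. The following Python sketch is an added example, not part of the patent: it assumes circuit 10 computes D2 as the exclusive NOR of D1, Q1 and Q2, counts one unit of activity per stage that changes state, and models the WO00/26746 scheme as two transitions whenever the data changes; the input bits are constructed.

```python
import random

def xnor3(d1, q1, q2):
    """Assumed function of logic circuit 10: D2 = NOT(D1 xor Q1 xor Q2)."""
    return 1 ^ d1 ^ q1 ^ q2

class MasterSlaveDFF:
    """Master-slave D flip-flop reduced to its two storage nodes.

    Node inversions are ignored: only whether a stage changes state matters.
    """
    def __init__(self, init=0):
        self.master = init   # node NM
        self.slave = init    # node NS

    @property
    def q(self):
        return self.slave

    def falling_edge(self, d):
        """Gate TM conducts: the master stage takes D. Returns 1 if it switched."""
        toggled = int(self.master != d)
        self.master = d
        return toggled

    def rising_edge(self):
        """Gate TS conducts: the slave stage copies the master. Returns 1 if it switched."""
        toggled = int(self.slave != self.master)
        self.slave = self.master
        return toggled

def simulate_element(d1_bits):
    """One record per clock edge: (data_changed, stages switched in 8a, in 8b)."""
    ff_a, ff_b = MasterSlaveDFF(), MasterSlaveDFF()
    edges = []
    for d1 in d1_bits:
        changed = int(d1 != ff_a.q)
        d2 = xnor3(d1, ff_a.q, ff_b.q)   # D2 is set before the flip-flops update
        edges.append((changed, ff_a.falling_edge(d1), ff_b.falling_edge(d2)))
        edges.append((changed, ff_a.rising_edge(), ff_b.rising_edge()))
    return edges

def activity_profiles(d1_bits):
    """Switching activity per clock edge for three designs fed the same data."""
    edges = simulate_element(d1_bits)
    return {
        "single_dff": [(c, a) for c, a, _ in edges],
        # Masking circuit mirrors every transition: 2 when active, 0 when idle.
        "complementary_masking": [(c, 2 * a) for c, a, _ in edges],
        "dual_dff_element": [(c, a + b) for c, a, b in edges],
    }

def difference_of_means(profile):
    """Mean activity when the stored bit changes minus mean activity when it does not."""
    active = [n for c, n in profile if c]
    idle = [n for c, n in profile if not c]
    return sum(active) / len(active) - sum(idle) / len(idle)

if __name__ == "__main__":
    rng = random.Random(2012)                        # constructed input data
    bits = [rng.getrandbits(1) for _ in range(64)]
    for name, profile in activity_profiles(bits).items():
        levels = sorted({n for _, n in profile})
        print(f"{name:22s} levels={levels} diff={difference_of_means(profile):.1f}")
```

In this model the data-dependent difference is 1 for a plain flip-flop, 2 for the complementary masking scheme and 0 for the dual flip-flop element, where exactly one stage switches at every edge.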
In a preferred embodiment, shown in dotted lines in Figure 11, the clock tree 20 is modified to form a random delay generator between the external clock signal H and the internal clock signals CPI and CPN that control flip-flops 8a and 8b.
The random delay generator 20 comprises, in addition to the inverters 22 and 24 of the clock tree, two inverters 26 and 28 connected in series and placed between inverters 22 and 24. The generator also comprises two transfer gates 30 and 32. Gate 30 connects the output of inverter 22 to the input of inverter 24, and gate 32 connects the output of inverter 28 to the input of inverter 24. Each inverter is characterized by the propagation time of the external clock signal H through it. The generator 20 has two operating states, depending on the state of gates 30 and 32, which are controlled in phase opposition by a signal DJIT.
When the signal DJIT is low (DJIT = '0'), gate 30 is conducting and the clock signal H passes through inverters 22 and 24. The signal CPN is then inverted and delayed by the propagation time of inverter 22 relative to the signal H. In the same way, the signal CPI is inverted and delayed by the propagation time of inverter 24 relative to the signal CPN. The signal CPI therefore corresponds to the signal H delayed by two propagation times. This operating state is in fact that of a conventional clock tree.
On the other hand, when gate 36 is conducting (DJIT = '1'), the signal H passes through two additional inverters, 26 and 28. The delays applied to the signals CPN and CPI are then increased by the propagation time of inverter 26 and the propagation time of inverter 28.
The signal DJIT can therefore be used to modulate the time delay between each rising edge of the control signal CPI and the associated rising edge of the external signal H. This delay can take two distinct values, depending on the number of inverters used to generate the signal CPI: two or four in the example of Figure 11. The delay is much shorter than one period of the signal H. It is of the order of half the signal propagation delay between input H and output Q of the flip-flop of Figure 1, that is, between 50 ps and 100 ps in 130 nm technology.
The generator 20 may also comprise additional inverters and transfer gates, arranged so as to form other propagation loops for the signal H. This increases the number of possible delay values. The signal DJIT is then coded on several bits. The signal DJIT preferably corresponds to the output of a random number generator (not shown). The delay generator 20 is then controlled stochastically.
The propagation time of the signal H through an inverter varies with the size of the transistors that make up the inverter, typically an N-type MOS transistor and a P-type MOS transistor connected in series. By adjusting the size of the transistors, for example those of inverters 26 and 28, the delays applied to the signals CPI and CPN can be varied from one memory element to another.
In a preferred embodiment, a register comprises several memory elements and at least one of the two delay values differs from one memory element to another.
Figure 19 shows the envelope of the electric current consumed by a memory element 6 equipped with the random delay generator 20. The gap between the upper and lower limits of the envelope is smaller than in Figure 10, and the envelope also spreads over a longer duration. In fact, the random delay introduced on the signals CPI and CPN delays the update of the signal Q1 (or of the signal Q2) relative to the edge of the external clock H. The average power consumption of the flip-flop is therefore spread over a longer period of time. In other words, the current consumption of the memory element is averaged over several cycles or cryptographic computations. This further reduces the average difference in consumption between all the operating modes of the memory element. It therefore becomes difficult to distinguish the state of the memory element from consumption measurements.
To carry out side-channel attacks on a register, the switching of the flip-flops and their associated consumption must be synchronized with the external clock signal H. When this is not the case, the attacker performs a so-called resynchronization operation. In the case of memory elements according to Figure 11, however, each element is slightly desynchronized from the clock H by the generator 20 integrated in each flip-flop. This desynchronization is, on the one hand, variable within a single flip-flop between two successive switching events, thanks to the signal DJIT. On the other hand, it can differ from one memory element to another by adapting the generator 20, for example by changing the size of the inverter transistors. Resynchronization of all the memory elements is therefore impossible, which further improves robustness to side-channel attacks.
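The effect of the delay generator on traces aligned to H, as described for Figure 19 and for registers with differently sized inverters, can be reproduced numerically. The following Python model is an added example, not part of the patent; the inverter propagation times, the pulse shape and the 5 ps resolution are constructed assumptions, and DJIT is drawn from a seeded pseudo-random generator standing in for the random number generator.

```python
import random

BIN_PS = 5                               # time resolution of the model (assumption)
PULSE = [0.25, 0.5, 1.0, 0.5, 0.25]      # constructed switching-current pulse, 25 ps wide

def clock_delays(djit, inv):
    """Delay of CPN and CPI relative to H for the generator of Figure 11.

    inv maps an inverter number (22, 24, 26, 28) to its propagation time in ps.
    DJIT = 0: H -> 22 -> 24.   DJIT = 1: H -> 22 -> 26 -> 28 -> 24.
    """
    cpn = inv[22] + (inv[26] + inv[28] if djit else 0)
    return cpn, cpn + inv[24]

def averaged_trace(elements, n_cycles, rng, jitter=True, length_ps=300):
    """Mean current of a register over n_cycles, every cycle aligned on the edge of H.

    elements is a list of per-element inverter delay maps; each element draws
    its own DJIT bit on every cycle when jitter is enabled.
    """
    acc = [0.0] * (length_ps // BIN_PS)
    for _ in range(n_cycles):
        for inv in elements:
            djit = rng.getrandbits(1) if jitter else 0
            _, cpi = clock_delays(djit, inv)
            start = cpi // BIN_PS
            for i, value in enumerate(PULSE):
                acc[start + i] += value
    return [x / n_cycles for x in acc]

def peak_and_spread(trace):
    """Peak of the averaged trace and number of time bins carrying current."""
    return max(trace), sum(1 for x in trace if x > 0)

# Constructed register of four elements: identical inverters, then inverters
# 26 and 28 sized differently in each element.
IDENTICAL = [{22: 25, 24: 25, 26: 25, 28: 25} for _ in range(4)]
VARIED = [{22: 25, 24: 25, 26: d, 28: d} for d in (25, 30, 35, 40)]

if __name__ == "__main__":
    rng = random.Random(19)
    cases = [
        ("conventional clock tree", IDENTICAL, False),
        ("random delay, identical elements", IDENTICAL, True),
        ("random delay, varied inverter sizes", VARIED, True),
    ]
    for label, elements, jitter in cases:
        peak, spread = peak_and_spread(averaged_trace(elements, 2000, rng, jitter))
        print(f"{label:38s} peak={peak:.2f} spread={spread * BIN_PS} ps")
```

With these constructed values the averaged peak of the four-element register drops from 4 to about 2 once DJIT is random, and the current spreads over 50 ps instead of 25 ps, or 80 ps when inverters 26 and 28 differ between elements.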
In addition, the random delay generator 20 limits information leakage from the logic circuits located downstream of the memory element. The computations of these circuits are delayed, which also reduces their average difference in consumption. Not only is the memory element secured, but the logic circuits placed at its output are also more robust to attacks. In a single-rail logic circuit, a binary value is coded on one wire, which corresponds to two distinct states: '0' and '1'. In dual-rail logic, the binary value is coded on two wires. It is then possible to code up to four states: '00', '01', '10' and '11'. Dual-rail coding is intrinsically more robust to attacks because it provides a first level of consumption balancing.
The secure memory element described above can be used in a single-rail logic circuit, using only the signal D1 at the output of the memory element. However, the memory element is also suited to dual-rail coding with return to an invalid state. It suffices to use the output Q2 of the second flip-flop 8b. Single-rail registers and dual-rail registers can thus be combined, simply and securely, in the same circuit, using a single type of memory element. As described previously, the signal D2 of flip-flop 8b is updated before flip-flops 8a and 8b are updated, that is, before each rising edge of the signal CPI, for example on each falling edge.
Figure 20 shows a preferred embodiment of the logic circuit 10 in which the signal D2 is synchronized on the falling edges of the signal CPI.
The first step is to synchronize the signal D1 on the falling edges of the signal CPI. To do this, a portion of the block diagram of flip-flop 8a (Fig. 11) is reproduced. This input portion of flip-flop 8a comprises, in succession, the inverter 12, the transfer gate TM and the inverter 16. The signal D1' at the output of inverter 16 corresponds to the signal D1 synchronized on the falling edges of the signal CPI, since the gate TM is conducting while the signal CPI is low.
In the example of Figures 12 to 18, the signal D1 is synchronized on the rising edges of the signal CPI. The signal D1' is then offset by half a clock cycle relative to the signal D1. The signal D1' in fact corresponds to the complement of the signal at node NM1 (Fig. 15).
In Figure 20, two transfer gates TG and TG' produce the signals Q1' and Q2' from the signals Q1 and Q2. The signals Q1' and Q2' correspond respectively to the signals Q1 and Q2 synchronized on the rising edges of the signal CPI, with their values held while the signal CPI is low. The exclusive NOR function of circuit 10 is implemented by a plurality of inverters and transfer gates arranged so as to define different propagation paths for the signal D1'.
Circuit 10 comprises a first inverter 34 that receives the signal D1' as input and is connected in series with a first branch 36a provided with a transfer gate 38a. A second branch 36b, in parallel with branch 36a, comprises a transfer gate 38b and an inverter 34b. Gates 38a and 38b are controlled in phase opposition by the signal Q1' and its complement.
A third branch 36c is connected in series with branches 36a and 36b. It comprises a transfer gate 38c. Connected in parallel with branch 36c, a branch 36d comprises a transfer gate 38d and an inverter 34d. Gates 38c and 38d are controlled in phase opposition by the signal Q2' and its complement.
The signal D1' always propagates through two of the four branches: one of branches 36a and 36b, then one of branches 36c and 36d, depending on the state of gates 38a-d. The signal D1' thus passes through one, two or three inverters depending on the state of the signals Q1' and Q2' and their complements. For example, when the signals Q1' and Q2' are low ('0'), the signal D1' propagates through branches 36a and 36c and passes through only one inverter (34). The signal D2 is then '1' if the signal D1' is '0', and '0' if the signal D1' is '1'.
With this configuration, a value of the signal D2 is associated with each combination of values of the signals D1, Q1 and Q2, according to the truth table of the logic circuit 10. The signal D2 changes at the same time as the signal D1', that is, in synchronism with the rising edges of the clock signal CPI.
Many variants and modifications of the memory element will be apparent to those skilled in the art. In particular, implementations of the master-slave D flip-flop, the exclusive NOR gate and the inverter other than those described here may be used.

Claims

1. Memory element comprising a clock (CPI) and a first master-slave D-type flip-flop (8a) clocked by the clock, characterized in that it comprises a second master-slave D-type flip-flop (8b), structurally identical to the first flip-flop, clocked by the clock (CPI) and connected to the first flip-flop so that the second flip-flop (8b) switches at each active edge of the clock at which the first flip-flop (8a) does not switch.
2. Memory element according to claim 1, comprising a logic circuit (10) configured to detect a switching of the first flip-flop (8a) and to command the switching of the second flip-flop (8b) when the first flip-flop (8a) does not switch.
3. Memory element according to claim 2, wherein the logic circuit (10) receives as inputs an input signal (D1) of the first flip-flop (8a), an output signal (Q1) of the first flip-flop (8a) and an output signal (Q2) of the second flip-flop (8b), the logic circuit (10) being configured to make the second flip-flop (8b) switch when none of the three signals (D1, Q1, Q2) is in an active state or when two of the three signals are in an active state.
4. Memory element according to claim 3, wherein the logic circuit (10) is an exclusive NOR gate arranged to operate offset from the active edge of the clock.
5. Memory element according to claim 1, comprising a circuit (20) that generates the clock (CPI) from an external signal (H), configured to introduce a random delay between each active edge of the clock (CPI) and an associated active edge of the external signal (H).
6. Memory element according to claim 5, wherein the clock (CPI) is generated from the external signal (H) by means of a plurality of inverters (22, 24, 26, 28), and wherein the generator circuit (20) comprises a circuit (30, 32) for modulating the number of inverters.
7. Memory element according to claim 6, wherein the delay varies between a first value and a second value as a function of the number of inverters (22, 24, 26, 28) used to generate the clock (CPI).
8. Integrated circuit comprising first and second memory elements according to claim 7, characterized in that the first delay value of the first element differs from the first delay value of the second element.
PCT/FR2012/000103 2011-03-24 2012-03-23 Secure memory element WO2012127135A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1100889A FR2973138B1 (en) 2011-03-24 2011-03-24 SECURE MEMORY ELEMENT
FR1100889 2011-03-24

Publications (1)

Publication Number Publication Date
WO2012127135A1 true WO2012127135A1 (en) 2012-09-27

Family

ID=45974372

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FR2012/000103 WO2012127135A1 (en) 2011-03-24 2012-03-23 Secure memory element

Country Status (2)

Country Link
FR (1) FR2973138B1 (en)
WO (1) WO2012127135A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000026746A2 (en) 1998-11-03 2000-05-11 Koninklijke Philips Electronics N.V. Data carrier with obscured power consumption
FR2802733A1 (en) 1999-12-21 2001-06-22 St Microelectronics Sa SECURE MASTER-SLAVE LOCK

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3166143A1 (en) * 2015-11-05 2017-05-10 Gemalto Sa Method for manufacturing a device with an integrated circuit chip by direct deposition of conductive material
WO2017076780A1 (en) * 2015-11-05 2017-05-11 Gemalto Sa Method for manufacturing a device with integrated-circuit chip by direct deposit of conductive material
US10658283B2 (en) 2015-11-05 2020-05-19 Thales Dis France Sa Method for manufacturing a device with integrated-circuit chip by direct deposit of conductive material

Also Published As

Publication number Publication date
FR2973138B1 (en) 2013-04-12
FR2973138A1 (en) 2012-09-28

Similar Documents

Publication Publication Date Title
US20110260749A1 (en) Synchronous logic system secured against side-channel attack
TW200541279A (en) Integrated decision feedback equalizer and clock and data recovery circuit
EP1993057A1 (en) Detection of a status disruption of a rocker of an electronic circuit
Suresh et al. Entropy extraction in metastability-based TRNG
US20110285421A1 (en) Synchronous logic system secured against side-channel attack
TWI748285B (en) Random number generator based on meta-stability of shorted back-to-back inverters
FR3051084B1 (en) OSCILLATION NUMBER GENERATOR
CN102007470A (en) Device and method for generating a random bit sequence
WO2013104837A1 (en) Method of encryption protected against side channel attacks
FR2932336A1 (en) TIME-SAVING ASYNCHRONOUS CIRCUIT WITH DELAY INSERT CIRCUIT
WO2000054410A1 (en) Logic circuit protected against transitory perturbations
Lee et al. A 650Mb/s-to-8Gb/s referenceless CDR circuit with automatic acquisition of data rate
EP2257904A1 (en) Method for protecting a programmable cryptography circuit, and circuit protected by said method
TW201014284A (en) Decision feedback equalizer having clock recovery circuit and method for recovering clock
WO2012127135A1 (en) Secure memory element
EP1111783B1 (en) Protected D-type master-slave flip-flop
EP3242397A1 (en) Multiplexer structure
FR3051086A1 (en) PULSE COUNTING CIRCUIT
Drucker et al. Continuous key agreement with reduced bandwidth
Luo et al. Faulty clock detection for crypto circuits against differential fault analysis attack
Yuen et al. On the security of Y-00 under fast correlation and other attacks on the key
FR2995476A1 (en) ASYNCHRONOUS CIRCUIT WITH SEQUENTIAL WRITINGS
FR2986679A1 (en) True random number generator for use in digital electronic circuit e.g. field programmable gate array, has sampling unit sampling signals delivered on outputs of preceding stage of oscillator with specific integer values
KR102340775B1 (en) Synchronization circuit for threshold implementation of s-box
FR3034593A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12714742

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12714742

Country of ref document: EP

Kind code of ref document: A1