Nothing Special   »   [go: up one dir, main page]

GB2424089A - Side channel attack prevention in data processing apparatus such as a smart card - Google Patents

Side channel attack prevention in data processing apparatus such as a smart card Download PDF

Info

Publication number
GB2424089A
GB2424089A GB0504825A GB0504825A GB2424089A GB 2424089 A GB2424089 A GB 2424089A GB 0504825 A GB0504825 A GB 0504825A GB 0504825 A GB0504825 A GB 0504825A GB 2424089 A GB2424089 A GB 2424089A
Authority
GB
United Kingdom
Prior art keywords
scrambling
memory
data
data processing
processing apparatus
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB0504825A
Other versions
GB0504825D0 (en
Inventor
Anthony Kirby
John Patrick Nonweiler
Sususmu Kurioka
Andrew Kay
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sharp Corp
Original Assignee
Sharp Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sharp Corp filed Critical Sharp Corp
Priority to GB0504825A priority Critical patent/GB2424089A/en
Publication of GB0504825D0 publication Critical patent/GB0504825D0/en
Publication of GB2424089A publication Critical patent/GB2424089A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1408Protection against unauthorised use of memory or access to memory by using cryptography
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/77Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in smart cards
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/85Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105Dual mode as a secondary aspect

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

Data processing apparatus is provided which comprises: a processor (5); memory (3); a scrambler (110) arranged on a data transfer path (114) between the processor (5) and the memory (3), for scrambling data items passing through the scrambler (110) according to a specified scrambling regime; and at least one designated control line (120) arranged between the processor (5) and the scrambler (110) for switching the scrambler (110) at least between operating according to a first scrambling regime and operating according to a second scrambling regime different to the first scrambling regime. The data processing apparatus is a smart card in the embodiment.

Description

Side Channel Attack Prevention In Data Processing Apparatus The present
invention relates side channel attack prevention in data processing apparatus, for example in smart cards.
Figure 1 of the accompanying drawings is a block diagram illustrating the main parts of a typical smart card, also known as an integrated circuit card (ICC). The smart card 1 of Figure 1 comprises a memory portion 3, a central processing unit (CPU) 5, an input/output (I/O) portion 7, and a encryption unit 9. The CPU 5 is in two-way communication with the memory portion 3, the I/O portion 7, and the encryption unit 9.
These portions are typically contained within a single integrated circuit 2 embedded into the smart card I, which may be of a contact or contactless variety; one such smart card arrangement is illustrated schematically in Figure 2 of the accompanying drawings.
The smart card I is able to communicate with external devices via POWER and CLK channels to receive the required power and clock signal CLK (although some smart cards may have an internal power or clock source), and via an I/O channel to communicate data to and from the smart card I. Such communication is either by electrical signals through contact pins for a contact card, or by inductive, capacitive or optical coupling for a contact-less card.
Smart cards find many applications where the security and integrity of data stored in the card and communicated to and from the card is of paramount importance. For example a smart card can act as an identification card which is used to prove the identity of the cardholder. It can also be used as a medical card storing the entire medical history of a person. Furthermore a smart card can be used as a credit/debit bank card allowing off- line transactions. For this reason, it is common for smart cards to have encryption/ decryption capabilities so that sensitive data can be encrypted before it leaves the card via the I/O channel.
in the smart card 1 illustrated in Figure 1, such encryption is performed by the encryption unit 9. For example, if data stored within the memory portion 3 is required to be communicated to an external requesting device via the 1/0 channel, this data is requested from the memory portion 3 by the CPU 5 and sent to the encryption unit 9 as input data DIN. The encryption unit 9 encrypts the input data DIN to produce encrypted output data DOUT, which is returned to the CPU 5 for forwarding to the I/O portion 7 and subsequent transmission to the external requesting device on the I/O channel.
Any suitable encryption model can be used in the processing unit 9 to perform the encryption. Examples of encryption algorithms used in smart cards are the symmetric (or private) key ciphers such as the Data Encryption Standard (DES), the Triple DES, the Advanced Encryption Standard (AES), the Fast Data Encipherment Algorithm (FEAL) and the International Data Encryption Algorithm (IDEA). Alternatively use can be made of asymmetric (or public) key encryption algorithms such as the Rivest- Shamir-Adleman (RSA) algorithm and the Rabin Encryption Scheme.
Figure 3 of the accompanying drawings is a block diagram illustrating a cryptographic model which represents both public and private key cryptosystems. In this model, two parties, X and Y, attempt to use a cipher to engage in private communication across a public channel 13. Party X uses an encryption unit E to encrypt plaintext T using an encryption key K (which would be a public key in an asymmetric encryption model or a private key in the symmetric encryption model) to produce ciphertext C which is communicated over the public channel 13 to party Y. Party Y uses a decryption unit D and a private key K corresponding to the key Kx to decrypt the ciphertext C to reproduce the original plaintext T. However, a third party Z is eavesdropping on the private conversation between X and Y by monitoring the public channel 13. Party Z may know all the details of the cipher algorithm used, except for the secret key K, will have many ciphertext samples and may have several plaintextciphertext pairs (with the plaintext being derived from either party X or party Y by some other means). Such gathered information is then subject to computationally intensive cryptanalysis to break the cipher used and to determine the secret key used to produce or decrypt the ciphertext. This can be thought of as a traditional type of attack.
However, modern encryption techniques have been developed to be far more resistant to such traditional attacks based on brute-force computational analysis of traditionally gathered information. Attention has therefore turned recently to the use of other more obscure sources of information based on the physical implementation of the encryption system.
In reality, cipher systems are implemented on physical devices which interact with and are influenced by their environments. Electronic devices such as pagers and smart cards consume power and emit radiation as they operate and they also react to temperature changes and electromagnetic fields. It is these physical interactions which can be manipulated and monitored by third parties such as party Z and which may result in information which is useful in cryptanalysis. The traditional cryptographic model shown does not account for the physical side-effects of using ciphers in the real world, and a more realistic model can be described using the concept of a "side channel", and examples of side channels are illustrated in Figure 3. A side channel is a source of information that is inherent to a physical implementation, and an attack using such information is referred to as a "side channel attack".
For example, the amount of time it takes to compute a cryptographic function depends not only on what that function does, but also what inputs are passed to it. In addition to the message to be encrypted, cryptographic functions usually take a secret key as input and therefore the value of the secret key might influence publicly-observable timing characteristics. Such an attack based on timing side-channel information was proposed by Paul Kocher in an article entitled "Timing Attacks on Implementation of Diffie- Heliman, RSA, DSS and Other Systems", CRYPTO 96. In this paper was outlined a cryptanalysis method in which an attacker is able to analyse measurements of the time it takes to compute several RSA signatures and deduce the signing entity's secret key.
In addition, electronic devices draw current from a power source during their operation.
The amount of current they draw, and therefore the power consumption, varies as the logic gates (usually CMOS) switch during the performance of the encryption algorithm.
Power consumption is useful to an adversary because it is correlated to the calculations being performed. One of the most threatening types of side-channel attacks based on power analysis is that of differential power analysis (DPA) proposed by Kocher et al in a paper entitled "Differential Power Analysis", CRYPTO 99.
Another form of side-channel attack is one that is based on the deliberate introduction of a fault into the encrypting system and the subsequent monitoring of the effect caused by that fault. In their paper entitled "On the Importance of Checking Cryptographic Protocols for Faults", 1997, Boneh, DeMillo and Lipton introduced fault- based side- channel attacks based on the observation that errors induced in the hardware devices leak information about the implemented encryption algorithm. By exposing an encryption device to ionising or microwave radiation, a fault could be introduced at a random bit location in one of the registers, which could be used to factor the modulus of an RSA public key encryption algorithm. Bihim and Shamir presented a fault-based channel-attack called Differential Fault Analysis (DFA) in their paper entitled "Differential Fault Analysis of Secret Key Cryptosystems" CRYPTO 97, which is effective against symmetric or private key cryptosystems such as DES. It was shown that DFA can find the last DES round key using less than 200 ciphertexts (no plaintext) and can even uncover the structure of an unknown cryptosystem implemented in a smart card. The best non-side- channel attacks against DES require just under 64 terabytes of plaintext and ciphertext encrypted under a single key.
Such side channel attacks can be applied against a wide variety of data processing devices to reveal secret information about the physical implementation of that device.
Because of the increasing sophistication of such side-channel attacks, it is important to address these technical problems and to protect data processing devices such as smart cards from these attacks by leaking as little information as possible in the side-channels, making it more difficult to introduce faults, and detecting attempted attacks. Some techniques for doing so are described in GB-A-2,399,426 and GB-A-2,403, 308.
According to a first aspect of the present invention there is provided data processing apparatus comprising: a processor; memory; a scrambler arranged on a data transfer path between the processor and the memory, for scrambling data items passing through the scrambler according to a specified scrambling regime; and at least one designated control line arranged between the processor and the scrambler for switching the scrambler at least between operating according to a first scrambling regime and operating according to a second scrambling regime different to the first scrambling regime.
The first scrambling regime may comprise scrambling data items before they are written to the memory.
The first scrambling regime may comprise descrambling data items after they are read from the memory.
The second scrambling regime may comprise not scrambling data item before they are written to the memory.
The second scrambling regime may comprise not descrambling data items after they are read from the memory.
The scrambler may be arranged on the data path closer to the processor than the memory.
The scrambler may be adjacent the processor.
At least one otherwise redundant signal line originating from the processor may be used as the at least one designated control line.
At least one of the at least one designated control line may be a dedicated control line.
A subset of a group of signal lines originating from the processor may be used as at least one of the at least one designated control line, the group of signal lines having a common intended function.
The common intended function may comprise an address transfer function.
The common intended function may comprise a data transfer function.
The scrambler may be arranged on an address transfer path between the processor and the memory.
The address transfer path may comprise a plurality of address lines for carrying respective addressing signals defining a memory address to be used for an operation on the memory.
At least one address line may be used as at least one of the at least one designated control line.
It may be that the at least one address line so used would otherwise be active only when specifying such a memory address outside an addressing range of the memory.
The at least one address line so used may represent the most significant part of such a memory address.
The at least one address line so used may terminate at the scrambler.
The data transfer path may comprise a plurality of data lines for carrying respective data signals representing the data.
At least one of the data lines may be used as at least one of the at least one designated control line.
The memory may comprise persistent memory.
The memory may comprise flash memory.
The apparatus may further comprise a memory controller arranged between the scrambler and the memory.
The memory controller may be responsive to data carried on the data lines representing commands to the memory controller to perform specified tasks.
The processor may be operable to use the at least one control line to switch the scrambler to the second scrambling regime before sending data representing such a command over the data lines.
The apparatus may further comprise a select line for carrying a select signal to the scrambler for controlling whether scrambling or descrambling is performed.
The apparatus may comprise a single such designated control line.
The processor may be a Central Processing Unit, CPU.
According to a second aspect of the present invention there is provided a smart card comprising data processing apparatus according to the first aspect of the present invention.
According to a third aspect of the present invention there is provided a method for use by a processor in an apparatus comprising memory and a scrambler arranged on a data transfer path between the processor and the memory for scrambling data items passing through the scrambler according to a specified scrambling regime, the method comprising using at least one designated control line of the apparatus to switch the scrambler at least between operating according to a first scrambling regime and operating according to a second scrambling regime different to the first scrambling regime.
According to a fourth aspect of the present invention there is provided a method of applying a first scrambling regime to first data items and a second scrambling regime, different to the first scrambling regime, to second data items, comprising allocating the first data items to a first memory addressing range associated with the first scrambling regime and the second data items to a second memory addressing range associated with the second scrambling regime, the first and second memory addressing ranges being differentiated by use of at least one addressing bit, and relying on an external scrambler to perform scrambling according to the scrambling regime specified by the at least one addressing bit.
According to a fifth aspect of the present invention there is provided a program for controlling a processor to perform a method according to the third or fourth aspect of the present invention.
The program may be carried on a carrier medium.
The carrier medium may be a transmission medium.
The carrier medium may be a storage medium.
Reference will now be made, by way of example, to the accompanying drawings, in which: Figure 1, discussed hereinbefore, is a block diagram illustrating the main parts of a typical smart card; Figure 2, also discussed hereinbefore, is an illustrative diagram showing a typical smart card layout; Figure 3, also discussed hereinbefore, is an illustrative block diagram for use in explaining a typical cryptographic model including side-channels; Figure 4 is a block diagram showing a known arrangement for implementing a memory scrambling technique; Figure 5 is a block diagram showing data processing apparatus to which an embodiment of the present invention is applied; Figure 6 is a block diagram showing parts of the data processing apparatus of Figure 5 in more detail in accordance with a first embodiment of the present invention; Figure 7 is a block diagram showing parts of the data processing apparatus of Figure 5 in more detail in accordance with a second embodiment of the present invention; and Figure 8 is a block diagram showing parts of the data processing apparatus of Figure 5 in more detail in accordance with a third embodiment of the present invention.
Secret information can leak from a smart card in a side channel not only when performing cryptographic operations as described above, but also when processing secret data in a more routine way, for example when loading that data from memory or writing that data to memory. If the secret data is a secret key, for example, then the power consumption of the memory might be related to the bit content of the secret key; anyone monitoring this power consumption during a memory read or write operation could glean important information about the secret key.
To provide further security against side channel attacks of this type, it is proposed in an embodiment of the present invention to use a "scrambling" technique whereby information is "scrambled" before it is written to memory, and "unscrambled" as it is read back out from memory. This is referred to here as "memory scrambling", because the memory itself contains data in a scrambled format. This is to be contrasted with "bus scrambling" to be described below. Memory scrambling in general has been previously proposed for smart cards, but has not been previously described in relation to improving protection against power side channel attacks.
Random Access Memory (RAM) is relatively straightforward to scramble, and a typical arrangement to achieve this is shown in Figure 4. A scrambling unit 11 is provided between the CPU 5 and the memory portion 3, scrambling all data transferred on a data bus as it is written to the memory portion 3, and descrambling all data as it is read from the memory portion 3. This can be completely invisible to the CPU 5, with the scrambled memory appearing like normal memory.
Scrambling flash type memory, for example NOR-type flash memory, is somewhat more complicated due to the physical processes involved in writing data to flash memory, as will be described below. Flash memory is often provided in smart cards for storing sensitive information code and data, particularly sensitive information such as secret encryption keys. If an attacker can read the contents of memory in the smart card, then they will be also be able to read any key used to encrypt those contents, so encryption alone cannot be used to make the memory secure. The nature of smart cards make it intrinsically difficult for an attacker to access to the memory, but it may be useful to add some encryption or scrambling to make any attack even more difficult.
It has been previously considered to scramble the memory bus in a smart card between the CPU and the memory, whereby data is scrambled either before or soon after it leaves the CPU, and then descrambled before it is actually written to memory. This is referred to here as "bus scrambling", since only data travelling on the bus is in scrambled format; the data eventually written to memory is not.
Bus scrambling is useful for protecting against some of the attacks described above, and avoids any problems associated with writing scrambled messages to the flash memory.
However, it can be considered to be less effective as scrambling the memory itself, due to the fact that data is written to and read from the memory in unscrambled format, and hence the memory power consumption will still reveal information about the data. It also costs more in terms of speed and area, since a scrambling and a descrambling step is required for each data write and read operation (at either end of the bus), whereas for memory scrambling only a single step is required for each such operation (a single scrambling step for a write operation and a single descrambling step for a read operation).
TW0526496B and JP2001035 171A2 describe a flash memory which is not accessed with standard commands. The command codes are encrypted, such that if an attacker who does not know the secret encryption method or key connects directly to the flash memory, then it is difficult for them to control the flash memory. Only the initial command codes are encrypted, and the flash memory controller switches off the decryption after successfully receiving a command code, so that data and addresses can be used as normal. Another system is described in the article "Fast Primitives for Internal Data Scrambling in Tamper Resistant Hardware", C. K. Koc, D. Naccache, and C. Paar, Eds., Cryptographic Hardware and Embedded Systems, CHES 2001, vol. 2162 of Lecture Notes in Computer Science, pp. 16-28, Springer-Verlag, 2001 (available from http://www. gemplus.com/srnaJ.tJrdJpublicatjofl5/pf/ 1 scr.pdf).
Further, if memory scrambling is used, then bus scrambling is not actually required, so long as scrambling and descrambling is performed at the CPU end of the bus, since both the bus and the memory will benefit from the scrambling.
Apart from power side channel attacks mentioned above, there are also direct attacks based on taking a smart card apart, attaching a probe to a line inside the chip, and monitoring the signal on one or two bus lines (usually not reading the whole bus).
Scrambling can be useful to stop the attacker getting any useful information in this way.
As mentioned previously, the introduction of a fault into a cryptographic calculation can also be used to form the basis of an attack, and such a fault might be introduced into memory. If the memory is scrambled, then it can make it more difficult for an attacker to introduce specific faults.
In this context, it should be recognised that "scrambling" is similar to "encryption" in that both terms imply a mixing of data bits in a reversible manner. The term "encryption" is generally considered to suggest a stronger form of security than "scrambling", disguising the content of a message or data in a more effective or complex way, but this need not be the case. The term "scrambling" will be used herein, but it is to be understood that this term should be interpreted as covering any form of reversible data manipulation.
A smart cart 100 to which an embodiment of the present invention is applied is illustrated schematically in Figure 5. The smart card 100 differs from the smart card 1 of Figure 1 by incorporating a scrambling unit 110 disposed on a path between the Cpu and the memory portion 3.
Figure 6 is a block diagram showing a schematic arrangement of the CPU 5, scrambling unit 110 and memory portion 3 of Figure 5 according to a first embodiment of the present invention.
The scrambling unit 110 is arranged on a data bus 114 between the CPU 5 and the memory portion 3. The scrambling unit 110 is also arranged on an address bus 116 between the CPU 5 and the memory portion 3. Unlike the scrambling unit 11 of Figure 4, the scrambling unit 110 is switchable between operating according to a first scrambling regime in which a data item is scrambled before an operation to write the data item to the memory portion 3, and according to a second scrambling regime in which a data item is not scrambled before an operation to write the data item to the memory portion 3. A designated control line 120 is provided for this purpose to carry a control signal to an enable/disable input of the scrambling unit 110.
When the control signal is at a high level, the scrambling regime is activated in which a data item on the data bus 114 is scrambled before it is written to the memory portion 3 at a memory location specified by address data on the address bus 116. When the control signal is at a low level, the second scrambling regime is activated in which the scrambling unit 110 does not perform scrambling on a data item on the data bus 114 before it is written to the memory portion 3 at the memory location specified by the address data. Of course, these two scrambling regimes could be activated with the control signal levels reversed. A similar process to that described above also operates for read operations, whereby data items are either descrambled or not after being read from the memory portion 3, depending on the level of the control signal on the control line 120. The term "scrambling regime" used herein is intended to describe both what happens in the write direction and what happens in the read direction.
The read/write select line 115 carries a read/write select signal which is used to determine whether or not the scrambling unit 110 performs scrambling or descrambling on the data on the data bus 114, and whether to read data from the CPU S side or the memory portion 3 side of the data bus 114. The read/write select line 115 continues on to the memory portion 3 to control whether a read or write operation is performed there.
In this particular embodiment, the address bus 116 is not required as input to the scrambling unit 110 since the address data is not required at the scrambling unit 110.
The address bus 116 therefore bypasses the scrambling unit entirely.
An embodiment of the present invention has a major technical advantage over previously-considered systems in that a program executing on the CPU 5 can choose at run-time which locations are to be scrambled and which are not. Unlike the arrangement described above with reference to Figure 4, where scrambling is enabled at all times for all memory locations within the memory portion 3, with an embodiment of the present invention scrambling can be switched on or off at any time.
In the first embodiment described above with reference to Figure 6, the control line 120 is dedicated to carrying a control signal for enabling and disabling operation of the scrambling unit 110, and is provided specifically for this purpose. However, it is preferable in some situations that an existing but otherwise redundant signal line originating from the CPU 5 is designated for use as the control line 120. This type of arrangement will be described below in connection with the second and third embodiments of the present invention.
Figure 7 is a block diagram showing a schematic arrangement of the CPU 5, scrambling unit 110 and memory portion 3 of Figure 5 according to a second embodiment of the present invention. In the second embodiment, a redundant address line is designated for use as the control line 120 described above in connection with the first embodiment.
In the second embodiment shown in Figure 7, the address bus 116 comprises five address lines originating from the Cpu 5, while the memory portion 3 comprises memory that is fully addressable using only four address bits. One of the address lines originating from the CPU 5 is therefore redundant for the purpose of addressing memory locations in the memory portion 3, only being active when specif'ing a memory address outside an addressing range of the memory portion 3. This redundant address line is used as the control line 120 in the second embodiment of the present invention for carrying the control signal described above for switching the scrambling unit 110 between the first and second scrambling regimes.
When the control signal on the fifth address line is at a high level, the first scrambling regime is activated in which a data item on the data bus 114 is scrambled before it is written to the memory portion 3 at a memory location specified by the other four address lines. When the control signal on the fifth address line is at a low level, the second scrambling regime is activated in which the scrambling unit 110 does not perform scrambling on a data item on the data bus 114 before it is written to the memory portion 3 at the memory location specified by the other four address bits. Of course, these two scrambling regimes could be activated with the control signal levels reversed. A similar process to that described above also operates for read operations, whereby data items are either descrambled or not after being read from the memory portion 3, depending on the level of the control signal on the address control line 120, and in dependence upon the value of the read/write select signal on the read/write select line 115.
The above arrangement according to the second embodiment of the present invention has the effect of providing two logical views of the single physical memory area in the memory portion 3, one of which uses scrambling and the other of which does not. This has a major technical advantage in that a program executing on the CPU 5 can choose at memory allocation time which locations are to be scrambled and which are not (as well as at run time), and the task of scrambling and descrambling will effectively be hidden from the programmer thereafter. This greatly eases the burden on the programmer, and encourages greater use of the scrambling function. This ease of use will be illustrated in an example to be described below.
It will be appreciated that an embodiment of the present invention can beused both in the case where the memory portion 3 comprises random access memory (RAM) and in the case where the memory portion 3 comprises persistent memory such as flash memory. In the case of flash memory, particular issues arise, and these will now be discussed.
A flash write operation can only change a data bit value stored in the flash memory from a 1 to a 0, with a flash erase operation being required to change a stored bit value from a 0 to a 1. Another type of flash memory could operate in reverse, with a write operation changing a data bit value from a 0 to a I and a flash erase operation changing a data bit value from a I to a 0, but the former will be assumed herein. On the other hand, a flash erase operation is only possible on a whole page of stored data, which can be very large, for example 64 kB.
Flash write operations, and in particular flash write operations to update data already written at a particular location, are therefore very different to RAM write operations since it is only possible to alter the value of a particular bit from a I to a 0, but not vice versa. This presents problems when trying to implement a scrambling function for flash memory which are not an issue when applying a scrambling function to RAM.
Because the flash erase operation does not work at the word level, flash memory must be treated differently to RAM. When a value stored in flash memory is to be updated, it cannot usually be updated in place, as would be done in RAM. Instead, the new value would usually be written at a new address, with information being stored to ensure that the old value is ignored and the new value is used instead. Eventually the segment would fill up and would be erased in a block, copying just the current stored items back in after the block erase operation. Because of this, flash memory is often used for storing "bit fields" where each bit (or several bits) in a word has a specific logical meaning, such as "valid data" or "marked for deletion". These bits would typically be set individually, at different times during the operation of the device, each time setting one or more value to a 0 value (a whole word could be used instead to store each bit, although this would be less efficient).
Where a value is to be updated in place, this can only be by way of changing an existing I to a 0. A particular bit of a stored value can be changed from a I to a 0 simply by writing a new word to the appropriate memory location in which the target bit is set to 0 instead of 1. Because of the history property of flash memory, it is important that each source bit is written to the same target bit in the memory location each time. For example, suppose a value at a particular flash memory location is read out as being 11, and this value is to be updated (written back to the same memory location) as 1001, with only the third bit changing from a 1 and to a 0. It is important that the bit order is preserved, or at least changed in the same way each time, so that the updated bit is actually written to the same bit location in the memory location as before, changing the bit location from a I to a 0. The introduction of a scrambling unit between the Cpu and the memory portion would potentially destroy this consistent mapping without careful consideration.
One solution would be to use a very weak form of scrambling in which the data bits are permuted in a predictable and consistent way for a particular address. The permuting could therefore be keyed with the address, resulting in the mixing of existing bits within the word without any of the bit values actually being changed. However, this weak form of scrambling would be less effective against side channel attacks.
This is one of the problems associated with writing to and reading from flash memory.
A further complication is caused by the presence of a flash memory controller which is used as an interface between the CPU and the actual memory. For example, before writing any data to flash memory, a "write command" must first be sent to the flash controller to prepare the flash for writing, with the actual data value to be written being sent to the flash thereafter. The flash memory is controlled by sending sequences of commands to the flash controller.
When the flash state machine is in the "read array mode", data can be read from flash by the CPU as it would read from RAM. However, writing or erasing flash is very different, as the following simple example of writing a data value OxDD to an address OxAA illustrates. (It should be noted that, on a smart card flash memory is used for storing both code and data. However, flash control routines cannot be executed from flash memory as will be explained below; therefore the first step in the following sequence of example steps is to jump out of the flash-stored code into RAM- or ROM- stored code.) 1. Jump to RAM or ROM code.
2. Write 0x40 (interpreted by the flash controller as the "write command") to any address in the flash memory.
3. Write OxDD (the data value) to the address OxAA (the intended address). This value is understood by the flash controller as being the data to be written and the address to be written to. This causes the flash controller to initiate the write operation, which may take a few hundred CPU cycles.
4. Send a "read" command to read from any address in the flash memory. This is interpreted by the flash controller as a "read status register" command. Continue doing this until the status register indicates that the physical write operation has finished.
5. Write OxFF (interpreted by the flash controller as the "read array command") to any address in the flash memory.
6. Jump back to the flash code.
From the time that the "write command" is sent until the "read array command" is sent, the flash memory is in a special mode and cannot be used for reading data or CPU instructions. Instead, each "read" CPU instruction is interpreted by the flash controller as a request to read the status register (which is why flash control routines cannot be executed from flash memory).
Since the commands, parameters and responses travel down the normal address and data buses, they would be subject to any scrambling which happened to be in force (the address bus would usually be scrambled as well as the data bus, although this is not essential). In particular, since the commands to the flash controller are sent on the data bus, any command would be rendered unintelligible to the flash controller after scrambling. Therefore, an extra "pre-scrambling" step would be required to be performed in software before the command is sent to the flash controller over the data bus, resulting in a major overhead at the Cpu.
However, the actual data sent in step 3 above should still be scrambled (if required), so it is not possible simply to turn all scrambling off for the duration of the above routine.
Other, more complex, command sequences exist, to which similar considerations apply.
It might be possible to avoid some of the above problems by not having a hardware scrambling unit at all, instead scrambling some sensitive "writeonce" data in software before writing to and after reading from the flash memory. However, this would require a great deal of extra work for software developers, with the temptation to scramble only the bare minimum of data. Software is also slow when compared to hardware, more code space would be required by the software, with extra temporary buffers in RAM, and code running from flash memory would not be scrambled.
If only data are stored in flash, and the cu is able switch scrambling on and off, then some of that data can be scrambled, and some not. Also scrambling can be switched off for writing commands, and on for writing/reading data. However, if code is also stored in flash, then switching scrambling on and off will interfere with reading those instructions that tell the CPU to read the data.
The above problems associated with applying scrambling to flash memory can elegantly be addressed by an embodiment of the second embodiment of the present invention, as will now be described.
Consider again the above example where the value OxDD is to be written to flash memory address OxAA. As mentioned above, the effect of using one of the address lines as the control line 120 in the second embodiment is to divide the physical memory into two logical areas. For this example, consider that the memory portion 3 is divided into a scrambled area S and a non-scrambled area N. The data OxDD can be chosen either to be scrambled in memory, in which case it would be allocated an address OxAA in the scrambled area S, or to be non-scrambled in memory, in which case it would be allocated an address OxAA in the non-scrambled area N. In the second embodiment of the present invention, the above procedure to write the value OxDD to address OxAA 1. Jump to RAM or ROM code.
2. Write 0x40 to any address in memory area N. 3. Write OxDD to address OxAA.
4. Read from any address in memory area N until the physical write process has finished.
5. Write OxFF to any address in memory area N. 6. Jump back to flash code stored in memory area S. In the above scheme, all commands are non-scrambled to avoid having to perform a "pre-scramble" step in software to ensure an understandable command at the flash controller, and all data is either scrambled or not depending on what it is and what is required of it (i.e. depending on whether it is allocated to memory area S or N). The second embodiment illustrates that the "data" on the data bus I 14 can be any type of information, including commands, and the term "data" used herein is not intended to be limited to any particular kind of information.
In the second embodiment illustrated in Figure 7, the redundant address line used as the control line 120 is shown as terminating at the scrambling unit 110 since it is not required by the memory portion 3. This is not essential.
It is also possible to use a non-redundant address line as the control line 120, in other words an address line carrying an address bit which is actively used to address memory within a valid addressing range. For example, the address line carrying the most significant bit of an address within the addressing range of the memory portion 3 could be designated as the control line 120. In this case, the memory portion would be divided into a first half that is always scrambled and a second half that is always non- scrambled, unlike in the second embodiment in which a particular memory location can either be allocated to the scrambled or the non-scrambled view. In such a case, the control line 120 would not be a dedicated control line in the sense that it serves only as a control line, since it also still serves as an address line. Even in the case where a redundant address line is designated as the control line, this control line need not be dedicated for use in controlling the scrambling unit 110 only; it may also serve to carry control or other signalling to other parts.
In the second embodiment described above, an existing address line was used as the control line 120. It is possible that another type of existing signal line is used instead as the control line 120. For example, Figure 8 is an illustrative block diagram of a third embodiment of the present invention in which a redundant data line of the data bus 114 is used as the control line 120. The manner of operating an apparatus according to the third embodiment would be readily apparent to the skilled person and will not be described herein.
Any suitable scrambling algorithm can be used in the scrambling unit 110 of an embodiment of the present invention. For example, the well-known DES (Data Encryption Standard) encryption algorithm could be used, or a reduced version thereof with fewer rounds to improve operation speed on a smart card. Other types of scrambling methods would be readily apparent to the skilled person. The scrambling key could be stored (unscrambled) in flash memory. A different scrambling key could be used for each smart card. A different scrambling key could be used within different areas of the memory, for example for different segments of the memory. The boot program could be stored in an unscrambled area, and this could load the scrambling key before jumping to scrambled code. Bit fields in flash would usually not be scrambled.
Code, and write-once data (such as all other secret keys) would usually be scrambled.
In the above-described embodiments, the control signal on the control line 120 controlled the scrambling unit 110 to enable and disable scrambling for both read and write operations, and this is preferable. It is possible that, in an alternative embodiment, the control signal is used to control scrambling in one direction only, for example only for data items being written to the memory portion 3, with data items being transferred unscrambled back to the CPU 5 after being read from the memory portion 3, or vice versa. In such an embodiment, there is no need for the read/write select line 115 to be routed via the scrambling unit 110. In this context, there would be two scrambling regimes: a first scrambling regime in which data items are scrambled towards the memory portion 3 but are not descrambled towards the CPU 5; and a second scrambling regime in which data items are not scrambled or descrambled in either direction.
Although it is described above that the control line is a single physical line, this need not be the case. The control line may, for example, comprise more than one physical line carrying the same signal. It will also be appreciated that more than one control signal, and corresponding control line, may be used to control the scrambling unit 110.
For example, one control signal could be used to switch the scrambling unit 110 into the first scrambling regime, and another could be used to switch the scrambling unit 110 into the second scrambling regime.
The second embodiment described the mapping of two logical memories within a single physical memory by use of a single addressing line as the dedicated control line.
Essentially, with the second embodiment there are two scrambling regimes which the programmer can switch between, for example scrambled and nonscrambled, or scrambled using a first method and scrambled using a second method. It would be possible to have more than two logical memories mapped within a single physical memory, and each logical memory could have its own scrambling regime. For example, possible scrambling regimes might be: unscrambled, simply scrambled, scrambled with address, scrambled with key, scrambled with address and key, and so on. The programmer would have the added flexibility of choosing from one of a number of different scrambling regimes. This would require the use of more than one spare address line to encode the various scrambling choices.
A smart card might have a number of different types of memory, such as RAM, ROM (Read Only Memory), and Flash. These different types of memory will often be mapped to separate areas in the CPU's address space, and an embodiment of the present invention can be used in conjunction with such an arrangement. Different scrambling regimes might be used for the different memories, or some memories might not be scrambled at all.
Although the above embodiments are described particularly in the context of flash memory and RAM, other types of memory can be used, such as EEPROM. In addition, although the main application for the scrambling technique has been described above as being for use in a smart card such as that shown in Figure 1, the technique can be employed in other secure devices such as USB tokens, secure memory, secure multimedia, secure access modules (SAM) and RFID (Radio frequency identification) tags.
An embodiment of the present invention is able to improve protection against side channel attacks. An embodiment of the present invention is relatively fast since the scrambling function can be implemented in hardware. An embodiment of the present invention makes it easier to develop hardware and software for smart card and other applications. An embodiment of the present invention is uses less area on the chip than equivalent methods. An embodiment of the present invention is allows the use of scrambled code and unscrambled data at the same time, with full flexibility in software even after the hardware is fixed.
A program embodying the present invention performs the necessary functions at the processing unit 5 for enabling the proper control signal or signals to be sent to the scrambling unit 110 to switch the scrambling unit 110 to the appropriate scrambling regime. A program embodying the present invention could be stored on a computer- readable medium, but could also be embodied in a signal such as a downloadable data signal provided from an Internet website. The appended claims are to be interpreted as covering a program by itself, or as a record on a carrier, or as a signal, or in any other form.

Claims (35)

  1. CLAIMS: 1. Data processing apparatus comprising: a processor; memory; a
    scrambler arranged on a data transfer path between the processor and the memory, for scrambling data items passing through the scrambler according to a specified scrambling regime; and at least one designated control line arranged between the processor and the scrambler for switching the scrambler at least between operating according to a first scrambling regime and operating according to a second scrambling regime different to the first scrambling regime.
  2. 2. Data processing apparatus as claimed in claim 1, wherein the first scrambling regime comprises scrambling data items before they are written to the memory.
  3. 3. Data processing apparatus as claimed in claim I or 2, wherein the first scrambling regime comprises descrambling data items after they are read from the memory.
  4. 4. Data processing as claimed in claim 1, 2 or 3, wherein the second scrambling regime comprises not scrambling data item before they are written to the memory.
  5. 5. Data processing apparatus as claimed in any preceding claim, wherein the second scrambling regime comprises not descrambling data items after they are read from the memory.
  6. 6. Data processing apparatus as claimed in any preceding claim, wherein the scrambler is arranged on the data path closer to the processor than the memory.
  7. 7. Data processing apparatus as claimed in claim 6, wherein the scrambler is adjacent the processor.
  8. 8. Data processing apparatus as claimed in any preceding claim, wherein at least one otherwise redundant signal line originating from the processor is used as the at least one designated control line.
  9. 9. A method as claimed in any preceding claim, wherein at least one of the at least one designated control line is a dedicated control line.
  10. 10. A method as claimed in any preceding claim, wherein a subset of a group of signal lines originating from the processor is used as at least one of the at least one designated control line, the group of signal lines having a common intended function.
  11. 11. Data processing as claimed in claim 10, wherein the common intended function is an address transfer function.
  12. 12. Data processing as claimed in claim 10, wherein the common intended function is a data transfer function.
  13. 13. Data processing apparatus as claimed in any preceding claim, wherein the scrambler is arranged on an address transfer path between the processor and the memory.
  14. 14. Data processing apparatus as claimed in claim 13, wherein the address transfer path comprises a plurality of address lines for carrying respective addressing signals defining a memory address to be used for an operation on the memory.
  15. 15. Data processing apparatus as claimed in claim 14, wherein at least one address line is used as at least one of the at least one designated control line.
  16. 16. Data processing apparatus as claimed in claim 15, wherein the at least one address line so used would otherwise be active only when specifying such a memory address outside an addressing range of the memory.
  17. 17. Data processing apparatus as claimed in claim 15 or 16, wherein the at least one address line so used represents the most significant part of such a memory address.
  18. 18. Data processing apparatus as claimed in claim 15, 16 or 17, wherein the at least one address line so used terminates at the scrambler.
  19. 19. Data processing apparatus as claimed in any preceding claim, wherein the data transfer path comprises a plurality of data lines for carrying respective data signals representing the data.
  20. 20. Data processing apparatus as claimed in claim 19, wherein at least one of the data lines is used as at least one of the at least one designated control line.
  21. 21. Data processing apparatus as claimed in any preceding claim, wherein the memory comprises persistent memory.
  22. 22. Data processing apparatus as claimed in claim 21, wherein the memory comprises flash memory.
  23. 23. Data processing apparatus as claimed in claim 21 or 22, further comprising a memory controller arranged between the scrambler and the memory.
  24. 24. Data processing apparatus as claimed in claim 23, when dependent on claim 19, wherein the memory controller is responsive to data carried on the data lines representing commands to the memory controller to perform specified tasks.
  25. 25. Data processing apparatus as claimed in claim 24, wherein the processor is operable to use the at least one control line to switch the scrambler to the second scrambling regime before sending data representing such a command over the data lines.
  26. 26. Data processing apparatus as claimed in any preceding claim, further comprising a select line for carrying a select signal to the scrambler for controlling whether scrambling or descrambling is performed.
  27. 27. Data processing apparatus as claimed in any preceding claim, comprising a single designated control line.
  28. 28. Data processing apparatus as claimed in any preceding claim, wherein the processor is a Central Processing Unit, CPU.
  29. 29. A smart card comprising data processing apparatus as claimed in any preceding claim.
  30. 30. A method for use by a processor in an apparatus comprising memory and a scrambler arranged on a data transfer path between the processor and the memory for scrambling data items passing through the scrambler according to a specified scrambling regime, the method comprising using at least one designated control line of the apparatus to switch the scrambler at least between operating according to a first scrambling regime and operating according to a second scrambling regime different to the first scrambling regime.
  31. 31. A method of applying a first scrambling regime to first data items and a second scrambling regime, different to the first scrambling regime, to second data items, comprising allocating the first data items to a first memory addressing range associated with the first scrambling regime and the second data items to a second memory addressing range associated with the second scrambling regime, the first and second memory addressing ranges being differentiated by use of at least one addressing bit, and relying on an external scrambler to perform scrambling according to the scrambling regime specified by the at least one addressing bit.
  32. 32. A program for controlling a processor to perform a method as claimed in claim or 31.
  33. 33. A program as claimed in claim 32, carried on a carrier medium.
  34. 34. A program as claimed in claim 33, wherein the carrier medium is a transmission medium.
  35. 35. A program as claimed in claim 33, wherein the carrier medium is a storage medium.
GB0504825A 2005-03-09 2005-03-09 Side channel attack prevention in data processing apparatus such as a smart card Withdrawn GB2424089A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0504825A GB2424089A (en) 2005-03-09 2005-03-09 Side channel attack prevention in data processing apparatus such as a smart card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0504825A GB2424089A (en) 2005-03-09 2005-03-09 Side channel attack prevention in data processing apparatus such as a smart card

Publications (2)

Publication Number Publication Date
GB0504825D0 GB0504825D0 (en) 2005-04-13
GB2424089A true GB2424089A (en) 2006-09-13

Family

ID=34452058

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0504825A Withdrawn GB2424089A (en) 2005-03-09 2005-03-09 Side channel attack prevention in data processing apparatus such as a smart card

Country Status (1)

Country Link
GB (1) GB2424089A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180137061A1 (en) * 2016-11-16 2018-05-17 Stmicroelectronics (Rousset) Sas Storage in a non-volatile memory
US10423805B2 (en) 2016-12-22 2019-09-24 International Business Machines Corporation Encryption engine with an undetectable/tamper-proof private key in late node CMOS technology
GB2544546B (en) * 2015-11-20 2020-07-15 Advanced Risc Mach Ltd Dynamic memory scrambling

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107783023A (en) * 2016-08-31 2018-03-09 国民技术股份有限公司 Side channel leakage analysis system and method based on chip

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4573119A (en) * 1983-07-11 1986-02-25 Westheimer Thomas O Computer software protection system
US5081675A (en) * 1989-11-13 1992-01-14 Kitti Kittirutsunetorn System for protection of software in memory against unauthorized use
EP1093056A1 (en) * 1999-10-13 2001-04-18 Nec Corporation Data processor having data processing unit incorporating scramble and descramble means

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4573119A (en) * 1983-07-11 1986-02-25 Westheimer Thomas O Computer software protection system
US5081675A (en) * 1989-11-13 1992-01-14 Kitti Kittirutsunetorn System for protection of software in memory against unauthorized use
EP1093056A1 (en) * 1999-10-13 2001-04-18 Nec Corporation Data processor having data processing unit incorporating scramble and descramble means

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Proceedings of the 2003 International symposium on Low Power Electronics and Design, ISLPED '03, 25-27 Aug 2003, pp 26-29, Benini L. et al., "Energy efficient data scrambling on memory-processor interfaces" *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2544546B (en) * 2015-11-20 2020-07-15 Advanced Risc Mach Ltd Dynamic memory scrambling
US20180137061A1 (en) * 2016-11-16 2018-05-17 Stmicroelectronics (Rousset) Sas Storage in a non-volatile memory
FR3058813A1 (en) * 2016-11-16 2018-05-18 Stmicroelectronics (Rousset) Sas STORAGE IN NON-VOLATILE MEMORY
EP3324327A1 (en) * 2016-11-16 2018-05-23 Stmicroelectronics (Rousset) Sas Storage in a non-volatile memory
CN108073528A (en) * 2016-11-16 2018-05-25 意法半导体(鲁塞)公司 Storage in nonvolatile memory
US10649916B2 (en) 2016-11-16 2020-05-12 Stmicroelectronics (Rousset) Sas Storage in a non-volatile memory
US11003595B2 (en) 2016-11-16 2021-05-11 Stmicroelectronics (Rousset) Sas Storage in a non-volatile memory
CN108073528B (en) * 2016-11-16 2021-10-29 意法半导体(鲁塞)公司 Storage in non-volatile memory
US10423805B2 (en) 2016-12-22 2019-09-24 International Business Machines Corporation Encryption engine with an undetectable/tamper-proof private key in late node CMOS technology
US10997321B2 (en) 2016-12-22 2021-05-04 International Business Machines Corporation Encryption engine with an undetectable/tamper proof private key in late node CMOS technology
US11216595B2 (en) 2016-12-22 2022-01-04 International Business Machines Corporation Encryption engine with an undetectable/tamper-proof private key in late node CMOS technology

Also Published As

Publication number Publication date
GB0504825D0 (en) 2005-04-13

Similar Documents

Publication Publication Date Title
USRE48716E1 (en) Encryption-based security protection for processors
US7194633B2 (en) Device and method with reduced information leakage
US7543159B2 (en) Device and method with reduced information leakage
US8296577B2 (en) Cryptographic bus architecture for the prevention of differential power analysis
US7657754B2 (en) Methods and apparatus for the secure handling of data in a microcontroller
Saputra et al. Masking the energy behavior of DES encryption [smart cards]
US20040025032A1 (en) Method and system for resistance to statiscal power analysis
US5995623A (en) Information processing apparatus with a software protecting function
EP1308885B1 (en) Information processing and encryption unit
KR100445406B1 (en) Apparatus for encrypting the data and method therefor
US7092400B2 (en) Method of transmitting data through a data bus
US7036017B2 (en) Microprocessor configuration with encryption
US10146701B2 (en) Address-dependent key generation with a substitution-permutation network
US7657034B2 (en) Data encryption in a symmetric multiprocessor electronic apparatus
GB2424089A (en) Side channel attack prevention in data processing apparatus such as a smart card
GB2399426A (en) Fault detection in data processing apparatus
JP2001195555A (en) Ic card and microcomputer
Mahmoud et al. Novel algorithmic countermeasures for differential power analysis attacks on smart cards
KR20100015077A (en) Apparatus and method for encryption in system on chip
KR20060068006A (en) Method and apparatus for preventing dpa(differential power analysis) attacks on data bus
CN113642051B (en) Encrypted data read-write method of SPI storage equipment and embedded processor chip
WO2005121923A1 (en) Hiding information transmitted on a data bus
CN116341026A (en) Encryption computer system based on double-memory exclusive OR and bus encryption method
Stone et al. High Security Modules—Still Needed Despite Advances in Platforms
CA2397615A1 (en) Method and system for resistance to statistical power analysis

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)