Abstract: An electronic circuit includes a driving cell, one or more driven cells and one or more inverters. The driving cell has two or more inputs and at least one output and is configured to toggle the output between first and second logic states in response to the inputs. Each driven cell has two or more inputs, of which at least one input is configured to be driven by the output of the driving cell. The one or more inverters are placed in a signal network that connects the driving cell to the driven cells. The inverters are configured to balance, over the signal network, (i) a first capacitive load charged by electrical currents caused by transitions from the first logic state to the second logic state and (ii) a second capacitive load charged by electrical currents caused by transitions from the second logic state to the first logic state.

Abstract: An electronic device includes a combinational logic circuit, one or more functional state-sampling components, one or more protection state-sampling components, and protection logic. The combinational logic circuit has one or more outputs. The functional state-sampling components are configured to sample the respective outputs of the combinational logic circuit. The protection state-sampling components are associated respectively with the functional state-sampling components, each protection state-sampling component configured to sample a same output of the combinational logic circuit as the corresponding functional state-sampling component, but with a predefined time offset relative to the functional state-sampling component. The protection logic is configured to detect a discrepancy between the outputs sampled by the functional state-sampling components and the respective outputs sampled by the protection state-sampling components, and to initiate a responsive action in response to the discrepancy.

Abstract: An Integrated Circuit (IC) includes functional circuitry and protection circuitry. The protection circuitry is configured to maintain a counter value, which is indicative of a cumulative amount of hostile attacking attempted on the functional circuitry over a lifetime of the IC, to detect events indicative of suspected hostile attacks on the functional circuitry, to decide, responsively to a detected event, on an update of the counter value depending on a time difference between the detected event and a most recent power-up in the IC, and update the counter value in accordance with the decided update, and to disable at least part of the IC in response to the counter value crossing a threshold.

Abstract: An electronic device includes clock generation circuitry, a combinational logic circuit, one or more functional state-sampling components, and protection logic. The clock generation circuitry is configured to generate a clock signal having a periodic clock cycle. The combinational logic circuit includes multiple internal nets and one or more outputs. The functional state-sampling components are configured to sample the respective outputs of the combinational logic circuit periodically in accordance with the clock signal. The protection logic is configured to receive one or more signals from the internal nets or outputs of the combinational logic circuit, to detect, in one or more of the received signals, a signal instability that occurs during a predefined portion of the periodic clock cycle in which, in accordance with a design of the combinational logic circuit, the signals are expected to be stable, and to initiate a responsive action in response to the detected signal instability.

Abstract: A device including a network interface, a memory and a processor. The network interface is configured to communicate with a verifier over a communication network. The memory is configured to store multiple layers of mutable code, the layers identifiable by respective measurements. The processor is configured to generate, for a given boot cycle, a nonce associated uniquely with the given boot cycle, to receive a challenge from the verifier for attestation of a given layer of the mutable code, to calculate an attestation key based on (i) a Unique Device Secret (UDS) stored securely in the device, (ii) a measurement of the given layer taken by another layer, and (iii) the nonce generated for the given boot cycle, to calculate a response for the challenge, by signing the challenge using the attestation key, and to send the response to the verifier for verification of the given layer.

Abstract: An Integrated Circuit (IC) includes a non-volatile memory (NVM) and secure power-up circuitry. The NVM is configured to store an operational state of the IC. The secure power-up circuitry is configured to (i) during a power-up sequence of the IC, perform a first readout of the operational state from the NVM while a supply voltage of the IC is within a first voltage range, (ii) if the operational state read from the NVM in the first readout is a state that permits access to a sensitive resource of the IC, verify that the supply voltage is within a second voltage range, more stringent than the first voltage range, and then perform a second readout of the operational state from the NVM, and (iii) initiate a responsive action in response to a discrepancy between the operational states read from the NVM in the first readout and in the second readout.

Abstract: In one embodiment, a secure chip apparatus, includes a memory to store an encrypted value E and a one-way function output-value H, which is an output value of a one-way function computed with a nonce N as input, an interface to transfer data with an external device, and chip security circuitry to lock a portion of the chip apparatus from use, receive an unlock request from an unlocking hardware security module (HSM) via the interface, provide the encrypted value E to the HSM responsively to the unlock request, receive a value N? from the HSM, the value N? being a decrypted value of the encrypted value E, compute a one-way function output-value H? responsively to the value N?, compare the value H? to the value H, and unlock the portion of the chip apparatus for use responsively to a match between the value H? and the value H.

Abstract: A security device includes a bus interface and circuitry. The bus interface is coupled to a bus connecting between a host device and a peripheral device. The circuitry is configured to receive, via the bus interface, a clock signal of the bus, and to produce a delayed clock signal relative to the clock signal. The circuitry is further configured to monitor, using the clock signal, transactions communicated between the host device and the peripheral device, in response to identifying a given transaction, of which a portion is expected to be delayed by a predefined time delay relative to the clock signal, to sample the portion of the given transaction using the delayed clock signal, and in response to identifying, based on the sampled portion, that the given transaction violates a security policy, to apply a security action.

Abstract: A secure Integrated Circuit (IC) includes functional circuitry, and protection circuitry configured to protect the functional circuitry against fault-injection attacks. The protection circuitry includes a plurality of digital detection cells, and protection logic. The detection cells have respective inputs and outputs and are connected output-to-input in at least a chain. In response to a fault-injection attack, a given detection cell in the chain is configured to toggle an output that drives an input of a subsequent detection cell in the chain, thereby causing a pulse to propagate along the chain. The protection logic is configured to receive the pulse from the chain and initiate a responsive action.

Abstract: An Integrated Circuit (IC) includes functional circuitry and protection circuitry. The protection circuitry is configured to maintain a counter value, which is indicative of a cumulative amount of hostile attacking attempted on the functional circuitry over a lifetime of the IC, to detect events indicative of suspected hostile attacks on the functional circuitry, to decide, responsively to a detected event, on an update of the counter value depending on a time difference between the detected event and a most recent power-up in the IC, and update the counter value in accordance with the decided update, and to disable at least part of the IC in response to the counter value crossing a threshold.

Abstract: In one embodiment, a protected system, includes a first apparatus disposed on a silicon chip, and to perform a functional process, a second apparatus disposed on the silicon chip, and to perform a protecting process having a verifiable test result, the first and the second apparatus having a physical layout which interleaves at least part of the first apparatus with at least part of the second apparatus so that an attack on the at least part of the first apparatus also attacks the at least part of the second apparatus, a primary controller to signal the second apparatus to perform the protecting process during a time period that the first apparatus is performing the functional process, and an attack handling controller to perform a protective action to protect the functional process responsively to the protecting process failing to verify the verifiable test result providing an indication that the attack is being performed.

Abstract: A secure IC includes multiple functionally-equivalent combinational logic circuits, multiple sets of state-sampling components, and control circuitry. Each combinational logic circuit receives one or more inputs, and applies a combinational-logic operation to the one or more inputs so as to produce one or more outputs. Each set of state-sampling components includes one or more state-sampling components that samples one or more of the outputs of one of the combinational logic circuits and provides one or more of the sampled outputs as inputs to another of the combinational logic circuits. The control circuitry receives multiple sets of input data for processing by the combinational logic circuits, routes the sets of input data to the combinational logic circuits, extracts sets of output data from the combinational logic circuits, and outputs each set of output data in association with the respective set of input data.

Abstract: An electronic device includes a combinational logic circuit, one or more functional state-sampling components, one or more protection state-sampling components, and protection logic. The combinational logic circuit has one or more outputs. The functional state-sampling components are configured to sample the respective outputs of the combinational logic circuit. The protection state-sampling components are associated respectively with the functional state-sampling components, each protection state-sampling component configured to sample a same output of the combinational logic circuit as the corresponding functional state-sampling component, but with a predefined time offset relative to the functional state-sampling component. The protection logic is configured to detect a discrepancy between the outputs sampled by the functional state-sampling components and the respective outputs sampled by the protection state-sampling components, and to initiate a responsive action in response to the discrepancy.

Abstract: An electronic device includes clock generation circuitry, a combinational logic circuit, one or more functional state-sampling components, and protection logic. The clock generation circuitry is configured to generate a clock signal having a periodic clock cycle. The combinational logic circuit includes multiple internal nets and one or more outputs. The functional state-sampling components are configured to sample the respective outputs of the combinational logic circuit periodically in accordance with the clock signal. The protection logic is configured to receive one or more signals from the internal nets or outputs of the combinational logic circuit, to detect, in one or more of the received signals, a signal instability that occurs during a predefined portion of the periodic clock cycle in which, in accordance with a design of the combinational logic circuit, the signals are expected to be stable, and to initiate a responsive action in response to the detected signal instability.

Abstract: A method for initializing a computer system, which includes a Central Processing Unit (CPU), a Trusted Root Device and a Trusted Platform Module (TPM), includes authenticating a boot code of the CPU using the Trusted Root Device, and booting the CPU using the authenticated boot code. A challenge-response transaction, in which the TPM authenticates the Trusted Root Device, is initiated by the CPU following booting of the CPU. Only in response to successful authentication of the Trusted Root Device using the challenge-response transaction, a resource used in operating the computer system is released from the TPM.

Abstract: An electronic device includes a combinational logic circuit, one or more state-sampling components, and protection circuitry. The combinational logic circuit has one or more inputs and one or more outputs. The state-sampling components are configured to sample the outputs of the combinational logic circuit at successive clock cycles. The protection circuitry is configured to protect the combinational logic circuit by, per clock cycle, starting to apply random data to the inputs of the combinational logic circuit a given time duration before a sampling time of the state-sampling components for that clock cycle, and, after applying the random data, switching to apply functional data to the inputs of the combinational logic circuit, to be sampled by the state-sampling components. A propagation delay, over any signal path via the combinational logic circuit, is no less than the given time duration.

Abstract: A self-correcting memory system comprising an integrated circuit including memory and memory content authentication functionality, which is operative to compare content to be authenticated to a standard and to output “authentic” if the content to be authenticated equals the standard and “non-authentic” otherwise; and error correction functionality which is operative to apply at least one possible correction to at least one erroneous word entity in said memory, yielding a possibly correct word entity, call said authentication for application to the possibly correct word entity, and if the authentication's output is “authentic”, to replace said erroneous word entity in said memory, with said possibly correct word entity thereby to yield error correction at a level of confidence derived from the level of confidence associated with the authentication.

Abstract: System, method and computer program product for prioritizing trial-and-error attempted corrections of bit/s, in a memory, in which logical bit levels are determined by thresholding voltage values using threshold/s, the method comprising ranking bits such that a first bit is ranked before a second bit, which is less likely than said first bit to be erroneous and sequentially attempting to correct the bits in order of the ranking, including attempting to correct the first bit before attempting to correct the second bit.

Abstract: A controller includes a host interface and a processor. The host interface is configured for communicating with a host. The processor is configured to receive from the host, via the host interface, instructions for execution in a Non-Volatile Memory (NVM), to identify among the instructions an instruction, which pertains to a secure monotonic counter and is intended for execution in an NVM having a secure monotonic counter embedded therein, and to execute the identified instruction, and respond to the host responsively to the instruction, instead of the NVM.

Abstract: An electronic circuit for Random Number Generation (RNG) includes a first inverter having a first input and a first output, and a second inverter having a second input and a second output. The first output is connected to the second input, and the second output is connected to the first input. A switch is configured to (i) when closed, to set the first and second inverters to a meta-stable state by shorting the first output to the first input and the second output to the second input, and (ii) when open, to release the first and second inverters from the meta-stable state to a bi-stable random state. Logic circuitry is configured to alternately close and open the switch, and to output random values from at least one of the first and second inverters when at the bi-stable random state.