Abstract: An integrated circuit device includes first and second semiconductor die and a physically unclonable function (PUF). The second semiconductor die is attached, at least partially, to the first semiconductor die using the PUF. The PUF includes a plurality of conductive paths formed between the first semiconductor die and the second semiconductor die. The PUF controller is coupled to the PUF for generating a digital value based on a characteristic of each conductor of the plurality of conductive paths. The digital value logically binds the first semiconductor die to the second semiconductor die. The first semiconductor die may include a nonvolatile memory and the digital value may be an encryption key for encrypting data stored in the nonvolatile memory.

Abstract: The disclosure relates to secure data storage and retrieval, in particular to methods and circuits for securely storing data to reduce the possibility of leakage via side channel attacks. Embodiments disclosed include a method of storing a value comprising a series of words, the method comprising: i) combining in a series of XOR operations a word of a first portion of the value, a word of a second portion of the value and an output word of a first random number generator to provide a first combined word; ii) storing the first combined word in a shift register; and iii) repeating steps i) and ii) for each successive word of the first and second portions of the value.

Abstract: An encryption module and method for performing an encryption/decryption process executes two cryptographic operations in parallel in multiple stages. The two cryptographic operations are executed such that different rounds of the two cryptographic operations are performed in parallel by the same instruction or the same finite state machine (FSM) state for hardware implementation.

Abstract: According to a first aspect of the present disclosure, an integrated circuit is provided which comprises an active shield in a first layer and at least one security-critical component in a second layer, said security-critical component being configured to generate an access key for enabling access to at least a part of said security-critical component, wherein said access key is based on an output value of the active shield. According to a second aspect of the present disclosure, a corresponding method for protecting an integrated circuit is conceived. According to a third aspect of the present disclosure, a corresponding computer program product is provided.

Abstract: An integrated circuit device includes first and second semiconductor die and a physically unclonable function (PUF). The second semiconductor die is attached, at least partially, to the first semiconductor die using the PUF. The PUF includes a plurality of conductive paths formed between the first semiconductor die and the second semiconductor die. The PUF controller is coupled to the PUF for generating a digital value based on a characteristic of each conductor of the plurality of conductive paths. The digital value logically binds the first semiconductor die to the second semiconductor die. The first semiconductor die may include a nonvolatile memory and the digital value may be an encryption key for encrypting data stored in the nonvolatile memory.

Abstract: In an embodiment, an integrated circuit (IC) device for detecting fault attacks is disclosed. In the embodiment, the IC device includes a main CPU core, memory coupled to the main CPU core, and a co-processor core including a checksum generation module, the co-processor core coupled to the main CPU core, wherein the main CPU core is configured to direct the co-processor core to process data from the memory and the co-processor core is configured to process the data, in part, by feeding internal signals to the checksum generation module and wherein the co-processor core is further configured to return a checksum value generated by the checksum generation module to the main CPU core.

Abstract: An encryption module and method for performing an encryption/decryption process executes two cryptographic operations in parallel in multiple stages. The two cryptographic operations are executed such that different rounds of the two cryptographic operations are performed in parallel by the same instruction or the same finite state machine (FSM) state for hardware implementation.

Abstract: Various embodiments relate to a device including a digital component configured to output a plurality of parallel bits based on an input wherein the digital component is capable of occupying a metastable state between a time the input is changed and a time the output plurality of parallel bits changes based on the changed input, wherein the digital component outputs metastable bits while occupying the metastable state; and a synchronous sampling circuit configured to sample bits from the digital component in synchronization with a received clock signal pulse, wherein when the clock signal pulse occurs while the digital component occupies a metastable state, the synchronous sampling circuit samples metastable bits, and wherein the input into the digital component changes in a manner that is asynchronous with respect to the clock signal pulse. In various embodiments, the digital component is a substitution box (S-box).

Abstract: The disclosure relates to secure data storage and retrieval, in particular to methods and circuits for securely storing data to reduce the possibility of leakage via side channel attacks. Embodiments disclosed include a method of storing a value comprising a series of words, the method comprising: i) combining in a series of XOR operations a word of a first portion of the value, a word of a second portion of the value and an output word of a first random number generator to provide a first combined word; ii) storing the first combined word in a shift register; and iii) repeating steps i) and ii) for each successive word of the first and second portions of the value.

Abstract: In an embodiment, an integrated circuit (IC) device for detecting fault attacks is disclosed. In the embodiment, the IC device includes a main CPU core, memory coupled to the main CPU core, and a co-processor core including a checksum generation module, the co-processor core coupled to the main CPU core, wherein the main CPU core is configured to direct the co-processor core to process data from the memory and the co-processor core is configured to process the data, in part, by feeding internal signals to the checksum generation module and wherein the co-processor core is further configured to return a checksum value generated by the checksum generation module to the main CPU core.

Abstract: According to a first aspect of the present disclosure, an integrated circuit is provided which comprises an active shield in a first layer and at least one security-critical component in a second layer, said security-critical component being configured to generate an access key for enabling access to at least a part of said security-critical component, wherein said access key is based on an output value of the active shield. According to a second aspect of the present disclosure, a corresponding method for protecting an integrated circuit is conceived. According to a third aspect of the present disclosure, a corresponding computer program product is provided.

Abstract: Various embodiments relate to a device including a digital component configured to output a plurality of parallel bits based on an input wherein the digital component is capable of occupying a metastable state between a time the input is changed and a time the output plurality of parallel bits changes based on the changed input, wherein the digital component outputs metastable bits while occupying the metastable state; and a synchronous sampling circuit configured to sample bits from the digital component in synchronization with a received clock signal pulse, wherein when the clock signal pulse occurs while the digital component occupies a metastable state, the synchronous sampling circuit samples metastable bits, and wherein the input into the digital component changes in a manner that is asynchronous with respect to the clock signal pulse. In various embodiments, the digital component is a substitution box (S-box).

Abstract: A data processing device includes a first register unit, a second register unit and a data handling unit. The first register unit generates an address signal based on a first control signal. The address signal points to a region in an external storage device where first data is stored. The second register unit receives the first data output from the external storage device, generates second data based on the first data and a second control signal, and selectively generates a detectable error in the second data according to an operating mode when a fault is injected into the first data. A bit number of the detectable error in the second data is larger than a bit number of the fault injected into the first data. The data handling unit selectively processes the second data depending on whether the detectable error is generated.

Abstract: In a method of detecting a fault attack in a secure memory device, payload data is initialized by determining whether the payload data is consistent. The payload data is stored in a plurality of ephemeral registers included in the secure memory device. A count value included in the payload data is increased by detecting whether a fault is injected in the secure memory device from outside, during a processing operation of secure data, stored in the secure memory device. It is determined whether the fault injected in the secure memory device from the outside is caused by the fault attack based on the count value and a threshold value.

Abstract: A security device includes a shield having at least one first and second conductive wire, first and second logic units, and a detecting unit. The first logic unit is configured to receive a first pattern signal, transmit data based on the first pattern signal through the at least one first conducting wire, and output a detection pattern signal based on data received through the at least one second conducting wire. The second logic unit is configured to perform a logical operation on the data received through the at least one first conducting wire, and transmit a result of the logical operation through the at least one second conducting wire. The detecting unit is configured to provide the first pattern signal to the first logic unit, receive the detection pattern signal from the first logic unit, and detect an unauthorized access attempt.

Abstract: In a method of detecting a fault attack in a secure memory device, payload data is initialized by determining whether the payload data is consistent. The payload data is stored in a plurality of ephemeral registers included in the secure memory device. A count value included in the payload data is increased by detecting whether a fault is injected in the secure memory device from outside, during a processing operation of secure data, stored in the secure memory device. It is determined whether the fault injected in the secure memory device from the outside is caused by the fault attack based on the count value and a threshold value.

Abstract: A data processing device includes a first register unit, a second register unit and a data handling unit. The first register unit generates an address signal based on a first control signal. The address signal points to a region in an external storage device where first data is stored. The second register unit receives the first data output from the external storage device, generates second data based on the first data and a second control signal, and selectively generates a detectable error in the second data according to an operating mode when a fault is injected into the first data. A bit number of the detectable error in the second data is larger than a bit number of the fault injected into the first data. The data handling unit selectively processes the second data depending on whether the detectable error is generated.

Abstract: A secure memory interface includes a reader block, a writer block, and a mode selector for detecting fault injection into a memory device when a secure mode is activated. The mode selector activates or deactivates the secure mode using memory access information from a data processing unit. Thus, the data processing unit flexibly specifies the amount and location of the secure data stored into the memory device.

Abstract: A secure memory interface includes a reader block, a writer block, and a mode selector for detecting fault injection into a memory device when a secure mode is activated. The mode selector activates or deactivates the secure mode using memory access information from a data processing unit. Thus, the data processing unit flexibly specifies the amount and location of the secure data stored into the memory device.

Abstract: A secure memory interface includes a reader block, a writer block, and a mode selector for detecting fault injection into a memory device when a secure mode is activated. The mode selector activates or deactivates the secure mode using memory access information from a data processing unit. Thus, the data processing unit flexibly specifies the amount and location of the secure data stored into the memory device.