Search

CN-122029540-A - Network attack countermeasure circuit and method

CN122029540ACN 122029540 ACN122029540 ACN 122029540ACN-122029540-A

Abstract

Embodiments of the present disclosure include countermeasure circuit techniques for network attacks. In one embodiment, a portion of the combinational logic receives the shared input bit groups and generates shared output bit groups. The shared output bit groups may be coupled between the combinational logic portions in a series configuration using control gates. The clock signal is delayed to activate the control gate after the output stabilizes. In some embodiments, the first set of combinational logic and the second set of combinational logic operate on a clock and an inverted clock.

Inventors

  • LIU KUNYAN
  • TAO YUCONG

Assignees

  • 微软技术许可有限责任公司

Dates

Publication Date
20260512
Application Date
20241021
Priority Date
20231109

Claims (20)

  1. 1.A circuit, comprising: A plurality of combinational logic circuit groups (101, 102), each combinational logic circuit group comprising a plurality of combinational logic circuits (103, 104) configured in series, wherein each combinational logic circuit comprises a plurality of combinational logic circuit sections (110-112 and 120-122), and each combinational logic circuit section receives one or more shared input bit groups of the plurality of shared input bit groups and generates a shared output bit group (151); a plurality of registers configured between a plurality of combinational logic circuit groups, each register having a control input; A plurality of control gates configured between the plurality of combinational logic circuit portions of the plurality of combinational logic circuit groups, and A plurality of delay circuits, each delay circuit being arranged between the control input of a particular register and the control input of a control gate, Wherein the plurality of shared output bit groups of the upstream combinational logic circuit form the plurality of shared input bit groups of the downstream combinational logic circuit, and wherein each combinational logic circuit portion of a particular downstream combinational logic circuit receives less than the total number of the plurality of shared input bit groups.
  2. 2. The circuit of claim 1, wherein the shared input bit group is processed by the combinational logic circuit to perform a threshold implementation countermeasure circuit.
  3. 3. The circuit of claim 1, wherein a first register of the plurality of registers coupled to an input of the set of combinational logic circuits receives the clock signal, and wherein a second register of the plurality of registers coupled to an output of the set of combinational logic circuits receives an inverse of the clock signal.
  4. 4. The circuit of claim 1, further comprising an inverter coupled to a clock signal, wherein the clock signal is coupled to a first control input of a first register of the plurality of registers and an input of a first delay circuit of the plurality of delay circuits.
  5. 5. The circuit of claim 4, wherein an output of the inverter is coupled to a first control input of a second register of the plurality of registers and an input of a second delay circuit of the plurality of delay circuits.
  6. 6. The circuit of claim 1, wherein the control gate is a multiplexer.
  7. 7. The circuit of claim 6, wherein each multiplexer includes a first input coupled to a particular shared output bit group and a second input coupled to ground.
  8. 8. The circuit of claim 1, wherein the first combinational logic circuit is activated in response to a clock signal and the second combinational logic circuit is activated in response to an inverted clock signal.
  9. 9. The circuit of claim 1, wherein a first group of shared input bits is coupled to a first and second combinational logic circuit portion of a combinational logic circuit, a second group of shared input bits is coupled to the first and third combinational logic circuit portion of the combinational logic circuit, and a third group of shared input bits is coupled to the second and third combinational logic circuit portion of the combinational logic circuit.
  10. 10. The circuit of claim 1, wherein the delay circuit is a programmable delay circuit.
  11. 11. The circuit of claim 1, wherein the delay circuit comprises an inverter.
  12. 12. A method of preventing network attacks, comprising: Receiving a plurality of shared input bit groups in a plurality of combinational logic circuit portions of a plurality of combinational logic circuit groups, each combinational logic circuit group comprising a plurality of combinational logic circuits configured in series, wherein each combinational logic circuit comprises the plurality of combinational logic circuit portions; receiving a clock signal in a plurality of registers disposed between a plurality of groups of combinational logic circuits, each register having a control input to receive the clock signal; Delaying the clock signal to generate a plurality of delayed clock signals; receiving the plurality of delayed clock signals in a plurality of control gates disposed between a plurality of combinational logic circuits of the plurality of combinational logic circuit groups, and A shared output bit group is generated by each combinational logic circuit portion, Wherein the shared output bit groups of the upstream combinational logic circuit form shared input bit groups of the downstream combinational logic circuit, and wherein each combinational logic circuit portion of a particular downstream combinational logic circuit receives less shared output bit groups than the total number of the plurality of shared output bit groups of the particular upstream combinational logic circuit.
  13. 13. The method of claim 12, wherein a first register of the plurality of registers coupled to an input of the set of combinational logic circuits receives the clock signal, and wherein a second register of the plurality of registers coupled to an output of the set of combinational logic circuits receives an inverse of the clock signal.
  14. 14. The method of claim 12, wherein the shared input bit group is processed by the combinational logic circuit to perform a threshold implementation countermeasure circuit.
  15. 15. The method of claim 12, further comprising inverting the clock signal, wherein the clock signal is coupled to a first control input of a first register of the plurality of registers and an input of a first delay circuit of the plurality of delay circuits.
  16. 16. The method of claim 12, wherein the control gate is a multiplexer.
  17. 17. The method of claim 16, wherein each multiplexer includes a first input coupled to a particular shared output bit group and a second input coupled to ground.
  18. 18. The method of claim 12, wherein a first combinational logic circuit is activated in response to the clock signal and a second combinational logic circuit is activated in response to an inverted clock signal.
  19. 19. The method of claim 18, wherein a first shared input bit group is coupled to a first combinational logic circuit portion and a second combinational logic circuit portion of a first combinational logic circuit, a second shared input bit group is coupled to the first and third combinational logic circuit portions of the first combinational logic circuit, and a third shared input bit group is coupled to the second and third combinational logic circuit portions of the first combinational logic circuit.
  20. 20. A circuit, comprising: A first register; a first set of combinational logic circuits comprising a first plurality of combinational logic circuits configured in series; a second register; a second set of combinational logic circuits comprising a second plurality of combinational logic circuits configured in series, wherein each combinational logic circuit comprises a plurality of combinational logic circuit sections, and each combinational logic circuit section receives one or more shared input bit groups of a plurality of shared input bit groups and generates a shared output bit group, wherein each combinational logic circuit section of a particular downstream combinational logic circuit receives less than the total number of shared input bit groups of the plurality of shared input bit groups; A plurality of multiplexers configured between the plurality of combinational logic circuit portions, each multiplexer having one input coupled to ground; A first delay circuit configured between a control input of the first register and a control input of the first portion of the multiplexer, and A second delay circuit configured between a control input of the second register and a control input of a second portion of the multiplexer, Wherein a plurality of shared output bit groups of an upstream combinational logic circuit form the shared input bit groups of a downstream combinational logic circuit, and wherein the downstream combinational logic circuit receives shared input bit groups in response to a delayed version of the clock signal.

Description

Network attack countermeasure circuit and method Background The present disclosure relates generally to semiconductor circuits, and in particular to network attack countermeasure circuits and methods. Recently, power analysis methods have become an attack path for extracting sensitive information, such as encryption keys, from semiconductor Integrated Circuit (IC) devices. Such attacks are based on the principle that when the device operates on sensitive data, the power consumption or EM radiation of the device is related to the data value being processed. Thus, data may leak out of the system and it is possible to recover the data by collecting and analyzing the power traces. Hardware security devices, particularly root of trust devices, typically employ hardware countermeasures against such attacks. The present disclosure is directed to circuits and methods that may be used as countermeasures against such network attacks. Drawings Fig. 1 illustrates a circuit according to an embodiment. Fig. 2 illustrates a digital circuit method of preventing network attacks according to an embodiment. Fig. 3 illustrates an example countermeasure circuit in accordance with an embodiment. Fig. 4 illustrates an example Threshold Implementation (TI) countermeasure circuit, according to an embodiment. Fig. 5 illustrates waveforms for a countermeasure circuit according to an embodiment. Detailed Description Described herein are circuit techniques for preventing network attacks. In the following description, for purposes of explanation, numerous examples and specific details are set forth in order to provide a thorough understanding of some embodiments. Various embodiments as defined by the claims may include some or all of the features of these examples, alone or in combination with other features described below, and may also include modifications and equivalents of the features and concepts described herein. Fig. 1 illustrates a circuit according to an embodiment. Features and advantages of the present disclosure include countermeasure techniques for network attacks. To prevent network attacks, combinational logic may be partitioned into combinational logic portions, and shared input bit groups may be applied to different portions of the combinational logic circuit. If the shared input bit groups hold secret information, the secret information may be observed externally (e.g., by power or electromagnetic radiation, also known as "EMF") when each combinational logic circuit portion processes less than the total number of the plurality of shared input bit groups. The circuit of fig. 1 includes combinational logic groups 101 and 102. The set of combinational logic 101 may include a plurality of combinational logic circuits 103 and 104 configured in series (e.g., the output of an upstream combinational logic circuit is the input of a downstream combinational logic circuit). Each combinational logic circuit 103 and 104 includes a plurality of combinational logic circuit portions 110-112 and 120-122, respectively. Each combinational logic circuit portion 110-112 receives one or more shared input bit groups (illustrated by arrows) of the plurality from register 150 and generates a shared output bit group. Each combinational logic circuit portion 120-122 receives one or more shared input bit groups (illustrated by the arrows) of the plurality of shared input bit groups formed from the shared output bit groups of the upstream combinational logic circuit and generates a shared output bit group to the register 151. It should be appreciated that many additional combinational logic circuits may be configured in series between circuits 103 and 104. Thus, the present example is merely illustrative. The set of combinational logic 102 includes combinational logic circuits 105 and 106, which in turn include combinational logic circuit portions 130-132 and 140-142, respectively. These circuits are configured in substantially the same manner as the circuits in the combinational logic group 101. The registers may be configured between groups of combinational logic circuits. Registers 150 and 151 have control inputs. When the control input is triggered (e.g., by a clock signal), the data is shifted to the output of the register (e.g., typically from the input of the register). In this example, a shared bit group (S1) at the output of register 150 is coupled to combinational logic circuit portions 110 and 111, a second shared bit group (S2) is coupled to combinational logic circuit portions 110 and 112, and a third shared bit group (S3) is coupled to combinational logic circuit portions 111 and 112. This is just one example of how shared bit groups may be distributed to confuse secret data from external detection. In some embodiments, the shared bit group may be processed by combinational logic circuitry to perform a Threshold Implementation (TI) countermeasure circuit. More generally, the present techniques may be used to control the order of co