Device for detecting a fault in circuit propagating a clock signal, and corresponding method

11181940 · 2021-11-23

Abstract

An electronic circuit includes a clock signal generator configured to deliver a clock signal. A propagation circuit is configured to propagate the clock signal on a plurality of propagation branches. A number of timers are coupled to at least some of the branches. The timers are clocked by corresponding replicas of the clock signal and configured to generate a pulse signal every N pulses of the corresponding replica of the clock signal. A comparator is configured to generate an alarm signal having a first state when two of the pulse signals are phase-offset with respect to one another.

Claims

1. An electronic circuit comprising: a clock signal generator configured to deliver a clock signal; a propagation circuit configured to propagate the clock signal on a plurality of propagation branches; a plurality of timers coupled to at least some of the branches, the timers clocked by corresponding replicas of the clock signal and configured to generate a pulse signal every N pulses of the corresponding replica of the clock signal; and a comparator configured to generate an alarm signal having a first state when two of the pulse signals are phase-offset with respect to one another, wherein the comparator comprises: a plurality of input terminals, a single output terminal that is configured to deliver the alarm signal, and a plurality of logic circuits connected in cascade, each input terminal of the comparator being coupled to a separate input of a logic circuit.

2. The electronic circuit according to claim 1, wherein each logic circuit includes a single output, the logic circuits being connected in series such that an initial logic circuit has inputs coupled to two separate timers, and that the other logic circuits have one input coupled to the output of a separate logic circuit and a second input coupled to a separate timer, a terminal logic circuit having an output coupled to the output terminal.

3. The electronic circuit according to claim 2, wherein the terminal logic circuit is an Exclusive OR logic gate, and the other logic circuits are OR logic gates.

4. The electronic circuit according to claim 1, wherein each logic circuit has an output coupled to the output terminal and is configured to generate an alarm signal.

5. The electronic circuit according to claim 1, wherein the logic circuits each include a single output and are coupled in a tree structure.

6. The electronic circuit according to claim 5, wherein the logic circuits are Exclusive OR gates, and wherein the output of a terminal logic circuit is coupled to the output terminal.

7. The electronic circuit according to claim 6, wherein the output of each logic circuit is coupled to the output terminal.

8. The electronic circuit according to claim 1, wherein the electronic circuit is part of an electronic system of a motor vehicle.

9. The electronic circuit according to claim 1, further comprising a storage medium containing secure data, wherein the alarm signal is to indicate an issue regarding security of the secure data.

10. The electronic circuit according to claim 9, wherein the electronic circuit is part of a chip card.

11. The electronic circuit according to claim 10, wherein the chip card includes a physical card.

12. An electronic circuit comprising: a clock signal generator configured to deliver a clock signal; a plurality of timers, each timer having an input coupled to an output of the clock signal generator; and a plurality of logic circuits connected in cascade, each logic circuit having a first input, a second input and an output and each timer having an output coupled to a logic circuit, wherein for each logic circuit the first input is coupled to the output of an associated timer or the output of another one of the logic circuits and wherein for each logic circuit the second input is coupled to the output of a second associated timer or the output of a different another one of the logic circuits.

13. The electronic circuit according to claim 12, wherein the timers are coupled to be clocked by corresponding replicas of the clock signal and configured to generate a pulse signal every N pulses of the corresponding replica of the clock signal.

14. The electronic circuit according to claim 13, wherein an output of one of the logic circuits is used as an output of the electronic circuit, the output configured to provide an alarm signal having a first state when two of the pulse signals are phase-offset with respect to one another.

15. The electronic circuit according to claim 12, further comprising additional circuitry, wherein an output of one of the logic circuits is used as an output of the electronic circuit that is configured to provide an alarm signal indicative of a security issue regarding the additional circuitry.

16. The electronic circuit according to claim 12, wherein each logic circuit includes a single output, the logic circuits being connected in series such that an initial logic circuit has inputs coupled to two separate timers, and that the other logic circuits have one input coupled to the output of a separate logic circuit and a second input coupled to a separate timer, a terminal logic circuit having an output coupled to an output terminal of the electronic circuit.

17. The electronic circuit according to claim 12, wherein the logic circuits each include a single output and are coupled in a tree structure.

18. A method for detecting an anomaly in a clock signal, the method comprising: propagating replicas of a clock signal on a plurality of branches of a propagation circuit; generating pulse signals at ends of at least some of the branches of the propagation circuit, the pulse signals being generated every N pulses of the corresponding replica; and detecting a mutual phase offset between two of the pulse signals by using a plurality of logic circuits connected in cascade, each of the plurality of logic circuits having an input for receiving a respective pulse signal of the pulse signals, the phase offset being representative of the presence of an anomaly in the clock signal.

19. The method according to claim 18, further comprising generating an alarm signal based on the presence of an anomaly in the clock signal, the alarm signal being indicative of potential security breach.

20. The method according to claim 18, wherein N is equal to 3, 8, or 16.

21. The method according to claim 18, wherein the logic circuits each include a single output and are coupled in a tree structure.

22. The electronic circuit according to claim 1, wherein the plurality of timers are distributed across a surface area of an integrated circuit.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Other advantages and features of the invention will become apparent upon examining the detailed description of completely non-limiting embodiments of the invention and the appended drawings, in which:

(2) FIGS. 1 to 11 illustrate embodiments of the invention.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

(3) FIG. 1 is a schematic depiction of an integrated circuit CI according to one embodiment of the invention. The integrated circuit CI includes a clock signal generator GH, configured so as to deliver a clock signal SH having a first frequency.

(4) The clock signal generator may be for example a piezoelectric quartz-based oscillator comprising a phase-locked loop.

(5) The generator GH is coupled in this case to a propagation circuit CP for propagating the clock signal SH into various zones of the integrated circuit. The propagation circuit is produced in a conventional manner and includes vias and metal tracks produced in the interconnect portion of the integrated circuit (BEOL, back end of line, as is well known in the art) and intermittently connecting components that are produced in the substrate of the integrated circuit.

(6) The propagation circuit CP has in this case, as is conventional, a tree structure the root of which is coupled to the clock generator GH and each branch BR.sub.i of which propagates a corresponding replica SH.sub.i of the clock signal SH. Depending on their length, the various branches BR.sub.i may comprise a delay element (not shown), for example, inverting or non-inverting buffers, for maintaining synchronous operation of the integrated circuit.

(7) The branches of the propagation circuit, and in particular their ends EX.sub.i, that is to say the portions of the propagation circuit that connect the components of the integrated circuit, in this case contacts made of tungsten, are thus each configured so as to deliver a replica SH.sub.i of the clock signal SH.

(8) The ends EX.sub.i of the branches BR.sub.i of the propagation circuit CP are coupled in this case to a device DIS for monitoring for a potential fault injection into the integrated circuit.

(9) Fault injection is understood here and in the remainder of the description to mean any intentional injection of a fault by an attacker, for example by generating an electromagnetic pulse near the circuit CI leading to a voltage pulse in the propagation circuit CP, or else any unintentional injection of a fault, on account for example of a random phenomenon depending on the environment in which the integrated circuit is situated and exhibiting similar effects on the integrated circuit, such as for example an emission of alpha or gamma particles leading to a voltage pulse in the propagation circuit CP.

(10) The device DIS includes a plurality of timers CT.sub.i, each of which is coupled to one end EX.sub.i of a separate branch of the propagation circuit so as to receive a replica of the clock signal SH.sub.i. A comparator CMP includes a plurality of inputs BE.sub.i each coupled to the output of a separate timer CT.sub.i, and an output terminal BS configured so as to deliver an alarm signal ALM having a default state, in this case a low state, if no fault is detected and having a first state, in this case a high state, if a fault is detected.

(11) The timers CT.sub.i are each configured so as to generate, in the absence of a fault, a pulse signal SCT.sub.i every N cycles of a corresponding replica of the clock signal SH.sub.i.

(12) In this case, the timers are configured so as to generate a pulse every 3 clock cycles, for example.

(13) It would be possible to choose an arbitrary number N of clock cycles, and a person skilled in the art will know how to choose this number according to the desired accuracy and the consumption constraints under consideration.

(14) During normal operation of the integrated circuit CI, that is to say in the absence of a fault, the timers CT.sub.i are therefore configured so as to deliver pulse signals SCT.sub.i having zero phase offset with respect to one another, and the comparator is configured so as to generate the alarm signal in its default state.

(15) FIG. 2 illustrates the temporal evolution

(16) of a first replica SH.sub.1 of the clock signal SH into which no fault has been injected,

(17) of a second replica SH.sub.2 of the clock signal SH into which a fault Ft has been injected,

(18) of the pulse signals SCT.sub.1 and SCT.sub.2 generated by a first timer CT.sub.1 and a second timer CT.sub.2, respectively, and

(19) of the alarm signal ALM.

(20) In this case, the first timer CT.sub.1 receives the first replica SH.sub.1, and the second timer receives the second replica SH.sub.2.

(21) The first timer CT.sub.1 delivers a pulse every 3 pulses of the first replica SH.sub.1, for example on the rising edges of the first replica SH.sub.1 of the clock signal SH.

(22) It may therefore be considered, for the sake of understanding the invention, that the pulses of the first pulse signal SCT.sub.1 are generated in a first period T.sub.1.

(23) The second timer CT.sub.2 is also configured so as to deliver a pulse every 3 cycles of the clock signal, but, since the second replica SH.sub.2 contains a fault Ft, in this case an additional pulse, the latter is processed by the timer as a pulse of the second replica SH.sub.2, and the pulse IMP of the second pulse signal SCT.sub.2 following the injection of the fault Ft is generated earlier, at the end of a duration T.sub.2 after the previous pulse.

(24) Moreover, since the pulses of the pulse signals in this case have a duration of one clock signal cycle, this leads to shortening of the duration of the pulse IMP. In this case, the pulse IMP has a duration Δ equal to T.sub.1−T.sub.2.

(25) As the two timers CT.sub.1 and CT.sub.2 are continuously desynchronized, they will generate phase-offset output signals at a regular interval. In this case, the first signal SCT.sub.1 and the second signal SCT.sub.2 are phase-offset by one clock signal cycle.

(26) Upon detecting this phase offset, the comparator CMP will change the alarm signal ALM from its default state to its first state.

(27) The alarm signal may be delivered for example to a circuit for controlling the integrated circuit CI, which is configured so as to reset the integrated circuit CI when receiving the alarm signal in its first state.

(28) Security of the integrated circuit is thus ensured. It should be noted in this case that such a device DIS does not prevent the occurrence of a fault injection, but prevents operation of the integrated circuit CI from continuing in the event that a fault injection takes place.

(29) This approach allows the circuit to be protected using simple circuits.

(30) Furthermore, by dispensing with a monitoring clock signal, a protection device with improved reliability is obtained.

(31) FIG. 3 illustrates one particular embodiment of the comparator CMP, and FIG. 4 is a schematic plan view of an integrated circuit CI illustrating one exemplary layout of the various elements of the device DIS according to the embodiment of FIG. 3.

(32) In this embodiment, the comparator CMP includes a plurality of logic circuits CL.sub.j, in this case Exclusive OR logic gates, connected in cascade in a tree structure the root of which is coupled to the output terminal of the comparator.

(33) In this case, the inputs of a first logic gate CL.sub.1, of a second logic gate CL.sub.2 and of a third logic gate CL.sub.3 are coupled to the input terminals BE.sub.1 to BE.sub.6 of the comparator CMP, so as to receive the pulse signals SCT.sub.1 and SCT.sub.2, SCT.sub.3 and SCT.sub.4, SCT.sub.5 and SCT.sub.6, respectively.

(34) The output of the first logic gate CL.sub.1 and the output of the second logic gate CL.sub.2 are coupled in this case to the input of a fourth logic gate CL.sub.4, and the output of the third logic gate CL.sub.3 is coupled to the input of a fifth logic gate CL.sub.5. The second input of the fifth logic gate CL.sub.5 is coupled in this case to an input terminal BE.sub.7 of the comparator, so as to receive the pulse signal SCT.sub.7 from the seventh timer CT.sub.7.

(35) A sixth logic gate CL.sub.6 has its inputs coupled to the outputs of the fourth and fifth logic gates CL.sub.4 and CL.sub.5 and its output coupled to the output terminal BS of the comparator CMP. The logic gate CL.sub.6 therefore forms a terminal logic gate of the cascade tree.

(36) Each logic gate is thus configured so as to deliver a signal having a low state if the signals that it receives on its inputs are identical or not phase-offset, and so as to deliver the signal having a high state when the two signals that it receives on its inputs are different or phase-offset.

(37) For example, for the logic gates CL.sub.1 to CL.sub.3, when the pulse signals on their inputs are phase-offset, the signal on the output of the logic gate under consideration will be in a high state.

(38) If a phase offset is detected, the high state will be propagated to the subordinate logic gates (in this case CL.sub.4, CL.sub.5 or CL.sub.6), which will, for their part, generate a high state.

(39) The signal generated by the logic gate situated at the root of the tree, in this case the logic gate CL.sub.6, forms the alarm signal ALM, which is therefore in its default state, in this case a low state, if no phase offset has occurred, and in its first state, in this case a high state, if a phase offset has occurred.

(40) In FIG. 4, the timers CT.sub.i are distributed over the entire surface area of the integrated circuit, and are each coupled to the comparator CMP.

(41) Alternatively, it would be possible, as illustrated in FIG. 5, for the outputs of each of the logic gates to be coupled to the output terminal BS of the comparator CMP, for example via a logic module (not shown), making it possible to combine the outputs of all of the logic gates on the output terminal BS. Each signal delivered by a logic gate thus forms an alarm signal in this case.

(42) It would furthermore be possible, as illustrated in FIG. 6, for the logic circuits CL.sub.j of the comparator to be distributed over the entire surface area of the integrated circuit CI, so as to be closer to the timers CT.sub.i. This advantageously makes it possible to limit the lengths of connections between the detection elements in the circuit.

(43) According to one embodiment illustrated in FIG. 7, the logic circuits CL.sub.j, in this case logic gates, are connected in cascade in a series structure. Each logic circuit CL.sub.j thus has its output coupled to the input of the logic circuit CL.sub.j+1 that follows it in the series, with the exception of the terminal logic circuit CL.sub.6 the output of which is coupled to the output terminal BS of the comparator CMP.

(44) The comparator CMP includes an initial logic gate CL.sub.1, forming the first logic gate of the series of logic gates, and the inputs of which are coupled to the first timer CT.sub.1 and to the second timer CT.sub.2, and the output of which is coupled to a following logic gate CL.sub.2.

(45) All of the logic circuits CL.sub.j, with the exception of the initial logic circuit CL.sub.1, have a first input coupled to an output of a logic circuit CL.sub.j−1 preceding it in the series of logic circuits, and a second input coupled to a separate timer CT.sub.i.

(46) The terminal logic gate, in this case an Exclusive OR logic gate, is coupled to the output terminal BS of the comparator CMP and is configured so as to deliver the alarm signal ALM.

(47) All of the logic gates, with the exception of the terminal logic gate, are OR logic gates in this case.

(48) Each logic gate is thus configured so as to perform a comparison and so as to transmit, to the following logic gate, a signal containing information on the phase offset or absence of phase offset of the pulse signals that have already been compared.

(49) In this case, the information on the phase offset or absence of phase offset of the pulse signals is contained in the duration of the high states at the output of the OR logic gates.

(50) For example, if the first and second pulse signals SCT.sub.1 and SCT.sub.2 are not phase-offset, the initial logic gate will generate a pulse equivalent in duration to a pulse of the pulse signals generated by the timers.

(51) A high state at the output of an OR logic gate the duration of which is equal to the duration of a high state of a pulse of a pulse signal is therefore information that indicates an absence of phase offset.

(52) If the first and second pulse signals SCT.sub.1 and SCT.sub.2 are phase-offset in accordance with the illustration of FIG. 2, the initial logic gate CL.sub.1 will generate, at output, a pulse the duration of which is equal to the duration of a pulse of a pulse signal SCT.sub.i, plus the duration Δ, that is to say a duration of T.sub.1−T.sub.2 in this case.

(53) In this case, a high state at the output of a logic gate the duration of which is equal to the duration of a high state of a pulse of a pulse signal plus the duration Δ is information that indicates the presence of a phase offset.

(54) This additional duration Δ that forms information indicating that two signals have been phase-offset will be transmitted from one OR logic gate to another, whether or not another pulse signal exhibits a phase offset, as far as the terminal logic circuit CL.sub.6.

(55) When the terminal logic circuit compares the signals on its inputs, if no phase offset has occurred, the terminal logic circuit CL.sub.6, in this case an Exclusive OR logic gate, generates the alarm signal ALM having a low state.

(56) By contrast, if the two signals are phase-offset or if the two signals are pulses having different durations, then it will deliver the alarm signal ALM having a high state.
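
The FIG. 2 fault and the FIG. 7 series comparator can be checked with a small behavioural model. The following is an added example, not part of the patent; the sub-step resolution `SUB`, the function names and the fault time are assumptions chosen for illustration.

```python
# Added behavioural model, not code from the patent. Assumptions: time is
# discretised into SUB sub-steps per clock cycle; timers count rising edges.
SUB = 4   # sub-steps per clock cycle (modelling assumption)
N = 3     # pulse every N clock pulses, the value used in the description


def replica_edges(cycles, extra_edges=()):
    """Rising-edge times of one replica SH_i, plus constructed fault edges Ft."""
    return set(range(0, cycles * SUB, SUB)) | set(extra_edges)


def timer_output(edges, total_steps, n=N):
    """Timer CT_i: output rises on every n-th edge and falls on the next edge."""
    out, count, level = [], 0, 0
    for t in range(total_steps):
        if t in edges:
            count += 1
            level = 1 if count == n else 0
            if count == n:
                count = 0
        out.append(level)
    return out


def series_comparator(pulse_signals):
    """OR gates in series over all but the last timer, terminal XOR gives ALM."""
    *chained, last = pulse_signals
    or_chain = [int(any(sig[t] for sig in chained)) for t in range(len(last))]
    alarm = [o ^ l for o, l in zip(or_chain, last)]
    return or_chain, alarm


def high_runs(signal):
    """List of (start, length) for each high pulse in a sampled signal."""
    runs, start = [], None
    for t, v in enumerate(signal + [0]):
        if v and start is None:
            start = t
        elif not v and start is not None:
            runs.append((start, t - start))
            start = None
    return runs


def simulate(branches=7, cycles=12, faults=None):
    """faults maps a 0-based branch index to extra edge times on that branch."""
    faults = faults or {}
    total = cycles * SUB
    pulses = [timer_output(replica_edges(cycles, faults.get(i, ())), total)
              for i in range(branches)]
    or_chain, alarm = series_comparator(pulses)
    return pulses, or_chain, alarm


if __name__ == "__main__":
    _, _, quiet = simulate()
    pulses, or_chain, alarm = simulate(faults={1: [18]})  # Ft on SH_2
    print("fault-free ALM ever high:", any(quiet))
    print("SCT_1 pulses:", high_runs(pulses[0]))
    print("SCT_2 pulses:", high_runs(pulses[1]))
    print("OR chain    :", high_runs(or_chain))
    print("ALM high at :", high_runs(alarm))
```

With the constructed fault edge at sub-step 18, the pulse IMP of the second timer lasts 2 sub-steps (Δ = T.sub.1−T.sub.2 = 12−10), the OR chain output is widened to 4+2 sub-steps, and the later pulses of the two timers are offset by one full clock cycle.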

(57) In the example of FIG. 7, the logic circuits, with the exception of the terminal logic circuit, include OR gates.

(58) It would be possible however to contemplate other types of logic circuit, for example Exclusive OR gates.

(59) FIG. 8 schematically illustrates a plan view of an integrated circuit in which the device is in accordance with the embodiment of FIG. 7 described above and considered in a general manner with regard to the structure of the logic circuits CL.sub.i.

(60) The series coupling of the comparator elements advantageously allows better optimization of the occupation of the surface area of the integrated circuit CI, and makes it possible to avoid the signals from the logic gates travelling excessively long distances.

(61) FIG. 9 illustrates one variant of the embodiment described above with reference to FIGS. 7 and 8, wherein each logic circuit CL.sub.j is configured so as to generate an alarm signal ALM.

(62) According to this embodiment, each logic circuit comprises a plurality of logic gates. A person skilled in the art will know how to choose the appropriate logic circuit configuration according to the applications under consideration.

(63) The integrated circuit such as described above with reference to FIGS. 1 to 7 may be integrated into any type of system, such as for example a chip card CB such as the one illustrated in FIG. 10, or else into an electronic system of a motor vehicle VT such as the one illustrated in FIG. 11. Other examples of secure products include identity documents such as passports, tags for products such as printer cartridges, and others.

(64) While illustrated as a physical card in FIG. 10, it is understood that the chip card need not be an actual card. As an example, a SIM card for mobile phones or IoT devices may be replaced by a so-called “embedded SIM”, where the secured chip is directly soldered to the product board. The same soldered SIM circuits may be used in automotive applications for connectivity.