Patent Application
20090313424
This application claims priority from European Patent Application No. 08158260.3 filed Jun. 13, 2008, the entire disclosure of which is incorporated herein by reference.
The invention relates to a memory device, in particular a non-volatile memory device, comprising a memory array and a readout circuit and to a method for secure readout of protected data from such a memory device.
Non-volatile memory devices such as EEPROM, FLASH, ROM, FERRO-MEM, MRAM, HDD etc. and volatile memory devices such as static random access memory (SRAM) or dynamic random access memory (DRAM) devices are widely known for storing secret and non-secret data. Secret data is stored in many applications using passwords, keys and the like.
In conventional memory devices, the power consumption of the memory during reading a bit with the value 1 is slightly different from the power consumption during reading a bit with the value 0.
This results in the problem that upon reading the secure data, the measuring of the power consumption of the memory device can be used to obtain the secret data from the chip. This technique is called simple power analysis (SPA). If the power consumption is measured several times and average power consumption is calculated to suppress the random variations of the power consumption, the corresponding technique is called differential power analysis (DPA).
This type of attack is known since a long time and several proposals for preventing such attacks have been made. According to a first type of SPA/DPA protection, it has been proposed to try modifying a sense amplifying device of the memory device such that it has the same power consumption during reading 0's and reading 1's. A second proposal consists in doubling the memory and to use two chips, such that every bit may be written and read twice. In the first memory device, the bit value itself is stored and in the second memory device, its inverse value is stored, such that always one bit with the value 1 and one bit with the value 0 are read at the same time. As a consequence, the power consumption of entire structure can be made roughly independent on the memory content being read.
In the above mentioned first type of SPA/DPA protection, it has turned out to be very difficult to provide hardware having the same power consumption during reading 0's and 1's, since the power consumption profile can change with temperature, supply voltage and other external influences. If two memory devices are used, the unavoidable tolerances may result in a possible point for a DPA attack. Moreover, doubling all of the bits in a memory causes a significant increase of the area of the memory block.
In the most common applications, the memory device, e.g. a non-volatile memory device, is used to store non-secret data together with secret data. The efforts for protecting the readout of non-secure data against SPA/DPA attacks are unnecessary and result in an ineffective use of resources.
It is the object of the invention to provide a memory device enabling an effective prevention of SPA/DPA attacks while enabling an effective use of the resources.
The object is achieved in particular by a memory device according to claim 1 and by a method for reading out protected data according to claim 10.
A first aspect of the invention relates to a memory device comprising a memory array with multiple memory cells for storing bits of data. The memory cells are arranged in word lines and columns. The memory device further comprises a readout circuit for reading out data from the memory array. It is proposed to provide the non-volatile memory device with at least two sense amplifier devices, wherein the sense amplifier devices are connected to respectively different subsets of memory cells of one of the word lines.
In contrast to common memory devices, where each word line is associated to one sense amplifier for amplifying the signals from this word line, the invention proposes to divide the word line into two or more subsets of memory cells each being associated and connected to a respectively different sense amplifier. The provision of two or more sense amplifiers enables a simultaneous readout from the different subsets of memory cells of the word line. On the one hand, protected data may be read in a SPA/DPA-proof way provided that the protected data is stored in a first part of the word line, i.e. in memory cells belonging to a first subset of memory cells of the word line, and the inverse copy of the protected data is stored in the second part i.e. in a second subset of memory cells of the same word line, said part being associated to a different sense amplifier. On the other hand, non-protected data may be simultaneously read out from the different regions of the word line in order to accelerate the readout for the non-protected data. As a consequence the twofold readout structure may be effectively used also for non-protected data.
According to a preferred embodiment of the invention, the memory device is a non-volatile memory device, such as for example a FLASH memory device.
The SPA/DPA-proof readout may be executed if the readout circuit is configured to simultaneously read out one first data bit of a first part of the word line using a first sense amplifier and one second data bit from a second part of the same word line using a second sense amplifier and if the first data bit is protected data bit and the second data bit is an inverse copy of the first data bit.
Correspondingly, it is proposed that the different subsets of memory cells of one of the word lines include a first subset of protected memory cells for storing protected data bits and a second subset of protected memory cells for storing an inverse copy of the protected data bits. The protected memory cells may be constructed with reduced temperature sensitivity and/or reduced tolerances compared to non-protected memory cells.
A corresponding write circuit may be configured to always automatically write the bit value and its inverse. Alternatively, the write procedure may be implemented in the application software.
However, the protected and the non-protected data bits may also have the same semiconductor-structure.
In a particularly simple embodiment of the invention, at least a part of the word lines is divided into half word lines, and the two half word lines of one line constitute the different subset of memory cells of the word line being connected to different sense amplifier devices. In general, the entire memory may be divided into two halves each being connected to one of the sense amplifier devices.
Moreover, it is proposed that the memory array comprises a protected subset of memory cells for storing protected data and an inverse copy of the protected data and further comprises a non-protected subset of memory cells for storing non-protected data. The size of the protected part of the memory may then be adapted such that ineffective use of the resources may be avoided.
In a particularly favourable embodiment of the invention, it is proposed that the readout circuit is configured to simultaneously read out two bits of the non-protected data from the non-protected subset of the memory cells using the at least two sense amplifiers in an accelerated reading mode. In a normal reading mode, the readout circuit may be configured to sequentially read out the bits of non-protected data from a third subset of the memory cells by employing the at least two sense amplifiers sequentially or alternatingly.
Moreover, it is proposed that the memory device further comprises a control device for adapting the size of the protected and non-protected parts of the memory device dependent on the amount of protected data to be stored. The control device may be a computer comprising the non-volatile memory device, wherein the computer runs a secure application using some type of protected data. The application may adapt the size of the protected and non-protected parts of the memory cells depending in the size of the protected data.
In particular, the control device may adapt the size of the protected and non-protected subsets of the memory cells by allocating word lines of the memory array to the protected subset or to the non-protected subset of the memory cells.
A further aspect of the invention relates to a method for secure readout of protected data from a memory device comprising a memory array with multiple memory cells for storing bits of data. The memory cells are arranged in word lines and columns.
It is proposed that the method comprises simultaneously reading out data bits from different subsets of memory cells of one of the word lines using at least two sense amplifier devices. The sense amplifier devices are connected to these different subsets of memory cells of the same word line respectively.
In a particularly favourable embodiment of the method according to the invention, it is proposed that the protected data bits and an inverse copy of these protected data bits are simultaneously read out from the different subsets of memory cells of the same word line, e.g. in order to avoid possible SPA/DPA attacks.
Further characterizing features of the invention and the advantages thereof will become apparent from the following description of a preferred embodiment of the invention. The embodiment and the figures illustrating the embodiment show a particular combination of the characterizing features of the invention. However, the invention is not limited to this particular combination and may be easily adapted by the skilled person to be applied in different environments or applications by considering further combinations or sub-combinations of the characterizing features.
The protected data is stored together with other data in the non-volatile memory device.
According to the invention, the non-volatile memory device comprises two sense amplifier devices 22, 24, namely a left hand sense amplifier device 22 and a right hand sense amplifier device 24. The sense amplifier devices 22, 24 have the well-known structure of regenerative sense amplifiers including PMOS isolation transistors and are used to amplify the memory device's sense bit-lines-swings between 100 mV and 300 mV to the full swing voltage of between 2 and 3 V.
In the embodiment shown in
The readout circuit 20 is configured to simultaneously read out data bits from both halves of the same word line using the two sense amplifier devices 22, 24.
The readout circuit 20 is capable of performing the readout in three different operation modes. The first operation mode is a secure operation mode in which the readout circuit 20 reads out protected data bits from a first half of a word line and an inverse copy of the protected data bits from the second half of the protected word line using the two sense amplifiers 22, 24 simultaneously. In the secure mode, the readout circuit 20 always reads one bit with the value 1 and one bit with the value 0 simultaneously such that the total power consumption of the non-volatile memory device is independent of the bit-value of the protected data. As a consequence, SPA/DPA attacks are prevented.
The central processing unit 14 of the computer 10 of
In a corresponding write mode for secure writing, the control device may simultaneously write the bit values of the protected data and the inverse thereof to the different halves of the protected word lines.
In the schematic representation of
In a normal reading mode, the readout circuit 20 sequentially reads out the bits of the non-protected data from the non-protected subset of the memory cells using the two sense amplifiers. In the non-protected subset of the memory cells, the values of the bits being stored in the left halves of the word lines are independent of the values of the bits stored in the right halves of the word lines. The values of the non-protected Boolean variables are a0-an, and b0-bn in
The central processing unit 14 and the readout circuit 20 implement a method for secure readout of the protected data from the non-volatile memory device according to
In a third accelerated reading mode, the readout circuit 20 reads out bits from the two halves of the non-protected word lines (e. g. the values ak and am+k) using the two sense amplifier devices 22, 24 simultaneously and in parallel.
| Number | Date | Country | Kind |
|---|---|---|---|
| 08158260.3 | Jun 2008 | EP | regional |
