WO2010011399A2 - Methods and circuits for thwarting semi-invasive and non-invasive integrated circuit security attacks - Google Patents
- Publication number: WO2010011399A2 (PCT/US2009/043994)
- Authority: WO (WIPO (PCT))
- Prior art keywords
- integrated circuit
- circuitry
- secure integrated
- power supply
- secure
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/86—Secure or tamper-resistant housings
- G06F21/87—Secure or tamper-resistant housings by means of encapsulation, e.g. for integrated circuits
Definitions
- Integrated circuits used in applications such as financial transactions, personal medical information, and military use must be secure against unauthorized access. More specifically, it is desirable for such integrated circuits to be secure against security attacks by an unauthorized user, such as an attacker or intruder, having a chip in his or her possession and potentially having sophisticated resources at his or her disposal.
- FPGA field programmable gate array
- the programmable logic circuits of the FPGA may be generic and known.
- the FPGA bitstream program may represent a design that must be secure against unauthorized access. Therefore, such an FPGA bitstream program needs to be encrypted when stored outside the FPGA to avoid the design being copied. Thus, there is a need for a secure integrated circuit that thwarts such security attacks.
- the present invention relates to methods and systems for thwarting semi-invasive and non-invasive security attacks on an integrated circuit (IC).
- the methods and systems generally make reverse engineering, reconfiguration, and observation of the internal operations of the IC substantially more difficult, if not impossible.
- all or a portion of the IC is implemented utilizing P-type Metal-Oxide-Semiconductor (PMOS) ratioed logic.
- PMOS P-type Metal-Oxide-Semiconductor
- By using the PMOS ratioed logic, photo emissions are reduced and the photo emission Signal-to-Noise Ratio (SNR) is reduced, thereby making optical probing techniques, such as Picosecond Imaging Circuit Analysis (PICA) or Time Resolved Emission Microscopy (TRE), substantially more difficult, if not impossible.
- PICA Picosecond Imaging Circuit Analysis
- TRE Time Resolved Emission Microscopy
- the PMOS ratioed logic gates have a lower swing voltage than Complementary Metal-Oxide-Semiconductor (CMOS) gates, thereby increasing the difficulty of Laser Voltage Probing (LVP).
- CMOS Complementary Metal-Oxide-Semiconductor
- LVP Laser Voltage Probing
- PICA and LVP may involve receiving photo emissions produced by IC circuitry through the backside of the IC's semiconductor die. Long-channel circuits, stacked transistors, or both may also be used to further reduce the PICA SNR and to limit the power consumption of the PMOS circuits.
- differential circuits combined with a tight physical layout of adjacent complementary nodes may be utilized to make probing techniques such as PICA and LVP substantially more difficult, if not impossible.
- the differential circuits may also thwart power attacks due to consistent current draw.
- the layout of the differential circuits is such that spacing between complementary nodes is less than a specific spatial resolution of the probing techniques. For example, for an IC fabricated on a Silicon (Si) substrate, the optical probing spatial resolution is approximately 900 nanometers (nm), where the optical probing spatial resolution is a physical limitation resulting from the band gap of Si.
- the layout of the differential circuits may be designed such that the spacing between complementary nodes is less than 900 nm.
- the difficulty of optical probing begins to increase with spacing of approximately 1100 nm. As the spacing decreases, the difficulty of optical probing increases. At approximately 900 nm, the difficulty of optical probing reaches a point that begins to adequately thwart optical probing techniques.
- Long-channel circuits, stacked transistors, or both may also be used to further reduce the PICA SNR and to limit power consumption.
- Local node jamming may also be used to thwart good LVP signals. Local jamming can also arise from skewing the arrival times of the differential inputs to differential Cascode Voltage Switch Logic (CVSL) gates by causing temporary current flow in neighboring transistors.
- CVSL Cascode Voltage Switch Logic
- authentication and Input/Output (I/O) scrambling may be performed using one or more keys.
- the one or more keys are dynamically moving keys in order to complicate LVP attacks intended to obtain the one or more keys. More specifically, time-varying pseudo-random key storage after power-up may be used to provide the dynamically moving keys. By using the dynamically moving keys, an attacker is prevented from simply reading the one or more keys from the IC using LVP.
- the IC may include one or more intrusion detection and self-disable circuits for detecting attacks on the IC and disabling the IC in response thereto.
- Each intrusion detection and self-disable circuit may include one or more observation circuits.
- the one or more observation circuits may observe glitches or stopping of a clock provided to the IC as a type of security attack, changes in a power supply provided to the IC as a type of security attack, or the like.
- one or more monolithic capacitors are utilized to provide at least a temporary power supply for the one or more observation circuits when the power supply is disconnected from the IC.
- the temporary power supply enables the one or more observation circuits to, for example, record information to thereafter assist the intrusion detection and self-disable circuits in determining whether a security attack is being made upon the IC. If so, the intrusion detection and self-disable circuits may cause the IC to self-destruct or otherwise become inoperable.
- power supply ripple current variation reduction circuitry is used to minimize side channel information leakage, otherwise detection of input currents may be used to extract information about the IC. For example, by monitoring the power supply current of a field programmable gate array (FPGA) circuit or other circuit containing a decryption circuit, it may be possible to determine when some bits of the key have been successfully guessed.
- FPGA field programmable gate array
- power supply current confusion circuitry is used to minimize side channel information leakage, otherwise detection of input currents may be used to extract information about the IC state or keys.
- the power supply current confusion circuitry may minimize or eliminate an intruder's ability to differentiate between when an FPGA is being programmed or the relative accuracy of authentication keys that have been guessed. For instance, in a smart-card, guessing the PIN number may leave the power supply current draw behavior relatively unaffected.
- Figure 1 illustrates a Complementary Metal-Oxide-Semiconductor (CMOS) inverter according to the prior art.
- Figures 2A and 2B are graphs illustrating a first inverter output signal and a possible Picosecond Imaging Circuit Analysis (PICA) or a Laser Voltage Probing (LVP) probe signal of the CMOS inverter, respectively, illustrated in Figure 1.
- Figure 3 illustrates a secure Integrated Circuit (IC) according to one embodiment of the present invention.
- Figure 4A is a graph showing a relationship between minimum gate separation and semiconductor diffusion spacings versus various process technology modes.
- Figure 4B illustrates a ratioed P-type Metal-Oxide-Semiconductor (PMOS) inverter according to one embodiment of the present invention.
- Figure 4C illustrates a ratioed PMOS NOR gate according to one embodiment of the present invention.
- Figure 4D illustrates a ratioed PMOS NAND gate according to one embodiment of the present invention.
- PMOS P-type Metal-Oxide-Semiconductor
- Figures 5A and 5B are duplicates of Figures 2A and 2B, respectively, for clarity, and Figures 5C and 5D are graphs illustrating a second inverter output signal and a possible PICA or LVP probe signal of the ratioed PMOS inverter, respectively, illustrated in Figure 4B.
- Figures 6A and 6B illustrate a first differential NAND2 gate having a tight layout of complementary nodes in order to thwart semi-invasive and invasive attacks according to one embodiment of the present invention.
- Figure 7 illustrates a second differential NAND2 gate, which has a substantially PMOS implementation according to an alternate embodiment of the present invention.
- Figures 8A, 8B, 8C, 8D, and 8E are graphs illustrating signals associated with the first differential NAND2 gate illustrated in Figure 6A.
- Figure 9 illustrates a process for forming a Cascode Voltage Switch Logic (CVSL) netlist and automatic place and routed chip layout beginning with a single-ended register transfer layer (RTL) description of a single-ended logic netlist.
- Figure 10A illustrates a power supply system enabling power to be supplied to observation circuits that detect attacks on the secure IC after the main power supply has been disconnected according to one embodiment of the present invention.
- Figure 10B shows details of a power supply coupling circuit illustrated in Figure 10A.
- Figure 11 illustrates the power supply system according to an alternate embodiment of the present invention.
- Figure 12 shows details of the power supply system illustrated in Figure 11.
- Figures 13A and 13B illustrate an exemplary monolithic capacitor that can be used as a virtual power supply for retaining power for the observation circuits of the secure IC as discussed with respect to Figure 10A according to one embodiment of the present invention.
- Figures 14A and 14B graphically illustrate the operation of active circuits utilizing a virtual power supply after the main power supply of the secure IC has been disconnected according to one embodiment of the present invention.
- Figures 15A, 15B, 15C, 15D, and 15E illustrate different embodiments of power supply ripple current variation reduction circuitry and power supply current confusion circuitry.
- Figures 16A, 16B, 16C, and 16D illustrate details of different embodiments of the power supply ripple current variation reduction circuitry illustrated in Figure 15A.
- Figure 17 illustrates details of one embodiment of the power supply current confusion circuitry illustrated in Figure 15C.
- Figures 18A, 18B, 18C, and 18D are graphs illustrating timing relationships between a system clock and first, second, and Nth control signals, respectively, according to one embodiment of the present invention.
Detailed Description of the Preferred Embodiments
- the present invention relates to methods and systems for thwarting semi-invasive and non-invasive security attacks on an integrated circuit (IC).
- IC integrated circuit
- PMOS P-type Metal-Oxide-Semiconductor
- SNR photo emission Signal-to-Noise Ratio
- the PMOS ratioed logic gates have a lower swing voltage than Complementary Metal-Oxide-Semiconductor (CMOS) gates, thereby increasing the difficulty of Laser Voltage Probing (LVP).
- PICA and LVP may involve receiving photo emissions produced by IC circuitry through the backside of the ICs semiconductor die. Long-channel circuits, stacked transistors, or both may also be used to further reduce the PICA SNR and to limit power consumption.
- differential circuits combined with a tight physical layout of adjacent complementary nodes may be utilized to make probing techniques such as PICA and LVP substantially more difficult, if not impossible. These differential circuits also thwart power attacks due to steady current draw.
- the layout of the differential circuits is such that spacing between complementary nodes is less than a spatial resolution of the probing techniques. For example, for an IC fabricated on a Silicon (Si) substrate, the optical probing spatial resolution is approximately 900 nanometers (nm), where the optical probing spatial resolution is a physical limitation resulting from the band gap of Si. As such, the layout of the differential circuits may be designed such that the spacing between complementary nodes is less than 900 nm.
- the difficulty of optical probing begins to increase with spacing of approximately 1100 nm. As the spacing decreases, the difficulty of optical probing increases. At approximately 900 nm, the difficulty of optical probing reaches a point that begins to adequately thwart optical probing techniques.
- Long-channel circuits, stacked transistors, or both may also be used to further reduce the PICA SNR and to limit power consumption.
- Local node jamming may also be used to thwart good LVP signals. Local jamming can also arise from skewing the arrival times of the differential inputs to differential Cascode Voltage Switch Logic (CVSL) gates by causing temporary current flow in neighboring transistors.
- CVSL Cascode Voltage Switch Logic
- authentication and Input/Output (I/O) scrambling may be performed using one or more keys.
- the one or more keys are dynamically moving keys in order to complicate LVP attacks intended to obtain the one or more keys. More specifically, time-varying pseudo-random key storage after power-up may be used to provide the dynamically moving keys. By using the dynamically moving keys, an attacker is prevented from simply reading the one or more keys from the IC using LVP.
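The time-varying pseudo-random key storage described above, as an added model that is not code from the patent: the key is kept Boolean-masked and bit-rotated, and both the mask and the rotation are re-drawn from an on-chip PRNG every clock step, so the contents of the physical storage cells change continuously while the key read through the current mapping stays constant. The names (MovingKeyStore, xorshift32, cell_snapshots), the 32-bit width and the choice of xorshift as the PRNG are assumptions of this model.

```python
"""Model of dynamically moving key storage (added example, not patent code)."""

WIDTH = 32
MASK = (1 << WIDTH) - 1


def xorshift32(state: int) -> int:
    """One step of a full-period 32-bit xorshift generator, standing in for the
    on-chip PRNG (assumption). From a non-zero state it never returns the same state."""
    state &= MASK
    state ^= (state << 13) & MASK
    state ^= state >> 17
    state ^= (state << 5) & MASK
    return state


def rotl(x: int, n: int) -> int:
    """Rotate a WIDTH-bit word left by n positions."""
    n %= WIDTH
    return ((x << n) | (x >> (WIDTH - n))) & MASK


def rotr(x: int, n: int) -> int:
    """Rotate a WIDTH-bit word right by n positions."""
    return rotl(x, WIDTH - (n % WIDTH))


class MovingKeyStore:
    """Key register whose physical contents move every clock cycle."""

    def __init__(self, key: int, seed: int):
        if seed == 0:
            raise ValueError("xorshift must be seeded with a non-zero value")
        self._prng = seed
        self._remap(key & MASK)

    def _remap(self, key: int) -> None:
        """Draw a fresh mask and rotation and rewrite the storage cells."""
        self._prng = xorshift32(self._prng)
        self._mask = self._prng                   # Boolean mask for this cycle
        self._offset = self._prng & (WIDTH - 1)   # rotation for this cycle
        self._cells = rotl(key ^ self._mask, self._offset)

    def step(self) -> "MovingKeyStore":
        """One clock: the key is re-masked and moved in place."""
        self._remap(self.read_key())
        return self

    def read_key(self) -> int:
        """Logical key, as the authentication logic reads it through the current mapping."""
        return rotr(self._cells, self._offset) ^ self._mask

    def physical_cells(self) -> int:
        """What a probe of the fixed storage cells would observe at this instant."""
        return self._cells


def cell_snapshots(key: int, seed: int, cycles: int) -> list:
    """Physical cell contents over a number of clock cycles, for inspection."""
    store = MovingKeyStore(key, seed)
    snaps = [store.physical_cells()]
    for _ in range(cycles):
        snaps.append(store.step().physical_cells())
    return snaps


if __name__ == "__main__":
    # Constructed key and seed; the cells differ cycle to cycle, the key does not.
    for snap in cell_snapshots(0xDEADBEEF, 0x2545F491, 4):
        print(f"cells = {snap:08x}")
```

In this model the PRNG state (mask and offset) is itself secret material; the point the model demonstrates is only that a snapshot of fixed storage locations, taken at any one instant, is not the key.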
- the IC may include one or more intrusion detection and self-disable circuits for detecting attacks on the IC and disabling the IC in response thereto.
- Each intrusion detection and self-disable circuit may include one or more observation circuits.
- the one or more observation circuits may observe glitches or stopping of a clock provided to the IC as a type of security attack, changes in a power supply provided to the IC as a type of security attack, or the like.
- one or more monolithic capacitors are utilized to provide at least a temporary power supply for the one or more observation circuits when the power supply is disconnected from the IC.
- the temporary power supply enables the one or more observation circuits to, for example, record information to thereafter assist the intrusion detection and self-disable circuits in determining whether a security attack is being made upon the IC. If so, the intrusion detection and self-disable circuits may cause the IC to self-destruct or otherwise become inoperable.
- power supply ripple current variation reduction circuitry is used to minimize side channel information leakage, otherwise detection of input currents may be used to extract information about the IC. For example, by monitoring the power supply current of a smart-card circuit, it may be possible to determine when some portion of the key or PIN has been successfully guessed.
- Power supply ripple current variation reduction circuitry may minimize or eliminate an intruder's ability to differentiate between when an FPGA is being programmed with an FPGA load and when the FPGA is operating using the FPGA load.
- power supply current confusion circuitry is used to minimize side channel information leakage, otherwise detection of supply currents may be used to extract information about the IC.
- the power supply current confusion circuitry may minimize or eliminate an intruder's ability to differentiate between when an FPGA is being programmed with an FPGA bitstream and when the FPGA is operating using the FPGA successfully decrypted bitstream.
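The smart-card PIN example used above, as an added model that is not the patent's circuitry: a comparator that stops at the first mismatching digit draws a supply current whose shape depends on how much of the PIN was guessed correctly, while a comparator with state-independent power dissipation, or the same naive comparator behind current-confusion circuitry that switches in a compensating load, presents one trace for every guess. The current values are constructed units and the function names are assumptions.

```python
"""Supply-current leakage from a PIN comparator and two countermeasures
(added model, not the patent's circuitry)."""

I_ACTIVE = 10   # constructed: draw of a digit stage while it is comparing
I_IDLE = 1      # constructed: leakage-level draw once the comparator has stopped
CYCLES = 8      # constructed: trace length; a 4-digit PIN needs at most 4 compare cycles


def naive_trace(pin: str, guess: str) -> list:
    """Per-cycle supply current of a comparator that stops at the first mismatching digit.
    The number of high-current cycles reveals the length of the correctly guessed prefix."""
    trace = []
    comparing = True
    for cycle in range(CYCLES):
        if comparing and cycle < len(pin):
            trace.append(I_ACTIVE)
            if pin[cycle] != guess[cycle]:
                comparing = False        # early exit: later cycles draw only leakage
        else:
            trace.append(I_IDLE)
    return trace


def balanced_trace(pin: str, guess: str) -> list:
    """Comparator with constant power dissipation independent of circuit state: every
    digit is compared and the result is folded in at the end, so the trace is the same
    for every guess (the mismatch flag goes to the core, not to the trace)."""
    trace = []
    mismatch = 0
    for cycle in range(CYCLES):
        if cycle < len(pin):
            mismatch |= ord(pin[cycle]) ^ ord(guess[cycle])
            trace.append(I_ACTIVE)
        else:
            trace.append(I_IDLE)
    return trace


def confused_trace(pin: str, guess: str) -> list:
    """Naive comparator behind current-confusion circuitry (assumption: a compensating
    load draws whatever the logic does not), so the supply sees the same current every cycle."""
    return [logic + (I_ACTIVE - logic) for logic in naive_trace(pin, guess)]


def distinct_traces(trace_fn, pin: str, guesses) -> int:
    """How many classes an observer of the supply current could sort the guesses into."""
    return len({tuple(trace_fn(pin, g)) for g in guesses})


if __name__ == "__main__":
    pin = "1234"                                    # constructed PIN
    guesses = ["0000", "1000", "1200", "1230", "1234", "9999"]
    for fn in (naive_trace, balanced_trace, confused_trace):
        print(f"{fn.__name__:15s} distinguishable classes: {distinct_traces(fn, pin, guesses)}")
```

With the naive comparator the six constructed guesses fall into four distinguishable classes, one per correctly guessed prefix length; with either countermeasure they fall into a single class.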
- FIG. 1 illustrates a CMOS inverter 10 according to the prior art.
- the CMOS inverter 10 is a digital circuit and includes a first PMOS transistor element 12 and a first N-type Metal-Oxide-Semiconductor (NMOS) transistor element 14 coupled in series between a power supply V SUPPLY and ground.
- NMOS N-type Metal-Oxide-Semiconductor
- Gates of the first PMOS and the first NMOS transistor elements 12, 14 are coupled together and receive a first inverter input signal V INV1IN, and drains of the first PMOS and the first NMOS transistor elements 12, 14 are coupled together and provide a first inverter output signal V INV1OUT.
- Figures 2A and 2B are graphs illustrating the first inverter output signal V INV1OUT and a possible PICA or LVP probe signal V PROBE of the CMOS inverter 10, respectively, illustrated in Figure 1.
- When the first inverter input signal V INV1IN is a logic "0", the first inverter output signal V INV1OUT is a logic "1", such that the first PMOS transistor element 12 is in an ON state and the first NMOS transistor element 14 is in an OFF state.
- When the first inverter output signal V INV1OUT transitions from a logic "1" to a logic "0", the first PMOS transistor element 12 transitions from an ON state to an OFF state and the first NMOS transistor element 14 transitions from an OFF state to an ON state.
- current may flow simultaneously through both the first PMOS and NMOS transistor elements 12, 14 between the power supply V SUPPLY and ground, and current flows through the first NMOS transistor element 14 as circuit capacitances coupled to the drain of the first NMOS transistor element 14 are coupled to ground.
- These currents, which flow through the drain of the first NMOS transistor element 14, produce photo emissions, which may be detected through the backside of a semiconductor die providing the CMOS inverter 10, using PICA to produce the probe signal V PROBE as shown in Figure 2B.
- The peak current when the first inverter output signal V INV1OUT transitions from a logic "0" to a logic "1" may be significantly smaller than the peak current through the first NMOS transistor element 14 when the first inverter output signal V INV1OUT transitions from a logic "1" to a logic "0".
- As a result, the magnitude of the probe signal V PROBE may be significantly smaller on rising edges of the first inverter output signal V INV1OUT.
- An intruder using PICA may be able to accurately detect and reproduce the first inverter output signal V INV1OUT.
- Some embodiments of the present invention relate to making signals undetectable using PICA or LVP, to making it difficult or impossible to discern rising edges from falling edges of signals, or both.
- FIG. 3 illustrates a secure IC 16 according to one embodiment of the present invention.
- the secure IC 16 includes one or more core circuits 18 protected by one or more authentication circuits 20, one or more scrambled I/O circuits 22, and one or more intrusion detection and self-disable circuitry 24.
- the core circuits 18 may include an FPGA or a nonvolatile memory that stores an FPGA bitstream program, be used in a "smart card", or the like.
- the present invention is not limited thereto.
- the core circuits 18 are protected by the authentication circuits 20.
- the authentication circuits 20 require that a correct programming code, or key, be entered into the authentication circuits 20 before the core circuits 18, the scrambled I/O circuits 22, or both, are enabled to function properly.
- the authentication circuits 20 contain pre-programmed unique codes, set during manufacturing or at some other time by, for example, burning fuses. Note that if the secure IC 16 is mass produced, each instance, or individual IC, of the secure IC 16 is preferably programmed with a different code.
- encrypted data or a decryption key is entered into the authentication circuits 20 from an external device. When the encryption of the data or the decryption key matches the code contained in the authentication circuits 20, or is otherwise authenticated against the code contained in the authentication circuits 20, the external device is authenticated.
- the core circuits 18, the scrambled I/O circuits 22, or both are enabled to function properly.
- the I/O scrambling will match the values expected by the external device with which the secure IC 16 is communicating. If the external device is not authenticated, the core circuits 18 will function incorrectly and the I/O scrambling will appear to be a random pattern. In this mode, the device will not communicate properly with the board or system and is thus disabled.
- the core circuits 18 may be an FPGA.
- the authentication circuits 20 decode encrypted data that is entered through an authentication programming path. If the decryption key for the encrypted data matches the code contained in the authentication circuits 20, the FPGA functions as intended. If the decryption key does not match the code contained in the authentication circuits 20, the FPGA is programmed with an incorrect configuration.
- the FPGA may be programmed with an arbitrary configuration.
- the scrambled I/O circuits 22 are programmed similarly. If the programming code does not set the scrambled I/O circuits 22 to the expected configuration after being decoded, the scrambled I/O circuits 22 output an essentially pseudo-random pattern rather than the intended pattern.
- the scrambled I/O circuits 22 appear to the external device to be behaving normally and there is no specific "decoded correctly" signal for a possible attacker to tie off or monitor in order to circumvent the authentication scheme.
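The authentication-gated I/O scrambling described above, as an added model that is not the patent's circuit: the programming code is folded into the scrambler configuration instead of being compared against the fused code, so the design holds no "decoded correctly" flag that could be tied off or monitored; a wrong code simply leaves the port in a configuration the external device cannot undo. The class and function names, the 8-bit port, the constructed EXPECTED_CONFIG value and the permutation-plus-mask scrambler are assumptions.

```python
"""Model of authentication-gated scrambled I/O (added example, not patent code)."""

import random
from typing import List

PORT_BITS = 8
EXPECTED_CONFIG = 0x5A3C96F1   # constructed: the configuration the board expects (assumption)


def derive_permutation(config: int) -> List[int]:
    """Bit-lane permutation of the port, derived from the upper config bits."""
    perm = list(range(PORT_BITS))
    random.Random(config >> 8).shuffle(perm)
    return perm


def derive_mask(config: int) -> int:
    """Output inversion pattern, taken from the low config byte."""
    return config & 0xFF


def permute(byte: int, perm: List[int]) -> int:
    """Move bit src of byte to position perm[src]."""
    out = 0
    for src, dst in enumerate(perm):
        if (byte >> src) & 1:
            out |= 1 << dst
    return out


def invert(perm: List[int]) -> List[int]:
    inv = [0] * PORT_BITS
    for src, dst in enumerate(perm):
        inv[dst] = src
    return inv


class ScrambledIo:
    """Chip side: a scrambler whose configuration is decoded from the programming code."""

    def __init__(self, fused_code: int):
        self._fused_code = fused_code & 0xFFFFFFFF   # burned at manufacture, unique per die
        self.program(0)                               # unprogrammed: some arbitrary configuration

    def program(self, programming_code: int) -> None:
        # Decode only; no comparison and no success flag anywhere in the circuit.
        config = (programming_code ^ self._fused_code) & 0xFFFFFFFF
        self._perm = derive_permutation(config)
        self._mask = derive_mask(config)

    def send(self, byte: int) -> int:
        return permute(byte & 0xFF, self._perm) ^ self._mask


class ExternalDevice:
    """Board side: knows only the configuration a correctly programmed chip presents."""

    def __init__(self, expected_config: int = EXPECTED_CONFIG):
        self._inv = invert(derive_permutation(expected_config))
        self._mask = derive_mask(expected_config)

    def receive(self, wire_byte: int) -> int:
        return permute(wire_byte ^ self._mask, self._inv)


def link_works(chip: ScrambledIo, board: ExternalDevice) -> bool:
    """True only if every byte crosses the scrambled port intact."""
    return all(board.receive(chip.send(b)) == b for b in range(256))


if __name__ == "__main__":
    fused = 0xC0FFEE42                               # constructed per-chip code
    chip, board = ScrambledIo(fused), ExternalDevice()
    chip.program(fused ^ EXPECTED_CONFIG)            # correct programming code
    print("correct code, link works:", link_works(chip, board))
    chip.program((fused ^ EXPECTED_CONFIG) ^ 0x01)   # one wrong bit
    print("wrong code, link works:", link_works(chip, board))
```

The only observable difference between the two cases is whether the board can make sense of the traffic; the chip itself exposes no state that distinguishes them.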
- the core circuits 18 may provide storage for a "smart card” that electronically stores a person's vital information in encrypted form. This vital information may be, for example, credit card information, bank account information, health related information, social security number, or the like. Until the scrambled I/O circuits 22 and authentication circuits 20 are successfully programmed, the information is effectively locked inside the core circuits 18 of the secure IC 16 in encrypted form. Note that the secure IC 16 may be used for various types of applications.
- a "smart card” is an example and is not intended to limit the scope of the present invention.
- the secure IC 16 may be used in any application where the owner or manufacturer of the secure IC 16 wants to prevent or thwart reverse engineering, reconfiguration, or observation of the internal operations of the secure IC 16.
- the essentially random functionality of the core circuits 18 and the scrambled I/O circuits 22 when the external device is not authenticated gives the attacker relatively little data with which to control a systematic attack on the authentication circuits 20. However, if an attacker with sufficient resources has full knowledge of the authentication and the scrambled I/O circuits 20 and 22, the attacker may then use sophisticated debug methods to observe, modify, or observe and modify the internal operations of the secure IC 16.
- FIB focused ion beam
- PICA Picosecond Imaging Circuit Analysis
- LVP Laser Voltage Probing
- methods and circuits are also provided to make various types of semi-invasive and non-invasive attacks such as those using PICA, LVP, power supply movement, clock glitching or stopping more difficult, if not impossible.
- the intrusion detection and self-disable circuitry 24 generally operates to detect attacks on the secure IC 16 and disable the secure IC 16 in response thereto. More specifically, the intrusion detection and self-disable circuitry 24 may include multiple copies of the same intrusion detection and self-disable circuit distributed on the secure IC 16, where each copy of the intrusion detection and self-disable circuit is located at a different location on the secure IC 16. The intrusion detection and self-disable circuitry 24 may include one or more observation circuits for observing actions consistent with attacks directed towards authentication and attacks using semi-invasive or non-invasive probing techniques.
- the one or more observation circuits include clock glitch or stopping observation circuits, power supply movement observation circuits, and observation circuits to determine when unsuccessful authentication attempts are being made. Note that, due to their nature, these attacks take considerable time. For example, it is desirable for the secure IC 16 to be able to determine if unsuccessful authentication attempts are being made. If so, the secure IC 16, and more specifically the intrusion detection and self-disable circuitry 24, can take an appropriate response such as, for example, self-destruction. For instance, if a fixed number of unsuccessful authentication attempts have been made, the secure IC 16 may trigger circuits that render the secure IC 16 permanently non-operational.
- the intrusion detection and self-disable circuitry 24 may have thicker gate oxides than the core circuits 18 to minimize power loss due to leakage currents. Further, the intrusion detection and self-disable circuitry 24 may have higher threshold voltages than the core circuits 18 to minimize power loss due to leakage currents. Additionally, the intrusion detection and self-disable circuitry 24 may operate with a supply voltage below about 250 millivolts.
- However, a typical IC, when powered up, does not know how long it has been since the last time it was powered up, or if the power is being cycled to allow repeated security attacks. Another attack method is to look at the circuit power to determine a circuit state.
- the secure IC 16 has internal observation circuits that can remain powered up, at least temporarily, when an external power supply V DDIO to the secure IC 16 is removed so that the event can be registered in some form of non-volatile memory. For instance, when the external power supply V DDIO is removed, the internal observation circuit may check if successful operations (showing a successful authentication) were made before the removal of the external power supply V DDIO. If not, the internal observation circuit can register this fact in a non-volatile storage.
- the authentication circuits 20 of the secure IC 16 may have constant power dissipation independent of the circuit state. Such internal observation and authentication circuits will successfully mitigate the two most common forms of power attacks.
- the secure IC 16 may receive power through any number of external power supply inputs from any number of external power supplies, which may be at different voltages.
- the term external power supply V DDIO is used throughout this document to represent any external power supply providing power to the secure IC 16 at its appropriate voltage.
- the secure IC 16 may implement one or more of the following defense mechanisms, which are discussed below in more detail:
  1. Defense Mechanisms Related to Authentication Start-up Cycle:
     a) Distributed fuses to count failed attempts;
     b) Short authentication/programming interval before IC self-destruct; and
     c) Distributed self-destruct circuits to disable the core power supply.
- each of these defense mechanisms may be used alone or in combination with one or more of the other defense mechanisms.
- Defense mechanisms related to authentication start up cycle are presented.
- the authentication circuits 20 require that a correct programming code, or key, be entered into the authentication circuits 20 before the core circuits 18, the scrambled I/O circuits 22, or both are enabled to function properly.
- a typical circuit would not be capable of determining a number of failure attempts that had previously occurred.
- the intrusion detection and self-disable circuitry 24 may include observation circuits that observe failed authentication attempts. In response, the intrusion detection and self-disable circuitry 24 utilize a persistent storage mechanism to record the failed authentication attempts.
- the persistent storage mechanism is formed by a number of fuses distributed over the secure IC 16. When a failed authentication attempt is detected, a fuse is burned. When a predetermined number of failed authentication attempts have been recorded, the intrusion detection and self-disable circuitry 24 operate to disable the secure IC 16 via, for example, a self-destruct mechanism.
- the secure IC 16 may utilize a short authentication/programming interval before being self-disabled. More specifically, after a relatively small number of failed authentication attempts, the intrusion detection and self-disable circuitry 24 may self-disable the secure IC 16.
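The three mechanisms described above, the distributed one-time fuses that count failed authentication attempts across power cycles, the short authentication window after power-up, and the capacitor-backed observation circuit that records a power-down with no successful authentication, as one added model that is not the patent's circuit. The class names, the failure limit of four, the window of eight clock cycles, and the use of a constant-time comparison as a software stand-in for the constant-power comparator are assumptions.

```python
"""Model of intrusion detection with fused failure counting and self-disable
(added example, not patent code)."""

import hmac


class FuseBank:
    """One-time-programmable fuses distributed over the die: a burned fuse can never
    be cleared, so the failure count survives removal of the supply."""

    def __init__(self, count: int):
        self._burned = [False] * count

    def burn_next(self) -> None:
        for i, burned in enumerate(self._burned):
            if not burned:
                self._burned[i] = True
                return
        # every fuse already burned: the count saturates

    def burned(self) -> int:
        return sum(self._burned)


class IntrusionMonitor:
    """Intrusion detection and self-disable logic driven by the fuse bank."""

    def __init__(self, fuses: FuseBank, expected_code: bytes,
                 max_failures: int = 4, auth_window: int = 8):
        self._fuses = fuses
        self._expected = expected_code        # stands in for the fused-in code
        self._max_failures = max_failures
        self._window = auth_window            # clock cycles allowed for authentication
        self.authenticated = False
        self.cycles = 0

    @property
    def disabled(self) -> bool:
        """Self-disable latches permanently once the fused count reaches the limit."""
        return self._fuses.burned() >= self._max_failures

    def power_up(self) -> None:
        self.authenticated = False
        self.cycles = 0

    def clock(self) -> None:
        """One system clock; an expired window with no authentication is a failure."""
        self.cycles += 1
        if not self.authenticated and self.cycles == self._window:
            self._record_failure()

    def authenticate(self, presented: bytes) -> bool:
        """Accept the programming code only while enabled and inside the window."""
        if self.disabled or self.cycles >= self._window:
            return False
        # compare_digest: software analogue of a comparator whose work does not depend on the data
        if hmac.compare_digest(presented, self._expected):
            self.authenticated = True
            return True
        self._record_failure()
        return False

    def observe_clock(self, glitched: bool) -> None:
        """Clock glitch or stop observation circuit: treated as an attack."""
        if glitched:
            self._record_failure()

    def power_down(self) -> None:
        """Capacitor-backed observation circuit: runs briefly after V DDIO is removed and
        records a power-down that happened before any successful authentication."""
        if not self.authenticated:
            self._record_failure()

    def _record_failure(self) -> None:
        self._fuses.burn_next()


if __name__ == "__main__":
    fuses = FuseBank(8)                                   # constructed: eight distributed fuses
    monitor = IntrusionMonitor(fuses, b"secret-code")     # constructed code
    monitor.power_up()
    for guess in (b"guess-1", b"guess-2"):
        monitor.authenticate(guess)
    monitor.power_down()                                   # no success before removal
    monitor.power_up()
    for _ in range(8):
        monitor.clock()                                    # window expires unauthenticated
    print("fuses burned:", fuses.burned(), "disabled:", monitor.disabled)
```

Because the count lives in fuses rather than in volatile state, cycling the supply between attempts does not reset it, which is the property the text contrasts with a typical IC that cannot tell how many failures preceded the current power-up.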
- distributed diodes may be used to connect the power supply to the core circuits 18, the authentication circuits 20, the scrambled I/O circuits 22, and the intrusion detection and self-disable circuitry 24.
- an attacker cannot disable the power supply by editing a single diode out of the circuit. Since the likelihood of success in any combination of circuit modifications, using for instance FIB equipment, diminishes rapidly with each additional modification, it will be very difficult to disable all of the protection circuits.
- PMOS devices and PMOS ratioed logic may be used in order to impede chip hacking and reverse engineering of logic states.
- the primary concerns addressed here are defeating PICA and LVP, both of which gather waveforms from an operating chip by observing the back side of the die optically.
- PICA watches the light emitted from currents flowing through "on" transistors to detect transitions, while LVP observes the polarity of laser light reflected back from the drains of transistors to observe voltage levels.
- LVP and PICA have a limited optical resolution.
- the lens would need to be about 40 nm from the nodes to be viewed.
- the distance to the lens is about a factor of 10 smaller than the resolution of the nodes one is trying to discern.
- Figure 4A is a graph showing a relationship between minimum gate separation and minimum semiconductor diffusion spacings versus various process technology modes. Since the energy band gap of silicon (Si) dictates the optical resolution of LVP and PICA, as technology progresses and dimensions associated with technology modes decrease, the techniques provided by the present invention will become more effective at minimizing the effectiveness of LVP and PICA.
- One purpose of limiting the authentication time and including self-destruct circuitry on the protected IC is to limit the time available to an attacker to gather optical signals which might betray key information.
- NMOS drain nodes emit few photons per second, on the order of one photon per 100,000 switching events.
- PMOS transistors have much lower photon emission, on the order of 10,000 times less.
- PICA optical probing techniques
- PICA specifically observes hot electron effects, which are much less common in PMOS transistors.
- utilizing PMOS-only circuits may be used to substantially increase the difficulty level of PICA.
- PMOS ratioed gates have a smaller peak current.
- the smaller peak current also reduces the maximum light emitted, thereby further increasing the difficulty level of PICA. Since hot electron effects are directly proportional to the current, the current can be considered as being directly proportional to the PICA signal strength, i.e., the number of photons emitted over time. Additionally, ratioed PMOS circuits have constant DC currents. The constant DC currents produce a reduced SNR (since the noise floor is no longer quiet), thereby further increasing the difficulty of PICA.
- the currents through the PMOS ratioed gates are determined primarily by the size of the load devices. Since the switching device must be larger than the load device to maintain noise margin, the load device limits the current in the ON state. In the OFF state, the leakage through the switching device limits the current, but the current during the OFF state is much smaller than the current during the ON state. Increasing the size of the switching device changes the voltage levels and signal swing, but has a minimal effect on the currents. The peak current can be reduced by reducing the width-to-length ratio of the load transistor. However, reducing the width-to-length ratio below minimum width requires increasing the transistor length. Note that since photoemission is based on the electric fields within the devices, longer channels may be used to further lower the transistor photoemission levels.
- FIG. 4B illustrates a PMOS ratioed inverter 26 according to one embodiment of the present invention.
- the PMOS ratioed inverter 26 is a digital circuit and includes the first PMOS transistor element 12 and a PMOS load transistor element 28 coupled in series between the power supply V_SUPPLY and ground.
- Gates of the first PMOS transistor element 12 and the PMOS load transistor element 28 are coupled together and receive a second inverter input signal V
- the following table compares values for the CMOS inverter 10 (Figure 1) having a 1.5:1 PMOS to NMOS ratio to the PMOS ratioed inverter 26 having a 6:1 switching to load ratio, each of which is implemented in a low power foundry 130 nm technology.
- the PFET switching transistor is the same size (720 nm wide and 100 nm long) for both gates.
- the PMOS ratioed inverter 26 reduced the peak current by about one order of magnitude, and increased the off current by a factor of four. This reduces the PICA SNR by about 40, thereby making PICA more difficult.
- PMOS ratioed logic is used to obscure or confuse optical probing through the backside of the secure IC 16.
- FIGs 4C and 4D illustrate a PMOS ratioed NOR gate 30 and a PMOS ratioed NAND gate 34, respectively, according to one embodiment of the present invention.
- the PMOS ratioed NOR gate 30 includes the first PMOS transistor element 12, a second PMOS transistor element 32, and the PMOS load transistor element 28 coupled in series between the power supply V_SUPPLY and ground.
- the gate of the first PMOS transistor element 12 receives a NOR B input signal V_NORBIN and the gate of the second PMOS transistor element 32 receives a NOR A input signal V_NORAIN.
- the drains of the first PMOS transistor element 12 and the PMOS load transistor element 28 are coupled together and provide a NOR output signal V_NOROUT, which is a logic "0" whenever either the NOR A input signal V_NORAIN, the NOR B input signal V_NORBIN, or both, is a logic "1".
- the PMOS ratioed NAND gate 34 includes the first PMOS transistor element 12 and the second PMOS transistor element 32 coupled in parallel, and the PMOS load transistor element 28 coupled in series with the parallel combination of the first PMOS transistor element 12 and the second PMOS transistor element 32 between the power supply V_SUPPLY and ground.
- the gate of the first PMOS transistor element 12 receives a NAND A input signal V_NANDAIN and the gate of the second PMOS transistor element 32 receives a NAND B input signal V_NANDBIN.
- the drains of the first PMOS transistor element 12 and the PMOS load transistor element 28 are coupled together and provide a NAND output signal V_NANDOUT, which is a logic "0" whenever the NAND A input signal V_NANDAIN and the NAND B input signal V_NANDBIN are both a logic "1".
- the PMOS ratioed NOR and NAND gates 30, 34 have substantially reduced on currents as compared to their CMOS counterparts, thus reducing the PICA SNR and making PICA more difficult.
- Figures 5A and 5B are duplicates of Figures 2A and 2B, respectively, for clarification, and Figures 5C and 5D are graphs illustrating the second inverter output signal V
- the second inverter output signal V INV2OUT illustrated in Figure 5C shows about one-half a voltage swing of the first inverter output signal V
- differential circuits having tight layout of complementary nodes are presented below. According to one embodiment of the present invention, differential circuits, such as CVSL circuits, may be designed having a tight layout of complementary nodes such that optical probing techniques are made substantially more difficult, if not impossible.
- CVSL circuits consume substantially less power at equal frequencies of interest for these applications than PMOS-only circuits or PMOS ratioed circuits and are therefore preferable for larger circuits.
- differential circuits such as CVSL circuits may be used for circuits outside the authentication or programming loop, i.e., the I/O encryption. Note that while the following discussion is focused on CVSL, other types of differential logic may be used.
- CVSL can be laid out with sufficient density to provide both the positive and negative differential signals to the semi-invasive probes, rendering them unusable.
- CVSL security circuits are designed to have layouts where their differential nodes and transistors are densely interleaved such that both the positive and negative nodes and transistors are within the spatial resolution of the optical probing techniques. For PICA and LVP through a Silicon (Si) substrate, the spatial resolution may be approximately 900 nm.
- the transistors are spaced closely together so that any photonic emissions from current flow cannot be traced back to a single gate.
- the diffusion nodes are placed close together to thwart probing such as LVP, which relies upon the state of the node.
- the spatial resolution is based on the physics of the transmission through Si, and is a physical parameter of the Si band gap. As such, it is unlikely that this method of jamming PICA and LVP probing will fall to future innovative optical approaches. Nearby jamming circuits can also be employed as desired.
- CVSL has excellent speed and low power capabilities. This greatly widens the applicable circuit applications that may be implemented in the secure IC 16.
- FIGS 6A and 6B illustrate a schematic and layout implementation 68 of a first buffered CVSL NAND2 gate 38, respectively, according to one embodiment of the present invention.
- the first buffered CVSL NAND2 gate 38 is formed by first, second, third, fourth, fifth, and sixth PMOS transistor elements 12, 32, 40, 42, 44, 64 and second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, and eleventh NMOS transistor elements 46, 48, 50, 52, 54, 56, 58, 60, 62, 66 arranged as shown.
- the second and the eleventh NMOS transistor elements 46, 66 may be represented as M1 and M2, respectively.
- first, second, third, fourth, fifth, and sixth PMOS transistor elements 12, 32, 40, 42, 44, 64 may be represented as M5, M6, M7, M8, M3, and M4, respectively.
- Differential input signals include a non-inverted A side A, an inverted A side /A, a non-inverted B side B, and an inverted B side /B (a leading slash denotes the inverted side of a differential pair).
- Differential output signals include a non-inverted output signal OUT and an inverted output signal /OUT.
- Internal differential signals include a non-inverted internal signal X and an inverted internal signal /X.
- the non-inverted output signal OUT is a logic "0" and the inverted output signal /OUT is a logic "1" when the non-inverted A side A and the non-inverted B side B are both a logic "1", and the inverted A side /A and the inverted B side /B are both a logic "0". Otherwise, the non-inverted output signal OUT is a logic "1" and the inverted output signal /OUT is a logic "0".
- the first and the second PMOS transistor elements 12, 32 would be omitted and the sources of the third and the fourth PMOS transistor elements 40, 42 would be coupled to a power supply; the third and the fourth NMOS transistor elements 48, 50 would be omitted; and the eighth and the tenth NMOS transistor elements 58, 62 would be omitted and the sources of the seventh and the ninth NMOS transistor elements 56, 60 would be coupled to ground.
- any transition in the first buffered CVSL NAND2 gate 38 will balance the number of complementary drains being transitioned, thereby allowing symmetrical layout jamming to be done. Therefore, the four stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 may be arranged to closely couple the top drain of each stack close to one another.
- the arrangement may be rectangular or square having an interweaving between non-inverting drains and inverting drains.
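The two properties claimed for the buffered CVSL NAND2 gate, the truth table above and the balanced number of complementary drains toggled on every transition, can be checked at the signal level. The following is an added example, not code from the patent: it models only the logic of the differential node pairs (A, /A, B, /B, the internal pair X, /X and the output pair OUT, /OUT), not the transistor topology of Figure 6A, and the "probe spot" is simply a count of high nodes inside a window that covers one complementary pair, which is what the tight layout is meant to force on a PICA or LVP probe with a 900 nm spot.

```python
"""Signal-level model of a buffered differential (CVSL) NAND2 gate.

Added example; not code from the patent. Only the logic of the differential
node pairs is modelled: inputs A, /A, B, /B, the internal pair X, /X and the
output pair OUT, /OUT (a leading slash marks the inverted side). The
transistor topology of Fig. 6A is not represented.
"""
from itertools import product

# Complementary node pairs that the tight layout places inside one probe spot.
NODE_PAIRS = (("X", "/X"), ("OUT", "/OUT"))


def cvsl_nand2(a, b):
    """Return the level (0/1) of every node for single-ended inputs a, b.

    Per the text: OUT = 0 and /OUT = 1 only when A = B = 1, otherwise
    OUT = 1 and /OUT = 0. The internal pair X, /X is assumed to carry the
    same NAND result ahead of the output buffer.
    """
    x = 0 if (a and b) else 1
    return {"A": a, "/A": 1 - a, "B": b, "/B": 1 - b,
            "X": x, "/X": 1 - x, "OUT": x, "/OUT": 1 - x}


def toggled(before, after):
    """Set of node names whose level changes between two input states."""
    return {n for n in before if before[n] != after[n]}


def transition_is_balanced(before, after):
    """Each complementary pair toggles as a unit: both drains or neither."""
    t = toggled(before, after)
    return all((p in t) == (q in t) for p, q in NODE_PAIRS)


def probe_spot_level(nodes, pair):
    """Number of high nodes inside a probe spot that covers a whole pair.

    The spot (about 900 nm for PICA/LVP through Si, per the text) covers
    both sides of the pair, so it integrates one high and one low node
    whatever the data is.
    """
    return sum(nodes[n] for n in pair)


def audit_all_transitions():
    """Enumerate all 16 (from, to) input combinations.

    Returns how many transitions were balanced, the set of levels a
    pair-covering probe spot could observe, and, for contrast, the set of
    levels a spot on a single-rail gate's lone OUT node would observe.
    """
    states = {(a, b): cvsl_nand2(a, b) for a, b in product((0, 1), repeat=2)}
    report = {"transitions": 0, "balanced": 0,
              "pair_spot_levels": set(), "single_rail_levels": set()}
    for s0, s1 in product(states, repeat=2):
        report["transitions"] += 1
        report["balanced"] += int(transition_is_balanced(states[s0], states[s1]))
        for pair in NODE_PAIRS:
            report["pair_spot_levels"].add(probe_spot_level(states[s1], pair))
        report["single_rail_levels"].add(states[s1]["OUT"])
    return report


if __name__ == "__main__":
    print(audit_all_transitions())
```

The contrast in the report is the point of the layout rule: a spot that resolves only the single-rail OUT node sees levels that track the data, while a spot that is forced to cover both drains of a pair sees the same level on every cycle. The model says nothing about emission intensity or timing skew, which is why the text still requires the observation circuits to act before an attacker can accumulate enough signal.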
- Figure 6B illustrates a layout implementation 68 of the first buffered CVSL NAND2 gate 38 illustrated in Figure 6A.
- Gates 70, sources 72, and drains 74 of the second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, and eleventh NMOS transistor elements 46, 48, 50, 52, 54, 56, 58, 60, 62, 66 are shown.
- the second and the eleventh NMOS transistor elements 46, 66 are split to create four different drains 74 to facilitate interweaving of complementary drains 74.
- Drain edges 76 of the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 and the second and eleventh NMOS transistor elements 46, 66 may have a particularly high concentration of "hot" electron caused photon emissions that may contribute to PICA signals. Therefore, the drain edges 76 may be coupled together as closely as possible.
- Drain regions 78 are rectangles that capture the drains 74 of the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 and the second and the eleventh NMOS transistor elements 46, 66. Each drain region 78 may have a width 80 and a length 82.
- the width 80 of the drain regions 78 that capture the drains 74 of the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 and the second and the eleventh NMOS transistor elements 46, 66 may be on the order of about 700 nm and the length 82 of the drain regions 78 that capture the drains 74 of the stacked transistor pairs 48/50, 52/54, 56/58, and
- Each drain region 78 has a first set of opposite corners and a second set of opposite corners, and may include four drains, such that drains 74 in the first set of opposite corners are complementary to drains in the second set of opposite corners, as shown.
- the gates 70 may be longer than normal to reduce "hot" electron caused optical photon emissions. Further, the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 may be arranged to skew arrival times of complementary signals, which may cause false current conduction and jam the real signals from detection.
- each drain 74 along the width 80 may be less than about 200 nm and each drain 74 along the length 82 may be less than about 420 nm.
- Alternate embodiments of the present invention may include other buffered CVSL gates having one or more groups of complementary drains, such that the complementary drains in each group are in close proximity to one another. Further, any transition in a buffered CVSL gate may result in a balanced number of complementary drains 74 being transitioned. Additionally, a buffered CVSL gate may have one or more drain regions 78, such that each drain region 78 has a first set of opposite corners and a second set of opposite corners, and may include four drains 74, such that drains 74 in the first set of opposite corners are complementary to drains 74 in the second set of opposite corners.
- the secure IC 16 may use differential circuitry other than CVSL circuitry, and the differential circuitry is layout balanced between photon emissions from complementary signal nodes to obscure or confuse optical probing through the backside of the secure IC 16.
- the technique of differential circuits having tight layouts of complementary nodes does not have to be perfectly un-probeable. In general, as long as this technique provides sufficient time for observation circuits to detect an attack and take appropriate responsive action, this defensive technique is acceptable. It is preferable for current transitions and the probability of generating hot electrons to be made symmetrical.
- devices are stacked to provide two stacks of positive polarity and two stacks of opposite polarity, as shown in Figures 6A and 6B.
- the transistors which may conduct current may be placed in a symmetrical fashion at about a central point such that they are closer together than the best resolution of the PICA probe equipment, which may be about 900 nm.
- longer channel devices may be used. In the exemplary embodiment of Figures 6A and 6B, a longer channel length (L) of 100 nm was used as compared to the standard L of 80 nm. Both of these techniques will reduce the number of hot electrons generated and thus the number of photons emitted. Use of lower VDD also reduces photon emissions commensurately.
- One other beneficial aspect of CVSL circuits is that the arrival of the input signals will not, in general, happen at the same time, which may cause all transistors to conduct simultaneously. While not good for power, it may act as a local jamming signal and reduce the SNR of the true gate switching. In addition, local jamming circuits may be used as desired.
- Figure 7 illustrates a second buffered CVSL NAND2 gate 84 according to another embodiment of the present invention. More specifically, this embodiment of the second buffered CVSL NAND2 gate 84 is formed primarily from PMOS transistors, rather than NMOS transistors. Functional equivalents of the transistors in Figure 6A are represented as primes in Figure 7. For example, the first PMOS transistor element 12 shown in Figure 6A has a functional equivalent NMOS transistor in Figure 7 and is identified as 12'. As discussed above, the PMOS transistors further increase the difficulty of optical probing techniques. This is because PICA probing depends upon photon emissions from hot carrier collisions. The PMOS devices have a much lower probability of hot electron generation and thus are more secure against PICA probing.
- Figures 8A, 8B, 8C, 8D, and 8E are graphs illustrating signals associated with the first buffered CVSL NAND2 gate 38 illustrated in Figure 6A.
- Figures 8A and 8C show a non-inverted output signal OUT and an inverted output signal /OUT, respectively, from a traditional CVSL buffered NAND2 gate (not shown).
- Figures 8B and 8D show possible PICA or LVP probe signals V_PROBE of the non-inverted output signal OUT and the inverted output signal
- Figure 8E may be representative of the combination of the M2 and M1 NMOS transistor elements.
- Figure 9 illustrates a process for forming the dual rail CVSL netlist and chip layout from a single ended netlist design like one based upon standard CMOS.
- APR: automatic place and route.
- A register transfer level (RTL) representation of a single rail CMOS design that needs timing skews is received (Step 200).
- the CMOS design is synthesized using a CMOS reduced cell library, which provides the base CVSL architecture, to create a netlist (Step 202).
- the netlist is flattened to create a very high speed IC hardware description language (VHDL) netlist of the CMOS design (Step 204).
- the CMOS design is converted into the CVSL design using a CAD program to create the VHDL netlist of the CVSL design (Step 206).
- the VHDL netlist of the CVSL design is converted into a Verilog netlist of the CVSL design (Step 208).
- the CVSL design is placed and routed using APR software to create a CVSL layout (Step 210).
- the one or more keys used for authentication and encryption are stored as dynamically moving keys. More specifically, time-varying pseudorandom key storage may be utilized after power-up. Consequently, the power supply attack detection circuits will render a DC attack untenable due to a very limited window of opportunity.
- the secure IC 16 may include the scrambled I/O circuits 22. Until there is a proper authentication, the scrambling is essentially a random pattern. However, once authentication is properly performed, the scrambling is as expected by the external device. In operation, the scrambled I/O circuits 22 are programmed to provide an expected scrambling pattern, which can be unscrambled by the receiving device.
- the observation circuits may have a daunting task, namely determining when attacks such as power supply and clock glitching have occurred or are occurring. In order to assist the observation circuits, it may be desirable to keep power supplied to the observation circuits, at least for a reasonable length of time, after the power supply is removed.
- FIG 10A illustrates one embodiment of a power supply system 86 where power is supplied to the intrusion detection and self-disable circuitry 24, or at least the one or more observation circuits of the intrusion detection and self-disable circuitry 24, after the external power supply V_DDIO has been disrupted according to one embodiment of the present invention. More specifically, as shown in Figure 10A, the intrusion detection and self-disable circuitry 24 are powered by a first isolated virtual supply V_DDRETAIN1, which in this case is a first capacitive element C1.
- the first isolated virtual supply V_DDRETAIN1 provides power to the intrusion detection and self-disable circuitry 24 for operation after power provided by the external power supply V_DDIO is removed.
- a power supply coupling circuit 88 operates to couple the external power supply V_DDIO to the first capacitive element C1 to provide the first isolated virtual supply V_DDRETAIN1 to the intrusion detection and self-disable circuitry 24.
- Figure 10B shows details of the power supply coupling circuit 88 illustrated in Figure 10A.
- the power supply coupling circuit 88 includes a first diode element CR1, such that when the external power supply V_DDIO provides power, the external power supply V_DDIO provides the first isolated virtual supply V_DDRETAIN1 and charges the first capacitive element C1, and when the external power supply V_DDIO does not provide power, the first diode element CR1 isolates the first capacitive element C1 from the external power supply V_DDIO and the first capacitive element C1 provides the first isolated virtual supply V_DDRETAIN1.
- the power supply coupling circuit 88 may be an NMOS source-follower circuit, a Multi-Threshold CMOS (MTCMOS) circuit, multiple diode elements, or the like.
- the multiple diode elements may be comprised of many smaller diodes that are distributed around the IC so that they cannot easily be disabled by an invasive attack, such as FIB, or by rapid turn-off. Another concern is laser assisted discharge. Keeping the diodes small and distributed mitigates this threat as well, since each diode presents only one small target and the total current that can be produced is limited.
- the power supply coupling circuit 88 also isolates the internal power supply V DD from the external power supply V DDIO , thereby making power analysis impossible as well.
- FIG 11 illustrates the power supply system 86 according to an alternate embodiment of the present invention. Power is supplied to the intrusion detection and self-disable circuitry 24, or at least the one or more observation circuits of the intrusion detection and self-disable circuitry 24, after the external power supply V_DDIO has been disrupted. More specifically, as shown in Figure 11, the intrusion detection and self-disable circuitry 24 are powered by the first isolated virtual supply V_DDRETAIN1, which in this case is the first capacitive element C1, and a second isolated virtual supply V_DDRETAIN2, which in this case is a second capacitive element C2.
- the first and the second isolated virtual supplies V_DDRETAIN1, V_DDRETAIN2 provide power to the intrusion detection and self-disable circuitry 24 for operation after the external power supply V_DDIO is removed.
- the power supply coupling circuit 88 operates to couple the external power supply V_DDIO to the first and the second capacitive elements C1, C2 to provide the first and the second isolated virtual supplies V_DDRETAIN1, V_DDRETAIN2 to the intrusion detection and self-disable circuitry 24.
- FIG 12 shows details of the power supply system 86 illustrated in Figure 11.
- the power supply coupling circuit 88 includes the first diode element CR1 and a second diode element CR2.
- the external power supply V_DDIO provides the first isolated virtual supply V_DDRETAIN1 and charges the first capacitive element C1 through the first diode element CR1, and provides the second isolated virtual supply V_DDRETAIN2 and charges the second capacitive element C2 through the second diode element CR2.
- the first diode element CR1 isolates the first capacitive element C1 from the external power supply V_DDIO and the first capacitive element C1 provides the first isolated virtual supply V_DDRETAIN1.
- the second diode element CR2 isolates the second capacitive element C2 from the external power supply V_DDIO and the second capacitive element C2 provides the second isolated virtual supply.
- the intrusion detection and self-disable circuitry 24 includes a power supply monitor 90 and fuse circuitry 92, which are powered by the first and the second isolated virtual supplies V_DDRETAIN1, V_DDRETAIN2, respectively.
- the power supply monitor 90 monitors the status of the external power supply V_DDIO and the internal power supply V_DD and, according to one embodiment of the present invention, any time the external power supply V_DDIO is removed before proper authentication has been completed, the power supply monitor 90 directs the fuse circuitry 92 to blow a fuse to keep track of the condition permanently.
- the fuse circuitry 92 uses the energy provided by the second isolated virtual supply V_DDRETAIN2 to blow the fuse.
- the power supply monitor 90 monitors the fuse circuitry 92 and when the number of blown fuses exceeds a threshold, the power supply monitor 90 disables the secure IC 16 by providing a disable signal DISABLE. In another embodiment of the present invention, when an authentication attempt fails, the power supply monitor 90 directs the fuse circuitry 92 to blow a fuse to keep track of the condition permanently. Therefore, an attacker has a limited number of attempts to optically probe authentication keys that are protected using one of the protection methods previously presented, such as ratioed PMOS logic or differential logic. Since there may be many authentication key nodes, the secure IC 16 should be permanently disabled before the attacker can achieve a successful pirated authentication.
- the first capacitive element C1, the second capacitive element C2, or both may be monolithic capacitors, analog Metal-insulator-metal (MIM) capacitors, interdigitated metal (IM) capacitors, or the like. Analog MIM capacitors have the advantage of requiring only two upper metal layers, thereby allowing other circuits to be under them. IM capacitors are illustrated in Figures 13A and 13B. An IM capacitor may provide approximately 10 pF in a 100 × 100 µm region. A first set of fingers 94 is interdigitated with a second set of fingers 96 to provide the two sides of the IM capacitor, as shown in Figures 13A and 13B.
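The attempt-limiting behaviour of the power supply monitor 90 and fuse circuitry 92 reduces to a small one-way counter with a latched disable, which is easy to model and to check against the rules stated above. The following is an added example, not the patent's circuit: it replays a constructed event log (supply removed, authentication succeeded, authentication failed) and blows one fuse per violation exactly as the text describes. The threshold value, the fuse-bank size, the event names and the assumption that a successful authentication is forgotten on every power cycle are all assumptions of the model.

```python
"""Behavioural model of the power supply monitor 90 and fuse circuitry 92.

Added example, not the patent's circuit. It keeps the rules stated in the
text: a fuse is blown whenever the external supply is removed before
authentication completes or an authentication attempt fails, and the IC is
disabled once the number of blown fuses exceeds a threshold. The threshold
value, the fuse-bank size and the event format below are assumptions.
"""


class FuseBank:
    """Model of one-time-programmable fuses: the blown count only increases."""

    def __init__(self, size):
        self.size = size
        self.blown = 0

    def blow(self):
        if self.blown < self.size:
            self.blown += 1
        return self.blown


class PowerSupplyMonitor:
    def __init__(self, threshold=3, fuse_count=8):
        self.threshold = threshold
        self.fuses = FuseBank(fuse_count)
        self.authenticated = False   # cleared on every power cycle (assumed)
        self.disable = False         # DISABLE latches and is never cleared

    def _record_violation(self):
        """Blow one fuse (energy from V_DDRETAIN2 is not modelled)."""
        self.fuses.blow()
        if self.fuses.blown > self.threshold:
            self.disable = True

    def power_removed(self):
        """V_DDIO disappeared: a violation unless authentication had completed."""
        if not self.authenticated:
            self._record_violation()
        self.authenticated = False

    def authentication(self, ok):
        """One authentication attempt; failures are recorded permanently."""
        if self.disable:
            return False             # a disabled IC accepts nothing
        if ok:
            self.authenticated = True
        else:
            self._record_violation()
        return ok


def run(events, threshold=3):
    """Replay a constructed event log; return (blown fuses, DISABLE state)."""
    mon = PowerSupplyMonitor(threshold)
    for event in events:
        if event == "power_removed":
            mon.power_removed()
        elif event in ("auth_ok", "auth_fail"):
            mon.authentication(event == "auth_ok")
        else:
            raise ValueError(f"unknown event {event!r}")
    return mon.fuses.blown, mon.disable


# Constructed event logs (assumptions, not measurements).
NORMAL_USE = ["auth_ok", "power_removed"] * 5     # authenticate, then power down
GLITCH_PROBING = ["power_removed"] * 4            # supply yanked before authentication
GUESSING = ["auth_fail"] * 3 + ["auth_ok"]        # within budget, then succeeds

if __name__ == "__main__":
    for name, log in (("normal", NORMAL_USE), ("glitch", GLITCH_PROBING), ("guess", GUESSING)):
        print(name, run(log))
```

With a threshold of 3 the attacker's budget is exactly three recorded violations of either kind; the fourth latches DISABLE, after which even a correct authentication is rejected. Because the counter lives in fuses, the budget does not reset with the supply, which is what makes the rapid power-cycling attacks mentioned later in the text expensive rather than free.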
- Another technique to deter the attacker from destroying the first or the second capacitive elements C1 , C2 is to occasionally route important signals in metal through the first and the second capacitive elements C1 , C2. This will increase the chances of destroying the circuit when the first or the second capacitive elements C1 , C2 are attacked.
- FIGs 14A and 14B graphically illustrate an operation of active circuits powered by the first isolated virtual supply V_DDRETAIN1 after the external power supply V_DDIO has been removed according to an exemplary embodiment of the present invention.
- the active circuits may be implemented such that they have thick gates and high threshold voltages to limit gate and drain to source leakage and employ dual stacks to limit drain to source leakage currents.
- the low voltages, at least as the supply collapses, limit the source leakage currents due to junction band-to-band tunneling and gate-induced drain leakage (GIDL).
- sub-threshold circuits may operate down to and below 250 mV, albeit at low frequencies, i.e., tens of kHz. These speeds are more than adequate for the observation circuits discussed herein.
- the sub-threshold circuits allow detection of various passive and semi-invasive attacks, i.e., raising and lowering the supplies, rapid power-up and power down, as well as determination of repeated vectors required in semi-invasive probing.
- the active test circuit used for Figures 14A and 14B is a 51 stage inverter chain with one-hundred percent (100%) activity factor.
- a 10 pF capacitance was used as the first capacitive element C1. This size, in line with the need to distribute the security circuits to thwart invasive attacks, makes distributed detection possible. Due to the leakage mitigating circuits used, most of the energy is expended by active operation.
- circuit speed is limited (note that the circuit fails due to timing violations as the supply falls below 0.5 V in Figure 14A).
- Sub-threshold circuits also operate faster when hot, unlike their above-threshold counterparts.
- the circuits here are usable under a wide range of supplies, i.e., 250 mV to 2 V, to further ensure that supply attacks on the IC do not disrupt the intrusion detection functionality.
- It is important that the intrusion detection and self-disable circuitry 24 not be disabled by an attacker using fully invasive techniques, such as FIB.
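How long the observation circuits keep running from C1 after V_DDIO is removed is a first-order discharge problem, and the figures in the text (10 pF, a 51-stage chain at 100 % activity, failure below 0.5 V, operation down to 250 mV at tens of kHz) are enough to set it up. The following is an added example, not the patent's measurement: the starting voltage, the exact clock frequency, the total switched capacitance of the chain and the leakage current are assumptions, labelled in the code, and the dynamic load is the usual alpha*C*V*f model rather than a transistor-level simulation.

```python
"""Discharge model for the isolated virtual supply V_DDRETAIN1 (C1).

Added example, not the patent's measurement. It estimates how long the
observation circuits keep running from C1 after V_DDIO is removed. The
10 pF value of C1, the 0.5 V timing-failure point, the 250 mV lower bound,
the 100 % activity factor and the tens-of-kHz clock come from the text;
the starting voltage, clock value, switched capacitance and leakage
current are assumptions.
"""
import math

C_RETAIN = 10e-12      # F, first capacitive element C1 (from the text)
V_START = 1.2          # V, assumed V_DDRETAIN1 level when V_DDIO disappears
V_FAIL = 0.5           # V, timing violations below this level (Fig. 14A, from the text)
V_MIN = 0.25           # V, lowest sub-threshold operating point (from the text)
F_CLOCK = 20e3         # Hz, assumed "tens of kHz" observation clock
C_SWITCHED = 100e-15   # F, assumed total switched capacitance of the 51-stage chain
ACTIVITY = 1.0         # 100 % activity factor (from the text)
I_LEAK = 10e-12        # A, assumed leakage of the thick-gate, high-Vt, stacked devices


def load_current(v):
    """Leakage plus dynamic current alpha*C*V*f of the inverter chain."""
    return I_LEAK + ACTIVITY * C_SWITCHED * v * F_CLOCK


def hold_time_simulated(v_stop=V_FAIL, dt=1e-6):
    """Euler-integrate C1 dV/dt = -I(V); return seconds until V reaches v_stop."""
    v, t = V_START, 0.0
    while v > v_stop:
        v -= load_current(v) / C_RETAIN * dt
        t += dt
    return t


def hold_time_analytic(v_stop=V_FAIL):
    """Closed form of the same first-order discharge, for cross-checking."""
    k = ACTIVITY * C_SWITCHED * F_CLOCK       # the dynamic load acts like a conductance
    v_off = I_LEAK / k                        # leakage shifts the exponential's asymptote
    return (C_RETAIN / k) * math.log((V_START + v_off) / (v_stop + v_off))


def clock_cycles_available(v_stop=V_FAIL):
    """Observation-circuit cycles that can run before the supply collapses."""
    return hold_time_analytic(v_stop) * F_CLOCK


def leakage_share(v_stop=V_FAIL):
    """Fraction of the charge drawn from C1 that went to leakage rather than switching."""
    charge_total = C_RETAIN * (V_START - v_stop)
    return I_LEAK * hold_time_analytic(v_stop) / charge_total


if __name__ == "__main__":
    print(f"hold to {V_FAIL} V: {hold_time_analytic() * 1e3:.2f} ms "
          f"({clock_cycles_available():.0f} cycles), "
          f"leakage share {leakage_share():.1%}")
```

Under these assumptions C1 keeps the chain above the 0.5 V failure point for a few milliseconds, roughly eighty to ninety clock cycles at 20 kHz, and well under 2 % of the charge is lost to leakage, which is the point of the thick-gate, high-threshold, stacked devices: almost the whole energy budget of a 10 pF capacitor goes to useful switching. Changing C_SWITCHED or F_CLOCK in the model shows directly what the observation logic's size and speed cost in detection time.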
- signals important to operation can be interleaved through capacitors forming the isolated virtual supply, especially the IM capacitors.
- one of the capacitors may be used as a Phase-Lock-Loop (PLL) filter in addition to being interleaved with, or being part of, the isolated virtual supply.
- the observation circuits can be self-tested when the supply is fully operational.
- FIG. 15A, 15B, 15C, 15D, and 15E illustrate different embodiments of power supply ripple current variation reduction circuitry and power supply current confusion circuitry.
- the power supply ripple current variation reduction circuitry, the power supply current confusion circuitry, or both may be used to minimize side channel information leakage obtained by monitoring the external power supply V_DDIO.
- Figure 15A shows power supply ripple current variation reduction circuitry 98, which receives power from the external power supply V_DDIO and provides the internal power supply V_DD to the secure IC 16 (not shown) based on the external power supply V_DDIO.
- the power supply ripple current variation reduction circuitry 98 operates to reduce instantaneous changes in power supply current demanded from the external power supply V_DDIO.
- the power supply ripple current variation reduction circuitry 98 operates to minimize or obscure ripple current demanded from the external power supply V_DDIO, which provides power to the secure IC 16.
- Figure 15B shows another embodiment of the power supply ripple current variation reduction circuitry 98, which receives power from the external power supply V_DDIO and provides a first internal power supply V_DD1, a second internal power supply V_DD2, up to and including an Nth internal power supply
- the power supply ripple current variation reduction circuitry 98 operates to reduce time predictability and variability of the supply ripple current seen by the external power supply V_DDIO.
- Figure 15C shows power supply current confusion circuitry 100, which receives power from the external power supply V_DDIO and provides the internal power supply V_DD to the secure IC 16 (not shown) based on the external power supply V_DDIO.
- the power supply current confusion circuitry 100 operates to vary the IC supply current seen by the external power supply V_DDIO so as to confuse an attacker and minimize side channel information leakage.
- the power supply current confusion circuitry 100 operates to blur or otherwise mask power consumption across multiple clock cycles to minimize side channel information leakage.
- Figure 15D shows another embodiment of the power supply current confusion circuitry 100, which receives power from the external power supply V_DDIO and provides a first internal power supply V_DD1, a second internal power supply V_DD2, up to and including an Nth internal power supply V_DDN to the secure IC 16 (not shown) based on the external power supply V_DDIO.
- Each of the first, the second, up to and including the Nth internal power supplies V_DD1, V_DD2, ..., V_DDN may provide power to specific circuits in the secure IC 16.
- the power supply current confusion circuitry 100 operates to vary the input current seen by the external power supply V_DDIO.
- Figure 15E shows a combination of the power supply ripple current reduction circuitry 98 illustrated in Figure 15A and the power supply current confusion circuitry 100 illustrated in Figure 15D.
- the power supply ripple current variation reduction circuitry 98 receives power from the external power supply V_DDIO and provides a power supply ripple current reduced internal power supply V_DDIRCR to the power supply current confusion circuitry 100 based on the external power supply V_DDIO.
- the power supply ripple current variation reduction circuitry 98 operates to reduce the IC supply current predictability and hence side-channel information leakage as seen at the external power supply V_DDIO.
- the power supply current confusion circuitry 100 receives power from the input ripple current reduced internal power supply V_DDIRCR and provides a first internal power supply V_DD1, a second internal power supply V_DD2, up to and including an Nth internal power supply V_DDN to the secure IC 16 (not shown) based on the input ripple current reduced internal power supply V_DDIRCR.
- Each of the first, the second, up to and including the Nth internal power supplies V_DD1, V_DD2, ..., V_DDN may provide power to specific circuits in the secure IC 16.
- Figures 16A, 16B, 16C, and 16D illustrate details of different embodiments of power supply ripple current variation reduction circuitry 98 illustrated in Figure 15A.
- Figure 16A shows one embodiment of the power supply ripple current variation reduction circuitry 98, which includes a low pass filter 102.
- the low pass filter 102 receives power from the external power supply V_DDIO and provides the internal power supply V_DD to the secure IC 16 (not shown) based on the external power supply V_DDIO.
- the low pass filter 102 operates to reduce the IC supply current variations as seen by the external power supply V_DDIO by substantially filtering out frequency content above a break frequency presented by the external power supply V_DDIO. Such frequency content may include IC power supply ripple current.
- Alternate embodiments of the present invention may use a band pass filter or a band stop filter in place of the low pass filter.
- FIG 16B shows details of the low pass filter 102 illustrated in Figure 16A.
- the low pass filter 102 includes a first resistive element R1 and a third capacitive element C3 coupled in series between the external power supply V_DDIO and ground.
- the first resistive element R1 is coupled between the external power supply V_DDIO and the internal power supply V_DD.
- the third capacitive element C3 is coupled between the internal power supply V_DD and ground.
- Figure 16C shows details of the low pass filter 102 illustrated in Figure 16A.
- the low pass filter 102 illustrated in Figure 16C is similar to the low pass filter 102 illustrated in Figure 16B, except the low pass filter 102 illustrated in Figure 16C replaces the first resistive element R1 with a PMOS transistor element 104, which may function as a variable resistive element.
- the source of the PMOS transistor element 104 is coupled to the external power supply V_DDIO and the drain of the PMOS transistor element 104 is coupled to the internal power supply V_DD.
- An output of an operational amplifier 106 feeds the gate of the PMOS transistor element 104.
- FIG. 16D shows details of the power supply ripple current variation reduction circuitry 98 illustrated in Figure 15A, according to one embodiment of the present invention.
- a current source 108 is coupled between and provides current from the external power supply V_DDIO to the internal power supply V_DD.
- the third capacitive element C3 is coupled between the internal power supply V_DD and ground.
- a shunt voltage regulator 110 is coupled between the internal power supply V_DD and ground.
- the internal power supply V_DD provides power to the secure IC 16 (not shown).
- the current source 108 provides a constant current, which must equal or exceed the average current needed by the secure IC 16 for proper operation.
- the shunt voltage regulator 110 regulates the voltage of the internal power supply V_DD by shunting current to ground to maintain the voltage of the internal power supply V_DD at a setpoint. If the voltage of the internal power supply V_DD drops below the setpoint, then the shunt voltage regulator 110 stops shunting current to ground.
- any instantaneous current demands on the internal power supply V_DD in excess of the current supplied by the current source 108 are taken from the third capacitive element C3, which may cause the voltage of the internal power supply V_DD to drop below the setpoint.
- the excess current will be used to recharge the third capacitive element C3.
- any excess current will be shunted by the shunt voltage regulator 110 to ground.
- This embodiment may be inefficient from an energy usage perspective. However, power supply ripple current time variability based on the actual internal IC state or mode of operation may be virtually eliminated.
- Figure 17 illustrates details of one embodiment of the power supply current confusion circuitry 100 illustrated in Figure 15D.
- the power supply current confusion circuitry 100 includes a first PMOS supply switching transistor element 112, a second PMOS supply switching transistor element 114, up to and including an Nth PMOS supply switching transistor element 116, a fourth capacitive element C4, a fifth capacitive element C5, a sixth capacitive element C6, and control circuitry 118.
- the first PMOS supply switching transistor element 112 is coupled between the external power supply VDDIO and the first internal power supply VDD1.
- the second PMOS supply switching transistor element 114 is coupled between the external power supply VDDIO and the second internal power supply VDD2.
- the Nth PMOS supply switching transistor element 116 is coupled between the external power supply VDDIO and the Nth internal power supply VDDN.
- the fourth capacitive element C4 is coupled between the first internal power supply VDD1 and ground.
- the fifth capacitive element C5 is coupled between the second internal power supply VDD2 and ground.
- the sixth capacitive element C6 is coupled between the Nth internal power supply VDDN and ground.
- the control circuitry 118 provides first, second, up to and including Nth control signals VCTRL1, VCTRL2, VCTRLN to the gates of the first, the second, and the Nth PMOS supply switching transistor elements 112, 114, 116, respectively.
- the control circuitry 118 can select whether each of the first, the second, up to and including the Nth internal power supplies VDD1, VDD2, VDDN receives power from the external power supply VDDIO or from the fourth, the fifth, or the sixth capacitive elements C4, C5, C6, respectively.
- Such selections may be used to create power supply current confusion making it harder for an attacker to obtain relevant side channel leakage information since the current is to first order related to the operation of the supply switching transistors and not the circuit internal logic state.
- Figures 18A, 18B, 18C, and 18D are graphs illustrating timing relationships between a system clock SYSCLK and the first, the second, and the Nth control signals VCTRL1, VCTRL2, VCTRLN, respectively, according to one embodiment of the present invention.
- the first control signal VCTRL1 is low on every low phase of the system clock SYSCLK; therefore, the first internal power supply VDD1 (not shown) receives power from the external power supply VDDIO on every low phase of the system clock SYSCLK.
- the second control signal VCTRL2 is low on every other low phase of the system clock SYSCLK; therefore, the second internal power supply VDD2 receives power from the external power supply VDDIO on every other low phase of the system clock SYSCLK.
- the Nth control signal VCTRLN is low on every third low phase of the system clock SYSCLK; therefore, the Nth internal power supply VDDN receives power from the external power supply VDDIO on every third low phase of the system clock SYSCLK.
- Such phasing may cause power supply current confusion, thereby making it harder for an attacker to obtain relevant side channel leakage information.
- Other embodiments of the present invention may use any type of scheme to cause power supply current confusion.
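Going back to the ripple-reduction circuits of Figures 16A-16D above, the two topologies can be checked against each other with a simple discrete-time model. The Python below is an added example written for this page, not code or circuitry from the patent; VDDIO, R1, C3, the current-source value, the regulator setpoint, the clock period and the activity pattern are all assumed values. It compares the peak-to-peak variation an attacker sees on the external supply with the variation in the core's own load current, and reports the internal VDD movement that the shunt topology trades for its constant input current.

```python
"""Discrete-time model of the supply-current filtering in Figures 16A-16D.

Added example for this page, not circuitry or code from the patent. All
component values and the activity pattern below are assumptions.
"""
import math

VDDIO = 1.8           # external supply VDDIO (V), assumed
R1 = 1.0              # series element R1 of the low-pass filter (ohm), assumed
C3 = 1e-6             # decoupling capacitor C3 (F), assumed
I_SOURCE = 15e-3      # constant current source 108 (A): must cover the average load
V_SET = 1.75          # shunt regulator 110 setpoint (V), assumed
DT = 1e-9             # integration step (s)
STEPS_PER_CYCLE = 50  # 50 ns system clock cycle (20 MHz), assumed

# Constructed, data-dependent core activity: 10 mA in a "0" cycle, 20 mA in a
# "1" cycle. The average is 15 mA, so I_SOURCE exactly covers it.
ACTIVITY_BITS = [1, 0, 1, 1, 0, 0, 1, 0]
I_IDLE, I_ACTIVE = 10e-3, 20e-3


def break_frequency(r, c):
    """-3 dB corner of the R1/C3 low-pass filter: 1 / (2 * pi * R * C)."""
    return 1.0 / (2.0 * math.pi * r * c)


def load_current(step):
    """Core current at a given integration step (follows ACTIVITY_BITS)."""
    cycle = (step // STEPS_PER_CYCLE) % len(ACTIVITY_BITS)
    return I_ACTIVE if ACTIVITY_BITS[cycle] else I_IDLE


def simulate(topology, t_end=40e-6):
    """Return (external current samples, internal VDD samples).

    topology: "direct"  - core hangs straight off VDDIO (baseline)
              "lowpass" - R1 in series, C3 to ground (Figure 16B)
              "shunt"   - current source into C3 plus shunt regulator (Figure 16D)
    """
    vdd = V_SET if topology == "shunt" else VDDIO
    i_ext, v_int = [], []
    for step in range(int(t_end / DT)):
        i_load = load_current(step)
        if topology == "direct":
            i_in = i_load                         # attacker sees the load directly
        elif topology == "lowpass":
            i_in = (VDDIO - vdd) / R1             # current through R1
            vdd += (i_in - i_load) * DT / C3      # C3 absorbs the difference
        elif topology == "shunt":
            i_in = I_SOURCE                       # fixed, whatever the core does
            vdd += (I_SOURCE - i_load) * DT / C3  # surplus charges C3, deficit sags
            if vdd > V_SET:
                vdd = V_SET                       # regulator shunts the surplus
        else:
            raise ValueError(topology)
        i_ext.append(i_in)
        v_int.append(vdd)
    return i_ext, v_int


def leakage_ratio(topology, window=5e-6):
    """Peak-to-peak external-current variation over the last `window` seconds
    (after the filter has settled), relative to the 10 mA load variation."""
    i_ext, _ = simulate(topology)
    tail = i_ext[-int(window / DT):]
    return (max(tail) - min(tail)) / (I_ACTIVE - I_IDLE)


def vdd_ripple(topology, window=5e-6):
    """Peak-to-peak internal VDD movement over the last `window` seconds."""
    _, v_int = simulate(topology)
    tail = v_int[-int(window / DT):]
    return max(tail) - min(tail)


if __name__ == "__main__":
    print(f"break frequency: {break_frequency(R1, C3):.0f} Hz")
    for topo in ("direct", "lowpass", "shunt"):
        print(f"{topo:8s} external variation x{leakage_ratio(topo):.3f}, "
              f"internal VDD ripple {vdd_ripple(topo) * 1e3:.2f} mV")
```

With these values the corner sits near 159 kHz, two orders of magnitude below the clock, so the external current variation falls to a few percent of the load variation; the shunt topology drives it to zero at the cost of about half a millivolt of internal sag and 15 mA burned continuously. Raising R1 or C3 improves the filtering but costs IR drop or die area. Neither topology destroys the information, it attenuates it, so a real design should still be judged on measured traces averaged over many operations rather than on a model like this one.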
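The switching schedule of Figures 17 and 18A-18D just described can be modelled as charge bookkeeping: each internal rail draws its load from its own capacitor, and the external supply only sees a rail while its PMOS switch is on, at which point it must make up everything that rail consumed since it was last connected. The Python below is an added example written for this page, not the patent's circuitry; N is fixed at three rails, the per-cycle load figures are constructed, and charge is counted in arbitrary units. It shows what the attacker does and does not get to see under this scheme.

```python
"""Charge-bookkeeping model of the supply switching in Figures 17 and 18A-18D.

Added example for this page, not the patent's circuitry. Three rails (N = 3),
constructed per-cycle load figures, charge in arbitrary units.
"""

# Which low phases of SYSCLK each PMOS switch is on for (VCTRLn driven low):
# VDD1 every low phase, VDD2 every other low phase, VDD3 every third low phase.
CONNECT_EVERY = {"VDD1": 1, "VDD2": 2, "VDD3": 3}

# Constructed activity: charge each rail's logic consumes per clock phase, per
# cycle. VDD3 is idle (0) on odd cycles, something an attacker watching an
# unswitched supply would see immediately.
LOAD = {
    "VDD1": [1, 1, 1, 1, 1, 1],
    "VDD2": [2, 2, 2, 2, 2, 2],
    "VDD3": [3, 0, 3, 0, 3, 0],
}


def control_signal(rail, cycle, phase):
    """Level of VCTRLn for a rail in a clock phase (PMOS switch: 0 = on)."""
    if phase != "low":
        return 1
    return 0 if cycle % CONNECT_EVERY[rail] == 0 else 1


def simulate(load=LOAD):
    """Return a list of (cycle, phase, external_charge, connected_rails).

    While a rail's switch is off, its load comes out of its capacitor and the
    deficit accumulates; when the switch closes, the external supply refills
    the capacitor and feeds that phase's load in one burst.
    """
    deficit = {rail: 0 for rail in load}
    trace = []
    cycles = len(next(iter(load.values())))
    for cycle in range(cycles):
        for phase in ("high", "low"):
            external = 0
            connected = []
            for rail in load:
                draw = load[rail][cycle]
                if control_signal(rail, cycle, phase) == 0:
                    external += deficit[rail] + draw
                    deficit[rail] = 0
                    connected.append(rail)
                else:
                    deficit[rail] += draw
            trace.append((cycle, phase, external, tuple(connected)))
    return trace


def external_bursts(load=LOAD):
    """External supply charge drawn in each low phase (the only time it flows)."""
    return [ext for _, phase, ext, _ in simulate(load) if phase == "low"]


def total_consumed(load=LOAD):
    """Charge the logic actually used: two phases per cycle on every rail."""
    return sum(2 * sum(per_cycle) for per_cycle in load.values())


def total_external(load=LOAD):
    """Charge that has crossed the switches so far (the rest is still on C4..C6)."""
    return sum(ext for _, _, ext, _ in simulate(load))


if __name__ == "__main__":
    for cycle, phase, ext, rails in simulate():
        print(f"cycle {cycle} {phase:4s}: external {ext:2d} units via {rails}")
    print("bursts:", external_bursts())
    print("consumed:", total_consumed(), "seen externally:", total_external())
```

The bursts in this run are 12, 2, 10, 8, 10 and 2 units: their sizes are set mainly by how many switches close in that low phase, and VDD3's idle cycles never show up as a quiet phase, because its consumption only surfaces, merged with whatever else is connected, when its own switch closes (the cycle 1 and cycle 5 bursts are 2 units whether VDD3 was busy in those cycles or not). The caveat the model makes explicit is charge conservation: every unit the logic consumed is eventually drawn from VDDIO, so the scheme re-times and mixes the leakage rather than removing it, and an attacker integrating over a window longer than the longest switch period still recovers total consumption.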
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Semiconductor Integrated Circuits (AREA)
Abstract
Methods and systems are provided for thwarting semi-invasive and non-invasive security attacks on an integrated circuit. The methods and systems generally make reverse engineering, reconfiguration, decryption, observation, or any combination thereof, of the internal operations of the integrated circuit substantially more difficult if not impossible without damaging the integrated circuit.
Description
METHODS AND CIRCUITS FOR THWARTING SEMI-INVASIVE AND NONINVASIVE INTEGRATED CIRCUIT SECURITY ATTACKS
[0001] This application claims the benefit of provisional patent application serial number 61/053,150, filed May 14, 2008, the disclosure of which is hereby incorporated herein by reference in its entirety.
Statement Regarding Federally Sponsored Research or Development [0002] This invention was made with funding from the U.S. Missile Defense Agency under contract/grant number DWS0221. The U.S. Government has certain rights in the invention.
Background of the Invention
[0003] Integrated circuits used in applications such as financial transactions, personal medical information, and military use must be secure against unauthorized access. More specifically, it is desirable for such integrated circuits to be secure against security attacks by an unauthorized user, such as an attacker or intruder, having a chip in his or her possession and potentially having sophisticated resources at his or her disposal. For example, a field programmable gate array (FPGA) is a device having programmable logic circuits that are programmed with an FPGA bitstream, which encodes the circuit configuration. The programmable logic circuits of the FPGA may be generic and known. However, the FPGA bitstream program may represent a design that must be secure against unauthorized access. Therefore, such an FPGA bitstream program needs to be encrypted when stored outside the FPGA to avoid the design being copied. Thus, there is a need for a secure integrated circuit that thwarts such security attacks.
Summary of the Invention [0004] The present invention relates to methods and systems for thwarting semi-invasive and non-invasive security attacks on an integrated circuit (IC). The methods and systems generally make reverse engineering, reconfiguration, and observation of the internal operations of the IC substantially more difficult, if not impossible. In a first embodiment of the present invention, all or a portion of the IC is implemented utilizing P-type Metal-Oxide-Semiconductor (PMOS) ratioed logic. By using the PMOS ratioed logic, photo emissions are reduced and the photo emission Signal-to-Noise Ratio (SNR) is reduced, thereby making optical probing techniques, such as Picosecond Imaging Circuit Analysis (PICA) or Time Resolved Emission Microscopy (TRE), substantially more difficult, if not impossible. In addition, the PMOS ratioed logic gates have a lower voltage swing than Complementary Metal-Oxide-Semiconductor (CMOS) gates, thereby increasing the difficulty of Laser Voltage Probing (LVP). PICA and LVP may involve receiving photo emissions produced by IC circuitry through the backside of the IC's semiconductor die. Long-channel circuits, stacked transistors, or both may also be used to further reduce the PICA SNR and to limit the PMOS circuit power consumption.
[0005] In a second embodiment of the present invention, differential circuits combined with a tight physical layout of adjacent complementary nodes may be utilized to make probing techniques such as PICA and LVP substantially more difficult, if not impossible. The differential circuits may also thwart power attacks due to consistent current draw. In one embodiment, the layout of the differential circuits is such that spacing between complementary nodes is less than a specific spatial resolution of the probing techniques. For example, for an IC fabricated on a Silicon (Si) substrate, the optical probing spatial resolution is approximately 900 nanometers (nm), where the optical probing spatial resolution is a physical limitation resulting from the band gap of Si. As such, the layout of the differential circuits may be designed such that the spacing between complementary nodes is less than 900 nm. Note that the difficulty of optical probing begins to increase with spacing of approximately 1100 nm. As the spacing decreases, the difficulty of optical probing increases. At approximately 900 nm, the difficulty of optical probing reaches a point that begins to adequately thwart optical probing techniques. Long-channel circuits, stacked transistors, or both may also be used to further reduce the PICA SNR and to limit power consumption. Local node jamming may also be used to thwart good LVP signals. Local jamming can also arise from skewing the arrival times of the differential inputs to differential Cascode Voltage Switch Logic (CVSL) gates by causing temporary current flow in neighboring transistors.
[0006] In a third embodiment of the present invention, authentication and Input/Output (I/O) scrambling may be performed using one or more keys. In one embodiment, the one or more keys are dynamically moving keys in order to complicate LVP attacks intended to obtain the one or more keys. More specifically, time-varying pseudo-random key storage after power-up may be used to provide the dynamically moving keys. By using the dynamically moving keys, an attacker is prevented from simply reading the one or more keys from the IC using LVP. [0007] In a fourth embodiment of the present invention, the IC may include one or more intrusion detection and self-disable circuits for detecting attacks on the IC and disabling the IC in response thereto. Multiple copies of the intrusion detection and self-disable circuits may be distributed on the IC for the purpose of making disabling edits more difficult to perform and thus raising the risk of destroying the device. Each intrusion detection and self-disable circuit may include one or more observation circuits. The one or more observation circuits may observe glitches or stopping of a clock provided to the IC as a type of security attack, changes in a power supply provided to the IC as a type of security attack, or the like. In one embodiment, one or more monolithic capacitors are utilized to provide at least a temporary power supply for the one or more observation circuits when the power supply is disconnected from the IC. The temporary power supply enables the one or more observation circuits to, for example, record information to thereafter assist the intrusion detection and self-disable circuits in determining whether a security attack is being made upon the IC. If so, the intrusion detection and self-disable circuits may cause the IC to self-destruct or otherwise become inoperable.
[0008] In a fifth embodiment of the present invention, power supply ripple current variation reduction circuitry is used to minimize side channel information leakage; otherwise, measurement of the supply current may be used to extract information about the IC. For example, by monitoring the power supply current of a field programmable gate array (FPGA) or other circuit containing a decryption circuit, it may be possible to determine when some bits of the key have been successfully guessed; that is, circuit operating states may be inferred using power supply side-channel attacks. In a sixth embodiment of the present invention, power supply current confusion circuitry is used to minimize side channel information leakage; otherwise, measurement of the supply current may be used to extract information about the IC state or keys. For example, the power supply current confusion circuitry may minimize or eliminate an intruder's ability to differentiate between when an FPGA is being programmed and when it is operating, or to judge the relative accuracy of authentication keys that have been guessed. For instance, in a smart card, guessing the PIN may leave the power supply current draw behavior relatively unaffected.
[0009] In one embodiment of the present invention, methods, circuits, or both, of any or all of the first embodiment, the second embodiment, the third embodiment, the fourth embodiment, the fifth embodiment, and the sixth embodiment of the present invention described above may be combined in any manner.
[0010] Those skilled in the art will appreciate the scope of the present invention and realize additional aspects thereof after reading the following detailed description of the preferred embodiments in association with the accompanying drawing figures.
Brief Description of the Drawing Figures
[0011] The accompanying drawing figures incorporated in and forming a part of this specification illustrate several aspects of the invention, and together with the description serve to explain the principles of the invention. [0012] Figure 1 illustrates a Complementary Metal-Oxide-Semiconductor (CMOS) inverter according to the prior art.
[0013] Figures 2A and 2B are graphs illustrating a first inverter output signal and a possible Picosecond Imaging Circuit Analysis (PICA) or a Laser Voltage Probing (LVP) probe signal of the CMOS inverter, respectively, illustrated in Figure 1. [0014] Figure 3 illustrates a secure Integrated Circuit (IC) according to one embodiment of the present invention.
[0015] Figure 4A is a graph showing a relationship between minimum gate separation and semiconductor diffusion spacings versus various process technology modes. [0016] Figure 4B illustrates a ratioed P-type Metal-Oxide-Semiconductor (PMOS) inverter according to one embodiment of the present invention; [0017] Figure 4C illustrates a ratioed PMOS NOR gate according to one embodiment of the present invention. [0018] Figure 4D illustrates a ratioed PMOS NAND gate according to one embodiment of the present invention.
[0019] Figures 5A and 5B are duplicates of Figures 2A and 2B, respectively, for clarity, and Figures 5C and 5D are graphs illustrating a second inverter output signal and a possible PICA or LVP probe signal of the ratioed PMOS inverter, respectively, illustrated in Figure 4B. [0020] Figures 6A and 6B illustrate a first differential NAND2 gate having a tight layout of complementary nodes in order to thwart semi-invasive and invasive attacks according to one embodiment of the present invention; [0021] Figure 7 illustrates a second differential NAND2 gate, which has a substantially PMOS implementation according to an alternate embodiment of the present invention.
[0022] Figures 8A, 8B, 8C, 8D, and 8E are graphs illustrating signals associated with the first differential NAND2 gate illustrated in Figure 6A; [0023] Figure 9 illustrates a process for forming a Cascode Voltage Switch Logic (CVSL) netlist and an automatically placed and routed chip layout beginning with a single-ended register transfer level (RTL) description of a single-ended logic netlist.
[0024] Figure 10A illustrates a power supply system enabling power to be supplied to observation circuits that detect attacks on the secure IC after the main power supply has been disconnected according to one embodiment of the present invention. [0025] Figure 10B shows details of a power supply coupling circuit illustrated in Figure 10A.
[0026] Figure 11 illustrates the power supply system according to an alternate embodiment of the present invention. [0027] Figure 12 shows details of the power supply system illustrated in Figure 11.
[0028] Figures 13A and 13B illustrate an exemplary monolithic capacitor that can be used as a virtual power supply for retaining power for the observation circuits of the secure IC as discussed with respect to Figure 10A according to one embodiment of the present invention. [0029] Figures 14A and 14B graphically illustrate the operation of active circuits utilizing a virtual power supply after the main power supply of the secure IC has been disconnected according to one embodiment of the present invention. [0030] Figures 15A, 15B, 15C, 15D, and 15E illustrate different embodiments of power supply ripple current variation reduction circuitry and power supply current confusion circuitry.
[0031] Figures 16A, 16B, 16C, and 16D illustrate details of different embodiments of the power supply ripple current variation reduction circuitry illustrated in Figure 15A. [0032] Figure 17 illustrates details of one embodiment of the power supply current confusion circuitry illustrated in Figure 15C.
[0033] Figures 18A, 18B, 18C, and 18D are graphs illustrating timing relationships between a system clock and first, second, and Nth control signals, respectively, according to one embodiment of the present invention.
Detailed Description of the Preferred Embodiments
[0034] The embodiments set forth below represent the necessary information to enable those skilled in the art to practice the invention and illustrate the best mode of practicing the invention. Upon reading the following description in light of the accompanying drawing figures, those skilled in the art will understand the concepts of the invention and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the disclosure and the accompanying claims. [0035] The present invention relates to methods and systems for thwarting semi-invasive and non-invasive security attacks on an integrated circuit (IC). The methods and systems generally make reverse engineering, reconfiguration, and observation of the internal operations of the IC substantially more difficult, if not impossible. In a first embodiment of the present invention, all or a portion of the IC is implemented utilizing P-type Metal-Oxide-Semiconductor (PMOS) ratioed logic. By using the PMOS ratioed logic, photo emissions are reduced and the photo emission Signal-to-Noise Ratio (SNR) is reduced, thereby making optical probing techniques, such as Picosecond Imaging Circuit Analysis (PICA) or Time Resolved Emission Microscopy (TRE), substantially more difficult, if not impossible. In addition, the PMOS ratioed logic gates have a lower voltage swing than Complementary Metal-Oxide-Semiconductor (CMOS) gates, thereby increasing the difficulty of Laser Voltage Probing (LVP). PICA and LVP may involve receiving photo emissions produced by IC circuitry through the backside of the IC's semiconductor die. Long-channel circuits, stacked transistors, or both may also be used to further reduce the PICA SNR and to limit power consumption.
[0036] In a second embodiment of the present invention, differential circuits combined with a tight physical layout of adjacent complementary nodes may be utilized to make probing techniques such as PICA and LVP substantially more difficult, if not impossible. These differential circuits also thwart power attacks because of their steady current draw. In one embodiment, the layout of the differential circuits is such that spacing between complementary nodes is less than a spatial resolution of the probing techniques. For example, for an IC fabricated on a Silicon (Si) substrate, the optical probing spatial resolution is approximately 900 nanometers (nm), where the optical probing spatial resolution is a physical limitation resulting from the band gap of Si. As such, the layout of the differential circuits may be designed such that the spacing between complementary nodes is less than 900 nm. Note that the difficulty of optical probing begins to increase with spacing of approximately 1100 nm. As the spacing decreases, the difficulty of optical probing increases. At approximately 900 nm, the difficulty of optical probing reaches a point that begins to adequately thwart optical probing techniques. Long-channel circuits, stacked transistors, or both may also be used to further reduce the PICA SNR and to limit power consumption. Local node jamming may also be used to thwart good LVP signals. Local jamming can also arise from skewing the arrival times of the differential inputs to differential Cascode Voltage Switch Logic (CVSL) gates by causing temporary current flow in neighboring transistors.
[0037] In a third embodiment of the present invention, authentication and Input/Output (I/O) scrambling may be performed using one or more keys. In one embodiment, the one or more keys are dynamically moving keys in order to complicate LVP attacks intended to obtain the one or more keys. More specifically, time-varying pseudo-random key storage after power-up may be used to provide the dynamically moving keys. By using the dynamically moving keys, an attacker is prevented from simply reading the one or more keys from the IC using LVP. [0038] In a fourth embodiment of the present invention, the IC may include one or more intrusion detection and self-disable circuits for detecting attacks on the IC and disabling the IC in response thereto. Multiple copies of the intrusion detection and self-disable circuits may be distributed on the IC for the purpose of making disabling edits more difficult to perform and thus raising the risk of destroying the device. Each intrusion detection and self-disable circuit may include one or more observation circuits. The one or more observation circuits may observe glitches or stopping of a clock provided to the IC as a type of security attack, changes in a power supply provided to the IC as a type of security attack, or the like. In one embodiment, one or more monolithic capacitors are utilized to provide at least a temporary power supply for the one or more observation circuits when the power supply is disconnected from the IC. The temporary power supply enables the one or more observation circuits to, for example, record information to thereafter assist the intrusion detection and self-disable circuits in determining whether a security attack is being made upon the IC. If so, the intrusion detection and self-disable circuits may cause the IC to self-destruct or otherwise become inoperable. [0039] In a fifth embodiment of the present invention, power supply ripple current variation reduction circuitry is used to minimize side channel information leakage; otherwise, measurement of the input current may be used to extract information about the IC. For example, by monitoring the power supply current of a smart-card circuit, it may be possible to determine when some portion of the key or PIN has been successfully guessed. Power supply ripple current variation reduction circuitry may minimize or eliminate an intruder's ability to differentiate between when an FPGA is being programmed with an FPGA load and when the FPGA is operating using the FPGA load. In a sixth embodiment of the present invention, power supply current confusion circuitry is used to minimize side channel information leakage; otherwise, measurement of supply currents may be used to extract information about the IC. For example, the power supply current confusion circuitry may minimize or eliminate an intruder's ability to differentiate between when an FPGA is being programmed with an FPGA bitstream and when the FPGA is operating using the successfully decrypted FPGA bitstream.
[0040] In one embodiment of the present invention, methods, circuits, or both, of any or all of the first embodiment, the second embodiment, the third embodiment, the fourth embodiment, the fifth embodiment, and the sixth embodiment of the present invention described above may be combined in any manner. [0041] Figure 1 illustrates a CMOS inverter 10 according to the prior art. The CMOS inverter 10 is a digital circuit and includes a first PMOS transistor element 12 and a first N-type Metal-Oxide-Semiconductor (NMOS) transistor element 14 coupled in series between a power supply VSUPPLY and ground. Gates of the first PMOS and the first NMOS transistor elements 12, 14 are coupled together and receive a first inverter input signal VINV1IN, and drains of the first PMOS and the first NMOS transistor elements 12, 14 are coupled together and provide a first inverter output signal VINV1OUT, which is a complement of the first inverter input signal VINV1IN.
[0042] Figures 2A and 2B are graphs illustrating the first inverter output signal VINV1OUT and a possible PICA or LVP probe signal VPROBE of the CMOS inverter 10, respectively, illustrated in Figure 1. When the first inverter input signal VINV1IN is a logic "0", the first inverter output signal VINV1OUT is a logic "1", such that the first PMOS transistor element 12 is in an ON state and the first NMOS transistor element 14 is in an OFF state. When the first inverter input signal VINV1IN transitions from a logic "0" to a logic "1", the first inverter output signal VINV1OUT transitions from a logic "1" to a logic "0", such that the first PMOS transistor element 12 transitions from an ON state to an OFF state and the first NMOS transistor element 14 transitions from an OFF state to an ON state. During the transitioning, current may flow simultaneously through both the first PMOS and NMOS transistor elements 12, 14 between the power supply VSUPPLY and ground, and current flows through the first NMOS transistor element 14 as circuit capacitances coupled to the drain of the first NMOS transistor element 14 are discharged to ground. These currents, which flow through the drain of the first NMOS transistor element 14, produce photo emissions, which may be detected through the backside of a semiconductor die providing the CMOS inverter 10, using PICA to produce the probe signal VPROBE as shown in Figure 2B.
[0043] Similarly, when the first inverter input signal VINV1IN transitions from a logic "1" to a logic "0", the first inverter output signal VINV1OUT transitions from a logic "0" to a logic "1", such that the first PMOS transistor element 12 transitions from an OFF state to an ON state and the first NMOS transistor element 14 transitions from an ON state to an OFF state. During the transitioning, current may flow simultaneously through both the first PMOS and NMOS transistor elements 12, 14 between the power supply VSUPPLY and ground, and current flows through the first PMOS transistor element 12 as circuit capacitances coupled to the drain of the first PMOS transistor element 12 are charged from the power supply VSUPPLY. The current that flows through the drain of the first NMOS transistor element 14 produces photo emissions, which may be detected through the backside of a semiconductor die providing the CMOS inverter 10, using PICA to produce the probe signal VPROBE as shown in Figure 2B. [0044] The peak current through the first NMOS transistor element 14 when the first inverter output signal VINV1OUT transitions from a logic "0" to a logic "1" may be significantly smaller than the peak current through the first NMOS transistor element 14 when the first inverter output signal VINV1OUT transitions from a logic "1" to a logic "0", because the former is rush-through current rather than load discharge current. As a result, the magnitude of the probe signal VPROBE may be significantly smaller on rising edges of the first inverter output signal VINV1OUT than on falling edges of the first inverter output signal VINV1OUT, as shown in Figure 2B. As such, an intruder using PICA may be able to accurately detect and reproduce the first inverter output signal VINV1OUT. [0045] Some embodiments of the present invention relate to making signals undetectable using PICA or LVP, to making it difficult or impossible to discern rising edges from falling edges of signals, or both.
[0046] Figure 3 illustrates a secure IC 16 according to one embodiment of the present invention. In general, in this embodiment, the secure IC 16 includes one or more core circuits 18 protected by one or more authentication circuits 20, one or more scrambled I/O circuits 22, and one or more intrusion detection and self-disable circuits 24. In exemplary embodiments of the present invention, the core circuits 18 may include an FPGA or a nonvolatile memory that stores an FPGA bitstream program, be used in a "smart card", or the like. However, the present invention is not limited thereto. [0047] The core circuits 18 are protected by the authentication circuits 20. The authentication circuits 20 require that a correct programming code, or key, be entered into the authentication circuits 20 before the core circuits 18, the scrambled I/O circuits 22, or both, are enabled to function properly. The authentication circuits 20 contain pre-programmed unique codes, set during manufacturing or at some other time by, for example, burning fuses. Note that if the secure IC 16 is mass produced, each instance, or individual IC, of the secure IC 16 is preferably programmed with a different code. In one embodiment, encrypted data or a decryption key is entered into the authentication circuits 20 from an external device. When the encryption of the data or the decryption key matches the code contained in the authentication circuits 20, or is otherwise authenticated against the code contained in the authentication circuits 20, the external device is authenticated. As a result, the core circuits 18, the scrambled I/O circuits 22, or both are enabled to function properly. When the scrambled I/O circuits 22 are enabled to function properly, the I/O scrambling will match the values expected by the external device with which the secure IC 16 is communicating. If the external device is not authenticated, the core circuits 18 will function incorrectly and the I/O scrambling will appear to be a random pattern. In this mode, the device will not communicate properly with the board or system and is thus disabled.
[0048] As an example, the core circuits 18 may be an FPGA. In operation, the authentication circuits 20 decode encrypted data that is entered through an authentication programming path. If the decryption key for the encrypted data matches the code contained in the authentication circuits 20, the FPGA functions as intended. If the decryption key does not match the code contained in the authentication circuits 20, the FPGA is programmed with an incorrect configuration. For example, the FPGA may be programmed with an arbitrary configuration. The scrambled I/O circuits 22 are programmed similarly. If the programming code does not set the scrambled I/O circuits 22 to the expected configuration after being decoded, the scrambled I/O circuits 22 output an essentially pseudo-random pattern rather than the intended pattern. Preferably, the scrambled I/O circuits 22 appear to the external device to be behaving normally and there is no specific "decoded correctly" signal for a possible attacker to tie off or monitor in order to circumvent the authentication scheme.
[0049] In another application, the core circuits 18 may provide storage for a "smart card" that electronically stores a person's vital information in encrypted form. This vital information may be, for example, credit card information, bank account information, health related information, social security number, or the like. Until the scrambled I/O circuits 22 and authentication circuits 20 are successfully programmed, the information is effectively locked inside the core circuits 18 of the secure IC 16 in encrypted form. Note that the secure IC 16 may be used for various types of applications. A "smart card" is an example and is not intended to limit the scope of the present invention. In general, the secure IC 16 may be used in any application where the owner or manufacturer of the secure IC 16 wants to prevent or thwart reverse engineering, reconfiguration, or observation of the internal operations of the secure IC 16. [0050] The essentially random functionality of the core circuits 18 and the scrambled I/O circuits 22 when the external device is not authenticated gives the attacker relatively little data with which to control a systematic attack on the authentication circuits 20. However, if an attacker with sufficient resources has full knowledge of the authentication and the scrambled I/O circuits 20 and 22, the attacker may then use sophisticated debug methods to observe, modify, or observe and modify the internal operations of the secure IC 16. For example, focused ion beam (FIB) equipment may be used to modify the secure IC 16. As another example, PICA, LVP, or both, may be used to observe the internal operations of the secure IC 16. Consequently, it is desirable to further improve the security of the secure IC 16 in order to make attacks using such debug methods substantially more difficult, or impossible. Thus, methods and circuits are also provided to make various types of semi-invasive and non-invasive attacks such as those using PICA, LVP, power supply movement, clock glitching or stopping more difficult, if not impossible.
[0051] The intrusion detection and self-disable circuitry 24 generally operates to detect attacks on the secure IC 16 and disable the secure IC 16 in response thereto. More specifically, the intrusion detection and self-disable circuitry 24 may include multiple copies of the same intrusion detection and self-disable circuit distributed on the secure IC 16, where each copy of the intrusion detection and self-disable circuit is located at a different location on the secure IC 16. The intrusion detection and self-disable circuitry 24 may include one or more observation circuits for observing actions consistent with attacks directed towards authentication and attacks using semi-invasive or non-invasive probing techniques. Preferably, the one or more observation circuits include clock glitch or stopping observation circuits, power supply movement observation circuits, and observation circuits to determine when unsuccessful authentication attempts are being made. Note that, due to their nature, these attacks take considerable time. For example, it is desirable for the secure IC 16 to be able to determine if unsuccessful authentication attempts are being made. If so, the secure IC 16, and more specifically the intrusion detection and self-disable circuitry 24, can take an appropriate response such as, for example, self-destruction. For instance, if a fixed number of unsuccessful authentication attempts have been made, the secure IC 16 may trigger circuits that render the secure IC 16 permanently non-operational. The intrusion detection and self-disable circuitry 24 may have thicker gate oxides than the core circuits 18 to minimize power loss due to leakage currents. Further, the intrusion detection and self-disable circuitry 24 may have higher threshold voltages than the core circuits 18 to minimize power loss due to leakage currents. Additionally, the intrusion detection and self-disable circuitry 24 may operate with a supply voltage below about 250 millivolts.
[0052] However, a typical IC, when powered up, does not know how long it has been since the last time it was powered up, or if the power is being cycled to allow repeated security attacks. Another attack method is to look at the circuit power to determine a circuit state.
Such methods, which are part of a class of IC security attacks known as "power attacks," have been very successful in the past. Methods and circuits are provided to thwart these attacks in two ways. First, in one embodiment, the secure IC 16 has internal observation circuits that can remain powered up, at least temporarily, when an external power supply VDDIO to the secure IC 16 is removed so that the event can be registered in some form of non-volatile memory. For instance, when the external power supply VDDIO is removed, the internal observation circuit may check if successful operations (showing a successful authentication) were made before the removal of the external power supply VDDIO. If not, the internal observation circuit can register this fact in a non-volatile storage. Second, in one embodiment, the authentication circuits 20 of the secure IC 16 may have constant power dissipation independent of the circuit state. Such internal observation and authentication circuits will successfully mitigate the two most common forms of power attacks. Typically, the secure IC 16 may receive power through any number of external power supply inputs from any number of external power supplies, which may be at different voltages. The term external power supply VDDIO is used throughout this document to represent any external power supply providing power to the secure IC 16 at its appropriate voltage.
[0053] More specifically, the secure IC 16 may implement one or more of the following defense mechanisms, which are discussed below in more detail:
1. Defense Mechanisms Related to Authentication Start-up Cycle:
a) Distributed fuses to count failed attempts;
b) Short authentication/programming interval before IC self-destruct; and
c) Distributed self-destruct circuits to disable the core power supply.
2. Defense Mechanisms Hindering the Physical Observation of the Stored Secure Keys and Other Circuit Nodes:
a) PMOS ratioed circuits to greatly reduce PICA or LVP SNR;
b) Differential ratioed circuits such as NMOS or PMOS CVSL to diminish the PICA or LVP SNR;
c) Long-channel circuits and/or stacked transistors to further reduce PICA signal to noise ratio and limit power;
d) Local node jamming to thwart good PICA or LVP signals;
e) Power supply ripple current variation reduction circuitry; and
f) Power supply current confusion circuitry.
3. Defense Mechanisms Hindering the Logical Observation of the Secure Keys and Other Circuit Nodes:
a) Dynamically moving keys to complicate an LVP attack; and
b) Scrambling of the I/O circuit to further increase the chance of a failure.
4. Intrusion Detection Circuitry:
a) Multi-threshold Complementary Metal-Oxide-Semiconductor (MTCMOS) or diode isolated power supplies to alleviate power attacks. This is helped by constant DC power usage of the PMOS ratioed circuits or by uniform power used by CVSL with H→L and L→H transitions;
b) Clock glitch or stopping observation circuits;
c) Power supply movement observation circuits;
d) Observation circuits that retain power independent of the supply; and
e) Distributed copies of the intrusion detection circuitry.
Again, each of these defense mechanisms may be used alone or in combination with one or more of the other defense mechanisms.
[0054] Defense mechanisms related to the authentication start-up cycle are presented. As discussed above, the authentication circuits 20 require that a correct programming code, or key, be entered into the authentication circuits 20 before the core circuits 18, the scrambled I/O circuits 22, or both are enabled to function properly. However, after power-up, a typical circuit would not be capable of determining a number of failure attempts that had previously occurred. As such, the intrusion detection and self-disable circuitry 24 may include observation circuits that observe failed authentication attempts. In response, the intrusion detection and self-disable circuitry 24 utilize a persistent storage mechanism to record the failed authentication attempts. In one embodiment, the persistent storage mechanism is formed by a number of fuses distributed over the secure IC 16. When a failed authentication attempt is detected, a fuse is burned. When a predetermined number of failed authentication attempts have been recorded, the intrusion detection and self-disable circuitry 24 operate to disable the secure IC 16 via, for example, a self-destruct mechanism.
[0055] In addition or alternatively, the secure IC 16 may utilize a short authentication/programming interval before being self-disabled. More specifically, after a relatively small number of failed authentication attempts, the intrusion detection and self-disable circuitry 24 may self-disable the secure IC 16.
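The following is an added behavioural model, not part of the patent text or any product, of the fuse-based attempt counter of [0054], the short authentication window of [0055] and the power-removal registration of [0052]. A fuse bank that can only be burned stands in for the non-volatile storage, a session flag stands in for the observation circuit that stays powered briefly after VDDIO is removed, and the class and method names, key values and scenarios are this example's own constructions.

```python
# Added example (not from the patent): behavioural model of the fuse-based
# failed-attempt counter, short authentication window and power-removal
# registration described in [0052], [0054] and [0055]. Names are this
# example's own, not the patent's.
import hmac


class FuseBank:
    """One-time-programmable fuses: a fuse can be burned (0 -> 1) but never
    restored, so the count survives power cycling and cannot be reset."""

    def __init__(self, count: int) -> None:
        self._bits = [False] * count

    @property
    def capacity(self) -> int:
        return len(self._bits)

    def burned(self) -> int:
        return sum(self._bits)

    def burn_next(self) -> None:
        for i, b in enumerate(self._bits):
            if not b:
                self._bits[i] = True
                return
        raise RuntimeError("all fuses already burned")


class SecureICModel:
    """Authentication circuit plus intrusion-detection/self-disable logic."""

    def __init__(self, expected_key: bytes, fuse_count: int = 4) -> None:
        self._expected = expected_key
        self._fuses = FuseBank(fuse_count)
        self.disabled = False            # permanent once set (self-destruct)
        self._authenticated = False      # volatile session state
        self._failure_recorded = False   # volatile: one fuse per failed session

    def power_up(self) -> None:
        self._authenticated = False
        self._failure_recorded = False
        if self._fuses.burned() >= self._fuses.capacity:
            self.disabled = True

    def authenticate(self, key: bytes) -> bool:
        if self.disabled:
            return False
        # Constant-time comparison: no data-dependent early exit for a power
        # trace to expose (design choice of this model).
        if hmac.compare_digest(self._expected, key):
            self._authenticated = True
            return True
        self._record_failure()
        return False

    def power_down(self) -> None:
        # [0052]: the observation circuit stays powered briefly after VDDIO is
        # removed; if no successful authentication happened this session the
        # event is registered in non-volatile storage, so power cycling
        # cannot hide repeated attempts.
        if not self.disabled and not self._authenticated and not self._failure_recorded:
            self._record_failure()
        self._authenticated = False

    def failed_attempts(self) -> int:
        return self._fuses.burned()

    def _record_failure(self) -> None:
        self._fuses.burn_next()
        self._failure_recorded = True
        if self._fuses.burned() >= self._fuses.capacity:
            self.disabled = True


def guessing_sequence(fuse_count: int = 3) -> SecureICModel:
    """Constructed scenario: one wrong key per power cycle."""
    ic = SecureICModel(b"correct-key", fuse_count)
    for i in range(fuse_count + 1):
        ic.power_up()
        ic.authenticate(b"guess-%d" % i)
        ic.power_down()
    return ic


def power_cycling_sequence(fuse_count: int = 3) -> SecureICModel:
    """Constructed scenario: repeated power cycles with no authentication at all."""
    ic = SecureICModel(b"correct-key", fuse_count)
    for _ in range(fuse_count):
        ic.power_up()
        ic.power_down()
    return ic


if __name__ == "__main__":
    ic = guessing_sequence()
    print("failed attempts recorded:", ic.failed_attempts(), "disabled:", ic.disabled)
```

The second scenario is the point of [0052]: even when no key is ever presented, a power cycle that ends without a successful authentication burns a fuse, so the chip eventually disables itself. In silicon the fuse count would be the "relatively small number" of [0055]; the threshold and the fuse count here are arbitrary.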
[0056] In addition or alternatively, distributed diodes may be used to connect the power supply to the core circuits 18, the authentication circuits 20, the scrambled I/O circuits 22, and the intrusion detection and self-disable circuitry 24. Thus, an attacker cannot disable the power supply by editing a single diode out of the circuit. Since the likelihood of success in any combination of circuit modifications, using for instance FIB equipment, diminishes rapidly with each additional modification, it will be very difficult to disable all of the protection circuits.
[0057] Defense mechanisms hindering the physical observation of the stored secure keys and other circuit nodes are presented.
[0058] In general, PMOS devices and PMOS ratioed logic may be used in order to impede chip hacking and reverse engineering of logic states. The primary concerns addressed here are defeating PICA and LVP, both of which gather waveforms from an operating chip by observing the back side of the die optically. PICA watches the light emitted from currents flowing through "on" transistors to detect transitions, while LVP observes the polarity of laser light reflected back from the drains of transistors to observe voltage levels.
[0059] LVP and PICA have a limited optical resolution. The theoretical limit for optical resolution is given by the Rayleigh criterion:
s = 0.61 λ / (n · sin(θ)) = 0.61 λ / NA,
where n is the refractive index of the medium separating the object from the objective, θ is the half angle subtended by the lens at the object, and NA is called the numerical aperture. Since silicon absorbs light of wavelength energy less than or equal to the energy band gap of silicon, 1.12 eV, the smallest transparent wavelength is given by the following equation:
λmin = h · c / Egap,
where h is Planck's constant, c is the speed of light, and Egap is the silicon bandgap energy. Assuming air is the medium and a very wide lens is used, the best theoretical resolution satisfying the Rayleigh criterion is 675 nm. By using liquid or solid immersion, one can get practical NA values of up to 1.66, leading to λmin values of 407 nm. There is a cost and ease of use tradeoff in making NA larger. Depth of focus Dfocus decreases as NA grows and is given by the following equation:
Dfocus = λ / (4 · NA²).
Therefore, the lens would need to be about 40 nm from the nodes to be viewed. In other words, the distance to the lens is about a factor of 10 smaller than the resolution of the nodes one is trying to discern. One can also circumvent the Rayleigh criterion by placing a blocking mask with an opening whose diameter is less than 0.61 times the wavelength of light one is using. This can theoretically increase resolution, but a significant amount of light is blocked and collection times would have to increase. Therefore, a practical resolution limit may be about 675 nm when there are two competing signals present (one signal and one jamming).
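As an added worked example (not part of the patent), the resolution argument of [0059] carried through in code: the silicon bandgap fixes the shortest usable wavelength, the Rayleigh criterion turns that into a spatial resolution for a given numerical aperture, and a small predicate then answers the question the later layout sections turn on, namely whether two circuit nodes a given distance apart could be told apart from the backside. Planck's constant and the speed of light are standard values; the 1.12 eV bandgap and the 0.61 factor are the page's; the function names are this example's own.

```python
# Added example (not part of the patent text): optical-resolution model built
# from the quantities defined in [0059].
import math
from typing import Optional

PLANCK_EV_S = 4.135667696e-15     # h, Planck's constant in eV*s (standard value)
LIGHT_SPEED_NM_S = 2.99792458e17  # c, speed of light in nm/s (standard value)
E_GAP_SI_EV = 1.12                # silicon bandgap energy (page value)


def lambda_min_nm(e_gap_ev: float = E_GAP_SI_EV) -> float:
    """Shortest wavelength silicon transmits: lambda_min = h*c / E_gap."""
    return PLANCK_EV_S * LIGHT_SPEED_NM_S / e_gap_ev


def numerical_aperture(refractive_index: float, half_angle_deg: float) -> float:
    """NA = n * sin(theta) for a medium of index n and lens half angle theta."""
    return refractive_index * math.sin(math.radians(half_angle_deg))


def rayleigh_resolution_nm(na: float, wavelength_nm: Optional[float] = None) -> float:
    """Rayleigh limit s = 0.61 * lambda / NA; defaults to the silicon cut-off wavelength."""
    lam = lambda_min_nm() if wavelength_nm is None else wavelength_nm
    return 0.61 * lam / na


def nodes_resolvable(separation_nm: float, na: float) -> bool:
    """Could a backside optical probe distinguish two nodes this far apart?
    Defensive reading: complementary nodes placed closer than the Rayleigh
    limit are seen by the probe as a single blurred source."""
    return separation_nm >= rayleigh_resolution_nm(na)


if __name__ == "__main__":
    # Air with a very wide lens (NA = 1.0) versus practical immersion optics (NA = 1.66).
    for na in (numerical_aperture(1.0, 90.0), 1.66):
        s = rayleigh_resolution_nm(na)
        print(f"NA={na:.2f}: resolution {s:.0f} nm; "
              f"200 nm node spacing resolvable? {nodes_resolvable(200, na)}")
```

Running it reproduces the page's 675 nm (NA = 1) and 407 nm (NA = 1.66) figures, and shows that nodes spaced a few hundred nanometres apart fall below the limit even with immersion optics.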
[0060] Figure 4A is a graph showing a relationship between minimum gate separation and minimum semiconductor diffusion spacings versus various process technology modes. Since the energy band gap of silicon (Si) dictates the optical resolution of LVP and PICA, as technology progresses and dimensions associated with technology modes decrease, the techniques provided by the present invention will become more effective at minimizing the effectiveness of LVP and PICA. One purpose of limiting the authentication time and including self-destruct circuitry on the protected IC is to limit the time available to an attacker to gather optical signals which might betray key information.
[0061] NMOS drain nodes emit few photons per second, on the order of one photon per 100,000 switching events. PMOS transistors have much lower photon emission, on the order of 10,000 times less. Hence, by using PMOS-only circuits, the amount of time required to acquire a signal using optical probing techniques, such as PICA, is substantially increased. Signal level and transition detection can take hundreds of millions of cycles, and these must be repeated cycles. As such, one defense mechanism may be to not allow rapid repeats in time.
[0062] PICA specifically observes hot electron effects, which are much less common in PMOS transistors. As such, PMOS-only circuits may be used to substantially increase the difficulty level of PICA. In addition, PMOS ratioed gates have a smaller peak current. The smaller peak current also reduces the maximum light emitted, thereby further increasing the difficulty level of PICA. Since hot electron effects are directly proportional to the current, the current can be considered as being directly proportional to the PICA signal strength, i.e., the number of photons emitted over time. Additionally, ratioed PMOS circuits have constant DC currents. The constant DC currents produce a reduced SNR (since the noise floor is no longer quiet), thereby further increasing the difficulty of PICA.
[0063] Since LVP and PICA have a relatively low resolution (approximately 700 nm), using tightly packed, small process PMOS circuits also substantially increases the difficulty of such techniques and may potentially make such techniques impossible. For this reason, nodes that are expected to be of interest during debugging may be drawn more isolated, using "design for debug" techniques. In addition, the smaller swing levels offered by PMOS ratioed gates, normally considered a disadvantage, require a more accurate LVP voltage reading and reduce, albeit linearly, the SNR seen by the probe. Since NMOS drains have a much higher emission, they are attractive as nearby jammers, emitting photons to raise the signal noise floor. The NMOS drains will not affect LVP.
[0064] The currents through the PMOS ratioed gates are determined primarily by the size of the load devices. Since the switching device must be larger than the load device to maintain noise margin, the load device limits the current in the ON state. In the OFF state, the leakage through the switching device limits the current, but the current during the OFF state is much smaller than the current during the ON state. Increasing the size of the switching device changes the voltage levels and signal swing, but has a minimal effect on the currents. The peak current can be reduced by reducing the width to length ratio on the load transistor. However, reducing the width to length ratio below minimum width requires increasing the transistor length. Note that since photoemission is based on the electric fields within the devices, longer channels may be used to further lower the transistor photoemission levels.
[0065] Figure 4B illustrates a PMOS ratioed inverter 26 according to one embodiment of the present invention. The PMOS ratioed inverter 26 is a digital circuit and includes the first PMOS transistor element 12 and a PMOS load transistor element 28 coupled in series between the power supply VSUPPLY and ground. Gates of the first PMOS transistor element 12 and the PMOS load transistor element 28 are coupled together and receive a second inverter input signal VINV2IN, and drains of the first PMOS transistor element 12 and the PMOS load transistor element 28 are coupled together and provide a second inverter output signal VINV2OUT, which is a complement of the second inverter input signal VINV2IN. The following table compares values for the CMOS inverter 10 (Figure 1) having a 1.5:1 PMOS to NMOS ratio to the PMOS ratioed inverter 26 having a 6:1 switching to load ratio, each of which is implemented in a low power foundry 130 nm technology. The PFET switching transistor is the same size (720 nm wide and 100 nm long) for both gates.
Table 1
[0066] A gate output swing, an output high voltage minus an output low voltage (Voh - Vol), is approximately 0.5 volts (V) for the PMOS ratioed inverter 26, compared to 1.2 V for the CMOS inverter 10 (with an internal power supply Vdd at 1.2 V). This requires LVP to be twice as accurate to acquire the same amount of information (since it only has half as much voltage difference to work with). With a 6:1 switching to load ratio, the PMOS ratioed inverter 26 has an on current of approximately 15 μA and an off current of approximately 4 nA, compared to the CMOS inverter, which has a maximum current of 144 μA when switching and less than 1 nA when stable. The PMOS ratioed inverter 26 thus reduces the peak current by about one order of magnitude and increases the off current by a factor of four. This reduces the PICA SNR by about 40, thereby making PICA more difficult. In general, PMOS ratioed logic is used to obscure or confuse optical probing through the backside of the secure IC 16.
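As an added example (not part of the patent), the figures quoted in [0061] and in Table 1 / [0066] turned into the budget a designer actually needs: how many switching events a backside probe must observe to collect a given number of photons, how the on/off current figures translate into the "about 40" SNR reduction, and whether a given authentication window ([0060]) ends before enough photons can be integrated. The "signal is proportional to current" proxy follows [0062]; the photon-count threshold, the collection-efficiency parameter and the function names are this example's assumptions.

```python
# Added example (not from the patent): PICA acquisition/SNR budget built from
# the numbers quoted in [0061] and Table 1 / [0066].

# [0061]: NMOS drains emit about one photon per 100,000 switching events;
# PMOS transistors emit on the order of 10,000 times fewer.
NMOS_PHOTONS_PER_EVENT = 1.0 / 100_000
PMOS_PHOTONS_PER_EVENT = NMOS_PHOTONS_PER_EVENT / 10_000

# Table 1 / [0066] figures (amperes and volts).
CMOS_INVERTER = {"on_a": 144e-6, "off_a": 1e-9, "swing_v": 1.2}
PMOS_RATIOED_INVERTER = {"on_a": 15e-6, "off_a": 4e-9, "swing_v": 0.5}


def cycles_to_collect(photons_needed: int, photons_per_event: float,
                      collection_efficiency: float = 1.0) -> float:
    """Switching events the probe must observe to accumulate photons_needed
    photons. collection_efficiency (assumed parameter) models optics and
    detector losses; 1.0 is an ideal, best-case probe."""
    return photons_needed / (photons_per_event * collection_efficiency)


def pica_snr_proxy(on_a: float, off_a: float) -> float:
    """[0062]: emission is roughly proportional to current, so the transition
    signal scales with I_on and the always-present floor with I_off."""
    return on_a / off_a


def snr_reduction_factor(reference: dict, hardened: dict) -> float:
    """How much lower the PICA SNR proxy is for the hardened gate."""
    return (pica_snr_proxy(reference["on_a"], reference["off_a"])
            / pica_snr_proxy(hardened["on_a"], hardened["off_a"]))


def lvp_accuracy_factor(reference: dict, hardened: dict) -> float:
    """Extra voltage accuracy LVP needs when the output swing shrinks."""
    return reference["swing_v"] / hardened["swing_v"]


def window_denies_acquisition(window_cycles: float, photons_needed: int,
                              photons_per_event: float) -> bool:
    """[0060]: an authentication window shorter than the acquisition time means
    the probe cannot integrate enough photons before the IC self-disables."""
    return window_cycles < cycles_to_collect(photons_needed, photons_per_event)


if __name__ == "__main__":
    print("PICA SNR reduction, CMOS -> PMOS ratioed: %.1fx"
          % snr_reduction_factor(CMOS_INVERTER, PMOS_RATIOED_INVERTER))
    print("LVP accuracy factor: %.1fx" % lvp_accuracy_factor(CMOS_INVERTER, PMOS_RATIOED_INVERTER))
    for name, rate in (("NMOS", NMOS_PHOTONS_PER_EVENT), ("PMOS", PMOS_PHOTONS_PER_EVENT)):
        print("%s: %.0e repeated events to collect 100 photons" % (name, cycles_to_collect(100, rate)))
```

The ratio 144 μA / 1 nA against 15 μA / 4 nA gives 38.4, the page's "about 40"; the photon budget shows why [0061] speaks of hundreds of millions of repeated cycles, and why a self-disable that ends the session first is a meaningful defence rather than a nuisance.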
[0067] Figures 4C and 4D illustrate a PMOS ratioed NOR gate 30 and a PMOS ratioed NAND gate 34, respectively, according to one embodiment of the present invention. As illustrated in Figure 4C, the PMOS ratioed NOR gate 30 includes the first PMOS transistor element 12, a second PMOS transistor element 32, and the PMOS load transistor element 28 coupled in series between the power supply VSUPPLY and ground. The gate of the first PMOS transistor element 12 receives a NOR B input signal VNORBIN and the gate of the second PMOS transistor element 32 receives a NOR A input signal VNORAIN. The drains of the first PMOS transistor element 12 and the PMOS load transistor element 28 are coupled together and provide a NOR output signal VNOROUT, which is a logic "0" whenever either the NOR A input signal VNORAIN, the NOR B input signal VNORBIN, or both, is a logic "1".
[0068] As illustrated in Figure 4D, the PMOS ratioed NAND gate 34 includes the first PMOS transistor element 12 and the second PMOS transistor element 32 coupled in parallel, and the PMOS load transistor element 28 coupled in series with the parallel combination of the first PMOS transistor element 12 and the second PMOS transistor element 32 between the power supply VSUPPLY and ground. The gate of the first PMOS transistor element 12 receives a NAND A input signal VNANDAIN and the gate of the second PMOS transistor element 32 receives a NAND B input signal VNANDBIN. The drains of the first PMOS transistor element 12 and the PMOS load transistor element 28 are coupled together and provide a NAND output signal VNANDOUT, which is a logic "0" whenever the NAND A input signal VNANDAIN and the NAND B input signal VNANDBIN are both a logic "1". As with the PMOS ratioed inverter 26 of Figure 4B, the PMOS ratioed NOR and NAND gates 30, 34 have substantially reduced on currents as compared to their CMOS counterparts, thus reducing the PICA SNR and making PICA more difficult.
[0069] Figures 5A and 5B are duplicates of Figures 2A and 2B, respectively, for clarification, and Figures 5C and 5D are graphs illustrating the second inverter output signal VINV2OUT and the possible PICA probe signal VPROBE of the PMOS ratioed inverter 26 illustrated in Figure 4B. The second inverter output signal VINV2OUT illustrated in Figure 5C shows about one-half the voltage swing of the first inverter output signal VINV1OUT illustrated in Figure 5A. Since the PMOS ratioed inverter 26 is constructed of PMOS devices and has about one-half the voltage swing of the CMOS inverter 10 (Figure 1), magnitudes of the probe signal VPROBE associated with the PMOS ratioed inverter 26 that are illustrated in Figure 5D are significantly smaller than the magnitudes of the probe signal VPROBE associated with the CMOS inverter 10 (Figure 1) that is illustrated in Figure 5B, and may be virtually undetectable by PICA or LVP.
[0070] Differential circuits having tight layout of complementary nodes are presented below. According to one embodiment of the present invention, differential circuits, such as CVSL circuits, may be designed having a tight layout of complementary nodes such that optical probing techniques are made substantially more difficult, if not impossible. More specifically, complementary nodes are spaced or interleaved such that the spatial resolution of the optical probing techniques is too large to focus on one circuit node. In effect, both positive and negative polarity signals will be detected in any probing attempt, thereby making reliable determination of the circuit state impossible. In addition, differential circuits, such as CVSL circuits, consume substantially less power at equal frequencies of interest for these applications than PMOS-only circuits or PMOS ratioed circuits and are therefore preferable for larger circuits. Also, it may be desirable to use differential circuits, such as CVSL circuits, for circuits outside the authentication or programming loop, i.e., the I/O encryption. Note that while the following discussion is focused on CVSL, other types of differential logic may be used.
[0071] At the 90 nm technology node and beyond, CVSL can be laid out with sufficient density to provide both the positive and negative differential signals to the semi-invasive probes, rendering them unusable. This has the added advantage in that this density defense should be effective not just against emission based techniques, such as PICA, but also against LVP, since the latter has a laser spot size limited by the optics and Si transmission characteristics. In one embodiment, CVSL security circuits are designed to have layouts where their differential nodes and transistors are densely interleaved such that both the positive and negative nodes and transistors are within the spatial resolution of the optical probing techniques. For PICA and LVP through a Silicon (Si) substrate, the spatial resolution may be approximately 900 nm. The transistors are spaced closely together so that any photonic emissions from current flow cannot be traced back to a single gate. The diffusion nodes are placed close together to thwart probing such as LVP, which relies upon the state of the node. It should be noted that the spatial resolution is based on the physics of the transmission through Si, and is a physical parameter of the Si band gap. As such, it is unlikely that this method of jamming PICA and LVP probing will fall to future innovative optical approaches. Nearby jamming circuits can also be employed as desired. Unlike the PMOS ratioed circuits, CVSL has excellent speed and low power capabilities. This greatly widens the applicable circuit applications that may be implemented in the secure IC 16.
[0072] Figures 6A and 6B illustrate a schematic and layout implementation 68 of a first buffered CVSL NAND2 gate 38, respectively, according to one embodiment of the present invention. The first buffered CVSL NAND2 gate 38 is formed by first, second, third, fourth, fifth, and sixth PMOS transistor elements 12, 32, 40, 42, 44, 64 and second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, and eleventh NMOS transistor elements 46, 48, 50, 52, 54, 56, 58, 60, 62, 66 arranged as shown. The second and the eleventh NMOS transistor elements 46, 66 may be represented as M1 and M2, respectively. Further, the first, second, third, fourth, fifth, and sixth PMOS transistor elements 12, 32, 40, 42, 44, 64 may be represented as M5, M6, M7, M8, M3, and M4, respectively.
Differential input signals include a non-inverted A side A, an inverted A side Ā, a non-inverted B side B, and an inverted B side B̄. Differential output signals include a non-inverted output signal OUT and an inverted output signal OUT̄. Internal differential signals include a non-inverted internal signal X and an inverted internal signal X̄. The non-inverted output signal OUT is a logic "0" and the inverted output signal OUT̄ is a logic "1" when the non-inverted A side A and the non-inverted B side B are both a logic "1", and the inverted A side Ā and the inverted B side B̄ are both a logic "0". Otherwise, the non-inverted output signal OUT is a logic "1" and the inverted output signal OUT̄ is a logic "0".
[0073] In a traditional buffered CVSL NAND2 gate without jamming, the first and the second PMOS transistor elements 12, 32 would be omitted and the sources of the third and the fourth PMOS transistor elements 40, 42 would be coupled to a power supply; the third and the fourth NMOS transistor elements 48, 50 would be omitted; and the eighth and the tenth NMOS transistor elements 58, 62 would be omitted and the sources of the seventh and the ninth NMOS transistor elements 56, 60 would be coupled to ground. However, by including the first and the second PMOS transistor elements 12, 32, the third and the fourth NMOS transistor elements 48, 50, and the eighth and the tenth NMOS transistor elements 58, 62, any transition in the first buffered CVSL NAND2 gate 38 will balance the number of complementary drains being transitioned, thereby allowing symmetrical layout jamming to be done. Therefore, the four stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 may be arranged to closely couple the top drain of each stack close to one another. The arrangement may be rectangular or square having an interweaving between non-inverting drains and inverting drains.
[0074] Figure 6B illustrates a layout implementation 68 of the first buffered CVSL NAND2 gate 38 illustrated in Figure 6A. Gates 70, sources 72, and drains 74 of the second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, and eleventh NMOS transistor elements 46, 48, 50, 52, 54, 56, 58, 60, 62, 66 are shown. The second and the eleventh NMOS transistor elements 46, 66 are split to create four different drains 74 to facilitate interweaving of complementary drains 74. Drain edges 76 of the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 and the second and eleventh NMOS transistor elements 46, 66 may have a particularly high concentration of "hot" electron caused photon emissions that may contribute to PICA signals. Therefore, the drain edges 76 may be coupled together as closely as possible. Drain regions 78 are rectangles that capture the drains 74 of the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 and the second and the eleventh NMOS transistor elements 46, 66. Each drain region 78 may have a width 80 and a length 82. In an exemplary embodiment of the present invention, the width 80 of the drain regions 78 that capture the drains 74 of the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 and the second and the eleventh NMOS transistor elements 46, 66 may be on the order of about 700 nm and the length 82 of the drain regions 78 that capture the drains 74 of the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 and the second and the eleventh NMOS transistor elements 46, 66 may be on the order of about 900 nm. Each drain region 78 has a first set of opposite corners and a second set of opposite corners, and may include four drains, such that drains 74 in the first set of opposite corners are complementary to drains in the second set of opposite corners, as shown.
[0075] The gates 70 may be longer than normal to reduce "hot" electron caused optical photon emissions. Further, the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 may be arranged to skew arrival times of complementary signals, which may cause false current conduction and jam the real signals from detection.
[0076] The drain edges 76 of the stacked transistor pairs 48/50, 52/54, 56/58, and 60/62 are very close together, which in an exemplary embodiment, may be within a 575 nm radius, thereby making PICA probing very difficult, if not impossible. LVP is also very difficult due to the interweaving of the non-inverted internal signal X and the inverted internal signal X̄, and the interweaving of the non-inverted output signal OUT and the inverted output signal OUT̄. In an exemplary embodiment, each drain 74 along the width 80 may be less than about 200 nm and each drain 74 along the length 82 may be less than about 420 nm. As noted above, M1 and M2 were split into two parts to facilitate the interleaving of the nodes and the gates.
[0077] On a 90 nm bulk CMOS process the horizontal node separation may be under 200 nm; therefore, optical probing will not be able to distinguish the circuit state whatsoever and transitions on either side of the gate will be picked up indiscriminately. Large transistors, when needed, may be laid out using many interleaved legs in folded transistor configurations.
[0078] Output buffer inverters may be laid out similarly to also jam the probing techniques in exactly the same manner. Additionally, any attempt to modify the circuit output via laser is prone to the same Silicon (Si) penetration and wavelength limitations. Hence the circuit will not allow targeted state modification as the beam will create a common-mode shift in both the intended signal and its complement. For flip-flops and other circuits, a similar style of circuit may be used, which is also fully differential.
[0079] Alternate embodiments of the present invention may include other buffered CVSL gates having one or more groups of complementary drains, such that the complementary drains in each group are in close proximity to one another. Further, any transition in a buffered CVSL gate may result in a balanced number of complementary drains 74 being transitioned. Additionally, a buffered CVSL gate may have one or more drain regions 78, such that each drain region 78 has a first set of opposite corners and a second set of opposite corners, and may include four drains 74, such that drains 74 in the first set of opposite corners are complementary to drains 74 in the second set of opposite corners. In general, the secure IC 16 may use differential circuitry other than CVSL circuitry, and the differential circuitry is layout balanced between photon emissions from complementary signal nodes to obscure or confuse optical probing through the backside of the secure IC 16.
[0080] Note that the technique of differential circuits having tight layouts of complementary nodes does not have to be perfectly un-probeable. In general, as long as this technique provides sufficient time for observation circuits to detect an attack and take appropriate responsive action, this defensive technique is acceptable. It is preferable for current transitions and the probability of generating hot electrons to be made symmetrical.
[0081] Using a layout technique of the present invention, devices are stacked to provide two stacks of positive polarity and two stacks of opposite polarity, as shown in Figures 6A and 6B. In addition, the transistors which may conduct current may be placed in a symmetrical fashion about a central point such that they are closer together than the best resolution of the PICA probe equipment, which may be about 900 nm. In addition to stacking gates where possible, longer channel devices may be used. In the exemplary embodiment of Figures 6A and 6B, a longer channel length (L) of 100 nm was used as compared to the standard L of 80 nm. Both of these techniques will reduce the number of hot electrons generated and thus the number of photons emitted. Use of lower VDD also reduces photon emissions commensurately.
[0082] One other beneficial aspect of CVSL circuits is that the arrival of the input signals will not, in general, happen at the same time, which may cause all transistors to conduct simultaneously. While not good for power, it may act as a local jamming signal and reduce the SNR of the true gate switching. In addition, local jamming circuits may be used as desired.
[0083] Figure 7 illustrates a second buffered CVSL NAND2 gate 84 according to another embodiment of the present invention. More specifically, this embodiment of the second buffered CVSL NAND2 gate 84 is formed primarily from PMOS transistors rather than NMOS transistors. Functional equivalents of the transistors in Figure 6A are represented as primes in Figure 7. For example, the first PMOS transistor element 12 shown in Figure 6A has a functionally equivalent NMOS transistor in Figure 7, identified as 12'. As discussed above, the PMOS transistors further increase the difficulty of optical probing, because PICA probing depends upon photon emissions from hot carrier collisions and PMOS devices have a much lower probability of hot electron generation. They are therefore more secure against PICA probing. The NMOS load transistors can be long channel to reduce their emissions.
[0084] Figures 8A, 8B, 8C, 8D, and 8E are graphs illustrating signals associated with the first buffered CVSL NAND2 gate 38 illustrated in Figure 6A. Figures 8A and 8C show a non-inverted output signal OUT and an inverted output signal O̅U̅T̅, respectively, from a traditional CVSL buffered NAND2 gate (not shown). Figures 8B and 8D show possible PICA or LVP probe signals VPROBE of the non-inverted output signal OUT and the inverted output signal O̅U̅T̅, respectively, which may be representative of the M2 and M1 NMOS transistor elements, respectively. Since the traditional CVSL buffered NAND2 gate takes no steps to obscure detection of the non-inverted output signal OUT and the inverted output signal O̅U̅T̅, rising edge transitions and falling edge transitions of these signals may be easily discerned from one another. However, in the first buffered CVSL NAND2 gate 38, rising edge transitions and falling edge transitions of an equivalent non-inverted output signal OUT and inverted output signal O̅U̅T̅ may not be discernable from one another, as illustrated in Figure 8E. Therefore, Figure 8E may be representative of the combination of the M2 and M1 NMOS transistor elements.
[0085] Figure 9 illustrates a process for forming the dual rail CVSL netlist and chip layout from a single ended netlist design, such as one based upon standard CMOS. When traditional automatic place and route (APR) software is used, hold time violations may occur, and they are traditionally fixed by inserting single ended delay buffers. This undoes the jamming technique, because a single ended buffer is an unpaired node: it delays one rail of a complementary pair and its transitions have no complementary partner switching next to them. However, a Practical Extraction and Report Language (Perl) script may be written to find all of the single ended min delay buffers and convert them to dual rail buffers, such that the signal and its complementary signal both pass through the dual ended min delay buffer with the layout jamming techniques applied. A register transfer level (RTL) representation of a single rail CMOS design that needs timing skews is received (Step 200). The CMOS design is synthesized using a reduced CMOS cell library, which provides the base CVSL architecture, to create a netlist (Step 202). The netlist is flattened to create a VHSIC hardware description language (VHDL) netlist of the CMOS design (Step 204). The CMOS design is converted into the CVSL design using a CAD program to create the VHDL netlist of the CVSL design (Step 206). The VHDL netlist of the CVSL design is converted into a Verilog netlist of the CVSL design (Step 208). The CVSL design is placed and routed using APR software to create a CVSL layout (Step 210).
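The buffer conversion step of [0085], as an added example that is not code from the patent (the patent names a Perl script; this is an independent Python sketch of the same transformation, run on a constructed gate-level Verilog netlist). Assumed, not taken from the patent: complementary nets are named with an `_n` suffix, the single ended min delay cell is called `DLY1`, and its dual rail replacement is `CVSL_DLY1` with pins `A`/`AN` in and `Z`/`ZN` out. The `rail_mismatches` check is the signoff a practitioner would want: it reports every instance whose true and complement pins are no longer driven by a complementary pair, which is exactly what an APR-inserted single ended buffer causes.

```python
"""Convert APR-inserted single ended min delay buffers into dual rail buffers.

Added example, not the patent's Perl script.  Assumptions: gate-level Verilog,
complement nets named <net>_n, single ended cell DLY1 (pins A -> Z), dual rail
replacement CVSL_DLY1 (pins A/AN -> Z/ZN).
"""
import re

# Constructed sample netlist: APR fixed a hold violation by inserting DLY1 h0 on
# net n1 only, so at u1 the delayed true rail n2 is paired with the undelayed
# complement n1_n and the two no longer switch together.
SAMPLE_NETLIST = """\
module top (a, a_n, b, b_n, y, y_n);
  input a, a_n, b, b_n;
  output y, y_n;
  wire n1, n1_n, n2;
  CVSL_NAND2 u0 (.A(a), .AN(a_n), .B(b), .BN(b_n), .Q(n1), .QN(n1_n));
  DLY1 h0 (.A(n1), .Z(n2));
  CVSL_NAND2 u1 (.A(n2), .AN(n1_n), .B(b), .BN(b_n), .Q(y), .QN(y_n));
endmodule
"""

SE_CELL, DR_CELL = "DLY1", "CVSL_DLY1"          # assumed cell names
INST_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s*\((.*)\);\s*$")
PIN_RE = re.compile(r"\.(\w+)\((\w+)\)")
KEYWORDS = {"module", "input", "output", "wire"}


def instances(lines):
    """(line index, cell, instance name, {pin: net}) for every cell instance."""
    out = []
    for i, ln in enumerate(lines):
        m = INST_RE.match(ln)
        if m and m.group(1) not in KEYWORDS:
            out.append((i, m.group(1), m.group(2), dict(PIN_RE.findall(m.group(3)))))
    return out


def comp(net):
    """Name of the complementary rail under the assumed <net>_n convention."""
    return net[:-2] if net.endswith("_n") else net + "_n"


def single_ended_buffers(netlist):
    return [name for _, cell, name, _ in instances(netlist.splitlines()) if cell == SE_CELL]


def rail_mismatches(netlist):
    """(instance, pin) pairs where pin P and pin PN are not driven by a complementary pair."""
    bad = []
    for _, _, name, pins in instances(netlist.splitlines()):
        for p, net in pins.items():
            if p + "N" in pins and pins[p + "N"] != comp(net):
                bad.append((name, p))
    return bad


def convert(netlist):
    """Replace each DLY1 with a CVSL_DLY1 and re-pair its consumers on the delayed complement."""
    lines = netlist.splitlines()
    inst = instances(lines)
    new_wires = []
    for i, cell, name, pins in inst:
        if cell != SE_CELL:
            continue
        x, y = pins["A"], pins["Z"]
        xn, yn = comp(x), comp(y)
        lines[i] = f"  {DR_CELL} {name} (.A({x}), .AN({xn}), .Z({y}), .ZN({yn}));"
        new_wires.append(yn)
        # every consumer of the delayed true rail must also see the delayed complement
        for j, _, _, p2 in inst:
            if j != i and y in p2.values():
                lines[j] = re.sub(rf"\({xn}\)", f"({yn})", lines[j])
    if new_wires:
        last_wire = max((k for k, ln in enumerate(lines) if ln.strip().startswith("wire")), default=0)
        lines.insert(last_wire + 1, "  wire " + ", ".join(new_wires) + ";")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", single_ended_buffers(SAMPLE_NETLIST), rail_mismatches(SAMPLE_NETLIST))
    fixed = convert(SAMPLE_NETLIST)
    print("after: ", single_ended_buffers(fixed), rail_mismatches(fixed))
    print(fixed)
```

Run `rail_mismatches` again on the final post-layout netlist, not only on the converted one: any later engineering change that lets the APR tool insert a fresh single ended buffer reintroduces an unpaired, probe-friendly node.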
[0086] Defense mechanisms hindering the logical observation of the secure keys and other circuit nodes are presented. Some probing techniques, such as LVP, can read essentially DC signals with sufficient effort. Hence, it may be desirable to confound such DC probing techniques to provide key security. Thus, in one embodiment, the one or more keys used for authentication and encryption are stored as dynamically moving keys. More specifically, time-varying pseudorandom key storage may be utilized after power-up, so that no node holds a key bit as a static value for long. Consequently, a DC probe has only a very limited window of opportunity, and because the power supply attack detection circuits prevent an attacker from freezing the circuit state by manipulating the supply or the clock, the DC attack becomes untenable.
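One way to realise the time-varying key storage of [0086], as an added example and not circuitry or code from the patent: the key is held as two Boolean shares that are re-randomised every clock from a pseudorandom source (a 16-bit LFSR here), so the register a slow probe would integrate never carries a key-dependent DC level. The patent does not say how its keys move; the two-share scheme, the LFSR taps, the key width and the probe model below are all assumptions of this example.

```python
"""Re-masked ('dynamically moving') key storage against DC probing.

Added example, not from the patent.  The key is never present as a static
register value: s0 ^ s1 == key at every cycle, but both s0 and s1 change every
cycle.  Assumed: 16-bit key, a 16-bit maximal-length LFSR as the on-chip
pseudorandom source, and a probe that only sees the time average of a node.
"""

KEY_BITS = 16
MASK = (1 << KEY_BITS) - 1


class Lfsr16:
    """Fibonacci LFSR, polynomial x^16 + x^14 + x^13 + x^11 + 1 (period 65535)."""

    def __init__(self, seed):
        assert seed & MASK, "the all-zero state would lock the LFSR"
        self.state = seed & MASK

    def next(self):
        s = self.state
        bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
        self.state = (s >> 1) | (bit << 15)
        return self.state


class MovingKey:
    """Key kept as two shares; both shares are XORed with a fresh mask each tick."""

    def __init__(self, key, seed=0xACE1):
        self.rng = Lfsr16(seed)
        r = self.rng.next()
        self.s0, self.s1 = (key & MASK) ^ r, r

    def tick(self):
        r = self.rng.next()          # one clock: re-randomise, value unchanged
        self.s0 ^= r
        self.s1 ^= r

    def read(self):
        return self.s0 ^ self.s1     # the only place the key exists, and only transiently


class StaticKey:
    """Conventional register for comparison: the key sits at a DC level forever."""

    def __init__(self, key):
        self.s0 = key & MASK

    def tick(self):
        pass


def dc_probe(reg, cycles):
    """Fraction of cycles each bit of register s0 reads '1' (what an integrating probe sees)."""
    ones = [0] * KEY_BITS
    for _ in range(cycles):
        for b in range(KEY_BITS):
            ones[b] += (reg.s0 >> b) & 1
        reg.tick()
    return [c / cycles for c in ones]


def guess_from_bias(bias):
    """The attacker's best guess: a bit is 1 if its node sat high more than half the time."""
    return sum(1 << b for b, p in enumerate(bias) if p > 0.5)


if __name__ == "__main__":
    key = 0xBEEF
    print("static  :", hex(guess_from_bias(dc_probe(StaticKey(key), 4096))))
    print("moving  :", hex(guess_from_bias(dc_probe(MovingKey(key), 4096))))
    print("biases  :", [round(p, 2) for p in dc_probe(MovingKey(key), 4096)])
```

The caveat a practitioner should keep in mind: this defeats a probe that is slow relative to the refresh clock. An attacker who captures `s0` and `s1` in the same cycle, or who can stop the clock, still gets the key, which is why the patent pairs the moving keys with the power supply and clock attack detection circuits rather than relying on them alone.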
[0087] As discussed above with respect to Figure 3, the secure IC 16 may include the scrambled I/O circuits 22. Until there is a proper authentication, the scrambling is essentially a random pattern. However, once authentication is properly performed, the scrambling is as expected by the external device. In operation, the scrambled I/O circuits 22 are programmed to provide an expected scrambling pattern, which can be unscrambled by the receiving device. [0088] The observation circuits may have a formidable task, namely determining when attacks such as power supply and clock glitching have or are occurring. In order to assist the observation circuits, it may be desirable to keep power supplied to the observation circuits, at least for a reasonable length of time, after the power supply is removed. This allows the observation circuits to determine, potentially record, and respond to such attacks. A conventional circuit simply does not know if power was recently shut down. Hence, power attacks have been successfully employed to breach IC security functions in the past.
[0089] Figure 10A illustrates one embodiment of a power supply system 86 in which power is supplied to the intrusion detection and self-disable circuitry 24, or at least to the one or more observation circuits of the intrusion detection and self-disable circuitry 24, after the external power supply VDDIO has been disrupted, according to one embodiment of the present invention. More specifically, as shown in Figure 10A, the intrusion detection and self-disable circuitry 24 is powered by a first isolated virtual supply VDDRETAIN1, which in this case is a first capacitive element C1. The first isolated virtual supply VDDRETAIN1 provides power to the intrusion detection and self-disable circuitry 24 for operation after power provided by the external power supply VDDIO is removed. A power supply coupling circuit 88 operates to couple the external power supply VDDIO to the first capacitive element C1 to provide the first isolated virtual supply VDDRETAIN1 to the intrusion detection and self-disable circuitry 24.
[0090] Figure 10B shows details of the power supply coupling circuit 88 illustrated in Figure 10A. The power supply coupling circuit 88 includes a first diode element CR1, such that when the external power supply VDDIO provides power, the external power supply VDDIO provides the first isolated virtual supply VDDRETAIN1 and charges the first capacitive element C1, and when the external power supply VDDIO does not provide power, the first diode element CR1 isolates the first capacitive element C1 from the external power supply VDDIO and the first capacitive element C1 provides the first isolated virtual supply VDDRETAIN1.
[0091] In alternate embodiments of the present invention, the power supply coupling circuit 88 may be an NMOS source-follower circuit, a Multi-Threshold CMOS (MTCMOS) circuit, multiple diode elements, or the like.
The multiple diode elements may be comprised of many smaller diodes distributed around the die, so that they cannot easily be disabled by an invasive attack such as FIB and so that the retained supply cannot be turned off rapidly. Another concern is laser assisted discharge. Keeping the diodes small and distributed mitigates this threat as well: each diode presents only one small target, and the total current that can be drawn through any one of them is limited. The power supply coupling circuit 88 also isolates the internal power supply VDD from the external power supply VDDIO, which in turn hinders power analysis of the internal supply from the external pins.
[0092] Figure 11 illustrates the power supply system 86 according to an alternate embodiment of the present invention. Power is supplied to the intrusion detection and self-disable circuitry 24, or at least to the one or more observation circuits of the intrusion detection and self-disable circuitry 24, after the external power supply VDDIO has been disrupted. More specifically, as shown in Figure 11, the intrusion detection and self-disable circuitry 24 is powered by the first isolated virtual supply VDDRETAIN1, which in this case is the first capacitive element C1, and a second isolated virtual supply VDDRETAIN2, which in this case is a second capacitive element C2. The first and the second isolated virtual supplies VDDRETAIN1, VDDRETAIN2 provide power to the intrusion detection and self-disable circuitry 24 for operation after the external power supply VDDIO is removed. The power supply coupling circuit 88 operates to couple the external power supply VDDIO to the first and the second capacitive elements C1, C2 to provide the first and the second isolated virtual supplies VDDRETAIN1, VDDRETAIN2 to the intrusion detection and self-disable circuitry 24.
[0093] Figure 12 shows details of the power supply system 86 illustrated in Figure 11. The power supply coupling circuit 88 includes the first diode element CR1 and a second diode element CR2. When the external power supply VDDIO provides power, the external power supply VDDIO provides the first isolated virtual supply VDDRETAIN1 and charges the first capacitive element C1 through the first diode element CR1, and provides the second isolated virtual supply VDDRETAIN2 and charges the second capacitive element C2 through the second diode element CR2. When the external power supply VDDIO does not provide power, the first diode element CR1 isolates the first capacitive element C1 from the external power supply VDDIO and the first capacitive element C1 provides the first isolated virtual supply VDDRETAIN1, and the second diode element CR2 isolates the second capacitive element C2 from the external power supply VDDIO and the second capacitive element C2 provides the second isolated virtual supply VDDRETAIN2.
[0094] The intrusion detection and self-disable circuitry 24 includes a power supply monitor 90 and fuse circuitry 92, which are powered by the first and the second isolated virtual supplies VDDRETAIN1, VDDRETAIN2, respectively. The power supply monitor 90 monitors the status of the external power supply VDDIO and the internal power supply VDD and, according to one embodiment of the present invention, any time the external power supply VDDIO is removed before proper authentication has been completed, the power supply monitor 90 directs the fuse circuitry 92 to blow a fuse to record the condition permanently. The fuse circuitry 92 uses the energy stored in the second isolated virtual supply VDDRETAIN2 to blow the fuse. The power supply monitor 90 monitors the fuse circuitry 92 and, when the number of blown fuses exceeds a threshold, disables the secure IC 16 by providing a disable signal DISABLE. In another embodiment of the present invention, when an authentication attempt fails, the power supply monitor 90 directs the fuse circuitry 92 to blow a fuse to record the condition permanently. Therefore, an attacker has a limited number of attempts to optically probe authentication keys that are protected using one of the protection methods previously presented, such as ratioed PMOS logic or differential logic. Since there may be many authentication key nodes, and each attempt can probe only some of them, the secure IC 16 should be permanently disabled before the attacker can achieve a successful pirated authentication.
[0095] The first capacitive element C1, the second capacitive element C2, or both may be monolithic capacitors, analog metal-insulator-metal (MIM) capacitors, interdigitated metal (IM) capacitors, or the like. Analog MIM capacitors have the advantage of requiring only two upper metal layers, thereby allowing other circuits to be placed under them. IM capacitors are illustrated in Figures 13A and 13B. An IM capacitor may provide approximately 10 pF in a 100 x 100 μm region. A first set of fingers 94 is interdigitated with a second set of fingers 96 to provide the two sides of the IM capacitor, as shown in Figures 13A and 13B. Another technique to deter the attacker from destroying the first or the second capacitive elements C1, C2 is to occasionally route important signals in metal through the first and the second capacitive elements C1, C2. An attack on C1 or C2 then also disrupts those signals, which increases the chance that the attack destroys the circuit or is detected.
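The supply system of Figures 10 through 12 and the fuse accounting of [0094], as an added example: a behavioural model written for this page, not the patent's circuitry, that steps the diode-isolated retention capacitors and the power supply monitor one observation cycle at a time. Apart from the 10 pF value of C1, every number is an assumption of the model rather than a figure from the patent: VDDIO = 1.8 V, a 0.6 V diode drop, a 100 nA monitor current drawn from C1 for 10 µs per cycle, a 0.25 V floor below which the observation circuits stop, 2 pC taken from C2 per blown fuse, and a disable threshold of three blown fuses.

```python
"""Capacitor-retained power monitor with fuse-based attempt counting.

Added example modelling the supply system of Figures 10-12 and the monitor /
fuse behaviour of [0094] cycle by cycle.  All constants except C1 = 10 pF are
assumptions of this model, not values from the patent.
"""
from dataclasses import dataclass, field

VDDIO_NOMINAL = 1.8      # V, external supply when present (assumed)
V_DIODE = 0.6            # V, forward drop of CR1 / CR2 (assumed)
V_MIN_OBS = 0.25         # V, below this the observation circuits stop (assumed)
I_MONITOR = 100e-9       # A, drawn from C1 by the monitor (assumed)
T_CYCLE = 10e-6          # s, one observation cycle (assumed)
Q_FUSE = 2e-12           # C, taken from C2 to blow one fuse (assumed)
FUSE_THRESHOLD = 3       # blown fuses beyond which DISABLE is asserted (assumed)


@dataclass
class RetainCap:
    """An isolated virtual supply: a capacitor behind a diode."""
    c: float
    v: float = 0.0

    def charge(self, vddio):
        # the diode conducts only while VDDIO exceeds the capacitor voltage
        self.v = max(self.v, vddio - V_DIODE)

    def draw(self, q):
        self.v = max(0.0, self.v - q / self.c)


@dataclass
class PowerMonitor:
    c1: RetainCap = field(default_factory=lambda: RetainCap(10e-12))   # VDDRETAIN1
    c2: RetainCap = field(default_factory=lambda: RetainCap(10e-12))   # VDDRETAIN2
    fuses_blown: int = 0            # one-time programmable: survives power cycles
    authenticated: bool = False
    disabled: bool = False
    log: list = field(default_factory=list)
    _vddio_was_on: bool = False

    def _blow_fuse(self, reason):
        if self.c2.v < Q_FUSE / self.c2.c:
            self.log.append(f"no fuse energy left: {reason}")   # C2 exhausted: event is lost
            return
        self.c2.draw(Q_FUSE)
        self.fuses_blown += 1
        self.log.append(f"fuse {self.fuses_blown} blown: {reason}")
        if self.fuses_blown > FUSE_THRESHOLD:
            self.disabled = True
            self.log.append("DISABLE asserted")

    def step(self, vddio_on, auth_event=None):
        """One observation cycle.  auth_event is None, 'pass' or 'fail'."""
        vddio = VDDIO_NOMINAL if vddio_on else 0.0
        self.c1.charge(vddio)
        self.c2.charge(vddio)
        if self.c1.v < V_MIN_OBS:
            self.log.append("monitor unpowered")      # nothing can be observed or recorded
            self._vddio_was_on = vddio_on
            return
        self.c1.draw(I_MONITOR * T_CYCLE)
        if auth_event == "pass":
            self.authenticated = True
        elif auth_event == "fail":
            self._blow_fuse("authentication failure")
        if self._vddio_was_on and not vddio_on and not self.authenticated:
            self._blow_fuse("VDDIO removed before authentication")
        self._vddio_was_on = vddio_on


def run(pattern, auth_events=None):
    """pattern: VDDIO present per cycle; auth_events: {cycle index: 'pass' | 'fail'}."""
    mon = PowerMonitor()
    for k, on in enumerate(pattern):
        mon.step(on, (auth_events or {}).get(k))
    return mon


def power_cycling_attack(n):
    """Attacker powers up, probes, then drops VDDIO without authenticating, n times."""
    return ([True] * 5 + [False] * 2) * n


if __name__ == "__main__":
    for line in run(power_cycling_attack(4)).log:
        print(line)
```

Two behaviours of the model are the ones worth checking in a real design: the fuse count is only advanced while C1 still holds more than the monitor's minimum operating voltage, so a power-down longer than C1's retention time is recorded once and then goes dark; and C2 must be recharged between fuse events, or a long string of authentication failures on one retained charge will run out of fuse energy before the threshold is reached.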
[0096] Figures 14A and 14B graphically illustrate the operation of active circuits powered by the first isolated virtual supply VDDRETAIN1 after the external power supply VDDIO has been removed, according to an exemplary embodiment of the present invention. The active circuits may be implemented with thick gate oxides and high threshold voltages to limit gate and drain-to-source leakage, and with dual stacks to further limit drain-to-source leakage currents. The low voltages, at least as the supply collapses, limit the source leakage currents due to junction band-to-band tunneling and gate-induced drain leakage (GIDL). Note that sub-threshold circuits may operate down to and below 250 mV, albeit at low frequencies, i.e., tens of kHz. These speeds are more than adequate for the observation circuits discussed herein. The sub-threshold circuits allow detection of various passive and semi-invasive attacks, i.e., raising and lowering the supplies, rapid power-up and power-down, as well as detection of the repeated vectors required in semi-invasive probing.
[0097] The active test circuit used for Figures 14A and 14B is a 51 stage inverter chain with a one hundred percent (100%) activity factor. A 10 pF capacitance was used as the first capacitive element C1. This size, in line with the need to distribute the security circuits to thwart invasive attacks, makes distributed detection possible. Due to the leakage mitigating circuits used, most of the energy is expended by active operation. Since well designed, low power circuits have on the order of a seven percent (7%) activity factor, this behavior is indicative of a circuit with up to 1000 gates. In sub-threshold operation, circuit speed is limited (note that the circuit fails due to timing violations as the supply falls below 0.5 V in Figure 14A). Sub-threshold circuits also operate faster when hot, which is different from their above-threshold counterparts.
The circuits here are usable under a wide range of supplies, i.e., 250 mV to 2 V, to further ensure that supply attacks on the IC do not disrupt the intrusion detection functionality.
[0098] It is important that the intrusion detection and self-disable circuitry 24 not be disabled by an attacker using fully invasive techniques, such as FIB. To thwart such an attack, two approaches may be used. First, signals important to operation can be interleaved through the capacitors forming the isolated virtual supply, especially the IM capacitors. For example, one of the capacitors may be used as a phase-locked loop (PLL) filter in addition to being interleaved with, or being part of, the isolated virtual supply. As such, if the capacitors are disabled by FIB techniques, the signals are disrupted and such disruption can be detected. Second, the observation circuits can be self-tested while the supply is fully operational. This merely requires a gated supply to test that the capacitor has the requisite value and no more (i.e., that the external power supply VDDIO has not been shorted to the internal power supply VDD), to ensure the intrusion detection and self-disable circuitry 24 is properly operational. In the event that it is not, the IC disabling mechanisms can be immediately invoked.
[0099] Figures 15A, 15B, 15C, 15D, and 15E illustrate different embodiments of power supply ripple current variation reduction circuitry and power supply current confusion circuitry.
The power supply ripple current variation reduction circuitry, the power supply current confusion circuitry, or both may be used to minimize side channel information leakage obtained by monitoring the external power supply VDDIO. Figure 15A shows power supply ripple current variation reduction circuitry 98, which receives power from the external power supply VDDIO and provides the internal power supply VDD to the secure IC 16 (not shown) based on the external power supply VDDIO. The power supply ripple current variation reduction circuitry 98 operates to reduce instantaneous changes in the power supply current demanded from the external power supply VDDIO. In one embodiment of the present invention, the power supply ripple current variation reduction circuitry 98 operates to minimize or obscure the ripple current demanded from the external power supply VDDIO, which provides power to the secure IC 16.
[00100] Figure 15B shows another embodiment of the power supply ripple current variation reduction circuitry 98, which receives power from the external power supply VDDIO and provides a first internal power supply VDD1, a second internal power supply VDD2, up to and including an Nth internal power supply VDDN to the secure IC 16 based on the external power supply VDDIO. Each of the first, the second, up to and including the Nth internal power supplies VDD1, VDD2, VDDN may provide power to specific circuits in the secure IC 16 (not shown). The power supply ripple current variation reduction circuitry 98 operates to reduce the time predictability and variability of the supply ripple current seen by the external power supply VDDIO.
[00101] Figure 15C shows power supply current confusion circuitry 100, which receives power from the external power supply VDDIO and provides the internal power supply VDD to the secure IC 16 (not shown) based on the external power supply VDDIO. The power supply current confusion circuitry 100 operates to vary the IC supply current seen by the external power supply VDDIO so as to confuse an attacker and minimize side channel information leakage. In one embodiment of the present invention, the power supply current confusion circuitry 100 operates to blur or otherwise mask power consumption across multiple clock cycles to minimize side channel information leakage.
[00102] Figure 15D shows another embodiment of the power supply current confusion circuitry 100, which receives power from the external power supply VDDIO and provides a first internal power supply VDD1, a second internal power supply VDD2, up to and including an Nth internal power supply VDDN to the secure IC 16 (not shown) based on the external power supply VDDIO. Each of the first, the second, up to and including the Nth internal power supplies VDD1, VDD2, VDDN may provide power to specific circuits in the secure IC 16. The power supply current confusion circuitry 100 operates to vary the input current seen by the external power supply VDDIO.
[00103] Figure 15E shows a combination of the power supply ripple current variation reduction circuitry 98 illustrated in Figure 15A and the power supply current confusion circuitry 100 illustrated in Figure 15D. The power supply ripple current variation reduction circuitry 98 receives power from the external power supply VDDIO and provides a ripple current reduced internal power supply VDDIRCR to the power supply current confusion circuitry 100 based on the external power supply VDDIO. The power supply ripple current variation reduction circuitry 98 operates to reduce the predictability of the IC supply current, and hence the side channel information leakage, as seen at the external power supply VDDIO. The power supply current confusion circuitry 100 receives power from the ripple current reduced internal power supply VDDIRCR and provides a first internal power supply VDD1, a second internal power supply VDD2, up to and including an Nth internal power supply VDDN to the secure IC 16 (not shown) based on the ripple current reduced internal power supply VDDIRCR. Each of the first, the second, up to and including the Nth internal power supplies VDD1, VDD2, VDDN may provide power to specific circuits in the secure IC 16. The power supply current confusion circuitry 100 operates to vary the IC supply current seen by the external power supply VDDIO, via the ripple current reduced internal power supply VDDIRCR, in a manner which is inconsistent with the actual internal IC operating mode or state.
[00104] Figures 16A, 16B, 16C, and 16D illustrate details of different embodiments of the power supply ripple current variation reduction circuitry 98 illustrated in Figure 15A. Figure 16A shows one embodiment of the power supply ripple current variation reduction circuitry 98, which includes a low pass filter 102. The low pass filter 102 receives power from the external power supply VDDIO and provides the internal power supply VDD to the secure IC 16 (not shown) based on the external power supply VDDIO. The low pass filter 102 operates to reduce the IC supply current variations as seen by the external power supply VDDIO by substantially filtering out frequency content above a break frequency from the current presented to the external power supply VDDIO. Such frequency content may include IC power supply ripple current. Alternate embodiments of the present invention may use a band pass filter or a band stop filter in place of the low pass filter.
[00105] Figure 16B shows details of the low pass filter 102 illustrated in Figure 16A. The low pass filter 102 includes a first resistive element R1 and a third capacitive element C3 coupled in series between the external power supply VDDIO and ground. The first resistive element R1 is coupled between the external power supply VDDIO and the internal power supply VDD, and the third capacitive element C3 is coupled between the internal power supply VDD and ground.
[00106] Figure 16C shows details of the low pass filter 102 illustrated in Figure 16A. The low pass filter 102 illustrated in Figure 16C is similar to the low pass filter 102 illustrated in Figure 16B, except that the low pass filter 102 illustrated in Figure 16C replaces the first resistive element R1 with a PMOS transistor element 104, which may function as a variable resistive element. The source of the PMOS transistor element 104 is coupled to the external power supply VDDIO and the drain of the PMOS transistor element 104 is coupled to the internal power supply VDD. An output of an operational amplifier 106 feeds the gate of the PMOS transistor element 104. An inverting input of the operational amplifier 106 receives a reference signal VREF and a non-inverting input of the operational amplifier 106 receives a sense signal VSENSE, which may be based on circuitry that is powered using the internal power supply VDD. Therefore, the effective resistance of the PMOS transistor element 104 is based on the operating conditions of the circuitry that is powered using the internal power supply VDD.
[00107] Figure 16D shows details of the power supply ripple current variation reduction circuitry 98 illustrated in Figure 15A, according to one embodiment of the present invention. A current source 108 is coupled between the external power supply VDDIO and the internal power supply VDD and provides current from the former to the latter. The third capacitive element C3 is coupled between the internal power supply VDD and ground. Additionally, a shunt voltage regulator 110 is coupled between the internal power supply VDD and ground. The internal power supply VDD provides power to the secure IC 16 (not shown). The current source 108 provides a constant current, which must equal or exceed the average current needed by the secure IC 16 for proper operation; if it does not, the third capacitive element C3 is drained faster than it is replenished and the internal power supply VDD collapses. The shunt voltage regulator 110 regulates the voltage of the internal power supply VDD by shunting current to ground to hold the voltage of the internal power supply VDD at a setpoint. If the voltage of the internal power supply VDD drops below the setpoint, the shunt voltage regulator 110 stops shunting current to ground. Therefore, any instantaneous current demand on the internal power supply VDD in excess of the current supplied by the current source 108 is taken from the third capacitive element C3, which may cause the voltage of the internal power supply VDD to drop below the setpoint. When the instantaneous current demand on the internal power supply VDD drops below the current supplied by the current source 108, the excess current recharges the third capacitive element C3. Once the setpoint is reached, any excess current is shunted to ground by the shunt voltage regulator 110. This embodiment may be inefficient from an energy usage perspective, since the full source current is drawn from the external power supply VDDIO regardless of the load. However, the time variability of the power supply ripple current based on the actual internal IC state or mode of operation may be virtually eliminated, because the external power supply VDDIO only ever sees the constant current of the current source 108.
[00108] Figure 17 illustrates details of one embodiment of the power supply current confusion circuitry 100 illustrated in Figure 15D. The power supply current confusion circuitry 100 includes a first PMOS supply switching transistor element 112, a second PMOS supply switching transistor element 114, up to and including an Nth PMOS supply switching transistor element 116, a fourth capacitive element C4, a fifth capacitive element C5, a sixth capacitive element C6, and control circuitry 118. The first PMOS supply switching transistor element 112 is coupled between the external power supply VDDIO and the first internal power supply VDD1. The second PMOS supply switching transistor element 114 is coupled between the external power supply VDDIO and the second internal power supply VDD2. The Nth PMOS supply switching transistor element 116 is coupled between the external power supply VDDIO and the Nth internal power supply VDDN. The fourth capacitive element C4 is coupled between the first internal power supply VDD1 and ground. The fifth capacitive element C5 is coupled between the second internal power supply VDD2 and ground. The sixth capacitive element C6 is coupled between the Nth internal power supply VDDN and ground. The control circuitry 118 provides first, second, up to and including Nth control signals VCTRL1, VCTRL2, VCTRLN to the gates of the first, the second, and the Nth PMOS supply switching transistor elements 112, 114, 116, respectively. By controlling the first, the second, up to and including the Nth control signals VCTRL1, VCTRL2, VCTRLN, the control circuitry 118 can select whether each of the first, the second, up to and including the Nth internal power supplies VDD1, VDD2, VDDN receives power from the external power supply VDDIO or from the fourth, the fifth, or the sixth capacitive elements C4, C5, C6, respectively. Such selections may be used to create power supply current confusion, making it harder for an attacker to obtain relevant side channel leakage information, since the current drawn from the external power supply VDDIO is, to first order, related to the operation of the supply switching transistors and not to the internal logic state of the circuit.
[00109] Figures 18A, 18B, 18C, and 18D are graphs illustrating timing relationships between a system clock SYSCLK and the first, the second, and the Nth control signals VCTRL1, VCTRL2, VCTRLN, respectively, according to one embodiment of the present invention. The first control signal VCTRL1 is low on every low phase of the system clock SYSCLK; therefore, the first internal power supply VDD1 (not shown) receives power from the external power supply VDDIO on every low phase of the system clock SYSCLK. The second control signal VCTRL2 is low on every other low phase of the system clock SYSCLK; therefore, the second internal power supply VDD2 receives power from the external power supply VDDIO on every other low phase of the system clock SYSCLK. The Nth control signal VCTRLN is low on every third low phase of the system clock SYSCLK; therefore, the Nth internal power supply VDDN receives power from the external power supply VDDIO on every third low phase of the system clock SYSCLK. Such phasing may cause power supply current confusion, thereby making it harder for an attacker to obtain relevant side channel leakage information. Other embodiments of the present invention may use any type of scheme to cause power supply current confusion.
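The current-source-plus-shunt-regulator front-end of [00107] (Figure 16D) and the phased supply switching of [00108] and [00109] (Figures 17 and 18), as one added example that serves both passages. It is a per-clock-cycle charge model written for this page, not code, measurements or circuit values from the patent, and its purpose is to show in numbers why the current drawn from VDDIO stops tracking internal activity, and what happens when the constant current source is sized below the average demand. Every number is an assumption of the model: a 100 MHz clock, C3 = 1 nF, a 1.0 V setpoint, a constructed internal load of 2.0 mA in a cycle that handles a secret '1' bit and 0.5 mA otherwise, and three switched rails reconnected to VDDIO every 1, 2 and 3 cycles with ideal switches, mirroring the three control signal phasings of Figures 18B to 18D.

```python
"""Current seen at VDDIO under the front-ends of Figures 16D and 17/18.

Added example, not from the patent.  Per-cycle charge model with assumed
numbers: 100 MHz clock, C3 = 1 nF, 1.0 V setpoint, a constructed
secret-dependent load (2.0 mA for a '1' cycle, 0.5 mA for a '0' cycle), and
three switched rails with ideal switches reconnected every 1, 2, 3 cycles.
"""
import random

T_CLK = 10e-9                    # s, assumed system clock period
V_SET = 1.0                      # V, shunt regulator 110 setpoint (assumed)
C3 = 1e-9                        # F, third capacitive element C3 (assumed)
I_HIGH, I_LOW = 2.0e-3, 0.5e-3   # A, constructed secret-dependent load


def secret_load(n, seed=7):
    """Constructed internal activity: one clock cycle per secret bit."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n)]
    return bits, [I_HIGH if b else I_LOW for b in bits]


def pearson(x, y):
    """Correlation an attacker computes between guessed bits and measured current."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def direct_supply(load):
    """No front-end: VDDIO supplies the load cycle by cycle."""
    return list(load)


def shunt_regulated_supply(load, i_src):
    """Figure 16D: current source 108 feeds C3; shunt regulator 110 clamps VDD at V_SET.
    Returns (current seen by VDDIO per cycle, internal VDD trace)."""
    v, trace = V_SET, []
    for i_load in load:
        v += (i_src - i_load) * T_CLK / C3   # C3 absorbs the mismatch
        v = min(v, V_SET)                     # above the setpoint the shunt dumps the excess
        v = max(v, 0.0)                       # C3 cannot supply what it does not hold
        trace.append(v)
    return [i_src] * len(load), trace         # the source is constant whatever the load does


def switched_supply(load, periods=(1, 2, 3)):
    """Figures 17/18: rail k is reconnected to VDDIO every periods[k] cycles (VCTRLk low).
    While disconnected a rail runs from its own capacitor; on reconnection the (ideal)
    switch replaces the accumulated deficit, so VDDIO sees charge from earlier cycles."""
    deficit = [0.0] * len(periods)
    ext = []
    for t, i_load in enumerate(load):
        i_ext = 0.0
        share = i_load / len(periods)         # load split evenly across the rails
        for k, p in enumerate(periods):
            if t % p == 0:
                i_ext += share + deficit[k]
                deficit[k] = 0.0
            else:
                deficit[k] += share
        ext.append(i_ext)
    return ext


def leakage_report(n=600):
    bits, load = secret_load(n)
    i_shunt, vdd = shunt_regulated_supply(load, i_src=1.5e-3)        # above the mean demand
    _, vdd_starved = shunt_regulated_supply(load, i_src=1.0e-3)      # below it: brown-out
    return {
        "direct": pearson(bits, direct_supply(load)),
        "shunt": pearson(bits, i_shunt),
        "switched": pearson(bits, switched_supply(load)),
        "vdd_min": min(vdd),
        "vdd_min_starved": min(vdd_starved),
    }


if __name__ == "__main__":
    for name, value in leakage_report().items():
        print(f"{name:>16}: {value:.3f}")
```

The numbers make the two design points concrete. With the current source sized above the mean demand, VDDIO sees a flat current and the bit correlation is zero, at the cost of burning the full source current all the time; sized below the mean, C3 is drained and VDD collapses, which is the edge case [00107] warns about. The switched rails do not flatten the current; they make most of its variance follow the fixed VCTRL schedule and spread each cycle's charge over later reconnections, so the per-cycle correlation with the secret drops well below the unprotected case but does not vanish, which is why the patent also offers the combination in Figure 15E.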
[00110] Those skilled in the art will recognize improvements and modifications to the preferred embodiments of the present invention. All such improvements and modifications are considered within the scope of the concepts disclosed herein and the claims that follow.
Claims
1. A secure integrated circuit comprising: core circuitry; and authentication circuitry associated with the core circuitry and adapted to: authenticate an external source desiring to communicate with the secure integrated circuit; enable the core circuitry to function properly if the external source is authenticated; and obscure optical probing through a backside of the secure integrated circuit.
2. The secure integrated circuit of claim 1 wherein the authentication circuitry comprises P-type Metal-Oxide-Semiconductor (PMOS) ratioed logic adapted to obscure the optical probing through the backside of the secure integrated circuit.
3. The secure integrated circuit of claim 1 wherein the authentication circuitry comprises differential circuitry, which is arranged to obscure or confuse optical probing of the secure integrated circuit.
4. The secure integrated circuit of claim 3 wherein the differential circuitry is layout balanced between photon emissions from complementary signal nodes to obscure or confuse the optical probing through the backside of the secure integrated circuit.
5. The secure integrated circuit of claim 4 wherein the differential circuitry comprises one or more groups of complementary drains, such that complementary drains in each group of complementary drains are in close proximity to one another.
6. The secure integrated circuit of claim 5 wherein each group of complementary drains has a drain region comprising a first set of opposite corners and a second set of opposite corners, such that drains in the first set of opposite corners are complementary to drains in the second set of opposite corners.
7. The secure integrated circuit of claim 4 wherein any transition in the differential circuitry results in a balanced number of complementary drains being transitioned.
8. The secure integrated circuit of claim 4 wherein the differential circuitry has a layout, such that the complementary signal nodes are spaced by a distance less than a threshold distance related to a spatial resolution of an optical probing technique.
9. The secure integrated circuit of claim 1 further comprising power supply ripple current variation reduction circuitry adapted to: minimize or obscure input ripple current demanded from an external power supply, which provides power to the secure integrated circuit; and minimize side channel information leakage.
10. The secure integrated circuit of claim 9 wherein the power supply ripple current variation reduction circuitry comprises one selected from a group consisting of a low pass filter, a band pass filter, and a band stop filter.
11. The secure integrated circuit of claim 1 further comprising power supply current confusion circuitry adapted to blur or otherwise mask power consumption across multiple clock cycles to minimize side channel information leakage.
12. The secure integrated circuit of claim 1 further comprising intrusion detection and self-disable circuitry adapted to detect an intrusion on the secure integrated circuit and disable the secure integrated circuit in response thereto.
13. The secure integrated circuit of claim 1 wherein the core circuitry comprises a field programmable gate array (FPGA).
14. The secure integrated circuit of claim 1 wherein the core circuitry is used in a smart card.
15. The secure integrated circuit of claim 1 wherein in order to authenticate the external source, the authentication circuitry is adapted to: perform a comparison of an internally stored code to one of a group consisting of encryption of input data provided by the external source and a key provided by the external source; and authenticate the external source if the comparison provides a match.
16. The secure integrated circuit of claim 15 wherein the internally stored code is a dynamically moving code.
17. The secure integrated circuit of claim 1 wherein local node jamming is utilized to secure at least one circuit node.
18. A secure integrated circuit comprising: core circuitry; and authentication circuitry comprising P-type Metal-Oxide-Semiconductor (PMOS) ratioed logic adapted to obscure optical probing through a backside of the secure integrated circuit wherein the authentication circuitry is: associated with the core circuitry; adapted to authenticate an external source desiring to communicate with the secure integrated circuit; and adapted to enable the core circuitry to function properly if the external source is authenticated.
19. A secure integrated circuit comprising: core circuitry; and authentication circuitry comprising differential circuitry that is layout balanced between photon emissions from complementary signal nodes to obscure optical probing through a backside of the secure integrated circuit wherein the authentication circuitry is: associated with the core circuitry; adapted to authenticate an external source desiring to communicate with the secure integrated circuit; and adapted to enable the core circuitry to function properly if the external source is authenticated.
20. A secure integrated circuit comprising: core circuitry; and authentication circuitry associated with the core circuitry and adapted to: authenticate an external source desiring to communicate with the secure integrated circuit; and enable the core circuitry to function properly if the external source is authenticated; and power supply ripple current variation reduction circuitry adapted to: minimize instantaneous changes in current demand from an external power supply, which provides power to the secure integrated circuit; and minimize side channel information leakage.
21. A secure integrated circuit comprising: core circuitry; and authentication circuitry associated with the core circuitry and adapted to: authenticate an external source desiring to communicate with the secure integrated circuit; and enable the core circuitry to function properly if the external source is authenticated; and power supply current confusion circuitry adapted to blur or otherwise mask power consumption across multiple clock cycles to minimize side channel information leakage.
22. A secure integrated circuit comprising: core circuitry; and authentication circuitry associated with the core circuitry and adapted to: authenticate an external source desiring to communicate with the secure integrated circuit; enable the core circuitry to function properly if the external source is authenticated; and intrusion detection and self-disable circuitry adapted to detect an intrusion on the secure integrated circuit and disable the secure integrated circuit in response thereto.
23. The secure integrated circuit of claim 22 further comprising an isolated virtual supply adapted to provide power to the intrusion detection and self-disable circuitry after power provided by an external power supply is removed.
24. The secure integrated circuit of claim 23 wherein the isolated virtual supply comprises at least one capacitive element.
25. The secure integrated circuit of claim 23 further comprising at least one diode element coupled between the external power supply and the isolated virtual supply.
26. The secure integrated circuit of claim 22 wherein the intrusion detection and self-disable circuitry has thicker gate oxides and higher threshold voltages than the core circuitry.
27. The secure integrated circuit of claim 22 wherein the intrusion detection and self-disable circuitry is adapted to operate with a supply voltage below about 250 millivolts.
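A simulation of the side channel that claims 20 and 21 are aimed at, added by the editor (not code from the patent). A toy device computes a 4-bit S-box on (plaintext XOR key), and its supply current is assumed to track the Hamming weight of the S-box output. Correlation power analysis over random plaintexts recovers the key nibble from the bare device. The hardened model attenuates the data-dependent current swing reaching the supply pin (a stand-in for the ripple current variation reduction of claim 20) and adds data-independent current from masking activity spread over neighbouring cycles (a stand-in for the current confusion of claim 21); the same attack then sees a much weaker correlation for the correct key. The S-box is the published PRESENT S-box used only as a test vector; every numeric parameter is an assumption, not a figure from the patent.

```python
"""Correlation power analysis (CPA) against a toy 4-bit S-box device.

Added example, not from the patent. The leakage models and all constants
are assumptions chosen to illustrate claims 20 and 21.
"""
import random

# PRESENT S-box (published 4-bit S-box), used here only as a test vector.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

NOISE_STD = 0.5       # measurement noise on every sample (assumed)
ATTENUATION = 0.1     # claim 20 model: fraction of the data-dependent swing
                      # that still reaches the external supply pin (assumed)
CONFUSION_STD = 1.0   # claim 21 model: data-independent current from masking
                      # activity spread over clock cycles (assumed)


def hamming_weight(v: int) -> int:
    return bin(v).count("1")


def sample_bare(p: int, key: int, rng: random.Random) -> float:
    """Bare device: current tracks the Hamming weight of the S-box output."""
    return hamming_weight(SBOX[p ^ key]) + rng.gauss(0.0, NOISE_STD)


def sample_hardened(p: int, key: int, rng: random.Random) -> float:
    """Hardened device: attenuated swing plus data-independent confusion current."""
    swing = hamming_weight(SBOX[p ^ key]) - 2.0   # 2.0 = mean HW of a 4-bit value
    return (2.0 + ATTENUATION * swing
            + rng.gauss(0.0, CONFUSION_STD)
            + rng.gauss(0.0, NOISE_STD))


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def collect_traces(sampler, key: int, n_traces: int, seed: int):
    """Constructed measurement campaign: random plaintexts, one sample each."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(16) for _ in range(n_traces)]
    traces = [sampler(p, key, rng) for p in plaintexts]
    return plaintexts, traces


def cpa(plaintexts, traces) -> dict:
    """|correlation| between each key guess's HW hypothesis and the traces."""
    scores = {}
    for guess in range(16):
        hyp = [hamming_weight(SBOX[p ^ guess]) for p in plaintexts]
        scores[guess] = abs(pearson(hyp, traces))
    return scores


def attack(sampler, key: int, n_traces: int, seed: int = 1):
    """Return (best guess, correlation of the true key, correlation of best guess)."""
    pts, trs = collect_traces(sampler, key, n_traces, seed)
    scores = cpa(pts, trs)
    best = max(scores, key=scores.get)
    return best, scores[key], scores[best]


if __name__ == "__main__":
    KEY = 0xB
    for name, sampler in (("bare", sample_bare), ("hardened", sample_hardened)):
        best, c_key, c_best = attack(sampler, KEY, 500)
        print(f"{name:9s} best guess={best:#x}  corr(true key)={c_key:.3f}  "
              f"corr(best)={c_best:.3f}")
```

With 500 traces the bare device gives the true key a correlation near 0.9 and ranks it first; the hardened model drops that to roughly 0.09, within the noise of the wrong guesses. Raising `n_traces` to tens of thousands brings the correct key back out, which is the practical caveat: attenuating and blurring the data-dependent current scales the attacker's trace budget up, it does not remove the leakage, and the test below checks exactly that residual signal.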
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US5315008P | 2008-05-14 | 2008-05-14 | |
US61/053,150 | 2008-05-14 | | |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2010011399A2 true WO2010011399A2 (en) | 2010-01-28 |
WO2010011399A3 WO2010011399A3 (en) | 2010-05-27 |
Family
ID=41570797
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2009/043994 WO2010011399A2 (en) | 2008-05-14 | 2009-05-14 | Methods and circuits for thwarting semi-invasive and non-invasive integrated circuit security attacks |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2010011399A2 (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2488583A (en) * | 2011-03-03 | 2012-09-05 | Nds Ltd | Preventing unauthorized access to data stored in non-volatile memories |
US9405917B2 (en) | 2014-05-30 | 2016-08-02 | Apple Inc. | Mechanism for protecting integrated circuits from security attacks |
US9946899B1 (en) | 2016-10-14 | 2018-04-17 | Google Llc | Active ASIC intrusion shield |
US10262956B2 (en) | 2017-02-27 | 2019-04-16 | Cisco Technology, Inc. | Timing based camouflage circuit |
CN110659510A (en) * | 2019-09-12 | 2020-01-07 | 苏州浪潮智能科技有限公司 | Configuration file decryption method, device, equipment and readable storage medium |
CN110768779A (en) * | 2019-01-16 | 2020-02-07 | 哈尔滨安天科技集团股份有限公司 | Chip power supply circuit for preventing side channel information leakage |
US10579536B2 (en) | 2016-08-09 | 2020-03-03 | Arizona Board Of Regents On Behalf Of Arizona State University | Multi-mode radiation hardened multi-core microprocessors |
WO2021048101A1 (en) * | 2019-09-10 | 2021-03-18 | Carl Zeiss Meditec Ag | Computer hardware for a computer-controlled medical device and method for controlling a computer-controlled medical device |
US20230016420A1 (en) * | 2019-12-10 | 2023-01-19 | Cryptography Research, Inc. | Share domain arrangements for masked hardware implementations |
US12307000B2 (en) * | 2020-11-30 | 2025-05-20 | Cryptography Research, Inc. | Share domain arrangements for masked hardware implementations |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6973570B1 (en) * | 1999-12-31 | 2005-12-06 | Western Digital Ventures, Inc. | Integrated circuit comprising encryption circuitry selectively enabled by verifying a device |
FR2813972B1 (en) * | 2000-09-14 | 2003-12-12 | St Microelectronics Sa | METHOD OF INTERFERING THE ELECTRICAL CONSUMPTION OF AN INTEGRATED CIRCUIT |
JP2003177938A (en) * | 2001-12-07 | 2003-06-27 | Fujitsu Ltd | Electronic device and debug authentication method thereof |
DE102004020576B4 (en) * | 2004-04-27 | 2007-03-15 | Infineon Technologies Ag | Data processing device with switchable charge neutrality and method for operating a dual-rail circuit component |
US8074082B2 (en) * | 2004-10-08 | 2011-12-06 | Aprolase Development Co., Llc | Anti-tamper module |
US7230454B2 (en) * | 2005-02-18 | 2007-06-12 | Cirrus Logic, Inc. | Serial audio output driver circuits and methods |
Application Events
Date | Event |
---|---|
2009-05-14 | PCT/US2009/043994 (WO2010011399A2) filed; status: active, application filing |
Non-Patent Citations (1)
Title |
---|
None |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2488583A (en) * | 2011-03-03 | 2012-09-05 | Nds Ltd | Preventing unauthorized access to data stored in non-volatile memories |
US8760954B2 (en) | 2011-03-03 | 2014-06-24 | Cisco Technology Inc. | Protection of stored data using optical emitting elements |
US9405917B2 (en) | 2014-05-30 | 2016-08-02 | Apple Inc. | Mechanism for protecting integrated circuits from security attacks |
US10579536B2 (en) | 2016-08-09 | 2020-03-03 | Arizona Board Of Regents On Behalf Of Arizona State University | Multi-mode radiation hardened multi-core microprocessors |
US9946899B1 (en) | 2016-10-14 | 2018-04-17 | Google Llc | Active ASIC intrusion shield |
US10262956B2 (en) | 2017-02-27 | 2019-04-16 | Cisco Technology, Inc. | Timing based camouflage circuit |
US10396043B2 (en) | 2017-02-27 | 2019-08-27 | Cisco Technology, Inc. | Timing based camouflage circuit |
CN110768779A (en) * | 2019-01-16 | 2020-02-07 | 哈尔滨安天科技集团股份有限公司 | Chip power supply circuit for preventing side channel information leakage |
WO2021048101A1 (en) * | 2019-09-10 | 2021-03-18 | Carl Zeiss Meditec Ag | Computer hardware for a computer-controlled medical device and method for controlling a computer-controlled medical device |
CN110659510A (en) * | 2019-09-12 | 2020-01-07 | 苏州浪潮智能科技有限公司 | Configuration file decryption method, device, equipment and readable storage medium |
US20230016420A1 (en) * | 2019-12-10 | 2023-01-19 | Cryptography Research, Inc. | Share domain arrangements for masked hardware implementations |
US12307000B2 (en) * | 2020-11-30 | 2025-05-20 | Cryptography Research, Inc. | Share domain arrangements for masked hardware implementations |
Also Published As
Publication number | Publication date |
---|---|
WO2010011399A3 (en) | 2010-05-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2010011399A2 (en) | Methods and circuits for thwarting semi-invasive and non-invasive integrated circuit security attacks | |
Bhargava et al. | Reliability enhancement of bi-stable PUFs in 65nm bulk CMOS | |
Chuang et al. | A physically unclonable function using soft oxide breakdown featuring 0% native BER and 51.8 fJ/bit in 40-nm CMOS | |
Vijayakumar et al. | Physical design obfuscation of hardware: A comprehensive investigation of device and logic-level techniques | |
Helfmeier et al. | Cloning physically unclonable functions | |
US7498644B2 (en) | Prevention of tampering in electronic devices | |
Maes et al. | Intrinsic PUFs from flip-flops on reconfigurable devices | |
JP5519308B2 (en) | Semiconductor integrated circuit and data processing system | |
US7969763B2 (en) | Detector circuit for detecting an external manipulation of an electrical circuit, circuit arrangement comprising a plurality of detector circuits, memory device and method for operating a detector circuit | |
CN205069628U (en) | Integrated circuit | |
JP2004206680A (en) | Semiconductor integrated circuit and ic card | |
Matsuda et al. | A 286 F²/cell distributed bulk-current sensor and secure flush code eraser against laser fault injection attack on cryptographic processor | |
Wan et al. | An invasive-attack-resistant PUF based on switched-capacitor circuit | |
US20180218177A1 (en) | Physical uncloneable function circuit | |
WO2008027966A2 (en) | Detecting radiation-based attacks | |
US11769740B2 (en) | Detection of laser-based security attacks | |
US20180349600A1 (en) | Integrated Circuit With Tamper Protection And Method Therefor | |
Jain et al. | Special session: Novel attacks on logic-locking | |
Alioto | Aggressive design reuse for ubiquitous zero-trust edge security—From physical design to machine-learning-based hardware patching | |
US20220392854A1 (en) | Integrated circuit with intentional radiation intolerance | |
JP2008198700A (en) | Semiconductor integrated circuit device | |
US8174285B2 (en) | Component provided with an integrated circuit comprising a cryptoprocessor and method of installation thereof | |
US11152314B2 (en) | Integrated circuit with supply circuit comprising field-effect transistors | |
JP4987584B2 (en) | Semiconductor integrated circuit and IC card using the same | |
KR20230009204A (en) | Laser detecting circuit and semiconductor apparatus including the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09800729; Country of ref document: EP; Kind code of ref document: A2 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 09800729; Country of ref document: EP; Kind code of ref document: A2 |