JP2004265437A - Design method and verifying method for lsi - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To increase the secrecy of circuit design data higher than a conventional one by using encryption processing in the design of an LSI and to verify encrypted design data while maintaining their secrecy. <P>SOLUTION: In encryption processing SA, the encryption of circuit design data 11 requiring secrecy is carried out, and encrypted design data 12 and a decoding key 13 are created. The encrypted design data 12 are provided to a user executing designing/verifying processing S2, and the key 13 is also provided if necessary. In the designing/verifying processing SB, various kinds of processings are carried out on the encrypted design data 12 while keeping original contents of the circuit secret. In decoding processing SC, decoding of the encrypted design data 14 after the execution of the designing/verifying processing S2 is carried out, and the original circuit design data 15 are created. <P>COPYRIGHT: (C)2004,JPO&NCIPI

Description

  The present invention relates to LSI design and verification, and particularly to a technique for keeping design data confidential.

  In designing an LSI, there is a case where it is desired to keep the contents of a circuit confidential. For example, in an LSI related to data encryption, if the contents of the circuit are known, the logic of the encryption may be decrypted.

  Conventionally, in designing an LSI that requires such confidentiality, the circuit contents are not known to other people by limiting the persons engaged in the design or specifying the place where the design is performed. Was like that.

  With the recent increase in complexity and scale of LSIs, a large number of designers are involved in designing one LSI. Therefore, the limitation of the designer and the design place is not always enough to keep the circuit confidential.

  In view of the above problems, an object of the present invention is to employ encryption processing in the design of an LSI to increase the confidentiality of circuit design data as compared with the related art.

  Another object is to enable verification of encrypted design data while maintaining confidentiality.

  In order to solve the above-mentioned problem, a solution taken by the invention of claim 1 includes, as an LSI verification method, a step of verifying a circuit operation of encrypted circuit design data together with a reference operation model. The verification step includes: decrypting the encrypted circuit design data to obtain actual design data and the operation model; and executing a simulation on the actual design data to obtain an actual output value. And performing a simulation on the behavior model to obtain an expected output value, and comparing the actual output value with the expected output value and outputting a comparison result.

  The solving means according to the invention of claim 2 includes, as an LSI verification method, a step of verifying a circuit operation of circuit design data encrypted together with a protocol definition, and the verification step includes the step of verifying the encryption. Decoding the circuit design data thus obtained to obtain actual design data and the protocol definition; executing a simulation on the actual design data to obtain an actual output value; And outputting a comparison result.

  According to a third aspect of the present invention, there is provided an LSI verification method comprising a step of verifying encrypted circuit design data by simulation as an LSI verification method, wherein the verification step restricts simulation due to unauthorized access. It is.

  According to a fourth aspect of the present invention, the verification step in the LSI verification method according to the third aspect includes a step of decrypting the encrypted circuit design data to obtain actual design data, and executing a simulation on the actual design data. And a step of counting predetermined restriction information in the simulation, and a step of restricting the simulation when the count value exceeds an upper limit value.

  According to a fifth aspect of the present invention, in the LSI verification method according to the fourth aspect, the predetermined restriction information includes a combination of a simulation execution step, a simulation execution time, a toggle number of a specific signal in the circuit, and an input to the circuit. At least one of the following.

  According to a sixth aspect of the present invention, in the LSI verification method of the fifth aspect, predetermined restriction information is randomly selected.

  According to a seventh aspect of the present invention, the verification step in the LSI verification method according to the third aspect includes a step of decrypting the encrypted circuit design data to obtain actual design data, and executing a simulation on the actual design data. And a step of checking whether or not a predetermined protocol constraint condition is violated in the simulation, and a step of restricting the simulation when the condition is violated.

  In the invention of claim 8, the predetermined protocol constraint in the LSI verification method of claim 7 includes at least one of an input protocol and an operating protocol.

  According to a ninth aspect of the present invention, in the LSI verification method of the eighth aspect, the predetermined protocol constraint condition is randomly selected.

  According to the tenth aspect of the present invention, the restricting measures in the LSI verification method according to the fourth or seventh aspect include stopping the simulation, lowering the execution speed and executing abnormally, not outputting the simulation result, and not outputting the data or key passed to the next step. It shall include at least one of the generations.

  According to an eleventh aspect of the present invention, as a LSI verification method, a step of encrypting circuit design data including a check circuit for checking an unauthorized access in a simulation; And verifying by simulation. The verifying step operates the check circuit to limit the simulation due to unauthorized access.

  According to a twelfth aspect of the present invention, the check circuit in the LSI verification method according to the eleventh aspect checks in simulation whether or not the count value of predetermined restriction information has exceeded an upper limit value.

  According to a thirteenth aspect of the present invention, the check circuit in the LSI verification method of the eleventh aspect checks, in a simulation, whether there is a violation of a protocol constraint condition.

  According to another aspect of the present invention, there is provided an LSI design method comprising the steps of: extracting timing information from given circuit design data; Converting the encrypted design data according to a conversion rule and adding a buffer to at least one logic gate; adjusting the size of the buffer added to the encrypted design data; Decrypting the design data using the predetermined conversion rule as a key.

  According to another aspect of the present invention, there is provided an LSI design method that performs decryption on encrypted circuit design data together with a unique ID determination circuit, and compares actual design data with the unique ID determination circuit. And the step of defining a correct value in the circuit for determining the unique ID based on the input unique parameter.

  As described above, according to the present invention, it is possible to enhance the confidentiality of circuit design data by encryption, compared to the related art. In addition, the encrypted circuit design data can be designed and verified while keeping confidentiality.

  FIG. 1 is a diagram showing a circuit design style proposed by the present inventors. In the design style shown in FIG. 1, the design data encryption process SA and the decryption process SC are executed so that the design / verification process SB can be executed even if the contents of the confidential design data are not visible.

  In the encryption processing SA, encryption is performed on the design data 11 of the circuit requiring confidentiality, and encrypted design data 12 and a key 13 for decrypting the encrypted design data 12 are generated. The encrypted design data 12 is provided to a user who executes the design / verification processing SB. A key 13 is also provided as needed for the design / verification processing SB.

  In the design / verification process SB, various processes are performed on the encrypted design data 12 without disclosing the contents of the original circuit. In the decryption process SC, the encrypted design data 14 after the design / verification process SB is executed is decrypted using the key 15 to generate the original circuit design data 16.

  FIG. 2 is a diagram showing a pattern of a basic process in the circuit design style of FIG. In the figure, (a) shows the encryption A, (b) shows the process B1 with the encrypted data as it is, (c) shows the data conversion B2 while keeping the encryption, and (d) shows the decryption C. Processing B1 and processing B2 are different in that decryption and encryption are not performed in processing B1 and a new key is not generated, but new encrypted data is generated together with a new key in processing B2.

  FIG. 3 is a diagram showing the flow of processing according to the present invention, which is a combination of the patterns of the basic steps shown in FIG. In the figure, the process shown in (a) is a combination of the encryption A, the process B1 as it is, and the decryption C. For example, a process of encrypting RTL level or behavior level design data, performing logic synthesis on the encrypted data, outputting encrypted gate level design data, and then decrypting the encrypted gate level design data. Corresponds to this. Thereby, the confidentiality of the design data during the logic synthesis can be maintained. Further, there may be a case where logical synthesis and layout are performed on the encrypted data, and then the mask data is decrypted. The process shown in (b) is a combination of the encryption A, the data conversion B2 maintaining the encryption, and the decryption C.

  Hereinafter, specific examples of each processing will be sequentially described.

<Encryption processing>
(Circuit conversion)
FIG. 4 is a diagram showing circuit conversion as an example of the encryption processing according to the present invention. In FIG. 4, f0 is the original unencrypted circuit. Let n be the number of inputs and m be the number of outputs of the circuit f0. The circuit f0 may represent the whole of the original circuit, or may be a partial circuit of the original circuit.

  As shown in FIG. 4, (p-1) dummy circuits f1 to fp-1 having the same number of inputs and outputs as the circuit f0 are arranged in parallel with the circuit f0. Then, a rearrangement circuit 21 and a selector 22 are provided at the subsequent stage. The rearranging circuit 21 receives the output of the circuit f0 and the outputs of the dummy circuits f1 to fp-1, and rearranges and outputs these outputs. For example, from the output O1, the first bits of the outputs of the circuits f0 to fp-1 are collected and rearranged and output, and from the output O2, the second bits of the outputs of the circuits f0 to fp-1 are collected and rearranged. Output. As a result, the number of p-bit signals corresponding to the number of outputs of the original circuit f0, that is, m signals, is output from the rearrangement circuit 21.

  The selector 22 selects and outputs one bit from each output of the rearrangement circuit 21 according to the selection signal KEY. Thus, the same m signals as those of the circuit f0 are output from the selector 22. As a result of such circuit conversion, an encryption circuit as shown in FIG. 4 is generated.

  Here, the selection signal KEY is used as a key signal of the encryption circuit. Then, the value of the key signal KEY such that the output of the circuit f0 matches the output of the selector 22 is used as the key of the encryption circuit.

  Such encryption by circuit conversion has a simple conversion procedure and easy automatic conversion. The increase in delay due to encryption is only a delay in the selector 22, and is extremely small.

  FIG. 5 is a diagram showing a specific example of the circuit conversion shown in FIG. Now, it is assumed that a two-input two-output circuit as shown in FIG. 5A is provided as the original circuit f0. A dummy circuit f1 as shown in FIG. 5B is arranged for this circuit f0. FIG. 5C is a diagram illustrating a result of encrypting the circuit f0 using the dummy circuit f1. Further, the circuit shown in FIG. 5C is synthesized to obtain an encryption circuit as shown in FIG. The key for this circuit is (0,1).

  FIG. 6 is a diagram showing a method of generating a dummy circuit used for the circuit conversion shown in FIG. As shown in FIG. 6, a dummy logic database (DB) 26 including a dummy circuit candidate is generated for the original circuit f0 according to a predetermined conversion rule 25. Then, the dummy logic DB 26 outputs arbitrary dummy circuits f1 to fp-1 according to a predetermined output rule 27. According to such a generation method, the dummy circuits f1 to fp-1 can be flexibly generated by setting the conversion rule 25 and the output rule 27, and thus are suitable for automation processing.

  Examples of the conversion rule 25 include inversion of a logical value, conversion of a logical operator, change of the order of a logical operator, and the like. In the inversion of the logical value, in addition to the inversion of the input value and the inversion of the output value, a method of inverting some bits of the multi-bit signal can be considered. In the conversion of the logical operator, conversion between AND and OR can be considered. Examples of the output rule 27 include a method of selecting at random and a method of eliminating duplicate dummy circuits.

<Decryption processing>
When laying out the encryption circuit obtained by the circuit conversion as shown in FIG. 4, the layout is performed so that the input signal line of the key signal can be connected to both the power supply and the ground. Thus, the contents of the original circuit can be kept confidential until the layout process, and the decryption of the original circuit can be realized very easily using the key.

  FIG. 7 is a diagram for explaining the present decryption processing. In FIG. 7, (a) shows an example of the layout of the encryption circuit, and (b) shows the result of decrypting the circuit of (a) according to the key. FIG. As shown in FIG. 7A, the layout is performed so that the input signal line 31 of the key signal KEY input to the encryption circuit 30 can be connected to both the power supply VDD and the ground VSS. Then, as shown in FIG. 7B, the input signal line 31 of the key signal KEY is connected to either the power supply or the ground according to the key ((0, 1, 0) in the example of the figure) (ECO ( Engineering Change Order)). Thus, the layout of the original circuit is decoded.

<Design / verification process>
(Judgment)
When decrypting the encrypted design data and performing verification by simulation, an expected value for determining whether or not the simulation result is normal is required. However, if this expected value is visible from the outside, the contents of the circuit can be estimated from the expected value, and the confidentiality of the design data cannot be maintained.

  Therefore, here, when encrypting the circuit design data, the encryption is performed including the data which is the expected value of the simulation result or the data from which the expected value is obtained. Then, in the verification processing, it is determined whether or not the circuit operation is normal based on the comparison result between the simulation result and the expected value.

  FIG. 8 is a diagram showing a first determination method as a verification method according to the present invention. In this determination method, an operation model serving as a reference is used as data from which an expected value of a simulation result is obtained. That is, as shown in FIG. 8, first, the circuit design data 41 encrypted with the operation model is decrypted using the key 52 (S21), and the actual lower-level design data 43 (RTL or gate-level netlist ) And operation model design data 44 are obtained. Then, a simulation is performed on the lower-level design data 43 (S22), and an actual output value 45 is obtained. Further, a simulation is performed on the design data 44 of the operation model (S23), and an expected output value 46 is obtained. Then, the obtained actual output value 45 is compared with the expected output value 46, and it is determined whether or not the actual output value 45 and the expected output value 46 match at each simulation time (S24). In the example of FIG. 8, since the values match, a result notification 47 indicating that the simulation result is normal is output.

  FIG. 9 is a diagram showing a second determination method as a verification method according to the present invention. In this determination method, a protocol definition is used as data that becomes an expected value of the simulation result. That is, as shown in FIG. 9, first, the circuit design data 51 encrypted with the protocol definition is decrypted using the key 52 (S31), and the design data 53 and the protocol definition 54 are obtained. In the protocol definition 54, the operation state of the input / output of the circuit and the value of the intermediate node indicated by the design data 53 is defined. Then, a simulation is performed on the design data 53 (S32), and the obtained actual output value 55 is compared with the protocol definition 54 (S33).

  In the first and second determination methods, when a result indicating that the simulation result is abnormal may be obtained, the actual output values 45 and 55, which are the simulation execution results, may be encrypted and output.

(Simulation limit)
When a simulation is performed on the encrypted design data and the verification is performed, information on all signal lines in the design data is stored in the verification result output. If the simulation is executed with a large number of inputs and the output of the verification result obtained is analyzed, it is possible to know the contents of the encrypted circuit.

  Therefore, here, a method is described in which the simulation is limited so that the contents of the circuit cannot be known from the verification result output, in other words, in order to monitor and prevent unauthorized access.

  FIG. 10 is a diagram showing a simulation limiting method as a verification method according to the present invention. As shown in FIG. 10, in the check S43 of the simulation S42, the following predetermined restriction information 64 is counted during the simulation. Then, when the count value exceeds a predetermined upper limit value, a restriction measure is applied to the simulation S42.

Simulation execution step and execution time Toggle number of specific signal in circuit Combination of inputs to circuit These limit information may be selected at random. In addition, the following measures can be considered as simulation restriction measures.

-Stop simulation, decrease execution speed, abnormal execution-Non-output of simulation result-Stop output of data such as dump information of each signal line, judgment result, etc.-Non-generation of data or key to be passed to next step , Protocol constraints may be provided to determine in simulation whether or not the protocol constraints are violated. Protocol constraints include the following:

.Protocol acceptable for input to circuit (input protocol)
.Protocol that is acceptable for operation in the circuit (protocol during operation)
These protocol constraints may be randomly selected.

  The restriction information 64 may be encrypted and decrypted together with the encryption of the circuit design data, or may be given separately from the encrypted design data 61.

  Further, a circuit for checking for unauthorized access in the simulation may be included in the circuit design data in advance and encrypted. This check circuit needs to be configured so as to operate only at the time of simulation and to disable the operation after circuit design.

  FIG. 11 is a diagram showing an example of a circuit for checking an unauthorized access in a simulation. The check circuit shown in FIG. 11A fixes the output value to “0” regardless of the value of the signal B when the number of changes of the signal A exceeds a predetermined value (here, “8”). is there. At the time of simulation, “1” → “0” is given to the signal X, and an external reset is performed. Thereafter, as shown in FIG. 11B, the output value matches the value of the signal B until the number of changes of the signal A as the predetermined restriction information exceeds 8, but the number of changes of the signal A exceeds 8 , The output value is fixed to “0”. As a result, a correct simulation result cannot be obtained. At the time of circuit manufacture, the signal X is fixed at "1" so that this check circuit does not operate.

  FIG. 12 is a diagram showing another example of the check circuit. The check circuit shown in FIG. 12A sets the protocol constraint condition that both the signals A and B are “0” when the signal Y changes, and when one of the signals A and B changes to “0” when the signal Y changes. If not, it is recognized as a protocol violation, and the output value is fixed at "0" regardless of the value of the signal C. At the time of simulation, “1” → “0” is given to the signal X, and an external reset is performed. Thereafter, as shown in FIG. 12B, when the signal A and the signal B are not “0” when the signal Y changes, the output value is fixed to “0”. As a result, a correct simulation result cannot be obtained. When the circuit is manufactured, the signal X is fixed at "1" and the signal Y is fixed at "0" so that this check circuit does not operate.

(Timing adjustment)
FIG. 13 and FIG. 14 are diagrams showing a timing adjustment method as an LSI design method according to the present invention. This timing adjustment method includes the flow shown in FIG. 3A, that is, the flow of encryption A → process B1 → decryption C.

  As shown in FIG. 13, first, timing information 72 is extracted from the original circuit design data 71 (S51). Here, the timing information refers to a delay from each logic gate to a load at a connection destination. Then, according to a predetermined conversion rule 73, encryption is performed such that the contents of the original circuit are not known and the timing information 72 alone is adjusted, that is, without changing the delay from each logic gate to the load of the connection destination. A process is performed (S52), and encrypted design data 74 is generated. The content of the conversion rule 73 becomes the key 75 as it is. At this time, as shown in FIGS. 14A and 14B, a buffer 79 for timing adjustment is added to at least one of the converted logic gates 78.

  Then, for the encrypted design data 74, as shown in FIG. 14C, the size of the added buffer 79 is adjusted so as to satisfy the target timing (S53). Here, it is not necessary to use the key 75 generated in the encryption processing S52. After the buffer size adjustment, the original circuit 77 is decrypted using the key 75, that is, a predetermined conversion rule (S54). At this time, as shown in FIG. 14D, the data is converted into the original logic gate based on the adjusted buffer size. As a result, the target timing is achieved.

  According to such a timing adjustment method, the timing adjustment can be performed while keeping the circuit contents secret from the designer.

(Generate unique ID)
FIG. 15 is a diagram illustrating an example of a circuit configuration represented by the encrypted design data. As shown in FIG. 15, the encrypted design data has a circuit unique ID register as a unique ID determination circuit for determining the type of the product. The value of the unique ID input to the circuit unique ID register is defined by a variable. In addition, a unique parameter that gives the value of the variable of the unique ID is defined. The unique parameters are defined in a different order from the actual unique ID.

  When the simulation is performed, even if the input unique ID value is “110”, the sequence is different from the value of the circuit unique ID register, and “101” and the newly defined unique ID value are the circuit unique ID. Is generated in a normally operating circuit. In the next design step, even if the value of the input unique ID is “011”, it is newly defined as “101”.

  In the description here, the number of bits of the unique ID and the value of the input unique ID is 3, but this value is arbitrary. Further, the input unique ID and circuit unique ID register may not only be arranged but also have inverted logic.

  In the circuit shown in FIG. 16, not only the unique ID but also all the nodes fixed to the power supply or the ground in the logic circuit are all defined by variables.

  As the value of the variable, the value of the unique ID to be input and the other fixed value for normal operation are input. On the circuit, the circuit unique ID registers (A, B, C in the figure) and the It is difficult to distinguish the register from other registers (D and E in the figure), and the value of the unique ID cannot be easily known.

  Each of the above-described methods can be implemented by an apparatus including a computer that executes a program for implementing the method. Further, the present invention can be realized by recording a program for implementing the method on a computer-readable recording medium and causing a computer to execute the program recorded on the recording medium.

FIG. 3 is a diagram showing a circuit design style proposed by the present inventor. FIG. 2 is a diagram illustrating a pattern of a basic process in the circuit design style of FIG. 1. (A), (b) is a figure which shows the flow of a process concerning this invention. FIG. 14 is a diagram illustrating circuit conversion as an example of an encryption process. (A)-(d) is a figure which shows the specific example of the circuit conversion shown in FIG. FIG. 5 is a diagram illustrating a method of generating a dummy circuit used for the circuit conversion illustrated in FIG. 4. (A), (b) is a figure for demonstrating a decoding process. FIG. 7 is a diagram illustrating a first determination method as a verification process. It is a figure showing the 2nd judgment method as verification processing. It is a figure showing a simulation restriction method as verification processing. (A), (b) is a figure which shows an example of a check circuit. (A), (b) is a figure which shows an example of a check circuit. FIG. 4 is a diagram illustrating a timing adjustment method. FIG. 4 is a diagram illustrating a timing adjustment method. FIG. 9 is a diagram illustrating an example of a circuit configuration represented by encrypted design data. FIG. 9 is a diagram illustrating an example of a circuit configuration represented by encrypted design data.

Explanation of reference numerals

SA Encryption processing f0 Original circuit f1-fp-1 Dummy circuit KEY Key signal 11 Circuit design data 21 Rearrangement circuit 22 Selector 25 Conversion rule 26 Dummy logic database 27 Output rule 30 Encryption circuit 31 Key signal input signal line 41 Encrypted design data 43 Lower level design data (actual design data)
44 Reference IP design data (operation model)
45 Actual output value 46 Expected output value 51 Encrypted circuit design data 53 Actual design data 54 Protocol definition 55 Actual output value 61 Encrypted circuit design data 63 Actual design data 64 Restriction information 72 Timing information 73 Conversion rule 78 Logic gate 79 Buffer

Claims (15)

Verifying the circuit operation of the encrypted circuit design data together with the reference operation model,
The verification step includes:
Decrypting the encrypted circuit design data to obtain actual design data and the operation model;
Performing a simulation on the actual design data to obtain an actual output value;
Performing a simulation on the behavior model to obtain an expected output value;
Comparing the actual output value with the expected output value and outputting a comparison result. It includes a step of verifying the circuit operation of the circuit design data encrypted with the protocol definition,
The verification step includes:
Decrypting the encrypted circuit design data to obtain actual design data and the protocol definition;
Performing a simulation on the actual design data to obtain an actual output value;
Comparing the actual output value with the protocol definition and outputting a comparison result. Verifying the encrypted circuit design data by simulation,
The method of verifying an LSI according to claim 1, wherein the verifying step limits a simulation due to an unauthorized access. 4. The LSI verification method according to claim 3,
The verification step includes:
Decrypting the encrypted circuit design data to obtain actual design data;
Performing a simulation on the actual design data;
An LSI verification method, comprising: a step of counting predetermined restriction information in the simulation; and a step of performing a restriction measure on the simulation when the count value exceeds an upper limit value. The LSI verification method according to claim 4,
The LSI verification method, wherein the predetermined restriction information includes at least one of a simulation execution step, a simulation execution time, a toggle number of a specific signal in a circuit, and a combination of inputs to the circuit. . The LSI verification method according to claim 5,
An LSI verification method, wherein the predetermined restriction information is selected at random. 4. The LSI verification method according to claim 3,
The verification step includes:
Decrypting the encrypted circuit design data to obtain actual design data;
Performing a simulation on the actual design data;
In the simulation, a step of checking whether or not a predetermined protocol constraint is violated;
Subjecting the simulation to a restriction measure when the violation is violated. The LSI verification method according to claim 7,
The method according to claim 1, wherein the predetermined protocol constraint includes at least one of an input protocol and an operating protocol. The LSI verification method according to claim 8,
An LSI verification method, wherein the predetermined protocol constraint condition is selected at random. The LSI verification method according to claim 4 or 7,
The above-mentioned limiting measure includes at least one of stop of simulation, execution speed reduction and abnormal execution, non-output of simulation result, and non-generation of data or key to be passed to the next step. Method. Encrypting circuit design data including a check circuit for checking unauthorized access in simulation;
Verifying the encrypted circuit design data by simulation.
The LSI verification method according to claim 1, wherein the verification step operates the check circuit to limit a simulation due to an unauthorized access. The LSI verification method according to claim 11,
The LSI verification method according to claim 1, wherein the check circuit checks whether a count value of predetermined restriction information exceeds an upper limit value in a simulation. The LSI verification method according to claim 11,
An LSI verification method according to claim 1, wherein said check circuit checks whether there is a violation of a protocol constraint condition in a simulation. Extracting timing information from given circuit design data;
Converting the circuit design data into encrypted design data according to a predetermined conversion rule by combining only the extracted timing information, and adding a buffer to at least one logic gate;
Adjusting the size of the added buffer for the encrypted design data;
Decrypting the encrypted design data after adjusting the buffer size using the predetermined conversion rule as a key. Decrypting the circuit design data encrypted together with the unique ID determination circuit to obtain actual design data and the unique ID determination circuit;
An LSI design method, wherein the step includes a step of defining a correct value in the circuit for determining the unique ID based on the input unique parameter.

Images