JP2023047970A - Alteration detection circuit and alteration detection method - Google Patents

Abstract

To detect falsification of wiring and insertion of a malicious circuit that extracts noise signals superimposed on a power supply in order to analyze an encryption key.SOLUTION: An alteration detection circuit 20A of an IC chip 1A measures and stores a first noise waveform of a power supply voltage of a digital circuit 10A and a power supply circuit 30A when the digital circuit 10A performs a predetermined operation. Then, the alteration detection circuit 20A receives the second noise waveform measured in the IC chip 1B via a noise waveform data sharing bus B1, and calculates a cross-correlation value between the first noise waveform stored in the alteration detection circuit 20A and the received second noise waveform. When the calculated cross-correlation value is equal to or greater than a predetermined threshold compared with the past cross-correlation value, it is possible to detect falsification of wiring and insertion of a malicious circuit.SELECTED DRAWING: Figure 1

Description

The present invention relates to a tampering detection circuit and a tampering detection method capable of efficiently detecting fraud associated with insertion of a malicious circuit (hereinafter referred to as "malicious circuit").

2. Description of the Related Art Conventionally, fraudulent techniques are known in which an unauthorized voltage is applied to the power supply of a board on which an IC (Integrated Circuit) chip is mounted to cause the circuit to malfunction, or an internal signal such as power supply noise is read to extract the encryption key.

For example, Patent Literature 1 discloses a technology of a back-surface embedded wiring structure that prevents security attacks such as noise observation and fault injection through the back-surface silicon substrate of an IC chip and detects physical attacks from the back side, that is, exposure attacks. disclosed.

JP 2019-110293 A

However, in the above Patent Document 1, when a plurality of IC chips are mounted on a substrate and a malicious circuit is inserted into the power wiring that supplies power to each IC chip, the insertion of the malicious circuit cannot be detected and the power supply cannot be detected. Internal signals may be extracted by power supply noise flowing in wiring. Therefore, it is an important issue how to efficiently detect fraud associated with the insertion of a malicious circuit or the like.

SUMMARY OF THE INVENTION The present invention has been made to solve the problems (problems) of the prior art described above, and provides a tampering detection circuit and a tampering detection method that can efficiently detect fraud associated with the insertion of a malicious circuit or the like. intended to

In order to solve the above-described problems and achieve the object, the present invention provides a first IC chip having at least a first digital circuit and a first power supply circuit that supplies voltage to the first digital circuit; a second IC chip having a second digital circuit and a second power supply circuit for supplying voltage to the second digital circuit; A tampering detection circuit for detecting tampering with an operating substrate, the first measuring circuit measuring a first noise signal superimposed on a voltage supplied to the first power supply circuit; a first memory circuit for storing the first noise waveform measured by the measurement circuit; and a second measurement circuit for measuring a second noise signal superimposed on the voltage supplied to the second power supply circuit. , a second memory circuit for storing a second noise waveform measured by the second measurement circuit; a circuit for receiving the first noise waveform; and a received first noise waveform and the second noise waveform. and a determination circuit for determining whether or not the substrate has been tampered with based on the correlation.

Further, according to the present invention, in the above invention, the calculation circuit calculates a cross-correlation value between the first noise waveform and the second noise waveform.

Further, according to the present invention, in the above invention, the second storage circuit stores past cross-correlation values calculated by the calculation circuit, and the determination circuit stores the cross-correlation values calculated by the calculation circuit. and determining that the substrate has been tampered with when a difference from the past cross-correlation value stored in the second storage circuit is equal to or greater than a predetermined threshold value.

Further, in the present invention, in the above invention, the determination circuit determines that the difference between the cross-correlation value calculated by the calculation circuit and the past cross-correlation value stored in the second storage circuit exceeds a predetermined threshold. If it is equal to or greater than the value, it is determined that there is a possibility that a malicious circuit has been inserted into a common power line connecting the first power supply circuit and the second power supply circuit.

Further, in the above invention, the first noise waveform is measured by the first measurement circuit triggered by a reset signal input to the digital circuit of the first IC chip, and the first noise waveform is measured by the first measurement circuit. The second noise waveform is measured by the second measurement circuit with a reset signal input to the digital circuit of one IC chip as a trigger.

In the above-described invention, the present invention further includes a generation circuit that generates predetermined test data, and inputs the test data to the first digital circuit and the second digital circuit to cause predetermined operations to be performed. It is characterized by

Further, in the present invention, in the above invention, the calculation circuit includes a plurality of low-pass filter circuits each having a different cutoff frequency and removing high frequency components from the first noise waveform based on the cutoff frequency; a plurality of correlation value calculation circuits for calculating correlation values of a plurality of third noise waveforms obtained by removing high-frequency components from the first noise waveform and the second noise waveform by the low-pass filter circuit of The cutoff frequency at which the correlation value is maximized is calculated from the correlation values calculated by the plurality of correlation value calculation circuits.

Further, according to the present invention, in the above invention, the first measurement circuit and the first storage circuit are formed in the first IC chip, and the second measurement circuit, the second storage circuit, the calculation The circuit and the determination circuit are formed in the second IC chip.

Further, the present invention provides a first IC chip having at least a first digital circuit and a first power supply circuit that supplies voltage to the first digital circuit, a second digital circuit and the second digital circuit. and a second IC chip having a second power supply circuit for supplying voltage to the circuit is mounted, and the first digital circuit and the second digital circuit perform predetermined operations. A method for detecting tampering in a circuit, wherein the first IC chip measures a first noise signal superimposed on a voltage supplied to the first power supply circuit; a first storing step in which the IC chip stores the first noise waveform measured in the first measuring step in a first storage circuit; and the second IC chip stores in the second power supply circuit a second measuring step of measuring a second noise signal superimposed on the voltage supplied to the second IC chip, measuring the second noise waveform measured by the second measuring step; a calculating step of receiving the first noise waveform and calculating a correlation between the received first noise waveform and the second noise waveform; and the correlation and a determination step of determining whether or not the substrate has been tampered with based on the relationship.

According to the present invention, it is possible to efficiently detect fraud due to insertion of a malicious circuit or the like.

FIG. 1 is an explanatory diagram for explaining the outline of the tampering detection circuit according to the first embodiment. FIG. 2 is a configuration diagram showing the configuration of the falsification detection circuit shown in FIG. 3 is a diagram showing an example of noise waveform data and correlation value data in the noise storage circuit shown in FIG. 2. FIG. FIG. 4 is a configuration diagram showing the configuration of the noise analysis circuit shown in FIG. FIG. 5 is an explanatory diagram for explaining noise waveform measurement by the noise measurement circuit shown in FIG. FIG. 6 is a timing chart for measuring the noise waveform of the noise measurement circuit shown in FIG. FIG. 7 is an explanatory diagram for explaining the outline of the falsification detection circuit according to the second embodiment. FIG. 8 is a sequence diagram for explaining the operation of the falsification detection circuit shown in FIG. FIG. 9 is an explanatory diagram for explaining the outline of the tampering detection circuit according to the third embodiment. FIG. 10 is a diagram showing an example of a third noise waveform obtained by removing frequency components equal to or higher than the cutoff frequency of the low-pass filter circuit from the first noise waveform. 11 is a diagram showing an example of changes in the cutoff frequency of the falsification detection circuit shown in FIG. 9. FIG. FIG. 12 is an explanatory diagram for explaining the outline of Modification 1. As shown in FIG. FIG. 13 is an explanatory diagram for explaining the outline of Modification 2. As shown in FIG. FIG. 14 is an explanatory diagram for explaining an outline of Modification 3. As shown in FIG.

Embodiments of a tampering detection circuit and a tampering detection method according to the present invention will be described in detail below with reference to the drawings.

[Embodiment 1]
<Outline of tampering detection circuit>
First, an overview of the falsification detection circuit according to the first embodiment will be described. In the first embodiment, a case where a plurality of IC chips are mounted on a substrate and a malicious circuit is inserted into a common power supply line for externally supplying power to the power supply circuit of each IC chip will be described.

In recent years, there has been a threat of tampering with the wiring of a printed circuit board or inserting malicious circuits on a circuit board on which multiple IC chips are mounted for the purpose of causing circuit malfunction or reading the internal information of the IC chips (on-board tampering) exists. Also, inside the IC chip, there is a risk of unintended tampering (on-chip tampering) due to microfabrication technology for failure analysis.

In Embodiment 1, a plurality of IC chips are mounted on a substrate, and a first noise waveform is measured when the first IC chip performs a predetermined operation in a tampering detection circuit of the first IC chip, While storing, the second noise waveform measured in the second IC chip when the first IC chip performs a predetermined operation is received via the noise waveform common bus, and the measured first noise waveform and the cross-correlation value of the received second noise waveform. By comparing the calculated cross-correlation value with the stored past cross-correlation value, it is possible to detect whether or not the substrate on which the IC chip is mounted has been tampered with.

FIG. 1 is an explanatory diagram for explaining the outline of the falsification detection circuit according to the first embodiment. As shown in FIG. 1, the IC chip 1A and the IC chip 1B are mounted on an interposer 40. As shown in FIG. The interposer 40 is a substrate used to widen the input/output terminals of an IC chip, which are arranged at fine intervals, to an interval that can be mounted on a printed circuit board. The IC chips 1A and 1B are connected to a common power line L1 and a noise waveform data sharing bus B1 realized in the interposer 40. FIG. Also, the malicious circuit 80 is connected to the node N3 of the common power line L1 of the interposer 40 .

The IC chip 1A has a digital circuit 10A, a falsification detection circuit 20A and a power supply circuit 30A. The digital circuit 10A is a circuit that can be used in tablet terminals, wearable devices, drone devices, IoT terminals, and the like. In addition, the digital circuit 10A may include encryption and decryption circuits that enhance signal confidentiality. The IC chip 1B also has a digital circuit 10B, a falsification detection circuit 20B, and a power supply circuit 30B.

The falsification detection circuit 20A of the IC chip 1A measures and stores a first noise waveform of the power supply voltage of the digital circuit 10A and the power supply circuit 30A when the digital circuit 10A performs a predetermined operation. Then, the tampering detection circuit 20A receives the second noise waveform measured when the digital circuit 10A performs a predetermined operation in the tampering detection circuit 20B of the IC chip 1B via the noise waveform data shared bus B1. , the cross-correlation value between the first noise waveform stored in the tampering detection circuit 20A and the received second noise waveform is calculated. If the calculated cross-correlation value is greater than or equal to a predetermined threshold value compared with the past cross-correlation value, it is determined that tampering has occurred.

Specifically, detection of tampering with the common power line L1 that supplies power to the power circuits 30A and 30B of the IC chip 1A and the IC chip 1B will be described. Power is supplied to power circuits 30A and 30B of the IC chip 1A and the IC chip 1B through a common power line L1 on the interposer 40, respectively. The tampering detection circuit 20A measures and stores the first noise waveform at the node N1 on the common power line L1 of the power supply circuit 30A when the digital circuit 10A performs a predetermined operation. Then, the falsification detection circuit 20B measures and stores the second noise waveform at the node N2 on the common power line L1 of the power supply circuit 30B when the digital circuit 10A performs a predetermined operation. After that, the falsification detection circuit 20A receives the second noise waveform of the node N2 stored in the falsification detection circuit 20B via the noise waveform data sharing bus B1, and A cross-correlation value between the first noise waveform and the received second noise waveform at node N2 is calculated and stored.

The impedance of node N1 and the impedance of node N2 on common power supply line L1 differ due to the influence of malicious circuit 80 before malicious circuit 80 is connected and when malicious circuit 80 is connected to node N3. Therefore, since the first noise waveform measured at the node N1 and the second noise waveform measured at the node N2 are different from when there is no malicious circuit 80, the cross-correlation value calculated by the tampering detection circuit 20A is A value different from the cross-correlation value when the malicious circuit 80 is not connected is shown. Then, the past cross-correlation value when the malicious circuit 80 is not connected is compared with the cross-correlation value when the malicious circuit 80 is connected. It is possible to detect that L1 has been tampered with.

Further, since the operation of the tampering detection circuit 20A of the IC chip 1A and the operation of the tampering detection circuit 20B of the IC chip 1B are interchangeable, the result of tampering detection performed in the tampering detection circuit 20A of the IC chip 1A and the IC chip The accuracy of tampering detection can be improved by mutually detecting tampering based on the result of tampering detection performed by the tampering detection circuit 20B of 1B.

<Configuration of falsification detection circuit>
Next, the configuration of the falsification detection circuit 20A will be described. FIG. 2 is a configuration diagram showing the configuration of the falsification detection circuit 20A shown in FIG. As shown in FIG. 2, the tampering detection circuit 20A has a noise measurement circuit 21A, a noise storage circuit 24A and a noise analysis circuit 25A. The noise measurement circuit 21A has a plurality of measurement circuits 22A, and measures, for example, the core power supply voltage and core ground voltage of the digital circuit 10A, the substrate potential of the IC chip 1A, and the voltage of the common power line L1 of the power supply circuit 30A.

The noise storage circuit 24A stores the noise waveform measured by the noise measurement circuit 21A. It also stores the cross-correlation value calculated by the noise analysis circuit 25A. The noise analysis circuit 25A transfers the first noise waveform measured by the noise measurement circuit 21A and the second noise waveform stored in the noise storage circuit 24B of another IC chip, for example, the IC chip 1B, to a noise waveform data shared bus. Received via B1, the cross-correlation value of the received second noise waveform and the measured first noise waveform is calculated and stored in the noise storage circuit 24A. The noise analysis circuit 25A also compares the calculated cross-correlation value with the cross-correlation value stored in the past, and compares the difference between the cross-correlation values with a threshold value to determine whether falsification has occurred. judge.

<Noise waveform data and correlation value data>
Next, noise waveform data and correlation value data stored in the noise storage circuit 24A will be described. FIG. 3 is a diagram showing an example of noise waveform data and correlation value data stored in the noise storage circuit 24A shown in FIG. As shown in FIG. 3A, the noise waveform data is stored by associating time and voltage with each node. In FIG. 3A, for node n, voltage “V _n+2 ” at time “t _{n+2 ”, voltage “V n+1} ” at time “t _n+1 ”, and voltage “V _n+1 ” at time “t _n ”, the voltage “V _n ” at the time “t _n-1 ”, the voltage “V _n-1 ” at the time “t _n-2 ”, and the voltage “V n-2 ” at the time “t _n-2 ”. showing.

Further, for the node k, the voltage “V _k+2 ” at the time “t _k+2 ”, the voltage “V _{k+1 ”} at the time “t _k +1 ”, and the voltage "V _k ", time "t _k-1 " is associated with voltage "V _k-1 ", and time "t _k-2 " is associated with voltage "V _k-2 ". Also, for the node i, the voltage "V _i+2 " at the time "t i+ ₂ ", the voltage "V _{i+1 " at the time "t i+1} ", and the voltage "V _i+1 " at the time "t _i ": The voltage "V _i " and the time "t _i-1 " are associated with the voltage "V _i-1 ", and the time "t _i-2 " is associated with the voltage "V _i-2 ".

Further, as shown in FIG. 3(b), the correlation value data is stored by associating the time and the correlation value with the node. In FIG. 3B, for the node n, the correlation value "C12 _n+2 " at the time "t _n+2 ", the correlation value "C12 n _{+1 " at the time "t n+ 1} ", the time Correlation value “C12 _n ” at “t _n ”, correlation value “C12 _n-1 ” at time “t _n-1 ”, and correlation value “C12 n _{-2 ” at time “t n -2} ”. It shows the status of attachment.

Further, for the node k, the correlation value “C11 _k+2 ” at time “t _k+2 ”, the correlation value “C11 k+1 ” at time “t _k+1 ”, and the correlation value “C11 _k+1 ” at time “t _k ” , the correlation value “C11 _k ”, the correlation value “C11 _k-1 ” at the time “t _k-1 ”, and the correlation value “C11 k _{-2 ” at the time “t k -2} ”. showing. For node i, the correlation value is "C11i _{+2" at time "ti+2 "} , the correlation value is "C11i+1" at time "ti ₊₁ ", and the correlation value is "C11i ₊₁ " at time "ti+ ₁ ". Then, the correlation value “C11 _i ”, the correlation value “C11 _{i- 1 ” at the time “t i-1} ”, and the correlation value “C11 i _{-2 ” at the time “t i- 2} ” are associated. is shown. Here, the correlation value C12 represents the cross-correlation value, and the correlation value C11 represents the autocorrelation value. For the autocorrelation value, for example, the noise waveform of the core power supply voltage of the digital circuit 10A of the IC chip 1A is stored in advance in the noise storage circuit 24A at the time of shipment from the factory. This is the value obtained by correlating the noise waveform and the measured noise waveform.

<Configuration of noise analysis circuit>
Next, the configuration of the noise analysis circuit 25A will be described. FIG. 4 is a configuration diagram showing the configuration of the noise analysis circuit 25A shown in FIG. As shown in FIG. 4, the noise analysis circuit 25A has a noise waveform cross-correlation circuit 26A, a noise waveform autocorrelation circuit 26B, a noise waveform frequency spectrum analysis circuit 26C, and a falsification judgment circuit 26D. The noise waveform cross-correlation circuit 26A is a circuit that calculates the cross-correlation value of the noise waveforms of the same measurement node of two IC chips, for example, the common power line L1. Specifically, the first noise waveform at the node N1 of the common power supply line L1 of the IC chip 1A and the second noise waveform at the node N2 of the common power supply line L1 of the IC chip 1B received via the noise waveform data sharing bus B1. A cross-correlation value of the noise waveform is calculated and stored in the noise storage circuit 24A.

The noise waveform autocorrelation circuit 26B is a circuit that calculates the autocorrelation value of the noise waveform of the same measurement node on the IC chip, eg, the core power supply voltage node of the digital circuit 10A. Specifically, the noise waveform of the core power supply voltage node of the digital circuit 10A of the IC chip 1A is calculated with the past noise waveform of the core power supply voltage node of the digital circuit 10A of the IC chip 1A and the autocorrelation value, and the noise storage circuit 24A. Note that the past noise waveform may be a noise waveform measured in advance at the time of shipment from the factory.

The noise waveform frequency spectrum analysis circuit 26C is a circuit that analyzes the frequency spectrum of the noise waveform measured by the measurement circuit 22A. Specifically, the frequency components included in the noise waveform are analyzed, the absolute value of the signal for each frequency is calculated, and stored in the noise storage circuit 24A.

The tampering judgment circuit 26D compares past data of correlation values and frequency spectrum data calculated by the noise waveform cross-correlation circuit 26A, the noise waveform autocorrelation circuit 26B, and the noise waveform frequency spectrum analysis circuit 26C with the measured data, This is a circuit for judging whether or not tampering has occurred based on whether or not the compared difference exceeds a predetermined threshold value.

<Measurement of noise waveform>
Next, noise waveform measurement by the noise measurement circuit 21A will be described. FIG. 5(a) is an explanatory diagram for explaining noise waveform measurement by the noise measurement circuit 21A shown in FIG. As shown in FIG. 5A, the noise measurement circuit 21A has a plurality of measurement circuits 22A, and each measurement circuit 22A has an amplifier circuit 23A, an ADC (Analog Digital Converter) 23B, and a control circuit 23C. Here, the case of measuring the noise waveform of the common power supply line L1 when the malicious circuit 80 is not connected to the common power supply line L1 that supplies power from the external power supply circuit 31A to the power supply circuit 30A will be described.

The amplifier circuit 23A amplifies the noise signal superimposed on the common power supply voltage. ADC 23B converts an analog noise signal into a digital signal. Triggered by the reset signal of the digital circuit 10A, the control circuit 23C starts measuring the noise waveform of the common power supply voltage, and stops the operation after measuring for a predetermined time. Next, noise waveform measurement when the malicious circuit 80 is connected will be described. As shown in FIG. 5B, the malicious circuit 80 is inserted between the power supply circuit 30A and the external power supply circuit 31A. In this case as well, the operation of the measurement circuit 22A is the same as when the malicious circuit 80 is not inserted. The noise waveform received also changes.

Next, the operation when the noise measurement circuit 21A measures a noise waveform will be described. FIG. 6 is a timing chart for measuring the noise waveform of the noise measuring circuit 21A shown in FIG. As shown in FIG. 6, the noise waveform of the external power supply voltage is reset by the reset signal input to the digital circuit 10A at time t2 when the external power supply voltage is turned on at t1 and sufficiently stabilized. Measurement of the noise waveform is started from time t3 when the reset signal rises. Since the impedance of the measurement node changes when the noise waveform is tampered with by connecting the malicious circuit 80, the noise waveform measured as shown in FIG. different from

As described above, in the first embodiment, the falsification detection circuit 20A of the IC chip 1A measures the first noise waveform of the power supply of the digital circuit 10A and the power supply circuit 30A when the digital circuit 10A performs a predetermined operation. and memorize. Then, the falsification detection circuit 20A receives the second noise waveform measured when the digital circuit 10A performs a predetermined operation in the falsification detection circuit 20B of the IC chip 1B via the noise waveform data shared bus B1, and detects the falsification. A cross-correlation value is calculated between the first noise waveform stored in the detection circuit 20A and the received second noise waveform. If the difference between the calculated cross-correlation value and the past cross-correlation value is equal to or greater than a predetermined threshold value, it is determined that tampering has occurred. It is possible to efficiently detect fraud associated with the insertion of

[Embodiment 2]
By the way, in the first embodiment, the operation of the digital circuit 10A when measuring the noise waveform is not specified. Therefore, in the second embodiment, when measuring a noise waveform, specific test data is generated and the digital circuit 10A is operated.

<Outline of tampering detection circuit>
An overview of the falsification detection circuit according to the second embodiment will be described. FIG. 7 is an explanatory diagram for explaining the outline of the falsification detection circuit according to the second embodiment. The IC chip 1C and the IC chip 1D are mounted on the interposer 40. FIG. The IC chip 1C has a digital circuit 10C, a falsification detection circuit 20C and a power supply circuit 30A. The IC chip 1D also has a digital circuit 10D, a falsification detection circuit 20D, and a power supply circuit 30B.

The tampering detection circuit 20C of the IC chip 1C has a noise measurement circuit 21A, a noise storage circuit 24A, a noise analysis circuit 25A, a detection control circuit 27A and a test data generation circuit 28A. The noise measurement circuit 21A, noise storage circuit 24A, and noise analysis circuit 25A are the same as those in the first embodiment. The detection control circuit 27A sets test data to the test data generation circuit 28A to calculate the cross-correlation value.

Then, the detection control circuit 27A transmits a noise generation trigger signal to the test data generation circuit 28A, causes the digital circuit 10C to execute the test data, and measures the noise waveform. Specifically, for example, when the digital circuit 10C of the IC chip 1C is operating with test data, the noise measurement circuit 21A detects the first voltage of the node N1 on the common power line L1 of the power supply circuit 30A of the IC chip 1C. Measure the noise waveform of Also, in the IC chip 1D, when the digital circuit 10C operates with the test data, the noise measurement circuit 21B measures the second noise waveform at the node N2 on the common power line L1 of the power supply circuit 30B of the IC chip 1D. and stored in the noise storage circuit 24B. Then, the noise analysis circuit 25A of the IC chip 1C receives the second noise waveform measured by the IC chip 1D from the noise storage circuit 24B of the IC chip 1D via the noise waveform/detection control data shared bus B2, and A cross-correlation value is calculated between the first noise waveform measured at 1C and the received second noise waveform. Then, the calculated cross-correlation value is compared with the past cross-correlation value, and if the difference between the cross-correlation values is greater than a predetermined threshold value, it is determined that tampering has occurred.

Next, operation procedures of the tampering detection circuit 20C and the tampering detection circuit 20D according to the second embodiment will be described. FIG. 8 is a sequence chart for explaining the operation of the falsification detection circuit 20C shown in FIG. As shown in FIG. 8, the falsification detection circuit 20C of the IC chip 1C sets noise test data in the test data generation circuit 28A (S1). Next, the tampering detection circuit 20C of the IC chip 1C transmits a noise generation trigger to the test data generation circuit 28A of the IC chip 1C and the tampering detection circuit 20D of the IC chip 1D (S2).

The falsification detection circuit 20D of the IC chip 1D receives the noise generation trigger (S3). Upon receiving the noise generation trigger, the test data generation circuit 28A generates test data and causes the digital circuit 10C to execute the test data (S4). Then, the falsification detection circuit 20D of the IC chip 1D measures and stores the second noise waveform at the measurement node of the IC chip 1D (S5). The noise measurement circuit 21C of the IC chip 1C also measures and stores the first noise waveform at the measurement node of the IC chip 1C (S6).

Then, the falsification detection circuit 20D of the IC chip 1D transmits the second noise waveform stored in the noise storage circuit 24D of the IC chip 1D via the noise waveform/detection control data shared bus B2 (S7). The falsification detection circuit 20C calculates a cross-correlation value between the received second noise waveform and the measured first noise waveform (S8). Then, the falsification detection circuit 20C of the IC chip 1C compares the calculated cross-correlation value with the stored past cross-correlation value, and if the difference between the cross-correlation values is greater than a predetermined threshold value, falsification has occurred. If the difference is smaller than the predetermined threshold value, it is determined that no falsification has been performed (S9).

As described above, the tampering detection circuit according to the second embodiment includes the test data generation circuit 28A, so that the noise waveform can always be measured while the same test data is operated by the digital circuit 10A. The accuracy of correlation values can be improved.

[Embodiment 3]
By the way, in Embodiments 1 and 2, the similarity of noise waveforms is used as a correlation value, but in Embodiment 3, a case where the cross-correlation value of noise waveforms is associated with the cutoff frequency of the low-pass filter circuit will be described.

<Outline of tampering detection circuit>
An overview of the falsification detection circuit according to the third embodiment will be described. FIG. 9 is an explanatory diagram for explaining the outline of the falsification detection circuit according to the third embodiment. As shown in FIG. 9, the first noise waveform has different cutoff frequencies, and the high frequency components are removed by a plurality of low-pass filter circuits 32 that remove high frequency components from the first noise waveform based on the cutoff frequencies. A plurality of third noise waveforms are calculated. Then, the correlation value calculation circuit 33 calculates the correlation value at each cutoff frequency of the plurality of third noise waveforms and the second noise waveform. From the calculated correlation values at each cutoff frequency, the cutoff frequency (fc _PDN ) with the maximum correlation value is calculated. This cutoff frequency (fc _PDN ) is stored as an evaluation value corresponding to the feature quantity of the common power line L1, that is, the cross-correlation value.

Next, an example of a third noise waveform obtained by removing frequency components above the cutoff frequency from the first noise waveform in the low-pass filter circuit 32 having a different cutoff frequency will be described. FIG. 10 is a diagram showing an example of a third noise waveform obtained by removing frequency components equal to or higher than the cutoff frequency of the low-pass filter circuit from the first noise waveform. As shown in FIG. 10, here, the case of using four low-pass filter circuits 32 with different cutoff frequencies is shown. FIG. 10(a) shows a first noise waveform at the node N1 of the common power line L1 of the first IC chip. Also, FIG. 10(b) shows a second noise waveform of the common power line L1 of the second IC chip. As described above, the second noise waveform measured by the second IC chip is generated by a parasitic low-pass filter formed by the parasitic impedance of the common power line L1 in the interposer 40 on which the first IC chip and the second IC chip are mounted. has the effect of a low-pass filter on the propagation of noise waveforms, resulting in waveforms from which high-frequency components have been removed.

FIG. 10(c) shows a third noise waveform obtained by removing frequency components of 1 MHz or higher from the first noise waveform by a low-pass filter circuit 32 with a cutoff frequency of 1 MHz. FIG. 10(d) shows a third noise waveform obtained by removing frequency components of 10 MHz or higher from the first noise waveform by a low-pass filter circuit 32 with a cutoff frequency of 10 MHz. FIG. 10(e) shows a third noise waveform obtained by removing frequency components of 25 MHz or higher from the first noise waveform by a low-pass filter circuit 32 with a cutoff frequency of 25 MHz. FIG. 10(f) shows a third noise waveform obtained by removing high frequency components of 100 MHz or higher from the first noise waveform by a low-pass filter circuit 32 with a cutoff frequency of 100 MHz.

Calculation of the correlation value is not performed for the entire time of the first noise waveform, but for the vicinity of the peak waveform caused by, for example, the rise of the clock signal after resetting the digital circuit of the first IC chip. is provided with a correlation window as shown in FIG. 10(b), and the correlation is obtained within this range. When calculating the correlation value between the first noise waveform and the second noise waveform, the correlation window is set such that the correlation value of the correlation window of the second noise waveform is maximized. Calculate. Note that the correlation window may be set with a peak waveform caused by the fall of the clock signal or a peak waveform corresponding to the ringing component as a trigger.

Next, an example of change in the cutoff frequency of the tampering detection circuit will be described. 11 is a diagram showing an example of changes in the cutoff frequency of the falsification detection circuit shown in FIG. 9. FIG. As shown in FIG. 11, here, the case of using low-pass filter circuits 32 having 20 different cutoff frequencies is shown. When the malicious circuit 80 is connected to the common power supply line L1, the cutoff frequency vs. correlation value characteristics change. In FIG. 11, the cutoff frequency with the maximum correlation value of the common power line L1 that has not been tampered with is 29 MHz. The off frequency shows a state where it changes to 23 MHz.

As described above, the tampering detection circuit according to the third embodiment converts the first noise waveform into a plurality of third noise waveforms in which high-frequency components equal to or higher than the cutoff frequency are removed by the plurality of low-pass filter circuits 32 having different cutoff frequencies. The correlation values of the waveform and the second noise waveform are respectively calculated, and from the calculated correlation values, the cutoff frequency at which the correlation value is maximized is calculated and used as the feature quantity of the common power supply line L1. Alteration such as connecting the malicious circuit 80 to the common power supply line L1 can be detected by the change in the feature amount.

In Embodiments 1, 2, and 3 described above, the tampering detection circuits 20A, 20B, 20C, and 20D are formed in the IC chips 1A, 1B, 1C, and 1D, respectively. may be formed on the IC chip.

<Modification 1>
By the way, in each of the above embodiments, the case where the IC chips 1A, 1B, 1C, and 1D are connected by the interposer 40 has been described, but here, the IC chips 1A and 1B are mounted and connected to a printed circuit board. If there is

First, a case where a plurality of IC chips each having a tampering detection circuit 20A according to Modification 1 are mounted on a printed circuit board will be described. FIG. 12 is an explanatory diagram for explaining the outline of Modification 1. As shown in FIG. As shown in FIG. 12, IC chips 1A and 1B are enclosed in packages 50A and 50B. Here, the package is a resin package using a resin mold or a ceramic package using ceramics.

A plurality of packages 50A are mounted on one printed circuit board 60 . A common power line L1 and a noise waveform data sharing bus B1 applied to the IC chips 1A and 1B are realized as wiring on the printed circuit board 60, and terminals of the common power line L1 and the noise waveform data sharing bus B1 of the packages 50A and 50B are connected. are connected to the printed circuit board 60 by solder or solder bumps. The operation of the tampering detection circuit 20A is the same as that of the first embodiment, so a description thereof will be omitted. be able to.

<Modification 2>
Next, in Modified Example 2, a case where an electronic module is configured using a plurality of IC chip-mounted printed circuit boards will be described. FIG. 13 is an explanatory diagram for explaining the outline of Modification 2. As shown in FIG. As shown in FIG. 13, IC chips 1A and 1B are enclosed in packages 50A and 50B, respectively, and mounted on printed circuit boards 61 and 62, respectively. A common power line L1 and a noise waveform data sharing bus B1 are connected between the printed circuit boards 61 and 62 by cables or the like to form an electronic module 70. FIG.

The tampering detection circuit 20A of the IC chip 1A measures and stores the first noise waveform of the node N1 of the common power line L1 of the power supply circuit 30A of the IC chip 1A. Then, the falsification detection circuit 20B of the IC chip 1B measures and stores the second noise waveform at the node N2 of the common power line L1 of the power supply circuit 30B of the IC chip 1B. The falsification detection circuit 20A of the IC chip 1A performs cross-correlation between the first noise waveform of the node N1 and the second noise waveform of the node N2 received from the falsification detection circuit 20B of the IC chip 1B via the noise waveform data sharing bus B1. By calculating the value and comparing it with past cross-correlation values, if the difference in the cross-correlation values is greater than a predetermined threshold, it is determined that the cable connecting printed circuit board 61 and printed circuit board 62 has been tampered with. judge. Also, if the difference in cross-correlation value is smaller than a predetermined threshold value, it is determined that no falsification has occurred. Thus, the tampering detection circuit 20A can also detect tampering of the cable or the like connecting the printed circuit board 61 and the printed circuit board 62 .

<Modification 3>
Next, in Modification 3, a case where three IC chip-mounted packages 50A, 50B, and 50C are mounted on a printed circuit board 63 will be described. FIG. 14 is an explanatory diagram for explaining an outline of Modification 3. As shown in FIG. As shown in FIG. 14, IC chips 1A, 1B and 1C are enclosed in packages 50A, 50B and 50C, respectively, and three packages 50A, 50B and 50C are mounted on one printed circuit board 63. FIG. A common power supply line L1 and a noise waveform data sharing bus B1 for each of the packages 50A, 50B and 50C are implemented as wiring on the printed circuit board 63. FIG.

The tampering detection circuit 20A of the IC chip 1A measures and stores the first noise waveform of the node N1 of the common power line L1 of the power supply circuit 30A of the IC chip 1A. Then, the falsification detection circuit 20B of the IC chip 1B measures and stores the second noise waveform at the node N2 of the common power line L1 of the power supply circuit 30B of the IC chip 1B. The falsification detection circuit 20A of the IC chip 1A performs cross-correlation between the first noise waveform of the node N1 and the second noise waveform of the node N2 received from the falsification detection circuit 20B of the IC chip 1B via the noise waveform data sharing bus B1. By calculating the value and comparing it with the past cross-correlation value, if the difference between the cross-correlation values is larger than a predetermined threshold value, it is determined that the wiring between the IC chip 1A and the IC chip 1B has been tampered with.

Further, the falsification detection circuit 20B of the IC chip 1B measures and stores the second noise waveform of the node N2 of the common power line L1 of the power supply circuit 30B of the IC chip 1B. Then, the falsification detection circuit 20C of the IC chip 1C measures and stores the fourth noise waveform at the node N4 of the common power line L1 of the power supply circuit 30C of the IC chip 1C. The falsification detection circuit 20B of the IC chip 1B performs cross-correlation between the second noise waveform of the node N2 and the noise waveform of the fourth node N4 received from the falsification detection circuit 20C of the IC chip 1C via the noise waveform data sharing bus B1. By calculating the value and comparing it with the past cross-correlation value, if the difference between the cross-correlation values is larger than a predetermined threshold value, it is determined that the wiring between the IC chip 1B and the IC chip 1C has been tampered with.

Further, the falsification detection circuit 20C of the IC chip 1C measures and stores the fourth noise waveform at the node N4 of the common power line L1 of the power supply circuit 30C of the IC chip 1C. Then, the falsification detection circuit 20A of the IC chip 1A measures and stores the first noise waveform of the node N1 of the common power line L1 of the power supply circuit 30A of the IC chip 1A. The tampering detection circuit 20C of the IC chip 1C performs cross-correlation between the fourth noise waveform of the node N4 and the first noise waveform of the node N1 received from the tampering detection circuit 20A of the IC chip 1A via the noise waveform data sharing bus B1. By calculating the value and comparing it with the past cross-correlation value, if the difference between the cross-correlation values is larger than a predetermined threshold value, it is determined that the wiring between the IC chip 1C and the IC chip 1A has been tampered with. By comparing the tampering detection results of the IC chips 1A and 1B, the tampering detection results of the IC chips 1B and 1C, and the tampering detection results of the IC chips 1C and 1A, it is possible to estimate the location of the tampering.

Each configuration illustrated in each of the above-described embodiments and modifications is functionally schematic, and does not necessarily need to be physically configured as illustrated. That is, the form of distribution/integration of each device is not limited to the illustrated one, and all or part of them can be functionally or physically distributed/integrated in arbitrary units according to various loads and usage conditions. Can be configured.

INDUSTRIAL APPLICABILITY The tampering detection circuit and the tampering detection method according to the present invention are suitable for efficiently detecting fraud associated with the insertion of a malicious circuit or the like.

B1 Noise waveform data sharing bus B2 Noise waveform/detection control data sharing bus L1 Common power line 1A, 1B, 1C, 1D IC chip 10A, 10B, 10C, 10D Digital circuit 20A, 20B, 20C, 20D Tampering detection circuit 21A, 21B , 21C noise measurement circuit 22A measurement circuit 23A amplifier circuit 23B ADC
23C control circuit 24A, 24B, 24C noise storage circuit 25A, 25B, 25C noise analysis circuit 26A noise waveform cross-correlation circuit 26B noise waveform autocorrelation circuit 26C noise waveform frequency spectrum analysis circuit 26D falsification determination circuit 27A, 27B detection control circuit 28A, 28B test data generation circuit 30A, 30B, 30C power supply circuit 31 external power supply circuit 32 low-pass filter circuit 33 correlation value calculation circuit 40 interposer 50A, 50B, 50C package 60, 61, 62, 63 printed circuit board 70 electronic module 80 malicious circuit

Claims (9)

A first IC chip having at least a first digital circuit and a first power supply circuit that supplies voltage to the first digital circuit, a second digital circuit that supplies voltage to the second digital circuit A tampering detection circuit for detecting tampering with a substrate on which a second IC chip having a second power supply circuit is mounted, and the first digital circuit and the second digital circuit perform predetermined operations,
a first measurement circuit that measures a first noise signal superimposed on the voltage supplied to the first power supply circuit;
a first storage circuit that stores the first noise waveform measured by the first measurement circuit;
a second measurement circuit for measuring a second noise signal superimposed on the voltage supplied to the second power supply circuit;
a second storage circuit that stores the second noise waveform measured by the second measurement circuit;
a calculation circuit that receives the first noise waveform and calculates a correlation between the received first noise waveform and the second noise waveform;
A tampering detection circuit, comprising: a determination circuit that determines whether or not the substrate has been tampered with based on the correlation. The calculation circuit is
2. A tampering detection circuit according to claim 1, wherein a cross-correlation value between said first noise waveform and said second noise waveform is calculated. The second memory circuit is
storing past cross-correlation values calculated by the calculation circuit;
The determination circuit is
When the difference between the cross-correlation value calculated by the calculation circuit and the past cross-correlation value stored in the second storage circuit is equal to or greater than a predetermined threshold value, it is determined that the substrate has been tampered with. 3. The tampering detection circuit according to claim 2, wherein: The determination circuit is
When the difference between the cross-correlation value calculated by the calculation circuit and the past cross-correlation value stored in the second storage circuit is equal to or greater than a predetermined threshold, the first power supply circuit and the 4. The tampering detection circuit according to claim 3, wherein it is determined that there is a possibility that a malicious circuit has been inserted into a common power supply line connected to the second power supply circuit. Triggered by a reset signal input to the digital circuit of the first IC chip, the first noise waveform is measured by the first measurement circuit;
5. The second noise waveform is measured by the second measurement circuit using a reset signal input to the digital circuit of the first IC chip as a trigger. A tamper detection circuit according to one. further comprising a generation circuit that generates predetermined test data;
6. The tampering detection circuit according to claim 1, wherein the test data is input to the first digital circuit and the second digital circuit to cause a predetermined operation to be performed. The calculation circuit is
a plurality of low-pass filter circuits each having a different cutoff frequency and removing high frequency components from the first noise waveform based on the cutoff frequency;
a plurality of correlation value calculation circuits for calculating correlation values of a plurality of third noise waveforms obtained by removing high frequency components from the first noise waveform by the plurality of low-pass filter circuits and the second noise waveform, respectively; ,
The tampering detection circuit according to any one of claims 1 to 6, wherein a cutoff frequency at which the correlation value is maximized is calculated from the correlation values calculated by the plurality of correlation value calculation circuits. the first measurement circuit and the first memory circuit are formed in the first IC chip,
The second IC chip according to any one of claims 1 to 7, wherein the second measurement circuit, the second storage circuit, the calculation circuit, and the determination circuit are formed within the second IC chip. tampering detection circuit. A first IC chip having at least a first digital circuit and a first power supply circuit that supplies voltage to the first digital circuit, a second digital circuit that supplies voltage to the second digital circuit A tampering detection method in a tampering detection circuit for detecting tampering with respect to a substrate on which a second IC chip having a second power supply circuit is mounted and on which the first digital circuit and the second digital circuit perform predetermined operations. There is
a first measurement step in which the first IC chip measures a first noise signal superimposed on a voltage supplied to the first power supply circuit;
a first storing step in which the first IC chip stores the first noise waveform measured in the first measuring step in a first storage circuit;
a second measurement step in which the second IC chip measures a second noise signal superimposed on the voltage supplied to the second power supply circuit;
a second storing step in which the second IC chip stores the second noise waveform measured in the second measuring step in a second storage circuit;
a calculating step of receiving the first noise waveform and calculating a correlation between the received first noise waveform and the second noise waveform;
and a determination step of determining whether or not the substrate has been tampered with based on the correlation.

Images