WO2016114267A1 - オンチップモニタ回路及び半導体チップ - Google Patents
オンチップモニタ回路及び半導体チップ Download PDFInfo
- Publication number
- WO2016114267A1 WO2016114267A1 PCT/JP2016/050725 JP2016050725W WO2016114267A1 WO 2016114267 A1 WO2016114267 A1 WO 2016114267A1 JP 2016050725 W JP2016050725 W JP 2016050725W WO 2016114267 A1 WO2016114267 A1 WO 2016114267A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- chip
- monitor circuit
- semiconductor chip
- test
- security function
- Prior art date
Links
- 239000004065 semiconductor Substances 0.000 title claims abstract description 151
- 238000012360 testing method Methods 0.000 claims abstract description 147
- 238000000034 method Methods 0.000 claims abstract description 54
- 230000008569 process Effects 0.000 claims abstract description 20
- 238000003860 storage Methods 0.000 claims abstract description 17
- 238000012544 monitoring process Methods 0.000 claims abstract description 5
- 238000011156 evaluation Methods 0.000 claims description 32
- 239000000758 substrate Substances 0.000 claims description 19
- 238000012545 processing Methods 0.000 claims description 17
- 238000010998 test method Methods 0.000 claims description 14
- 230000001934 delay Effects 0.000 claims description 4
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 abstract description 17
- 238000004519 manufacturing process Methods 0.000 abstract description 10
- 230000006870 function Effects 0.000 description 51
- 238000005259 measurement Methods 0.000 description 39
- 239000000523 sample Substances 0.000 description 33
- 238000010586 diagram Methods 0.000 description 22
- 238000005070 sampling Methods 0.000 description 19
- 238000004458 analytical method Methods 0.000 description 18
- 238000000691 measurement method Methods 0.000 description 14
- 239000013598 vector Substances 0.000 description 12
- 238000006243 chemical reaction Methods 0.000 description 11
- 238000001514 detection method Methods 0.000 description 11
- XUIMIQQOPSSXEZ-UHFFFAOYSA-N Silicon Chemical compound [Si] XUIMIQQOPSSXEZ-UHFFFAOYSA-N 0.000 description 8
- 229910052710 silicon Inorganic materials 0.000 description 8
- 239000010703 silicon Substances 0.000 description 8
- 238000012986 modification Methods 0.000 description 7
- 230000004048 modification Effects 0.000 description 7
- 238000010219 correlation analysis Methods 0.000 description 5
- 238000013461 design Methods 0.000 description 5
- 230000000875 corresponding effect Effects 0.000 description 4
- 230000005672 electromagnetic field Effects 0.000 description 4
- 230000008054 signal transmission Effects 0.000 description 4
- 235000012431 wafers Nutrition 0.000 description 4
- 239000003990 capacitor Substances 0.000 description 3
- 230000001276 controlling effect Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 230000007547 defect Effects 0.000 description 2
- 230000007123 defense Effects 0.000 description 2
- 230000003111 delayed effect Effects 0.000 description 2
- 238000003745 diagnosis Methods 0.000 description 2
- 230000007613 environmental effect Effects 0.000 description 2
- 230000007274 generation of a signal involved in cell-cell signaling Effects 0.000 description 2
- 238000011056 performance test Methods 0.000 description 2
- 230000036316 preload Effects 0.000 description 2
- 238000011158 quantitative evaluation Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 240000005020 Acaciella glauca Species 0.000 description 1
- 239000008000 CHES buffer Substances 0.000 description 1
- MKWKNSIESPFAQN-UHFFFAOYSA-N N-cyclohexyl-2-aminoethanesulfonic acid Chemical compound OS(=O)(=O)CCNC1CCCCC1 MKWKNSIESPFAQN-UHFFFAOYSA-N 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000002238 attenuated effect Effects 0.000 description 1
- 230000004888 barrier function Effects 0.000 description 1
- 239000002131 composite material Substances 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 230000002596 correlated effect Effects 0.000 description 1
- 230000008878 coupling Effects 0.000 description 1
- 238000010168 coupling process Methods 0.000 description 1
- 238000005859 coupling reaction Methods 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 239000006185 dispersion Substances 0.000 description 1
- 230000005670 electromagnetic radiation Effects 0.000 description 1
- 238000011065 in-situ storage Methods 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 230000005855 radiation Effects 0.000 description 1
- 235000003499 redwood Nutrition 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
- 239000000243 solution Substances 0.000 description 1
- 230000006641 stabilisation Effects 0.000 description 1
- 238000011105 stabilization Methods 0.000 description 1
- -1 that is Substances 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/556—Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes
-
- G—PHYSICS
- G01—MEASURING; TESTING
- G01R—MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
- G01R31/00—Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
- G01R31/28—Testing of electronic circuits, e.g. by signal tracer
- G01R31/2851—Testing of integrated circuits [IC]
- G01R31/2884—Testing of integrated circuits [IC] using dedicated test connectors, test elements or test circuits on the IC under test
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01L—SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
- H01L21/00—Processes or apparatus adapted for the manufacture or treatment of semiconductor or solid state devices or of parts thereof
- H01L21/70—Manufacture or treatment of devices consisting of a plurality of solid state components formed in or on a common substrate or of parts thereof; Manufacture of integrated circuit devices or of parts thereof
- H01L21/77—Manufacture or treatment of devices consisting of a plurality of solid state components or integrated circuits formed in, or on, a common substrate
- H01L21/78—Manufacture or treatment of devices consisting of a plurality of solid state components or integrated circuits formed in, or on, a common substrate with subsequent division of the substrate into plural individual devices
- H01L21/82—Manufacture or treatment of devices consisting of a plurality of solid state components or integrated circuits formed in, or on, a common substrate with subsequent division of the substrate into plural individual devices to produce devices, e.g. integrated circuits, each consisting of a plurality of components
- H01L21/822—Manufacture or treatment of devices consisting of a plurality of solid state components or integrated circuits formed in, or on, a common substrate with subsequent division of the substrate into plural individual devices to produce devices, e.g. integrated circuits, each consisting of a plurality of components the substrate being a semiconductor, using silicon technology
-
- H—ELECTRICITY
- H01—ELECTRIC ELEMENTS
- H01L—SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
- H01L27/00—Devices consisting of a plurality of semiconductor or other solid-state components formed in or on a common substrate
- H01L27/02—Devices consisting of a plurality of semiconductor or other solid-state components formed in or on a common substrate including semiconductor components specially adapted for rectifying, oscillating, amplifying or switching and having potential barriers; including integrated passive circuit elements having potential barriers
- H01L27/04—Devices consisting of a plurality of semiconductor or other solid-state components formed in or on a common substrate including semiconductor components specially adapted for rectifying, oscillating, amplifying or switching and having potential barriers; including integrated passive circuit elements having potential barriers the substrate being a semiconductor body
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/10—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols with particular housing, physical features or manual controls
-
- G—PHYSICS
- G01—MEASURING; TESTING
- G01R—MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
- G01R31/00—Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
- G01R31/28—Testing of electronic circuits, e.g. by signal tracer
- G01R31/317—Testing of digital circuits
- G01R31/31719—Security aspects, e.g. preventing unauthorised access during test
Definitions
- the present invention is mounted on a semiconductor chip having a cryptographic module that encrypts an input signal and outputs a cryptographic signal, such as a large scale integrated circuit (LSI), and monitors the signal waveform of the semiconductor chip, for example, analog On-chip monitor circuit having a monitor circuit such as a front-end circuit, a semiconductor chip having the on-chip monitor circuit, a semiconductor chip test system for testing the semiconductor chip, and a test for the semiconductor chip for testing the semiconductor chip With respect to methods.
- LSI large scale integrated circuit
- Security and reliability in integrated circuits are research areas that have attracted attention in the last 10 years.
- an encryption core that is resistant to physical attacks that exploit physical implementations and side-channel attacks is required.
- trojans that embed malicious circuits in the manufacturing stage are also attracting attention.
- security and reliability can be performance indicators that should be inspected before shipping.
- SoC complex system on chip
- SCA side-channel attack
- the low-side method has a problem that the signal level is low, and the high-side method is exposed to a large power supply noise from the power supply source. These mean that the signal-to-noise ratio (SNR) becomes low. Since the inserted resistor behaves as a low-pass filter, the high-frequency component of the signal is suppressed.
- SNR signal-to-noise ratio
- EM (Electro-Magnetic) probe is also used as a highly accurate side channel attack technique (for example, see Non-Patent Document 6). Measurement with an electromagnetic probe may be low noise but depends on the measurement location. The measurement band of the electromagnetic field probe is about several GHz, which is wider than that of the low resistance method.
- the biggest problems with the above-mentioned electromagnetic field probe are (1) probe position control in a three-dimensional space with respect to the semiconductor chip and evaluation board, and (2) stabilization of the surrounding environment such as spatial electromagnetic waves and physical vibrations. .
- the evaluation value of information leakage changes due to fluctuations in the probe position and electromagnetic field. Furthermore, changes due to the circuit design and physical layout design of the evaluation board cannot be ignored. Thus, in order to verify the side channel leakage amount as a test item related to the hardware security of the semiconductor chip, selection of an appropriate measurement method and measurement environment management are important issues.
- Another object of the present invention is to provide a semiconductor chip including the on-chip monitor circuit, a semiconductor chip test system including the semiconductor chip and a test apparatus, and a method for testing the semiconductor chip.
- An on-chip monitor circuit is an on-chip monitor circuit mounted on a semiconductor chip including a security function module that performs security function processing on an input signal and outputs a security function signal.
- an on-chip monitor circuit having a monitor circuit for monitoring a signal waveform of a semiconductor chip, First storage means for storing data designating a window period for testing the semiconductor chip; And a control means for controlling the monitor circuit to operate during the window period when a predetermined test signal is input to the security function module.
- control means includes: Counting means for counting the clock signal and outputting the count value data after receiving the reset signal; Comparing means for controlling the monitor circuit to operate when the data for comparing the window period data is compared with the data of the count value and the respective data coincide with each other.
- the window period is a time period in which information leakage of the security function module is maximized.
- the on-chip monitor circuit further comprises second storage means for storing an input delay code, The control means delays the timing of the window period by a delay time corresponding to the delay code.
- the delay code indicates a delay amount for designating a timing at which information leakage of the security function module is maximized.
- the monitor circuit monitors a signal waveform of a substrate potential of the semiconductor chip or a power supply potential of the security function module.
- control means stops the operation of the monitor circuit after the test of the semiconductor chip is completed.
- control means logically stores a predetermined value in at least one of the first storage means and the second storage means after completion of the test of the semiconductor chip. It is characterized by making it non-rewritable.
- the security function module is a cryptographic module.
- a semiconductor chip including a security function module that performs security function processing on an input signal and outputs a security function signal.
- the on-chip monitor circuit is provided.
- a semiconductor chip test system is: The semiconductor chip; A semiconductor chip test system comprising a test device for testing the semiconductor chip, The test equipment is Test signal generating means for generating a test signal and outputting it to the semiconductor chip so that an information leakage period from the security function module is included in the window period; And determining means for determining security evaluation by quantifying information leakage from the security function module based on the signal waveform from the monitor circuit.
- a semiconductor chip test method is an on-chip monitor circuit mounted on a semiconductor chip including a security function module that performs security function processing on an input signal and outputs a security function signal,
- the semiconductor chip test method using an on-chip monitor circuit provided with a monitor circuit for monitoring the signal waveform of the semiconductor chip, Storing in the first storage means data specifying a window period for testing the semiconductor chip; And a step of controlling the monitor circuit to operate during the window period when a predetermined test signal is input to the security function module.
- the method further includes the step of delaying the timing of the window period by a delay time corresponding to the delay code.
- the semiconductor chip test method further includes a step of stopping the operation of the monitor circuit after the test of the semiconductor chip is completed.
- the method further includes a step of making a predetermined value logically unrewritable by storing a predetermined value in at least one of the first storage unit and the second storage unit.
- the security function module is a cryptographic module.
- a malicious circuit is embedded at the manufacturing stage of a semiconductor chip provided with a security function module by using the on-chip monitor circuit in a semiconductor chip that requires security.
- An on-chip monitor circuit or the like for testing the semiconductor chip can be provided so that a security attack such as a horse can be prevented.
- FIG. 1 is a circuit diagram showing a basic configuration of an on-chip monitor circuit according to Embodiment 1.
- FIG. 1 is a circuit diagram showing a basic configuration of an on-chip monitor circuit according to Embodiment 1.
- FIG. It is a top view which shows the layout of the semiconductor chip to be measured.
- 1 is a block diagram showing a configuration of a prototype semiconductor chip test system according to Embodiment 1.
- FIG. 3A is a photograph showing the appearance of the prototype semiconductor chip test system.
- FIG. 4 is a graph showing a leakage analysis result by the semiconductor chip test system of FIG. 3 and showing an SNR for a selected plain text. It is a leakage analysis result by the semiconductor chip test system of Drawing 3, and is a graph which shows presumed entropy with respect to each measurement.
- FIG. 4 is a graph showing a correlation value in the frequency domain, which is an analysis result obtained by using a 1 ⁇ (high side) method among correlation analysis attack methods of high frequency component analysis by the semiconductor chip test system of FIG. 3. It is an analysis result obtained using the on-chip monitor method among the correlation analysis attack methods of the high frequency component analysis by the semiconductor chip test system of FIG. 3, and is a graph showing correlation values in the frequency domain.
- It is a block diagram which shows the structure of another semiconductor chip test system which concerns on Embodiment 1.
- FIG. It is a timing chart of each signal which shows operation of the semiconductor chip test system of Drawing 6A. It is a flowchart which shows the test process of the semiconductor chip by the semiconductor chip test system of FIG. 6A.
- FIG. 6B is a schematic external view when a probe card is connected to a semiconductor chip in the semiconductor chip test system of FIG. 6A.
- 1 is a block diagram illustrating a configuration of a semiconductor chip 10 including an on-chip monitor circuit 20 that is used in an example according to Embodiment 1.
- FIG. FIG. 10 is a graph showing an experimental result of the on-chip monitor circuit 20 of FIG. 9 and a noise waveform of the power line of the ground side power supply voltage Vss.
- FIG. 10 is a graph showing experimental results of the on-chip monitor circuit 20 of FIG. 9 and the number of logic gates with respect to the number of active cryptographic modules.
- FIG. 10 is a graph showing an experimental result of the on-chip monitor circuit 20 of FIG.
- FIG. 6 is a plan view showing a configuration of a system LSI chip with a cryptographic function having an on-chip monitor circuit according to a second embodiment.
- FIG. 10 is a plan view showing a configuration of a system LSI chip with a cryptographic function having an on-chip monitor circuit according to a modification of the second embodiment.
- 10 is a block diagram of Example 1 of an on-chip monitor circuit of a system LSI chip with encryption function according to a second embodiment.
- FIG. FIG. 15B is a circuit diagram showing a first circuit example of the analog front-end circuit of FIG. 15A.
- FIG. 15B is a circuit diagram showing a second circuit example of the analog front-end circuit of FIG. 15A. It is a timing chart of each signal which shows operation of the on-chip monitor circuit of Drawing 15A.
- FIG. 10 is a block diagram of Example 2 of the on-chip monitor circuit of the system LSI chip with encryption function according to the second embodiment. It is a timing chart of each signal which shows the modification of the operation
- FIG. 10 is a circuit diagram illustrating a configuration of an on-chip monitor circuit according to a modification of the second embodiment. It is a block diagram which shows the characteristic part of the whole structure of the semiconductor chip test system which concerns on Embodiment 2.
- FIG. 10 is a circuit diagram illustrating a configuration of an on-chip monitor circuit according to a modification of the second embodiment. It is a block diagram
- Embodiment 1 FIG. 1-1.
- on-chip noise measurement means on-chip monitor circuit
- on-chip monitor circuit is applied to quantitative diagnosis and testing of side channel information leakage.
- an on-chip monitor circuit hardware security application particularly an on-chip measurement method for side channel leakage
- an on-chip measurement method for side channel leakage is proposed, and its superiority over existing measurement methods is clarified.
- FIG. 1A is a circuit diagram showing a basic configuration of an on-chip monitor circuit 20 according to the first embodiment.
- the on-chip monitor circuit 20 includes a sample hold circuit 1 including a sampling switch SW1 and a capacitor C1, and a unity gain amplifier 2.
- the embedded sample and hold circuit 1 acquires an on-chip waveform such as power supply noise inside the semiconductor chip.
- the sample hold circuit 1 captures the analog voltage to be measured according to the sampling clock, holds the DC voltage, and outputs it to an external circuit of the semiconductor chip 10.
- the sampling switch SW1 and the capacitor C1 are configured using high voltage (3.3V) elements, and the power supply voltage (Vdd) of the encryption core of 1.8V is directly connected to the sample hold circuit 1, and the output DC voltage Is buffered by a unity gain amplifier (UGA) 2 having a gain of 1 and output.
- Vdd power supply voltage
- UUA unity gain amplifier
- FIG. 1B is a circuit diagram showing a basic configuration of the on-chip monitor circuit 20A according to the first embodiment. Since the ground voltage (Vss) and the silicon substrate voltage (Vsub) are 0 V, as shown in FIG. 1B, the input voltage is sampled and held by a P-type source follower circuit 3 composed of P-channel MOS transistors Q1 and Q2. It is necessary to shift to a potential suitable for.
- Vss ground voltage
- Vsub silicon substrate voltage
- the on-chip monitor circuits 20 and 20A shown in FIGS. 1A and 1B are created with the in mind to be incorporated into a semiconductor test flow, and can be easily incorporated into an automatic test equipment (ATE), thereby reducing the design cost. Can be reduced.
- An automatic test device (hereinafter referred to as A / D conversion) is used for generating highly accurate sample timing necessary for the operation of the on-chip monitor circuits 20 and 20A and for analog / digital conversion (hereinafter referred to as A / D conversion) in a wide voltage range.
- ATE analog / digital conversion
- the power supply noise waveform observed inside the semiconductor chip follows the dynamic power consumption change of the semiconductor chip and reflects the logic processing circuit operation that handles secret information. Furthermore, power consumption due to the operation of hardware trojans and malicious circuits is also included. Although it is a very small voltage fluctuation measurement, since it is observed in-situ within the semiconductor chip by the embedded sample and hold circuit 1, it is hardly affected by the position and environment.
- An automatic test apparatus (ATE) is excellent in generality and stability as a test environment. As described above, the side channel leakage evaluation by the cooperation of the on-chip monitor circuit 20 and the automatic test apparatus (ATE) is useful for the test related to the hardware security of the semiconductor chip.
- FIG. 2 is a plan view showing a layout of a semiconductor chip to be measured
- FIG. 3A is a block diagram showing a configuration of a prototype semiconductor chip test system according to Embodiment 1
- FIG. 3B is a prototype semiconductor chip test system shown in FIG. 3A. It is a photograph which shows the external appearance.
- FIG. 2 a semiconductor chip on which an embedded sample-and-hold circuit 1 and an encryption circuit are mounted was fabricated on a 0.18 ⁇ m CMOS process.
- AES-A and AES-B are cryptographic modules
- Switch is a sampling switch SW1
- UGA is a unity gain amplifier 2.
- the AES (Advanced Encryption Standard) encryption circuit was selected as the target of power supply noise evaluation using the on-chip monitor circuit 20.
- the AES cryptographic module is an implementation that processes one round in one clock cycle, and the implementation of “S-box”, which is the internal logical structure, is a composite implementation. Since it focuses on the evaluation of the side channel measurement method, no countermeasure circuit against side channel attacks is implemented.
- the input channel of the on-chip monitor circuit 20 is connected to the power supply node (Vdd) of the AES encryption module at two different locations in the chip, and either one can be selected.
- the power supply domain of the sample and hold circuit 1 is 3.3V, which is separated from the AES encryption module 1.8V. By separating both the power wiring and the ground wiring, noise coupling between the power domains can be eliminated, and highly reproducible measurement can be realized.
- the semiconductor chip 10 includes cryptographic modules (AES) 11 and 12, and an on-chip monitor circuit 20 including a sample hold circuit 1 and a unity gain amplifier 2.
- AES cryptographic modules
- FPGA field programmable gate array
- the sampling timing is generated using a trigger signal synchronized with the clock signal (CLK) of the AES core of the cryptographic modules 11 and 12, and the delay is controlled using the delay line (DL) 15 on the board of the FPGA 14. .
- the DC signal output buffered by the sample hold circuit 1 is converted into a digital code by an on-board A / D conversion circuit (ADC) 13.
- ADC on-board A / D conversion circuit
- the FPGA 14 controls the delay line (DL) 15 and the A / D conversion circuit 13, acquires a voltage waveform, and transfers the digital code to the personal computer 16 for data processing.
- the FPGA 14 also controls encryption processing of the AES encryption circuit.
- On-chip monitor and hardware security The evaluation method of side channel leakage using an on-chip monitor is described below from the viewpoint of hardware security. As a result, the vulnerability (or robustness) against the side channel attack of the encryption circuit to be tested is confirmed.
- the high-side measurement method in which 1 ⁇ is inserted in the power supply line and the magnetic field probe measurement method are also performed.
- E [•] is a function indicating the time average value of the arguments
- Var [•] is a function indicating the variance of the arguments.
- T is a measured waveform
- X is a 1-byte partial plaintext used for an attack among plaintext (plain text) that is input to the AES core of the cryptographic modules 11 and 12.
- a high SNR means that the degree of information leakage is high and is easily used by an attacker (see, for example, Non-Patent Document 4).
- the correlation analysis attack Correlation (power analysis: CPA) method (for example, see Non-Patent Document 1), which is an actual attack method, is performed.
- the CPA attacks by taking the Pearson correlation coefficient ⁇ between the measured waveform T of the side channel leakage and the predicted leakage model L.
- frequency components will be evaluated.
- a CPA attack is performed for each frequency component, and the degree of information leakage with respect to the frequency component is evaluated. If leakage of information with a high frequency component is observed in the waveform by the on-chip monitor, the off-chip measurement method has a narrow frequency band, and this component is difficult to measure.
- FIG. 4A is a leakage analysis result by the semiconductor chip test system of FIG. 3, and is a graph showing the SNR for the selected plain text
- FIG. 4B is a leakage analysis result by the semiconductor chip test system of FIG.
- FIG. 6 is a graph showing estimated entropy for each measurement.
- FIG. 4A shows a plot of the SNR expressed by equation (1) for each measurement. The points with the highest SNR in each 1 byte when divided into 16 partial keys are plotted for each measurement. It is clear that the measurement by the on-chip monitor circuit 20 has a higher SNR than other measurements.
- an attack using the on-chip monitor circuit 20 can specify a key with a small number of waveforms, 1,200 waveforms.
- the 1 ⁇ measurement method and the EM measurement method EM1 require 2,000 waveforms
- the EM measurement method EM2 requires 3,100 waveforms. From these evaluations, it can be said that the measurement using the on-chip monitor circuit 20 has the highest SNR and the high degree of information leakage.
- FIG. 5A is an analysis result obtained by using the 1 ⁇ (high side) method of the correlation analysis attack method of the high frequency component analysis by the semiconductor chip test system of FIG. It is.
- FIG. 5B is an analysis result obtained by using the on-chip monitor method in the correlation analysis attack method of the high frequency component analysis by the semiconductor chip test system of FIG. 3, and is a graph showing the correlation value in the frequency domain.
- FIG. 5A and FIG. 5B show the results of converting the measurement waveform similar to the previous section into the frequency domain using FFT and performing CPA. From the attack result for each frequency against the power supply noise waveform by the on-chip monitor circuit 20, it can be seen that there are many leaks at both low and high frequencies. Specifically, information leakage can be confirmed in a wide range of 300 MHz, 620 MHz, 800 MHz, and 1 GHz. On the other hand, the measurement using the 1 ⁇ method has a lot of noise at a high frequency and evaluation is insufficient. This is because, in the 1 ⁇ method, 1 ⁇ and the circuit capacitance act as a low-pass filter to suppress high-frequency components of information leakage.
- the evaluation of side channel information leakage by the on-chip monitor circuit 20 is considered useful even in a high-speed encryption circuit.
- the frequency at which information leakage occurs varies depending on the circuit method and device mounting method.
- the on-chip monitor circuit 20 can acquire voltages at any position within the chip.
- a typical measurement target is the power supply voltage terminal (Vdd) of the cryptographic modules 11 and 12.
- Vdd power supply voltage terminal
- the physical arrangement and wiring between the circuit under test and the on-chip monitor circuit 20 are limited, and there are barriers such as routing of probe wiring from the on-chip monitor circuit 20.
- potential fluctuation of the silicon substrate that is, substrate noise can be considered. It is known that the substrate noise is strongly correlated with the operation of the digital circuit in the chip, as in the case of power supply noise (see, for example, Non-Patent Document 3).
- substrate noise is greatly attenuated with distance, it can be observed from any location on the chip, and there is no need to limit the probe position near the circuit under test. That is, the board noise of the cryptographic modules 11 and 12 arranged at different positions on the same chip can be observed in the vicinity of the arrangement position of the on-chip monitor circuit, and side channel leakage can be performed without changing the physical design. The quantity can
- the measurement of the substrate noise by the on-chip monitor circuit 20 can be a standard evaluation means for side channel leakage via the silicon substrate. If the mounting flow of the on-chip monitor circuit 20 in the semiconductor chip is automated, the chip area and the number of pins occupied by the on-chip monitor circuit 20 and the detection and calibration method of the characteristic variation of the on-chip monitor circuit 20 are established, It is thought that the application of security uses will progress.
- FIG. 6A is a block diagram showing a configuration of another semiconductor chip test system according to the first embodiment.
- FIG. 6B is a timing chart of signals showing the operation of the semiconductor chip test system of FIG. 6A.
- a device under test (DUT) 100 includes a system-on-chip (SoC) 101, a cryptographic module 102, an on-chip monitor circuit 20 including a sample hold circuit 1, a selection switch circuit 105, and a unity gain amplifier 108.
- the selection logic circuit 106 and the bias voltage generator 107 are provided.
- the automatic test apparatus (ATE) 300 includes a digital signal generation circuit 301, an arbitrary waveform generator (AWG) 302, and an A / D conversion circuit 303.
- AMG arbitrary waveform generator
- the test environment for semiconductor chips is expanded as shown in FIG. 6A.
- the on-chip monitor circuit 20 having the sample and hold circuit 1 having a plurality of input channels and the automatic test apparatus 300 having the mixed signal extension function in addition to the function / performance test in the semiconductor IC chip for security.
- a device under test (DUT: Device Under Test) 100 outputs a processing result to an input test vector generated by the automatic test apparatus 300.
- the automatic test apparatus 300 compares the output value of the device under test 100 with the expected value, and determines whether the hardware security requirements are met or not, and the semiconductor chip pass / fail is determined.
- a test vector used for testing a semiconductor chip is generated so as to include all flip-flop operations.
- the test vector also controls the on-chip monitor circuit 20 to selectively operate the sampling circuit 1 that receives the power supply wiring and substrate potential of the device under test 100 or the substrate potential in the vicinity of the on-chip monitor circuit 20 as input.
- a noise waveform during the operation time of the cryptographic module 102 is acquired.
- the voltage is held at the sampling timing generated by the automatic test apparatus 300 and converted into a digital value by the A / D conversion circuit 303 of the automatic test apparatus 300.
- the on-chip monitor circuit 20 and the cryptographic module 102 are synchronized with the system clock. In the clock cycle of interest, the on-chip monitor circuit 20 repeatedly captures the voltage value while shifting the sampling timing of the on-chip monitor circuit 20 with respect to the system clock, and the voltage waveform is obtained. Obtain (see FIG. 6B).
- FIG. 7 is a flowchart showing a semiconductor chip test process by the semiconductor chip test system of FIG. 6A.
- the semiconductor chip test process includes a calibration process (S1), a waveform measurement process (S2), and a waveform detection process (S3).
- step S1 first, the amplitude characteristic of the on-chip monitor circuit 20 is calibrated.
- the device under test 100 is accessed in step S11, and the sample hold circuit 1 is calibrated in step S12.
- step S2 waveform measurement processing is executed in step S2. That is, various functions and performances of the device under test 100 are evaluated using n test vectors.
- a side channel leakage amount test in the cryptographic module 102 is performed using the i-th test vector (S13 to S20).
- This test vector includes a signal set related to the control of the on-chip monitor circuit 20, and obtains a waveform in a clock cycle period of interest.
- the division number k of the waveform acquisition range determines the time resolution of the waveform, and a voltage value is obtained every time the sampling time is delayed by j with respect to the clock signal.
- the determination as to whether the hardware security requirement is satisfied or not is performed including evaluation of the acquired noise waveform. That is, in the waveform detection process (S3), the function value evaluation (S21), the waveform evaluation (S22), and the determination as to whether or not the hardware security requirements for the device under measurement 100 are met (S23). )I do.
- the waveform acquisition characteristics of the on-chip monitor circuit 20 are calibrated based on the input / output characteristics for a sine wave signal with a known amplitude level.
- the sine wave is output from the arbitrary waveform generator 302 of the automatic test apparatus 300.
- the waveform acquisition characteristics of the on-chip monitor circuit 20 are determined by the input / output characteristics of the sample hold circuit 1 and the like constituting the on-chip monitor circuit 20, and the time resolution and timing accuracy of the sampling timing generation by the automatic test apparatus 300.
- Device variations associated with the manufacture of the semiconductor chip cause offset DC voltage and gain shift of the on-chip monitor circuit 20, but both can be removed by calibration with a sine wave.
- test vector (i) is used in the device under test 100 whose authenticity is guaranteed in advance.
- the power supply noise waveform acquired for the clock cycle section focused on in step 1 is defined as a reference waveform (Golden model).
- the average and variation of reference waveforms in a set of wafers and semiconductor chips whose authenticity has been confirmed are stored as a database, and compared with the average and variation of waveforms of power supply noise and substrate noise on the entire wafer surface including the semiconductor chip to be evaluated. If there is a significant difference between the two in consideration of characteristic variations after calibration of the on-chip monitor circuit 20 and measurement environment variations such as temperature and power supply voltage, the requirements for hardware security are not satisfied. Judge.
- FIG. 8 is a schematic external view when a probe card is connected to a semiconductor chip in the semiconductor chip test system of FIG. 6A. That is, FIG. 8 shows a concept for minimizing the mounting cost of the test method using the on-chip monitor circuit 20 relating to the hardware security requirements of the semiconductor chip.
- the probe card 200 has pads 201 to 203, 211 to 213 and probes 221 to 223 and 231 to 233 connected to the pads 121 to 123 and 131 to 133 of the device under test 100 on the uppermost surface thereof. Is provided.
- the pads 201 to 203 and 211 to 213 are connected to the automatic test apparatus 300.
- the measurement object by the on-chip monitor circuit 20 is set to the substrate noise in the vicinity thereof, so that the physical arrangement of the on-chip monitor circuit 20 and the dedicated pads 121 to 123 and 131 to 133 is limited to the unused area of the chip. Can be limited.
- the execution time related to waveform acquisition of the on-chip monitor circuit 20 is also a factor of the test cost.
- the sample hold circuit 1 and the like are repeatedly operated together with the device under test 100, and the sampling timing is changed within the range of the clock cycle period of interest.
- the time resolution is 0.1 ns, if the clock cycle interval is 100 ns (for example, 10 ns clock cycle ⁇ 10 cycle interval), 1,000 samplings are required.
- the total time length depends on the length of the test vector and the conversion time of the analog-digital converter, and can be improved by devising the test vector, paralleling the circuit, increasing the resource throughput of the automatic test apparatus 300, etc. And equipment price.
- the first embodiment has proposed a hardware security application of the on-chip monitor circuit 20, particularly an on-chip measurement method for side channel leakage. Compared with the conventional method of measuring the power supply current by using an on-board resistor or magnetic field probe, remarkably high reproducibility can be obtained. By mounting the on-chip monitor circuit 20 on a semiconductor chip having a security function, it can be applied to quantitative evaluation of side channel information leakage and detection of hardware trojans.
- FIG. 9 is a block diagram showing a configuration of the semiconductor chip 10 including the on-chip monitor circuit 20 used in the example according to the first embodiment.
- FIG. 10 is a graph showing the experimental result of the on-chip monitor circuit 20 of FIG. 9 and the noise waveform of the power supply line of the ground side power supply voltage Vss.
- a plurality of cryptographic modules (AES cores) 11, 12, 11A, 12A,... are embedded on a semiconductor chip 10, and each cryptographic module (AES core) 11, 12, 11A, 12A,.
- a power supply line that supplies a positive power supply voltage Vdd and a power supply line that supplies a ground-side power supply voltage Vss are connected.
- the on-chip monitor circuit 20 measures the voltage Vss of the power supply line of the ground-side power supply voltage Vss during the most important clock cycle of the AES operation from the viewpoint of information leakage.
- the magnitude of the noise measured in the clock cycle is obtained as a noise voltage Vnoise as shown in FIG.
- FIG. 11 is a graph showing experimental results of the on-chip monitor circuit 20 of FIG.
- FIG. 12 is a graph showing experimental results of the on-chip monitor circuit 20 of FIG. 9 and showing the noise voltage Vnoise with respect to the number of active cryptographic modules.
- the number of logic gates per cryptographic module (AES core) varies depending on the design, but is approximately 12.824 kgates / core.
- the noise voltage Vnoise per cryptographic module (AES core) reaches 0.75 mV / core from the measurement of the voltage Vss of the on-chip ground side power supply line.
- a noise voltage Vnoise of approximately 2 mV exists as background noise, and is recognized as a minimum measurable noise voltage in the measurement of the noise voltage Vnoise.
- the noise voltage Vnoise changes in a linear relationship of 0.75 mV / core
- the noise voltage Vnoise is approximately 60 nV / gate per gate from a division operation of 0.75 mV / 12824.
- the threshold value of the number of detectable gates is about 100.
- the number of gates of a Trojan horse circuit is 190, which corresponds to about 2.5% of the original circuit of a small cryptographic module (AES core). Therefore, it can be said that a circuit such as a Trojan horse can be reliably detected using the on-chip monitor circuit 20 according to the first embodiment.
- FIG. FIG. 13 is a plan view showing a configuration of a system LSI chip 400 with a cryptographic function having the on-chip monitor circuit 20 according to the second embodiment.
- the second embodiment is characterized in that an on-chip monitor circuit 20 is provided in a system VLSI chip 400 having a cryptographic module 402 in addition to various function modules 401.
- the system input signal reaches the cryptographic module 402 via the signal transmission path 403, and then outputs a predetermined system output signal.
- the potential of the silicon substrate that is the observation target 25 is measured, and the monitor output signal of the measurement result Is output.
- the cryptographic module 402 is buried together with the various functional modules 401, an attacker cannot be identified. Therefore, the circuit configuration of the cryptographic module 402 and the physical arrangement in the chip are not known. Absent. Further, the on-chip monitor circuit 20 observes the potential of the nearby silicon substrate and does not have an explicit probing wiring leading to the cryptographic module 402, so that the attacker cannot follow the signal transmission path 403. There is.
- FIG. 14 is a plan view showing a configuration of a system LSI chip with a cryptographic function having an on-chip monitor circuit according to a modification of the second embodiment.
- the on-chip monitor circuit 20 may observe power supply wiring and ground wiring inside the cryptographic module 402.
- the signal transmission path 403 of the probing wiring leading to the cryptographic module 402 can be made difficult to trace by displacing it in the VLSI internal wiring.
- FIG. 15A is a block diagram of Example 1 of the on-chip monitor circuit 20 of the system LSI chip with encryption function according to the second embodiment.
- the on-chip monitor circuit 20 includes a window register 21, a clock counter 22, a comparator 23, and an analog front end circuit 24.
- the window register 21 is given a predetermined preload value that designates a window period from, for example, an automatic test device (for example, a value of 1 is given when the window is opened, and a value of 0 is given when the window is closed, for example). For example, digital data such as “000001111110000” is loaded and temporarily stored.
- the clock counter 22 counts the number of clock cycles, compares the preloaded window register value with the comparator 23, and outputs a sampling pulse when they match. Generated and output to the analog front-end circuit 24. Thereby, the on-chip monitor circuit 20 that self-determines the observation timing can be realized.
- the analog front end circuit 24 observes the waveform of the potential of the silicon substrate to be observed (FIG. 13) or the internal power supply node (FIG. 14) of the cryptographic module 402 during the predetermined window period.
- the signal waveform to be observed is measured in the time period required for information leakage unique to the cryptographic processing of the cryptographic module 402, and it is determined whether the hardware security requirement is satisfied or not satisfied. If it is configured so as to be able to, it is possible to further prevent attacks from Service-to-Self.
- FIG. 15B is a circuit diagram showing a first circuit example of the analog front-end circuit of FIG. 15A.
- FIG. 15C is a circuit diagram showing a second circuit example of the analog front-end circuit of FIG. 15A.
- the analog front end circuit 24 of the on-chip monitor circuit 20 in FIG. 15A may have any circuit configuration such as the sample hold type (SH) in FIG. 15B or the comparator type (SF + LC) in FIG. 15C.
- 15C includes a source follower circuit 3 including two P-channel MOS transistors Q11 and Q12 and a latch comparator 4.
- FIG. 16 is a timing chart of each signal showing the operation of the on-chip monitor circuit 20 of FIG. 15A.
- the window register value is set so that the sampling pulse of the on-chip monitor circuit 20 is generated in the clock cycle in which the side channel information leakage of the cryptographic module 402 is maximized.
- FIG. 17 is a block diagram of Example 2 of the on-chip monitor circuit 20A of the system LSI chip with encryption function according to the second embodiment.
- the on-chip monitor circuit 20A in FIG. 17 delays the trigger signal by a delay register 26 that temporarily stores a delay code and a delay time corresponding to the delay code, as compared with the on-chip monitor circuit 20 in FIG. 15A.
- This further includes a delay generator 27 that delays the start timing of the window period and generates a sampling pulse ( ⁇ ).
- ⁇ the delay time specified by the delay register value by the delay generator 27 is used.
- a sampling pulse ( ⁇ ) is generated at a delayed timing.
- FIG. 18 is a timing chart of each signal showing the operation of the on-chip monitor circuit 20A of FIG. As shown in FIG. 18, by the designated delay code (FIG. 17), the timing at which the information leakage becomes maximum or most noticeable (start) in the clock cycle in which the information leakage of the cryptographic module occurs, and the on-chip monitor In order to match the sampling timing, a delay time controlled in advance can be added.
- FIG. 19 is a flowchart showing a test process of a system LSI chip with encryption function having the on-chip monitor circuit 20 of FIG. 15A.
- step S31 a predetermined preload value Nw is set in the window register 21.
- the conditions are embedded in the test vector generation flow for the function test use of the system VLSI chip 400.
- step S33 the test of the target semiconductor chip is repeatedly executed to quantify the information leakage in the information leakage cycle and meet / do not satisfy the hardware security requirements (ie, a malicious circuit such as a Trojan horse, for example) Security evaluation (whether it is included or information is leaked from the cryptographic module 402) is determined, and the determination result is output.
- the window register 21 is set to zero (or a dummy value), and the test process is finished.
- step S31 the timing at which information leakage is most prominent is evaluated and extracted in advance, and the delay amount of the delay generator 27 is set in the delay register 26. Also good.
- step S34 at least one of the window register 21 and the delay register 26 may be set to a zero value or a dummy value that is not known to the Service-to-Self, and the processing may be terminated logically as “unchangeable”.
- the delay register 26 is configured using a one-time memory (a memory that can be rewritten only once).
- a hidden bit is set, and control is performed so that rewriting is impossible when the hidden bit is “1”.
- FIG. 20 is a circuit diagram showing a configuration of an on-chip monitor circuit 20B according to a modification of the second embodiment.
- an SNR calculator 5 for performing CPA may be provided after the on-chip monitor analog front-end circuit 24 including the source follower circuit 3 and the latch comparator 4.
- FIG. 21 is a block diagram showing a characteristic part of the entire configuration of the semiconductor chip test system according to the second embodiment.
- a monitor sampling timing using a delay generator 27 capable of digitally adjusting a predetermined critical path delay amount in the combinational logic 410 of the cryptographic module 402
- the noise waveform can be extracted in advance by evaluating the timing at which information leakage becomes most prominent.
- the cryptographic module 402 cannot be tested by using a kill signal input via the kill signal pad 29 or by setting a zero value or a dummy value in the window register 21 (FIGS. 15A and 17). It can be.
- the semiconductor chip provided with the cryptographic module has been described.
- the present invention is not limited to this, and physical copying such as PRNG (pseudo random number generator) or PUF (element variation) is not possible.
- Security functions such as security ID generation function, digital signature function falsification function, individual identification function, etc., and security function processing for input signals and output security function signals It may be a module.
- a zero value or a dummy value not known to the Service-to-Self is set in at least one of the window register 21 and the delay register 26 to logically
- the operation of the on-chip monitor circuit 20 is stopped by ending as “unchangeable”, but the present invention is not limited to this, and the operation of the on-chip monitor circuit 20 is forcibly stopped after the test of the semiconductor chip is completed. May be.
- the on-chip monitor circuit in the semiconductor chip requiring security is malicious in the manufacturing stage of the semiconductor chip provided with the security function module.
- an on-chip monitor circuit for testing the semiconductor chip can be provided so as to prevent a security attack such as a Trojan horse embedding the circuit.
- SoC System on chip
- 102 Cryptographic module
- 103, 104 ... source follower circuit, 105 ... selection switch circuit
- 106 ... selection logic circuit
- 107 Bias voltage generator, 121-123, 131-133 ... pads, 200 ... probe card, 201-203, 211-213 ... pads, 221 to 223, 231 to 233 ... probe, 300 ... automatic test equipment (ATE), 301: Digital signal generation circuit, 302 ... Arbitrary waveform generator (AWG), 303 ... A / D conversion circuit
- 400 System LSI chip, 401 ... functional module
- 402 Cryptographic module
- 403 Signal transmission path, C1 to C3 ... capacitors, Q1-Q12 ... MOS transistors, S1 ... calibration process, S2 ... Waveform measurement processing, S3 ... Waveform detection processing, SW1, SW11 to SW13: Sampling switches.
Landscapes
- Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Power Engineering (AREA)
- Computer Security & Cryptography (AREA)
- Condensed Matter Physics & Semiconductors (AREA)
- Software Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Quality & Reliability (AREA)
- Manufacturing & Machinery (AREA)
- Semiconductor Integrated Circuits (AREA)
- Testing Of Individual Semiconductor Devices (AREA)
- Tests Of Electronic Circuits (AREA)
Abstract
Description
上記半導体チップのテストを行うウィンドウ期間を指定するデータを記憶する第1の記憶手段と、
上記セキュリティ機能モジュールに所定のテスト信号を入力したときに、上記ウィンドウ期間において上記モニタ回路を動作させるように制御する制御手段とを備えたことを特徴とする。
リセット信号を受信した後、クロック信号を計数して計数値のデータを出力する計数手段と、
上記ウィンドウ期間を指定するデータを、上記計数値のデータと比較して各データが一致するときに上記モニタ回路を動作させるように制御する比較手段とを備えたことを特徴とする。
上記制御手段は、上記遅延コードに対応する遅延時間だけ上記ウィンドウ期間のタイミングを遅延させることを特徴とする。
上記オンチップモニタ回路を備えたことを特徴とする。
上記半導体チップと、
上記半導体チップをテストするテスト装置とを備えた半導体チップテストシステムであって、
上記テスト装置は、
上記セキュリティ機能モジュールからの情報漏洩期間が上記ウィンドウ期間に含まれるようにテスト信号を発生して上記半導体チップに出力するテスト信号発生手段と、
上記モニタ回路からの信号波形に基づいてセキュリティ機能モジュールからの情報漏洩を定量化してセキュリティ評価の判断を行う判断手段とを備えたことを特徴とする。
上記半導体チップのテストを行うウィンドウ期間を指定するデータを第1の記憶手段に記憶するステップと、
上記セキュリティ機能モジュールに所定のテスト信号を入力したときに、上記ウィンドウ期間において上記モニタ回路を動作させるように制御するステップとを含むことを特徴とする。
入力される遅延コードを第2の記憶手段に記憶するステップと、
上記遅延コードに対応する遅延時間だけ上記ウィンドウ期間のタイミングを遅延させるステップをさらに含むことを特徴とする。
上記セキュリティ機能モジュールからの情報漏洩期間が上記ウィンドウ期間に含まれるようにテスト信号を発生して上記半導体チップに出力するステップと、
上記モニタ回路からの信号波形に基づいてセキュリティ機能モジュールからの情報漏洩を定量化してセキュリティ評価の判断を行うステップとをさらに含むことを特徴とする。
上記半導体チップのテスト終了後に、上記第1の記憶手段と上記第2の記憶手段の少なくとも1つに所定値を記憶することで論理的に書き換え不能にするステップをさらに含むことを特徴とする。
1-1.はじめに
暗号等のセキュリティ機能を有する半導体チップについて、その電源ノイズがセキュリティ機能の内部回路動作と強く相関することが知られている。ハードウェアセキュリティにかかる半導体チップ技術要件として、電源ノイズによるサイドチャネル情報漏洩の定量化や抑制手段の搭載が求められる。実施形態1では、オンチップのノイズ測定手段(オンチップモニタ回路)をサイドチャネル情報漏洩の定量的な診断やテストに応用する。オンチップモニタ回路によるノイズ波形の取得とサイドチャネル漏洩の標準的な評価環境を示すとともに、半導体チップのセキュリティに関するテストフローへの組込みを提案する。
図1Aは実施形態1に係るオンチップモニタ回路20の基本的な構成を示す回路図である。図1Aにおいて、オンチップモニタ回路20は、サンプリングスイッチSW1及びキャパシタC1にてなるサンプルホールド回路1と、ユニティーゲインアンプ2とを備えて構成される。埋め込み型のサンプルホールド回路1により、半導体チップ内部の電源ノイズ等のオンチップ波形を取得する。サンプルホールド回路1は、被測定アナログ電圧をサンプリングクロックに従って捕捉し、そのDC電圧を保持し半導体チップ10の外部回路に出力する。サンプリングスイッチSW1とキャパシタC1は高電圧(3.3V)の素子を用いて構成し、1.8Vの暗号化コアの電源電圧(Vdd)は直接にサンプルホールド回路1に接続し、出力のDC電圧を、利得1のユニティーゲインアンプ(UGA)2でバッファリングして出力する。
以下、ハードウェアセキュリティの視点から、オンチップモニタを用いたサイドチャネル漏洩の評価法について述べる。これにより、テスト対象となる暗号化回路のサイドチャネル攻撃に対する脆弱性(もしくは堅牢性)を確認する。オンチップモニタによる評価法と比較するため、1Ωを電源ラインに挿入したハイサイド測定法と磁界プローブ測定法もあわせて行う。
図4Aは図3の半導体チップテストシステムによる漏洩解析結果であって、選択されたプレインテキストに対するSNRを示すグラフであり、図4Bは図3の半導体チップテストシステムによる漏洩解析結果であって、各測定に対する推定エントロピーを示すグラフである。
図5Aは図3の半導体チップテストシステムによる高周波成分解析の相関解析攻撃法のうち1Ω(ハイサイド)法を用いて得られた解析結果であって、周波数領域の相関値を示すグラフである。また、図5Bは図3の半導体チップテストシステムによる高周波成分解析の相関解析攻撃法のうちオンチップモニタ法を用いて得られた解析結果であって、周波数領域の相関値を示すグラフである。
1-6-1.サイドチャネル情報漏洩の評価
半導体チップにおけるサイドチャネル情報漏洩の標準評価手段として、オンチップモニタ回路(OCM)20の利用を提案する。前章のとおり、オンチップモニタ回路20による測定はその他の測定法に比べて高いSNRを得ることから、情報漏洩の程度をより小さいレベルまで評価できる。漏洩評価の不確かさの要因として、プロセスばらつきと環境ノイズが考えられる。オンチップモニタ回路20によるオンチップ測定は、環境ノイズの影響を受けにくい。一方、プロセスばらつきは製造テクノロジに応じて普遍的に存在する。OCMを用いた測定について、適切な較正によりばらつきの影響を低減できる。
半導体チップに悪意あるトロイが混入するシナリオとして、ウェハプロセスの製造者がマスクを改変し悪意ある回路や構造を埋め込むことが考えられる(例えば、非特許文献7参照)。サイドチャネル情報の測定によるトロイ検知手法では、基準となる動作モデル(golden model)が必要であることが知られており、その導出法は未解決の技術課題である。オンチップモニタ回路20の活用により、真正であることの保証されたチップにおいて再現性の高い電源ノイズあるいは基板ノイズの測定データを収集し、これをもとに基準データあるいは動作モデルを構築することが考えられる。
1-7-1.テスト環境
図6Aは実施形態1に係る別の半導体チップテストシステムの構成を示すブロック図である。また、図6Bは図6Aの半導体チップテストシステムの動作を示す各信号のタイミングチャートである。図6Aにおいて、被測定デバイス(DUT)100は、システムオンチップ(SoC)101と、暗号モジュール102と、サンプルホールド回路1、選択スイッチ回路105及びユニティーゲインアンプ108を備えたオンチップモニタ回路20と、選択ロジック回路106と、バイアス電圧発生器107とを備えて構成される。また、自動テスト装置(ATE)300は、デジタル信号発生回路301と、任意波形発生器(AWG:Arbitrary Waveform Generator)302と、A/D変換回路303とを備えて構成される。
図7は図6Aの半導体チップテストシステムによる半導体チップのテスト処理を示すフローチャートである。半導体チップのテストフローを図7のように拡張することで、オンチップモニタ回路20を用いたハードウェアセキュリティに関する評価項目を組込むことができる。半導体チップのテスト処理は、較正処理(S1)と、波形測定処理(S2)と、波形検出処理(S3)とを含む。
図8は図6Aの半導体チップテストシステムにおいてプローブカードを半導体チップに接続する場合の概略外観図である。すなわち、半導体チップのハードウェアセキュリティ要件に関するオンチップモニタ回路20を用いたテスト手法の実装コストを最小化する構想を図8に示す。プローブカード200は、その最上面において、パッド201~203,211~213及び各パッドに接続されて被測定デバイス100のパッド121~123,131~133に接続されるプローブ221~223,231~233を備える。なお、パッド201~203,211~213は自動テスト装置300に接続される。すなわち、ウェハレベルのテストアクセスを前提としたオンチップモニタ回路20専用パッド121~123,131~133を備えることで、被評価半導体チップのコア回路への入出力パッドへの影響を最小化し、半導体チップのアセンブリ工程にかかわる入出力パッドと分離する。上述したように、オンチップモニタ回路20による測定対象をその近傍の基板ノイズとすることで、オンチップモニタ回路20及び専用パッド121~123,131~133の物理配置をチップの未使用領域のみに限定できる。
以上説明したように、実施形態1では、オンチップモニタ回路20のハードウェアセキュリティ応用、とりわけサイドチャネル漏洩のオンチップ測定法を提案した。オンボードの抵抗器や磁界プローブを用いで電源電流を測定する従来手法に比較して、格段に高い再現性が得られる。セキュリティ機能を有する半導体チップにオンチップモニタ回路20を搭載することで、サイドチャネル情報漏洩の定量的な評価やハードウェアトロイの検出に応用できる。
図13は実施形態2に係る、オンチップモニタ回路20を有する暗号機能付きシステムLSIチップ400の構成を示す平面図である。実施形態2は、図13に示すように、各種機能モジュール401に加えて暗号モジュール402を有するシステムVLSIチップ400において、オンチップモニタ回路20を備えたことを特徴としている。図13において、システム入力信号は信号伝達経路403を介して暗号モジュール402に到達した後、所定のシステム出力信号を出力する。このとき、例えば、オンチップモニタ回路20を用いて、例えば自動テスト装置300からのモニタ制御信号に応答して、観測対象25であるシリコン基板の電位を測定して、その測定結果のモニタ出力信号を出力する。
(1)遅延レジスタ26を、ワンタイムメモリ(一回のみ書換え可能なメモリ)を用いて構成する。
(2)隠れビットを設定して、当該隠れビットが”1”のときに書換え不能となるよう制御する。
2…ユニティーゲインアンプ、
3…ソースフォロア回路、
4…コンパレータ、
5…演算器、
10…半導体チップ、
11,12,11A,12A…暗号モジュール、
13…A/D変換回路、
14…フィールドプログラマブルゲートアレイ(FPGA)、
15…遅延ライン、
16…パーソナルコンピュータ、
20,20A,20B…オンチップモニタ回路、
21…ウィンドウレジスタ、
22…クロックカウンタ、
23…コンパレータ、
24,24A…アナログフロントエンド回路、
25…観測対象、
26…遅延レジスタ、
27…遅延発生器、
28…キルスイッチ、
29…キル信号パッド、
100…被測定デバイス(DUT)、
101…システムオンチップ(SoC)、
102…暗号モジュール、
103,104…ソースフォロア回路、
105…選択スイッチ回路、
106…選択ロジック回路、
107…バイアス電圧発生器、
121~123,131~133…パッド、
200…プローブカード、
201~203,211~213…パッド、
221~223,231~233…プローブ、
300…自動テスト装置(ATE)、
301…デジタル信号発生回路、
302…任意波形発生器(AWG)、
303…A/D変換回路、
400…システムLSIチップ、
401…機能モジュール、
402…暗号モジュール、
403…信号伝達経路、
C1~C3…キャパシタ、
Q1~Q12…MOSトランジスタ、
S1…較正処理、
S2…波形測定処理、
S3…波形検出処理、
SW1、SW11~SW13…サンプリングスイッチ。
Claims (17)
- 入力信号に対してセキュリティ機能処理を行ってセキュリティ機能信号を出力するセキュリティ機能モジュールを備えた半導体チップに実装されたオンチップモニタ回路であって、上記半導体チップの信号波形をモニタするモニタ回路を備えたオンチップモニタ回路において、
上記半導体チップのテストを行うウィンドウ期間を指定するデータを記憶する第1の記憶手段と、
上記セキュリティ機能モジュールに所定のテスト信号を入力したときに、上記ウィンドウ期間において上記モニタ回路を動作させるように制御する制御手段とを備えたことを特徴とするオンチップモニタ回路。 - 上記制御手段は、
リセット信号を受信した後、クロック信号を計数して計数値のデータを出力する計数手段と、
上記ウィンドウ期間を指定するデータを、上記計数値のデータと比較して各データが一致するときに上記モニタ回路を動作させるように制御する比較手段とを備えたことを特徴とする請求項1記載のオンチップモニタ回路。 - 上記ウィンドウ期間は、上記セキュリティ機能モジュールの情報漏洩が最大になる時間期間であることを特徴とする請求項1又は2記載のオンチップモニタ回路。
- 入力される遅延コードを記憶する第2の記憶手段をさらに備え、
上記制御手段は、上記遅延コードに対応する遅延時間だけ上記ウィンドウ期間のタイミングを遅延させることを特徴とする請求項1~3のうちのいずれか1つに記載のオンチップモニタ回路。 - 上記遅延コードは、上記セキュリティ機能モジュールの情報漏洩が最大になるタイミングを指定する遅延量を示すことを特徴とする請求項4記載のオンチップモニタ回路。
- 上記モニタ回路は、上記半導体チップの基板電位又は上記セキュリティ機能モジュールの電源電位の信号波形をモニタすることを特徴とする請求項1~5のうちのいずれか1つに記載のオンチップモニタ回路。
- 上記制御手段は、上記半導体チップのテスト終了後に、上記モニタ回路の動作を停止させることを特徴とする請求項1~6のうちのいずれか1つに記載のオンチップモニタ回路。
- 上記制御手段は、上記半導体チップのテスト終了後に、上記第1の記憶手段と上記第2の記憶手段の少なくとも1つに所定値を記憶することで論理的に書き換え不能にすることを特徴とする請求項4記載のオンチップモニタ回路。
- 上記セキュリティ機能モジュールは暗号モジュールであることを特徴とする請求項1~8のうちのいずれか1つに記載のオンチップモニタ回路。
- 入力信号に対してセキュリティ機能処理を行ってセキュリティ機能信号を出力するセキュリティ機能モジュールを備えた半導体チップにおいて、
請求項1~9のうちのいずれか1つに記載のオンチップモニタ回路を備えたことを特徴とする半導体チップ。 - 請求項10記載の半導体チップと、
上記半導体チップをテストするテスト装置とを備えた半導体チップテストシステムであって、
上記テスト装置は、
上記セキュリティ機能モジュールからの情報漏洩期間が上記ウィンドウ期間に含まれるようにテスト信号を発生して上記半導体チップに出力するテスト信号発生手段と、
上記モニタ回路からの信号波形に基づいてセキュリティ機能モジュールからの情報漏洩を定量化してセキュリティ評価の判断を行う判断手段とを備えたことを特徴とする半導体チップテストシステム。 - 入力信号に対してセキュリティ機能処理を行ってセキュリティ機能信号を出力するセキュリティ機能モジュールを備えた半導体チップに実装されたオンチップモニタ回路であって、上記半導体チップの信号波形をモニタするモニタ回路を備えたオンチップモニタ回路を用いた上記半導体チップのテスト方法において、
上記半導体チップのテストを行うウィンドウ期間を指定するデータを第1の記憶手段に記憶するステップと、
上記セキュリティ機能モジュールに所定のテスト信号を入力したときに、上記ウィンドウ期間において上記モニタ回路を動作させるように制御するステップとを含むことを特徴とする半導体チップのテスト方法。 - 入力される遅延コードを第2の記憶手段に記憶するステップと、
上記遅延コードに対応する遅延時間だけ上記ウィンドウ期間のタイミングを遅延させるステップをさらに含むことを特徴とする請求項12記載の半導体チップのテスト方法。 - 上記セキュリティ機能モジュールからの情報漏洩期間が上記ウィンドウ期間に含まれるようにテスト信号を発生して上記半導体チップに出力するステップと、
上記モニタ回路からの信号波形に基づいてセキュリティ機能モジュールからの情報漏洩を定量化してセキュリティ評価の判断を行うステップとをさらに含むことを特徴とする請求項12又は13記載の半導体チップのテスト方法。 - 上記半導体チップのテスト終了後に、上記モニタ回路の動作を停止させるステップをさらに含むことを特徴とする請求項12~14のうちのいずれか1つに記載の半導体チップのテスト方法。
- 上記半導体チップのテスト終了後に、上記第1の記憶手段と上記第2の記憶手段の少なくとも1つに所定値を記憶することで論理的に書き換え不能にするステップをさらに含むことを特徴とする請求項13記載の半導体チップのテスト方法。
- 上記セキュリティ機能モジュールは暗号モジュールであることを特徴とする請求項12~16のうちのいずれか1つに記載の半導体チップのテスト方法。
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16737338.0A EP3246717B1 (en) | 2015-01-13 | 2016-01-12 | On-chip monitor circuit and semiconductor chip |
JP2016569363A JP6555486B2 (ja) | 2015-01-13 | 2016-01-12 | オンチップモニタ回路及び半導体チップ |
US15/543,501 US10776484B2 (en) | 2015-01-13 | 2016-01-12 | On-chip monitor circuit and semiconductor chip |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015004346 | 2015-01-13 | ||
JP2015-004346 | 2015-01-13 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016114267A1 true WO2016114267A1 (ja) | 2016-07-21 |
Family
ID=56405811
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2016/050725 WO2016114267A1 (ja) | 2015-01-13 | 2016-01-12 | オンチップモニタ回路及び半導体チップ |
Country Status (4)
Country | Link |
---|---|
US (1) | US10776484B2 (ja) |
EP (1) | EP3246717B1 (ja) |
JP (1) | JP6555486B2 (ja) |
WO (1) | WO2016114267A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107577965A (zh) * | 2017-09-27 | 2018-01-12 | 天津津航计算技术研究所 | 一种门延时差异的fpga加密方法 |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10444892B2 (en) * | 2015-10-07 | 2019-10-15 | Microchip Technology Incorporated | Capacitance measurement device with reduced noise |
DE102016201262A1 (de) * | 2016-01-28 | 2017-08-17 | Robert Bosch Gmbh | Verfahren und Vorrichtung zum Bereitstellen eines Computerprogramms |
US10680797B2 (en) * | 2017-04-28 | 2020-06-09 | University Of South Florida | Security-adaptive voltage conversion as a lightweight counter measure against LPA attacks |
US11308239B2 (en) * | 2018-03-30 | 2022-04-19 | Seagate Technology Llc | Jitter attack protection circuit |
US11170106B2 (en) * | 2018-05-10 | 2021-11-09 | Robotic Research, Llc | System for detecting hardware trojans in integrated circuits |
CN109639275B (zh) * | 2018-11-12 | 2023-04-14 | 北京精密机电控制设备研究所 | 一种高可靠模拟数字转换器自动化监测控制系统 |
US11322460B2 (en) | 2019-01-22 | 2022-05-03 | X-Celeprint Limited | Secure integrated-circuit systems |
US11251139B2 (en) | 2019-01-22 | 2022-02-15 | X-Celeprint Limited | Secure integrated-circuit systems |
US10970046B2 (en) | 2019-02-22 | 2021-04-06 | International Business Machines Corporation | Random number generator compatible with complementary metal-oxide semiconductor technology |
US11196575B2 (en) * | 2019-04-24 | 2021-12-07 | International Business Machines Corporation | On-chipset certification to prevent spy chip |
CN110197086B (zh) * | 2019-06-17 | 2022-04-15 | 中国人民解放军陆军工程大学 | 一种集成电路旁路信号自差分放大采样方法与系统 |
US11880454B2 (en) | 2020-05-14 | 2024-01-23 | Qualcomm Incorporated | On-die voltage-frequency security monitor |
TWI769484B (zh) * | 2020-07-13 | 2022-07-01 | 鴻海精密工業股份有限公司 | 晶片腳位連接狀態顯示方法、電腦裝置及儲存介質 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH05251523A (ja) * | 1992-03-06 | 1993-09-28 | Fujitsu Ltd | 電圧測定装置 |
JP2009089045A (ja) * | 2007-09-28 | 2009-04-23 | Toshiba Solutions Corp | 暗号モジュール選定装置およびプログラム |
Family Cites Families (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6298458B1 (en) * | 1999-01-04 | 2001-10-02 | International Business Machines Corporation | System and method for manufacturing test of a physical layer transceiver |
US6614384B2 (en) * | 2000-09-14 | 2003-09-02 | Time Domain Corporation | System and method for detecting an intruder using impulse radio technology |
US7131034B2 (en) * | 2002-11-12 | 2006-10-31 | Sun Microsystems, Inc. | On-chip measurement of signal state duration |
KR100517554B1 (ko) * | 2002-12-05 | 2005-09-28 | 삼성전자주식회사 | 보안 기능을 갖는 반도체 집적 회로 |
US20050066189A1 (en) * | 2003-09-18 | 2005-03-24 | MOSS Robert | Methods and structure for scan testing of secure systems |
US7877621B2 (en) | 2004-09-03 | 2011-01-25 | Virginia Tech Intellectual Properties, Inc. | Detecting software attacks by monitoring electric power consumption patterns |
US20060050929A1 (en) * | 2004-09-09 | 2006-03-09 | Rast Rodger H | Visual vector display generation of very fast moving elements |
US7478294B2 (en) * | 2005-06-14 | 2009-01-13 | Etron Technology, Inc. | Time controllable sensing scheme for sense amplifier in memory IC test |
US7487419B2 (en) * | 2005-06-15 | 2009-02-03 | Nilanjan Mukherjee | Reduced-pin-count-testing architectures for applying test patterns |
JP2009071533A (ja) * | 2007-09-12 | 2009-04-02 | Advantest Corp | 差動信号伝送装置および試験装置 |
KR101436982B1 (ko) * | 2007-10-12 | 2014-09-03 | 삼성전자주식회사 | 반도체 집적 회로 및 그것의 검사 방법 |
WO2009072547A1 (ja) | 2007-12-05 | 2009-06-11 | Nec Corporation | サイドチャネル攻撃耐性評価装置、方法及びプログラム |
FR2928060B1 (fr) | 2008-02-25 | 2010-07-30 | Groupe Des Ecoles De Telecommunications Get Ecole Nat Superieure Des Telecommunications Enst | Procede de test de circuits de cryptographie, circuit de cryptographie securise apte a etre teste, et procede de cablage d'un tel circuit. |
US7525331B1 (en) * | 2008-03-06 | 2009-04-28 | Xilinx, Inc. | On-chip critical path test circuit and method |
US8020138B2 (en) * | 2008-06-02 | 2011-09-13 | International Business Machines Corporation | Voltage island performance/leakage screen monitor for IP characterization |
JP2010134677A (ja) * | 2008-12-04 | 2010-06-17 | Renesas Electronics Corp | マイクロコンピュータ及び組み込みソフトウェア開発システム |
US8305725B2 (en) * | 2009-08-21 | 2012-11-06 | Motorola Solutions, Inc. | Current limiting apparatus and method |
US20130070651A1 (en) * | 2010-05-27 | 2013-03-21 | Kyocera Corporation | Power line communication device, security level setting method, and storage medium storing security level setting program |
JP2012182784A (ja) * | 2011-02-09 | 2012-09-20 | Elpida Memory Inc | 半導体装置 |
US8614571B2 (en) * | 2011-11-18 | 2013-12-24 | Taiwan Semiconductor Manufacturing Co., Ltd. | Apparatus and method for on-chip sampling of dynamic IR voltage drop |
WO2014144857A2 (en) | 2013-03-15 | 2014-09-18 | Power Fingerprinting Inc. | Systems, methods, and apparatus to enhance the integrity assessment when using power fingerprinting systems for computer-based systems |
CN105092930B (zh) * | 2014-05-06 | 2020-10-30 | 恩智浦美国有限公司 | 片上电流测试电路 |
US9804222B2 (en) * | 2014-11-14 | 2017-10-31 | Allegro Microsystems, Llc | Magnetic field sensor with shared path amplifier and analog-to-digital-converter |
US9835680B2 (en) * | 2015-03-16 | 2017-12-05 | Taiwan Semiconductor Manufacturing Company, Ltd. | Method, device and computer program product for circuit testing |
-
2016
- 2016-01-12 WO PCT/JP2016/050725 patent/WO2016114267A1/ja active Application Filing
- 2016-01-12 JP JP2016569363A patent/JP6555486B2/ja active Active
- 2016-01-12 US US15/543,501 patent/US10776484B2/en active Active
- 2016-01-12 EP EP16737338.0A patent/EP3246717B1/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH05251523A (ja) * | 1992-03-06 | 1993-09-28 | Fujitsu Ltd | 電圧測定装置 |
JP2009089045A (ja) * | 2007-09-28 | 2009-04-23 | Toshiba Solutions Corp | 暗号モジュール選定装置およびプログラム |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107577965A (zh) * | 2017-09-27 | 2018-01-12 | 天津津航计算技术研究所 | 一种门延时差异的fpga加密方法 |
CN107577965B (zh) * | 2017-09-27 | 2019-07-02 | 天津津航计算技术研究所 | 一种门延时差异的fpga加密方法 |
Also Published As
Publication number | Publication date |
---|---|
EP3246717A4 (en) | 2018-10-10 |
US20180004944A1 (en) | 2018-01-04 |
US10776484B2 (en) | 2020-09-15 |
EP3246717A1 (en) | 2017-11-22 |
EP3246717B1 (en) | 2022-03-23 |
JPWO2016114267A1 (ja) | 2017-10-26 |
JP6555486B2 (ja) | 2019-08-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6555486B2 (ja) | オンチップモニタ回路及び半導体チップ | |
Hoque et al. | Golden-free hardware Trojan detection with high sensitivity under process noise | |
Salmani et al. | On design vulnerability analysis and trust benchmarks development | |
Li et al. | At-speed delay characterization for IC authentication and Trojan horse detection | |
Narasimhan et al. | Hardware Trojan detection by multiple-parameter side-channel analysis | |
Narasimhan et al. | Multiple-parameter side-channel analysis: A non-invasive hardware Trojan detection approach | |
JP6608457B2 (ja) | 信頼性を高めた物理的クローン不能関数ビットストリーム生成方法 | |
Ngo et al. | Hardware Trojan detection by delay and electromagnetic measurements | |
Ngo et al. | Method taking into account process dispersion to detect hardware Trojan Horse by side-channel analysis | |
Tebelmann et al. | Side-channel analysis of the TERO PUF | |
US20190347416A1 (en) | System for detecting hardware trojans in integrated circuits | |
Majéric et al. | Electromagnetic security tests for SoC | |
Weiner et al. | A calibratable detector for invasive attacks | |
Kutzner et al. | Hardware trojan design and detection: a practical evaluation | |
Yang et al. | Golden-free hardware trojan detection using self-referencing | |
Karimi et al. | On the effect of aging in detecting hardware trojan horses with template analysis | |
Hutter et al. | Exploiting the difference of side-channel leakages | |
Liu et al. | Scca: Side-channel correlation analysis for detecting hardware trojan | |
Lecomte et al. | Thoroughly analyzing the use of ring oscillators for on-chip hardware trojan detection | |
Sharma et al. | A state-of-the-art reverse engineering approach for combating hardware security vulnerabilities at the system and pcb level in iot devices | |
Fujimoto et al. | On-chip power noise measurements of cryptographic VLSI circuits and interpretation for side-channel analysis | |
Fujimoto et al. | A novel methodology for testing hardware security and trust exploiting on-chip power noise measurement | |
Giridharan et al. | A MUX based Latch Technique for the detection of HardwareTrojan using Path Delay Analysis | |
Paul et al. | Rihann: Remote iot hardware authentication with intrinsic identifiers | |
Knichel et al. | The risk of outsourcing: Hidden SCA trojans in third-party IP-cores threaten cryptographic ICs |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16737338 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2016569363 Country of ref document: JP Kind code of ref document: A |
|
REEP | Request for entry into the european phase |
Ref document number: 2016737338 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15543501 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |