CN105391542A

CN105391542A - Detection method and detector applied to integrated circuit for detecting electromagnetic fault injection attack

Info

Publication number: CN105391542A
Application number: CN201510695426.8A
Authority: CN
Inventors: 赵毅强; 刘阿强; 何家骥; 李跃辉
Original assignee: Tianjin University
Current assignee: Tianjin University
Priority date: 2015-10-22
Filing date: 2015-10-22
Publication date: 2016-03-09
Anticipated expiration: 2035-10-22
Also published as: CN105391542B

Abstract

The invention relates to information security, cryptography and encryption circuits, provides detection of electromagnetic fault injection attacks for integrated circuits related to information security such as encryption circuits, and ensures timely response when attacks occur. For this reason, the technical solution adopted by the present invention is to be used for integrated circuit detection electromagnetic fault injection attack detector, the structure is: A1, A2, A3, A4, A5 are 5 inverters, cascaded to form a ring oscillator, ring The oscillation signal output by the oscillator after being buffered by the inverter B is directly input to the combination logic delay comparison structure Detector1, and the other way is input to another combination logic delay comparison structure Detector2 after the reverse of the inverter C; The input signals of the two Detectors are output to the trigger clock input end of the Detector through the combinational logic of the Detector. The invention is mainly applied to integrated circuit safety design.

Description

Electromagnetic fault injection attack detection method and detector for integrated circuit detection

技术领域 technical field

本发明涉及信息安全、密码学与加密电路，具体讲,涉及用于集成电路检测电磁故障注入攻击探测器。 The invention relates to information security, cryptography and encryption circuits, in particular, to a detector for detecting electromagnetic fault injection attacks in integrated circuits.

技术背景 technical background

随着信息社会的发展，信息安全越来越受到人们的重视。密码学与加密电路是现代信息安全的重要保障，能够防止未经授权的访问与非法信息获取，并且在目前的科技水平下，理论上无法通过数学分析与暴力手段破解。然而加密算法的实现离不开实际的芯片电路，例如利用加密过程产生的功耗、电磁等侧信道信息的侧信道攻击，或者利用加密过程中发生错误的故障攻击，均可以通过后续数学分析进而获取密钥等敏感信息[1]。 With the development of information society, people pay more and more attention to information security. Cryptography and encryption circuits are an important guarantee for modern information security, which can prevent unauthorized access and illegal information acquisition, and at the current level of technology, it is theoretically impossible to crack through mathematical analysis and violent means. However, the implementation of the encryption algorithm is inseparable from the actual chip circuit. For example, side-channel attacks using side-channel information such as power consumption and electromagnetics generated during the encryption process, or attacks using faults that occur during the encryption process can be further analyzed through subsequent mathematical analysis. Obtain sensitive information such as keys [1].

故障注入攻击是一种主动的侧信道攻击方式，引起电路产生错误的手段有多种，例如电磁脉冲、激光照射、时钟毛刺、电压毛刺等等，目前已经成为对安全芯片实施攻击最有效的手段[2]。这种攻击方式在已知加密电路所用加密算法的基础上，通过对正在运行中的加密电路进行特定的干扰，使其在特定的时刻发生运算错误，然后攻击者通过采集到的错误的加密结果或者记录分析电路运算错误后的表现，最后经过差分故障分析等手段就可以获取加密电路的密钥等信息。 Fault injection attack is an active side-channel attack method. There are many ways to cause circuit errors, such as electromagnetic pulse, laser irradiation, clock glitch, voltage glitch, etc. It has become the most effective means of attacking security chips. [2]. This attack method is based on the encryption algorithm used by the known encryption circuit, through specific interference to the encryption circuit in operation, so that an operation error occurs at a specific moment, and then the attacker uses the collected wrong encryption result Or record and analyze the performance of the circuit after the operation error, and finally obtain the key and other information of the encryption circuit through differential fault analysis and other means.

电磁故障注入攻击作为一种局部性高精度的攻击手段[3]，由于其操作相对简单、攻击成功率高、电路影响范围小等优点，得到了人们的广泛关注。这种攻击方式通过将电场探头或者磁场探头置于加密电路附近[4]，在电路运行到某一时刻进行触发，通过探头产生一个脉冲信号，从而在芯片内部引发电磁干扰，变化的电磁场耦合到芯片的电源线或者关键信号线，使得电路运行出错。 Electromagnetic fault injection attack, as a local high-precision attack method [3], has attracted widespread attention due to its advantages such as relatively simple operation, high attack success rate, and small circuit influence range. This attack method places an electric field probe or a magnetic field probe near the encryption circuit [4], triggers the circuit at a certain point in operation, and generates a pulse signal through the probe, thereby causing electromagnetic interference inside the chip, and the changing electromagnetic field is coupled to the The power line or key signal line of the chip makes the circuit run wrong.

加密电路的安全主要在于保护电路中密钥的安全，而近年来，电磁故障注入攻击技术的提出，对信息安全造成了极大的威胁，因此需要开展针对电磁故障注入的防御措施。在这方面，一部分研究者在算法改进方面进行了研究，还有一部分在改变电路结构方面进行了研究[5]。经过相关文献和专利的检索，目前关于检测电磁故障注入攻击结构的研究很少，尚未有一种行之有效的检测方法。本专利提出的基于组合逻辑延时的结构配合环形振荡器作为内嵌检测结构可以及时发现攻击，并产生预警信号。 The security of the encryption circuit is mainly to protect the security of the key in the circuit. In recent years, the electromagnetic fault injection attack technology has been proposed, which has caused a great threat to information security. Therefore, it is necessary to carry out defense measures against electromagnetic fault injection. In this regard, some researchers have conducted research on algorithm improvement, and some have conducted research on changing the circuit structure [5]. After searching relevant literature and patents, there are few studies on the detection of electromagnetic fault injection attack structures, and there is no effective detection method yet. The combined logic delay-based structure proposed in this patent cooperates with the ring oscillator as an embedded detection structure to detect attacks in time and generate early warning signals.

参考文献 references

1、刘辉志,赵东艳,张海峰,等.近红外激光故障注入系统在密码芯片攻击中的应用[J].科学技术与工程,2014,14(22):225-230.DOI:10.3969/j.issn.1671-1815.2014.22.043. 1. Liu Huizhi, Zhao Dongyan, Zhang Haifeng, et al. Application of Near Infrared Laser Fault Injection System in Cryptographic Chip Attack[J]. Science Technology and Engineering, 2014,14(22):225-230.DOI:10.3969/j. issn.1671-1815.2014.22.043.

2、ZhouYB,FengDG,ZhouYB,etal.Side-ChannelAttacks:TenYearsAfterItsPublicationandtheImpactsonCryptographicModuleSecurityTesting.[J].CryptologyEprintArchive,2005,2005.3、Dehbaoui,A,Dutertre,J.-M,Robisson,B,etal.ElectromagneticTransientFaultsInjectiononaHardwareandaSoftwareImplementationsofAES[C]//2013WorkshoponFaultDiagnosisandToleranceinCryptography.IEEE,2012:7-15. 2、ZhouYB,FengDG,ZhouYB,etal.Side-ChannelAttacks:TenYearsAfterItsPublicationandtheImpactsonCryptographicModuleSecurityTesting.[J].CryptologyEprintArchive,2005,2005.3、Dehbaoui,A,Dutertre,J.-M,Robisson,B,etal.ElectromagneticTransientFaultsInjectiononaHardwareandaSoftwareImplementationsofAES[C]//2013WorkshoponFaultDiagnosisandToleranceinCryptography .IEEE,2012:7-15.

4、OmarouayacheR,RaoultJ,JarrixS,etal.MagneticmicroprobedesignforEMfaultattack[C]//ElectromagneticCompatibility(EMCEUROPE),2013InternationalSymposiumon.IEEE,2013:949-954. 4. OmarouayacheR, RaoultJ, JarrixS, et al. Magnetic microprobe design for EMfault attack [C] // Electromagnetic Compatibility (EMCEUROPE), 2013 International Symposium on. IEEE, 2013: 949-954.

5、MoroN,HeydemannK,DehbaouiA,etal.Experimentalevaluationoftwosoftwarecountermeasuresagainstfaultattacks[C]//Hardware-OrientedSecurityandTrust(HOST),2014IEEEInternationalSymposiumon.IEEE,2014:112-117。 5. Moro N, Heydemann K, Dehbaoui A, et al. Experimental evaluation of two software counter measures against fault attacks [C] // Hardware-Oriented Security and Trust (HOST), 2014 IEEE International Symposium on. IEEE, 2014: 112-117.

发明内容 Contents of the invention

为克服现有技术的不足，为加密电路等信息安全相关集成电路提供针对电磁故障注入攻击的检测，保证在攻击发生时能够及时进行响应。为此，本发明采取的技术方案是，用于集成电路检测电磁故障注入攻击探测器，结构为：A1、A2、A3、A4、A5为5个反相器，级联形成环形振荡器，环形振荡器经反相器B缓冲后输出的振荡信号一路直接输入到组合逻辑延时比较结构Detector1中，另一路经过反相器C的反向，输入到另一个组合逻辑延时比较结构Detector2中；实现延时功能的组合逻辑D1和触发器E1组成了Detector1，组合逻辑D2和触发器E2组成了Detector2；两个Detector的输入信号连接到该Detector的触发器输入端；两个Detector的输入信号经过该Detector的组合逻辑输出到该Detector的触发器时钟输入端；两个Detector的输出经过一个或门F得到最终的报警信号Alarm。 In order to overcome the deficiencies of existing technologies, the detection of electromagnetic fault injection attacks is provided for information security-related integrated circuits such as encryption circuits, so as to ensure timely response when attacks occur. For this reason, the technical solution adopted by the present invention is to be used for integrated circuit detection electromagnetic fault injection attack detector, the structure is: A1, A2, A3, A4, A5 are 5 inverters, cascaded to form a ring oscillator, ring The oscillation signal output by the oscillator after being buffered by the inverter B is directly input to the combination logic delay comparison structure Detector1, and the other way is input to another combination logic delay comparison structure Detector2 after the reverse of the inverter C; Combination logic D1 and trigger E1 to realize the delay function constitute Detector1, combination logic D2 and trigger E2 constitute Detector2; the input signals of the two Detectors are connected to the trigger input terminals of the Detector; the input signals of the two Detectors pass through The combined logic of the Detector is output to the trigger clock input of the Detector; the outputs of the two Detectors pass through an OR gate F to obtain the final alarm signal Alarm.

通过增大环形振荡器中反相器内晶体管的沟道宽度W_eff，减小反相器的晶体管数目N来提高灵敏度。 The sensitivity is improved by increasing the channel width W _eff of the transistor in the inverter in the ring oscillator and reducing the transistor number N of the inverter.

用于集成电路检测电磁故障注入攻击探测方法，借助前述探测器实现，并包括下列步骤， The method for detecting electromagnetic fault injection attack detection for integrated circuits is realized by means of the aforementioned detectors, and includes the following steps,

首先对探测器的组合逻辑延时模块D1和D2进行调试，使其延时等于环形振荡器输出信号周期的3/4；然后根据电路面积和安全性的需求，将一定数量的探测器内嵌于需要保护的集成电路之中。 Firstly, debug the combined logic delay modules D1 and D2 of the detector so that the delay is equal to 3/4 of the cycle of the ring oscillator output signal; then, according to the circuit area and safety requirements, a certain number of detectors are embedded in integrated circuits that need to be protected.

对于需要保护的集成电路内核心敏感模块，探测器的布局相对密一些，对于电路其余部分，探测器的布局相对稀松。 For the core sensitive module in the integrated circuit that needs to be protected, the layout of the detector is relatively dense, and for the rest of the circuit, the layout of the detector is relatively loose.

本发明的特点及有益效果是： Features and beneficial effects of the present invention are:

利用本发明的注入攻击的结构，能够有效地检测到电磁故障注入攻击的发生，该结构简单易用，而且面积小，可以根据电路需要选择不同数量的探测结构布局在不同的位置，实现对芯片不同程度的保护。 Utilizing the injection attack structure of the present invention, the occurrence of electromagnetic fault injection attack can be effectively detected. The structure is simple and easy to use, and has a small area. Different numbers of detection structures can be selected and arranged in different positions according to the needs of the circuit. varying degrees of protection.

附图说明： Description of drawings:

图1检测电磁故障注入攻击的结构。 Fig. 1 Architecture for detecting electromagnetic fault injection attacks.

图2组合逻辑延时比较结构原理示意图一。 Fig. 2 Schematic diagram 1 of combinational logic delay comparison structure principle.

图3组合逻辑延时比较结构原理示意图二。 Fig. 3 Schematic diagram 2 of combinational logic delay comparison structure principle.

图4组合逻辑延时比较结构原理示意图三。 Fig. 4 Schematic diagram of combinational logic delay comparison structure principle III.

图5组合逻辑延时比较结构原理示意图四。 Fig. 5 Schematic diagram 4 of combinational logic delay comparison structure principle.

图6整体探测结构示意图。 Figure 6 is a schematic diagram of the overall detection structure.

具体实施方式 detailed description

本发明为加密电路等信息安全相关集成电路提供针对电磁故障注入攻击的检测，可根据电路面积的需要改变检测结构的数量与位置，与原有电路进行很好的融合，保证在攻击发生时能够及时进行响应。 The invention provides information security-related integrated circuits such as encryption circuits with the detection of electromagnetic fault injection attacks, and can change the number and position of the detection structures according to the needs of the circuit area, and can be well integrated with the original circuit to ensure that the attack can be detected when the attack occurs. Respond promptly.

本发明使用一种基于组合逻辑延时的结构配合环形振荡器作为内嵌检测结构，设计了可以为加密电路等安全芯片检测电磁故障注入攻击的结构。 The present invention uses a combined logic delay-based structure and a ring oscillator as an embedded detection structure, and designs a structure that can detect electromagnetic fault injection attacks for security chips such as encryption circuits.

1.本发明提出的检测电磁故障注入攻击的结构以组合逻辑延时比较结构和环形振荡器为核心，将其内嵌于原始电路中构成最终结构。 1. The structure for detecting electromagnetic fault injection attacks proposed by the present invention takes the combinational logic delay comparison structure and the ring oscillator as the core, and embeds them in the original circuit to form the final structure.

如图1所示，是检测电磁故障注入攻击探测器(以下简称电磁攻击探测器)的结构图，A1、A2、A3、A4、A5为5个反相器，级联形成环形振荡器。反相器B起到缓冲的作用，输出的振荡信号一路直接输入到组合逻辑延时比较结构Detector1中，另一路经过反相器C的反向，输入到另一个组合逻辑延时比较结构Detector2中。实现延时功能的组合逻辑D1和触发器E1组成了Detector1，组合逻辑D2和触发器E2组成了Detector2。两个Detector的输出经过一个或门F得到最终的报警信号Alarm。 As shown in Figure 1, it is a structural diagram of a detection electromagnetic fault injection attack detector (hereinafter referred to as an electromagnetic attack detector). A1, A2, A3, A4, and A5 are five inverters, which are cascaded to form a ring oscillator. Inverter B acts as a buffer, and the output oscillating signal is directly input to the combinational logic delay comparison structure Detector1, and the other way is input to another combinational logic delay comparison structure Detector2 through the reverse of inverter C. . Combination logic D1 and flip-flop E1 that realize the delay function form Detector1, and combination logic D2 and flip-flop E2 form Detector2. The output of the two Detectors passes through an OR gate F to obtain the final alarm signal Alarm.

2.电磁故障注入对电路的影响原理 2. The principle of the influence of electromagnetic fault injection on the circuit

电磁故障注入一般利用线圈中通过上升沿为纳秒级的脉冲电流,在脉冲电流的激励下，线圈中产生感应脉冲磁场，该磁场以介质磁化的方式向外传播，从而对线圈附近的电路芯片造成影响。当线圈中通以稳恒电流时，根据毕奥萨伐尔定律，线圈上任取一点Q，电流密度为(单位A/m²),则空间任意一点P的磁场： Electromagnetic fault injection generally utilizes a pulse current with a rising edge of nanosecond level in the coil. Under the excitation of the pulse current, an induced pulse magnetic field is generated in the coil, and the magnetic field propagates outward in the form of medium magnetization, thereby affecting the circuit chip near the coil. make an impact. When a steady current is passed through the coil, according to Biot Savart's law, any point Q is taken on the coil, and the current density is (unit A/m ² ), then the magnetic field at any point P in space:

$\overset{&RightArrow; &Right Arrow;}{B B} = = \frac{{μ μ}_{00}}{44 π π} &Integral; &Integral; \frac{\overset{&RightArrow; &Right Arrow;}{j j} \times \times \overset{&RightArrow; &Right Arrow;}{Q Q P P}}{| | \overset{&RightArrow; &Right Arrow;}{Q Q P P} | |} {dU U}_{Q Q}$

其中为磁感应强度(单位T)，μ₀为真空磁导率，其值为4π×10^-7H/m，dU_Q为线圈在Q点处的微分，为Q到P的距离向量。虽然进行故障注入时，通入的是脉冲电流，直流激励的磁场情况可以代表脉冲激励稳定时的情况，稳定时线圈中心的磁场为： in is the magnetic induction intensity (unit T), μ ₀ is the vacuum magnetic permeability, its value is 4π×10 ^-7 H/m, dU _Q is the differential of the coil at point Q, is the distance vector from Q to P. Although the pulse current is injected during fault injection, the magnetic field of DC excitation can represent the situation when the pulse excitation is stable. The magnetic field at the center of the coil is:

$\overset{&RightArrow; &Right Arrow;}{B B} = = \frac{{μ μ}_{00}}{22} \frac{{a a}^{22} I I}{{(({a a}^{22} + + {z z}^{22}))}^{33 / / 22}}$

其中和μ₀与上面相同，a为线圈的半径(单位m)，I为脉冲稳定时的电流(单位A)，z为距离线圈中心的长度(单位m)。 in And μ ₀ is the same as above, a is the radius of the coil (unit m), I is the current (unit A) when the pulse is stable, and z is the length (unit m) from the center of the coil.

由上式可见，当线圈中流过电流后，线圈中的磁感强度与电流成正比，因而，电流的方程和波形与磁场的方程和波形只差一个比例因子。比例因子只与线圈的结构有关，当线圈固定后，这个因子是一个常数。因此，磁场是一个非周期的脉冲波形。 It can be seen from the above formula that when the current flows through the coil, the magnetic induction in the coil is proportional to the current. Therefore, the equation and waveform of the current and the equation and waveform of the magnetic field are only different by a proportional factor. The scale factor is only related to the structure of the coil, when the coil is fixed, this factor is a constant. Therefore, the magnetic field is a non-periodic pulse waveform.

任何处于电磁场中的导体都能感应出电压。当电路芯片被置于这样的电磁环境中时，耦合到电路的电磁场能量会造成一个大的电压或电流脉冲，而芯片中的供电线路组成的环是主要受到电磁影响的部分。用于近场故障注入的磁场探头本质上是一个同轴线，它是感性的，有一个低的串联电阻。磁场探头和电路之间的电感耦合可以用互感系数来表示： Any conductor exposed to an electromagnetic field can induce a voltage. When a circuit chip is placed in such an electromagnetic environment, the electromagnetic field energy coupled to the circuit will cause a large voltage or current pulse, and the loop formed by the power supply line in the chip is the part that is mainly affected by electromagnetic waves. A magnetic field probe for near-field fault injection is essentially a coaxial line, which is inductive and has a low series resistance. The inductive coupling between a magnetic field probe and a circuit can be expressed in terms of mutual inductance:

${M m}_{1212} = = {\frac{{φ φ}_{22}}{{I I}_{11}}}_{{I I}_{22} = = 00} = = \frac{μ μ \cdot \cdot \underset{S S}{&Integral; &Integral;} \overset{&RightArrow; &Right Arrow;}{{H h}_{i i}} \cdot \cdot d d \overset{&RightArrow; &Right Arrow;}{S S}}{{I I}_{11}}$

上式中M12为互感系数(单位H)，φ₂为穿过导体2的磁通量(单位Wb)，I1为导体1的电流(单位A)，I2为导体2的电流(单位A)，μ为磁导率(单位H/m)，为垂直于导体2的磁场强度分量(单位H)，为导体2的面元微分。 In the above formula, M12 is the mutual inductance coefficient (unit H), φ2 is the magnetic flux passing through conductor ₂ (unit Wb), I1 is the current of conductor 1 (unit A), I2 is the current of conductor 2 (unit A), μ is Magnetic permeability (unit H/m), is the magnetic field strength component (unit H) perpendicular to the conductor 2, is the panel differential of conductor 2.

假定耦合到电源线，会造成输出有一个高低之间的跳变，进而导致整个功能模块无法输出正确的信息。这里，“耦合”的概念指的是电路、设备、系统与其它电路、设备、系统之间的电能量联系，耦合起着把电磁能量从一个电路、设备、系统“传输”到另一个电路、设备、系统的作用。电路中的电源网络是最容易受到电磁干扰的部分，它们也作为天线接收线圈产生的磁通量，该磁通量会在电源网络上产生感应电动势。这样一个电磁线圈会在电路中产生电压降(IRdrop)。 Assuming that it is coupled to the power line, it will cause the output to jump between high and low, which will cause the entire functional module to fail to output correct information. Here, the concept of "coupling" refers to the electrical energy connection between circuits, equipment, systems and other circuits, equipment, systems, coupling plays the role of "transmitting" electromagnetic energy from one circuit, equipment, system to another circuit, The role of equipment and systems. The power network in the circuit is the most susceptible part to electromagnetic interference, and they also act as antennas to receive the magnetic flux generated by the coil, which will induce an electromotive force on the power network. Such a solenoid creates a voltage drop (IRdrop) in the circuit.

另外，当电磁脉冲通过不同耦合渠道在芯片输入端产生的电压或电流高达一定程度时，可导致输出端逻辑值改变，即由1变为0或相反，从而产生误码。 In addition, when the voltage or current generated by the electromagnetic pulse through different coupling channels reaches a certain level at the input end of the chip, the logic value of the output end will change, that is, from 1 to 0 or vice versa, resulting in bit errors.

3.环形振荡器检测电磁攻击原理 3. Ring oscillator detection electromagnetic attack principle

对于由N个反相器组成的单端CMOS环形振荡器，假定NMOS和PMOS的沟道长度相同、阈值电压的绝对值相同，则振荡频率为： For a single-ended CMOS ring oscillator composed of N inverters, assuming that the channel lengths of NMOS and PMOS are the same and the absolute value of the threshold voltage is the same, the oscillation frequency is:

${f f}_{00} = = \frac{{μ μ}_{e e f f f f} {W W}_{e e f f f f} {C C}_{o o x x} ((\frac{{V V}_{D D. D D.}}{22} - - {V V}_{T T}))}{88 {ηNLq ηNLq}_{max max}}$

其中Cox是单位面积的栅氧化层电容(单位F/m₂)，VDD是电源电压(单位V)，VT是晶体管的阈值电压(单位V)，L是晶体管的沟道长度(单位m)，q_max是晶体管通断转换期间节点接收的总电荷量(单位C)，N是组成环形振荡器的反相器数目(单位为无量纲)，η是一个约等于1的常数(单位为无量纲)，W_eff是等效沟道宽度(单位m)，表达式为： Where Cox is the capacitance of the gate oxide layer per unit area (unit F/m ₂ ), VDD is the power supply voltage (unit V), VT is the threshold voltage of the transistor (unit V), L is the channel length of the transistor (unit m), q _max is the total charge received by the node during the transistor on-off transition (unit C), N is the number of inverters that make up the ring oscillator (unit is dimensionless), η is a constant approximately equal to 1 (unit is dimensionless ), W _eff is the equivalent channel width (unit m), the expression is:

W_eff＝W_n+W_p W _eff =W _n +W _p

其中Wn是NMOS管的沟道宽度(单位m)，Wp是PMOS管的沟道宽度(单位m)。μ_eff是等效载流子迁移率(单位m²/V·s)，表达式为： Where Wn is the channel width (unit m) of the NMOS transistor, and Wp is the channel width (unit m) of the PMOS transistor. μ _eff is the equivalent carrier mobility (unit m ² /V·s), the expression is:

${μ μ}_{e e f f f f} = = \frac{{μ μ}_{n no} {W W}_{n no} + + {μ μ}_{p p} {W W}_{p p}}{{W W}_{n no} + + {W W}_{p p}}$

其中μ_n是电子迁移率(单位m²/V·s)，μ_p是空穴迁移率(单位m²/V·s)。 Where μ _n is electron mobility (unit m ² /V·s), μ _p is hole mobility (unit m ² /V·s).

电磁故障注入主要影响到集成电路的电源网络，会导致供电电压升高，进而产生一系列的影响，比如导致CMOS门电路的延时减小。根据这种原理，在脉冲影响的短时间内，环形振荡器的频率会由于电磁故障注入而改变。 Electromagnetic fault injection mainly affects the power supply network of the integrated circuit, which will lead to an increase in the supply voltage, and then produce a series of effects, such as reducing the delay of the CMOS gate circuit. According to this principle, during the short time affected by the pulse, the frequency of the ring oscillator changes due to electromagnetic fault injection.

另外电磁辐射最强的地方，也往往是对电磁干扰最敏感的地方(例如金属线相互交叉形成环的位置，相当于接收电磁信号的探头)。而环形振荡器会辐射较强的与振荡信号同频的电磁信号，因此设计采用环形振荡器来探测电磁故障注入攻击的影响。 In addition, the place with the strongest electromagnetic radiation is often the place most sensitive to electromagnetic interference (for example, the position where metal wires cross each other to form a ring is equivalent to a probe that receives electromagnetic signals). The ring oscillator will radiate a strong electromagnetic signal with the same frequency as the oscillation signal, so the ring oscillator is designed to detect the impact of electromagnetic fault injection attacks.

4.组合逻辑延时比较结构的工作原理 4. Working principle of combinational logic delay comparison structure

上述环形振荡器，或者由于电磁脉冲耦合到电源线造成电压的变化，进而造成输出波形发生变化；或者由于电磁脉冲直接耦合到输出端，在输出信号上，有与干扰信号同频的信号叠加上去。这种变化体现为毛刺的形式，而这种毛刺可以被本发明中的基于组合逻辑的延时比较结构检测到。 The above-mentioned ring oscillator, or because the electromagnetic pulse is coupled to the power line, causes the voltage to change, which in turn causes the output waveform to change; or because the electromagnetic pulse is directly coupled to the output terminal, a signal with the same frequency as the interference signal is superimposed on the output signal . This change is reflected in the form of glitches, which can be detected by the delay comparison structure based on combinational logic in the present invention.

假定电路正常工作未受到攻击时，环形振荡器的输出频率为f0，因此其周期为1/f₀。调整图1中组合逻辑D1和D2的延时为周期的3/4,也就是3/4f₀。因此当电路芯片未受到攻击时，对于Detector1，D触发器的时钟是对输入信号的3/4延时，所以时钟信号的上升沿采样到的数据均为低电平，D触发器的输出为低电平。对于Detector2，与此同理，输出也为低电平。因此经过或门F之后，报警信号Alarm也为低电平。电路检测到这个信号，不采取动作。 Assuming that the circuit works normally and is not under attack, the output frequency of the ring oscillator is f0, so its period is 1/f ₀ . Adjust the delay of combinational logic D1 and D2 in Fig. 1 to be 3/4 of the period, that is, 3/4f ₀ . Therefore, when the circuit chip is not attacked, for Detector1, the clock of the D flip-flop is 3/4 delay of the input signal, so the data sampled by the rising edge of the clock signal are all low level, and the output of the D flip-flop is low level. For Detector2, in the same way, the output is also low. Therefore, after passing through the OR gate F, the alarm signal Alarm is also at a low level. The circuit detects this signal and takes no action.

然后假定发生了电磁故障注入，由于前述两种原因，会造成输出信号产生毛刺。由于攻击时间的不同，产生的毛刺对于原始振荡信号的相对位置关系会有所不同。图2展示了毛刺位于原始振荡信号低电平前半部分的情况，图中D1是Detector1的D触发器的输入数据信号，C1是Detector1的D触发器的输入时钟信号，D2是Detector2的D触发器的输入数据信号，C2是Detector2的D触发器的输入时钟信号。以下若不特殊说明，均采用这种表示方法。 Then assume that electromagnetic fault injection has occurred, due to the aforementioned two reasons, it will cause glitches in the output signal. Due to the different attack times, the relative positions of the generated burrs to the original oscillating signal will be different. Figure 2 shows the situation where the glitch is located in the first half of the low level of the original oscillation signal. In the figure, D1 is the input data signal of the D flip-flop of Detector1, C1 is the input clock signal of the D flip-flop of Detector1, and D2 is the D flip-flop of Detector2. The input data signal of C2 is the input clock signal of D flip-flop of Detector2. Unless otherwise specified below, this notation is used.

由图2可见，对于毛刺位于原始振荡信号低电平前半部分这种情况，由图中虚线所示，C1的上升沿可以采到D1信号的高电平，因此Detector1可以检测到，而C2的上升沿采到的D1信号均为低电平，因此Detector2检测不到。 It can be seen from Figure 2 that for the case where the burr is located in the first half of the low level of the original oscillation signal, as shown by the dotted line in the figure, the rising edge of C1 can pick up the high level of the D1 signal, so Detector1 can detect it, and the C2’s The D1 signals collected on the rising edge are all low level, so Detector2 cannot detect them.

由图3可见，对于毛刺位于原始振荡信号低电平后半部分这种情况，由图中虚线所示，C1的上升沿采到的D1信号均为低电平，因此Detector1检测不到，而C2的上升沿可以采到D1信号的高电平，因此Detector2可以检测到。 It can be seen from Figure 3 that for the case where the glitch is located in the second half of the low level of the original oscillation signal, as shown by the dotted line in the figure, the D1 signal collected by the rising edge of C1 is all low level, so Detector1 cannot detect it, and The rising edge of C2 can pick up the high level of the D1 signal, so Detector2 can detect it.

由图4可见，对于毛刺位于原始振荡信号高电平前半部分这种情况，由图中虚线所示，C1的上升沿采到的D1信号均为低电平，因此Detector1检测不到，而C2的上升沿可以采到D1信号的高电平，因此Detector2可以检测到。 It can be seen from Figure 4 that for the case where the glitch is located in the first half of the high level of the original oscillation signal, as shown by the dotted line in the figure, the D1 signal collected by the rising edge of C1 is all low level, so Detector1 cannot detect it, and C2 The rising edge of the D1 signal can be taken to the high level, so Detector2 can detect it.

由图5可见，对于毛刺位于原始振荡信号高电平后半部分这种情况，由图中虚线所示，C1的上升沿可以采到D1信号的高电平，因此Detector1可以检测到，而C2的上升沿采到的D1信号均为低电平，因此Detector2检测不到。 It can be seen from Figure 5 that for the case where the burr is located in the second half of the high level of the original oscillation signal, as shown by the dotted line in the figure, the rising edge of C1 can pick up the high level of the D1 signal, so Detector1 can detect it, and C2 The D1 signals collected by the rising edge of the signal are all low level, so Detector2 cannot detect it.

综上所述，对于毛刺位于原始振荡信号低电平前半部分和高电平后半部分这两种情况，Detector1可以检测到，而Detector2检测不到；对于毛刺位于原始振荡信号低电平后半部分和高电平前半部分这两种情况，Detector2可以检测到，而Detector1检测不到。因此电磁攻击探测器中同时采用了Detector1和Detector2，并将它们的输出信号进行或运算，得到最终的报警信号，这样可以将对于原始振荡信号不同相对位置处的毛刺全部检测到，保证了检测率。 To sum up, for the two cases where the glitch is located in the first half of the low level of the original oscillation signal and the second half of the high level, Detector1 can detect it, but Detector2 cannot detect it; for the glitch located in the second half of the original low level of the oscillation signal Part and the first half of the high level, Detector2 can detect it, but Detector1 cannot detect it. Therefore, Detector1 and Detector2 are used in the electromagnetic attack detector at the same time, and their output signals are ORed to obtain the final alarm signal, so that all the glitches at different relative positions to the original oscillation signal can be detected, ensuring the detection rate. .

5.检测结构在实际使用中的灵敏性 5. Sensitivity of detection structure in practical use

由上述原理分析可知，为了提高该检测结构在实际使用时的灵敏性，需要在由电磁故障注入攻击导致电源电压发生变化时，环形振荡器的输出频率变化越大越好，从而使输出的振荡信号产生一个毛刺，以方便后面组合逻辑延时比较结构检测到。根据环形振荡器输出信号的频率公式可知，频率相对电源电压的变化是： According to the analysis of the above principles, in order to improve the sensitivity of the detection structure in actual use, it is necessary that when the power supply voltage changes due to electromagnetic fault injection attacks, the greater the change in the output frequency of the ring oscillator, the better, so that the output oscillation signal A burr is generated to facilitate detection by the combinational logic delay comparison structure later. According to the frequency formula of the ring oscillator output signal, the change of frequency relative to the supply voltage is:

$\frac{{Δf Δf}_{00}}{{ΔV ΔV}_{D D. D D.}} = = \frac{{μ μ}_{e e f f f f} {W W}_{e e f f f f} {C C}_{o o x x}}{1616 {ηNLq ηNLq}_{max max}}$

因此实际使用时，可以通过增大晶体管的沟道宽度W_eff，减小反相器的晶体管数目N来提高灵敏度。 Therefore, in actual use, the sensitivity can be improved by increasing the channel width W _eff of the transistor and reducing the number N of transistors of the inverter.

若电磁干扰信号较弱，以致电源电压的变化较小，不足以使探测器检测到时，由于此时的攻击也同样无法引起电路运算出错，因此可以不必考虑这种情况。 If the electromagnetic interference signal is weak, so that the change of the power supply voltage is small enough to be detected by the detector, since the attack at this time also cannot cause circuit operation errors, it is not necessary to consider this situation.

6.使用核心检测结构构建电路整体探测结构 6. Use the core detection structure to build the overall detection structure of the circuit

如图6所示，是利用核心检测结构(电磁攻击探测器)内嵌于原始电路之中，实现最终检测结构的示意图。 As shown in Figure 6, it is a schematic diagram of the final detection structure realized by embedding the core detection structure (electromagnetic attack detector) in the original circuit.

图中最外侧的方框代表整个电路芯片，右下角的空心方框代表电路中的核心敏感单元(例如AES加密模块的S盒)，其余的黑色实心方框代表上述的电磁攻击探测器。在使用之前，首先需要对该探测器的组合逻辑延时模块D1和D2进行调试，使其延时等于环形振荡器输出信号周期的3/4。然后根据电路面积和安全性的需求，将一定数量的该探测器内嵌于原始电路之中。例如电路芯片的面积足够，并且对安全性要求较高时，可以多嵌入一定数量的探测器。 The outermost box in the figure represents the entire circuit chip, the hollow box in the lower right corner represents the core sensitive unit in the circuit (such as the S box of the AES encryption module), and the remaining black solid boxes represent the above-mentioned electromagnetic attack detectors. Before use, it is first necessary to debug the combined logic delay modules D1 and D2 of the detector so that the delay is equal to 3/4 of the period of the ring oscillator output signal. Then, according to the circuit area and safety requirements, a certain number of the detectors are embedded in the original circuit. For example, when the area of the circuit chip is sufficient and the safety requirements are high, a certain number of detectors can be embedded.

为了达到最好的效果，既需要保持较小的面积，又有足够的安全性，可以有选择地进行探测器布局。对于核心敏感模块，探测器的布局相对密一些，对于电路其余部分，探测器的布局可以相对稀松。 In order to achieve the best effect, it is necessary to keep the area small and have enough safety, so that the detector layout can be selectively carried out. For the core sensitive module, the layout of the detector is relatively dense, and for the rest of the circuit, the layout of the detector can be relatively loose.

本发明的一个具体实例如图6所示，使用前先确定电路的核心敏感单元(攻击者最可能攻击的位置)，然后根据电路总体面积、电路空余面积以及所需芯片安全程度这三项参数确定所需电磁攻击探测器的数量，将其均匀分布于原始电路之中，然后对于核心敏感单元，适当增加一定数量的电磁攻击探测器内嵌与其中。本发明的保护范围并不以上述实施方式为限，本领域普通技术人员根据本发明所揭示内容所作的等效修饰或变化，皆应纳入保护范围。 A specific example of the present invention is shown in Figure 6, before using, determine the core sensitive unit of the circuit (the location where the attacker is most likely to attack), and then according to these three parameters of the overall circuit area, the circuit vacant area and the required chip security degree Determine the number of required electromagnetic attack detectors, distribute them evenly in the original circuit, and then appropriately increase a certain number of electromagnetic attack detectors to be embedded in the core sensitive unit. The scope of protection of the present invention is not limited to the above-mentioned embodiments, and equivalent modifications or changes made by those skilled in the art based on the content disclosed in the present invention should be included in the scope of protection.

Claims

1. A detector for integrated circuit detection electromagnetic fault injection attack is characterized in that the structure is: A1, A2, A3, A4, A5 are 5 inverters, cascaded to form a ring oscillator, and the ring oscillator is passed through One way of the oscillation signal buffered by the inverter B is directly input to the combinational logic delay comparison structure Detector1, and the other way is input to another combinational logic delay comparison structure Detector2 through the reverse of the inverter C; to realize the delay Functional combinational logic D1 and trigger E1 form Detector1, combinational logic D2 and trigger E2 form Detector2; the input signals of the two Detectors are connected to the trigger input of the Detector; the input signals of the two Detectors pass through the Detector The combinational logic is output to the trigger clock input of the Detector; the outputs of the two Detectors pass through an OR gate F to obtain the final alarm signal Alarm.

2. be used for integrated circuit detection electromagnetic fault injection attack detector as claimed in claim 1, it is characterized in that, by increasing the channel width W _eff of the transistor in the inverter in the ring oscillator, reduce the frequency of the inverter Transistor number N to increase sensitivity.

3. A detection method for integrated circuit detection electromagnetic fault injection attack, characterized in that, for integrated circuit detection electromagnetic fault injection attack detection method, realized by means of the aforementioned detector, and includes the following steps, at first to the combined logic of the detector The delay modules D1 and D2 are debugged so that the delay is equal to 3/4 of the cycle of the ring oscillator output signal; then according to the circuit area and safety requirements, a certain number of detectors are embedded between the integrated circuits to be protected middle.

4. The method for detecting electromagnetic fault injection attack detection for integrated circuits as claimed in claim 3, characterized in that, for the core sensitive modules in the integrated circuits that need to be protected, the layout of the detectors is relatively dense, and for the rest of the circuit, the detection The layout of the device is relatively loose.