CN109934021A - Layout method of probe-proof switched capacitor PUF circuit - Google Patents

Abstract

The invention discloses a layout method of a switched capacitor PUF circuit which is anti-probe detection. The capacitor sampled by the switched capacitor PUF only adopts the parasitic capacitance formed by the upper metal, the lower metal and the insulating layer between them which form the capacitive protective layer. Fixed capacitors are not included; then an analog amplifier/comparator with no feedback path for input and output is used to amplify the output voltage difference of the switched capacitor to obtain the final output key. At the same time, instead of using a long metal wire mesh to protect the sensitive area of the chip, multiple short metal wires or metal blocks with a small area are used as the pole plates of the switched capacitor PUF sampling capacitor to cover the sensitive area. By reducing the area of the sampling capacitor to prevent damage + reconstruction + detection attacks on the same layer and different layers at the same time, the probe detection sensitivity of the metal capacitive protective layer is increased.

Description

Layout method of probe-proof switched capacitor PUF circuit

technical field

The invention relates to a security chip secret key generation circuit and a safety protection circuit, in particular to a switched capacitor PUF secret key generation circuit and an anti-probe detection layout method based on the circuit, belonging to the technical field of hardware information security.

Background technique

In the face of increasingly serious threats to information security, the application of security chips is becoming more and more extensive, from traditional banking and telecommunications industries, to mobile payments, e-passports, e-ID cards, anti-counterfeiting equipment, smart grids, and intellectual property protection, etc. Using a security chip to ensure data security, security has become a basic and essential feature of an electronic product. Today, hackers' attack methods are no longer limited to software attacks such as viruses and Trojan horses, but have adopted invasive attacks that are more aggressive and more difficult to protect, and directly steal users' key information. The so-called invasive attack refers to the direct observation of the key in the chip through reverse engineering, or the use of probes combined with laser etching, Focused Ion Beam (FIB) and other violent means to directly detect the key in the chip. The attack is strong, and the damage caused is also very large.

In order to avoid direct reverse engineering attacks, the most effective method is to use a Physically Unclonable Function (PUF) to provide the key. PUF detects random changes in the physical properties of the materials that make up circuit devices during the production of integrated circuits, even if It is impossible for chip manufacturers to use the same circuit to copy the exact same key, and the attacker cannot deduce the key through layout analysis. Although PUF technology can prevent direct reverse engineering attacks, it cannot prevent detection attacks. Attackers can use probes to directly detect the electrical signals of sensitive parts inside the chip; if the sensitive information is at the bottom of the chip, attackers can also use destruction + detection attacks. Remove the top layer layout, and then use microprobes to probe internal sensitive signals; in addition, if the top layer protection layer has electrical signal characteristics, after destroying the layout of the top layer protection layer, in order to maintain the electrical signal connection state of the destroyed circuit, it needs to be located elsewhere Perform signal line reconstruction. The reconstruction + destruction + detection attack uses the FIB to reconnect the damaged signal lines in other positions to maintain the correct connection state of the circuit, and then uses the probe to probe the sensitive information inside the chip in the damaged area. It can be seen that the above three attack methods using probe detection, such as direct detection, destruction + detection, destruction + reconstruction + detection, have very strong attack capabilities and are very difficult to defend.

In order to prevent the above-mentioned detection attacks, the existing research mainly uses the capacitive protection layer to protect the sensitive area, and associates the capacitive characteristics of the protection layer with the key. For example, the Chinese invention patent "An Anti-cracking PUF Structure" (Patent No. CN 104052604B) proposes an anti-cracking structure based on a switched capacitor PUF, as shown in FIG. 1 . Since the switched capacitor PUF samples the process random deviation of the capacitance ratio, and the upper and lower plates of the sampled capacitor lead to the top and sub-top metal of the chip, if the external probe detects the top or sub-top metal, the top or sub-top metal is connected to The capacitance value of the sampling capacitor will also change, so that the ratio of the capacitance sampled by the switched capacitor PUF will also change, thereby changing the output key of the switched capacitor PUF. When an external sabotage attack occurs, the key generation circuit or detection circuit connected to the protection layer detects the change of the circuit characteristics of the protection layer, and then changes the output key, so that the probe detects the wrong key. However, it should be pointed out that the invention patent has the following four problems:

(1) First, the capacitor sampled by the switched capacitor PUF is composed of two parts: fixed capacitor and parasitic capacitor. The parasitic capacitor formed by the metal wire mesh used to detect external detection attacks is only a part of the sampling capacitor, which will definitely reduce external detection attacks. sensitivity;

(2) Secondly, it adopts the mixed winding of the signal metal wire and the ground wire connected to the sampling capacitor plate on the top layer and the sub-top layer. The purpose is to make the signal metal wire and the ground wire closely distributed and increase the difficulty of external probe detection. : Since the distance between the signal metal wire and the ground wire is very small, a large probe will definitely short-circuit them; for the destruction + reconstruction attack, if the operation is performed on the same layer, the operation space is also very small, and it can only be used in the The operation between the metal line and the ground line is shown in Figure 2. Under a certain 0.18-micron CMOS process, the space for reconstruction of the same layer is only 0.36 microns, which greatly increases the difficulty. This kind of layout method of mixed wiring of signal metal wire and ground wire can effectively prevent large probe detection and same-layer destruction + reconstruction + detection attack, but there are still serious risks: as shown in Figure 3, the current common method of FIB is Lead the metal signal below the passivation layer to the outside of the passivation layer through the FIB, and then reconnect the passivation layer. In this case, there is no problem of small operation space. The attacker can easily connect the top layer and the passivation layer. The sub-top layer metals are respectively led to the passivation layer for reconnection, and the important signal lines at the bottom layer are leaked and probed with probes. For this kind of attack, the above-mentioned invention patents have almost no protection capability;

(3) Again, although the patent only leads the upper plate of the capacitor connected to the fixed potential to the top metal, and the sensitive signals N and P are in the sub-top metal, the top metal does not appear to be sensitive when the secret key is generated. Signal. However, it should be pointed out that, as shown in Figure 4, the switched capacitor PUF uses a latch-type comparator to compare the sensitive information points N and P. When the enable signal EN becomes 1, N, P The voltage of the two points of P is the voltage after the charge is redistributed, but immediately the Latch-type comparator will amplify and compare the two points of N and P, and quickly amplify the N and P sensitive signals into the actual output rail-to-rail " 0/1" digital key, it can be seen that the two points N and P will rapidly change from the DC level to "0/1", that is, undergo a rapid pulse change. Since the charge stored in the capacitor cannot undergo sudden change, that is, the capacitor has a high-frequency coupling effect, and the rapid changes in the voltages of N and P will also be coupled to the metal signal line on the upper plate of the capacitor connected to the top metal. If an external attacker Probe the top metal with a probe, and you can judge the final voltage value (that is, the final key value) of the corresponding N and P by observing whether there is a pulse on the detected metal wire: if a negative pulse or burr occurs, the corresponding N or P is 0, otherwise if a positive pulse or glitch occurs, the corresponding N or P is 1. At the same time, it should be pointed out that after the probe is connected to the top metal, it is equivalent to connecting a parasitic capacitance introduced by a probe between the upper plate and the ground, but since the upper plate is connected to a fixed potential, it will not affect the original The mismatched sampling of capacitors has an impact, that is, the attack method that observes positive or negative glitches or pulses on the top metal will not affect the original key, and the attack is very effective;

(4) In addition, the invention patent uses a capacitive metal wire mesh connected to the sampling capacitor of the switched capacitor PUF to protect other sensitive areas that need to be protected. If the sensitive area is large, the actual capacitive metal wire mesh is also very long. This will greatly reduce the sensitivity of the capacitive metal shield. If an external attacker cuts and destroys the metal wire mesh in a very small range, and leads it to the top passivation layer for reconstruction, then for the entire metal wire mesh, the actual capacitance value of the metal wire mesh is The change will be very small, which is likely to be lower than the ability of the comparator to distinguish, which is ultimately equivalent to that the external probe can detect other sensitive information under the protective layer without destroying the capacitive protective layer, thereby greatly reducing the capacitance. The anti-detection sensitivity of the metal protective layer.

To sum up, it can be seen that the existing capacitive metal protection layer based on switched capacitor PUF has problems such as low detection sensitivity of external probe detection attack and serious protection defects. In order to make the capacitive metal protection layer based on switched capacitor PUF have The real anti-detection attack capability, first of all, the sampled capacitors should not introduce fixed capacitors, but all parasitic capacitors composed of capacitive metals; The wiring should be too long, and multiple metal blocks or metal lines with smaller area or shorter length should be used for layout; finally, and most importantly, the amplifier that compares and amplifies the N and P points must not use input and output coupling. The latch type amplifier, the voltage of N and P points cannot change abruptly.

SUMMARY OF THE INVENTION

In view of the problems of the background technology, the present invention proposes a layout method of a switched capacitor PUF circuit that is anti-probe detection. The parasitic capacitance formed by the insulating layer of the switch capacitor does not include the fixed capacitor; then the output voltage difference of the switched capacitor is amplified by an analog amplifier/comparator with no feedback path for input and output, and the final output key is obtained. At the same time, instead of using a long metal wire mesh to protect the sensitive area of the chip, multiple short metal wires or metal blocks with a small area are used as the pole plates of the switched capacitor PUF sampling capacitor to cover the sensitive area. By reducing the area of the sampling capacitor to prevent damage + reconstruction + detection attacks on the same layer and different layers at the same time, the probe detection sensitivity of the metal capacitive protective layer is increased.

In order to achieve the above object, the present invention adopts the following scheme:

A layout method for a switched capacitor PUF circuit that is anti-probe detection, comprising: the capacitor sampled by the switched capacitor PUF only adopts the parasitic capacitance composed of the upper metal, the lower metal and the insulating layer between the capacitive protective layers, excluding fixed capacitances. capacitor; then use an analog amplifier/comparator with no feedback path for input and output to amplify the output voltage difference of the switched capacitor to obtain the final output key, which is characterized in that:

The two layers of metal that form the upper and lower plates of the switched capacitor PUF sampling capacitor can be any two adjacent layers of metal, or they can be non-adjacent metals without other metal traces between each other, but the two layers of metal have the same area and completely overlap. ;

The insulating layer constituting the switched capacitor PUF sampling capacitor dielectric layer can be a general insulating layer between adjacent metal layers in a CMOS process, or a high dielectric constant insulating layer of a metal-insulating layer-metal capacitor device in the CMOS process.

Further, the area of each sampling metal capacitor of the switched capacitor PUF is several square microns, and multiple metal capacitor arrays are used to cover the sensitive area in the chip to increase the sensitivity of anti-probe detection;

The metal capacitance value sampled by the switched capacitor PUF is at the fF level, which can be a linear structure with a length of several micrometers to several dozen micrometers, or a block structure with an area of several square micrometers.

Further, the comparator used to amplify and compare the output voltage difference of the switched capacitor is composed of an analog comparator, and there is no feedback path from the output key to the input sensitive signal point, preventing external attackers from connecting to the fixed potential by detecting the upper layer. The metal wire gets the output key value.

The beneficial effects of the present invention are:

Under the premise of ensuring the realization of the function of the switch capacitor PUF secret key generating circuit, the sampled capacitor only includes the parasitic capacitance formed by the capacitive metal protective layer, and does not include the fixed capacitance, thereby increasing the inspection sensitivity of external probe detection. At the same time, multiple metal short wires or metal blocks with a small area are used to cover the sensitive area, so as to avoid using a long metal wire mesh with low sensitivity, which can further improve the detection sensitivity of external probe detection. In addition, avoiding the use of a latch-type input-output coupling amplifier and using an analog amplifier/comparator can effectively prevent the leakage of secret key information caused by capacitive coupling and improve security.

Description of drawings

Fig. 1 is a kind of anti-cracking structure based on switched capacitor PUF proposed with reference to the invention patent;

FIG. 2 is a schematic diagram of the layout structure used for anti-destruction + reconstruction + detection attack on the same layer with reference to the invention patent;

Figure 3 is a schematic diagram of the structure of different layers of destruction + reconstruction + detection attack;

FIG. 4 is a waveform diagram of the N, P transient signals coupled to the top metal through capacitance by referring to the invention patent;

Fig. 5 is the anti-probe detection layout mode based on switched capacitor PUF proposed by the present invention;

Fig. 6 is the schematic diagram that the reference invention patent and the present invention are damaged + reconstruction + detection attack at the same layer;

7 is a schematic diagram of the reference invention patent and the present invention being destroyed + reconstructed + detection attack at different layers;

FIG. 8 is a schematic structural diagram of an analog amplifier/comparator with no feedback between input and output used in the present invention.

Detailed ways

The present invention is further described below with reference to the accompanying drawings and specific embodiments, examples of which are shown in the accompanying drawings, wherein the same or similar reference numerals represent the same or similar elements or elements with the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are intended to be used to explain the present invention, but should not be construed as a limitation of the present invention, and any modifications, equivalent replacements, or Improvements, etc., should be included within the scope of the claims of the present invention, and those not described in detail in this technical solution are all known technologies.

Implementation example: The anti-probe detection layout based on the switched capacitor PUF shown in Figure 5, the PUF still adopts the switched capacitor principle, and detects the mismatch between the two capacitor ratios C _UP1 /C _DN1 and C _UP2 /C _DN2 , among which the four sampling capacitors C _UP1 , C _DN1 , C _UP2 , and C _DN2 can be parasitic metal-insulating layer-metal structure capacitors, and the upper metal and the lower metal respectively form the two pole plates of the capacitor, and the two layers of metal can be Any two adjacent layers of metal, or two non-adjacent layers of metal without other signal lines between them, can also be used, and the general insulating layer between the metal layers in the CMOS process constitutes a dielectric; the dielectric layers of the four sampling capacitors can also be used. A special dielectric layer with high dielectric constant used in metal-insulator-metal capacitors in the CMOS process is used. For the SC PUFi unit, in design, C _UP1 =C _UP2 , C _DN1 =C _DN2 , so that C _UP1 /C _DN1 =C _UP2 /C _DN2 . However, due to deviations in the CMOS process, C _UP1 and C _DN1 will not be exactly equal to C _UP2 and C _DN2 respectively, but will introduce a mismatch between the two capacitance ratios: C _UP1 /C _DN1 =δ+C _UP2 / _CDN2 . The circuit first goes through the discharge stage, that is, EN=0, and both ends of all capacitors are connected to GND, so that the stored charges of all capacitors are 0; then EN=1, the circuit enters the state of charge redistribution, and the upper poles of C _UP1 and C _UP2 Both boards are connected to VDD, and the voltages of P and N will be related to C _UP1 /C _DN1 and C _UP2 /C _DN2 . At this point, the mismatch δ in the capacitance ratio will introduce a voltage difference between P and N:

This converts the capacitance ratio mismatch into a voltage difference, which is then amplified by the comparator and finally converted into a rail-to-rail output digital key Key[i].

The above-mentioned secret key generation principle based on SC PUF is consistent with the reference invention patent, but in order to improve the detection sensitivity of the probe detection attack of the capacitive metal protective layer, the sampling capacitors C _UP1 , C _UP2 , C _DN1 , and C _DN2 in the present invention no longer include The fixed capacitance is only composed of the parasitic capacitance composed of two layers of metal and the insulating layer between them, so that the change of the metal protective layer will be fully reflected in the switched capacitor PUF, which increases the detection sensitivity of probe detection attacks.

In addition, in FIG. 5 , the metals constituting the sampling capacitors C _UP1 , C _UP2 , C _DN1 , and C _DN2 are block-shaped structures with smaller area or line-shaped structures with shorter lengths, instead of referring to the long metals in the invention patent Wire mesh, when external attack attempts to destroy or rebuild these metal protective layers, as shown in Figure 6(a) and Figure 7(a), for the long metal wire mesh referenced to the invention patent, due to each The metal wire is very long. If the same layer or different layers of the metal wire are destroyed + reconstructed in a small area to leak the important and sensitive information under the metal wire mesh, the capacitance change caused by it may be insignificant compared to the total capacitance. Therefore, , it is very possible for the attacker to obtain the correct information by using the destruction + reconstruction + probe detection attack without causing the change of the output key of the switched capacitor PUF. For the present invention, each metal capacitor uses either a metal wire with a shorter length, or a metal block with a smaller area, whose length or area is in the same order of magnitude as the minimum area (a few square microns) required by an external attack, And use multiple metal wires or metal block arrays to cover the entire area to be protected. If an external damage + reconstruction attack occurs, it will inevitably cause a wide range of changes in the sampling capacitance, thus greatly improving the sensitivity of anti-external detection attacks, as shown in the attached picture 6(b,c) and Figure 7(b,c). Taking the existing destruction + reconstruction capability as an example, the minimum operation area that can be _performed by _FIB is about a _few square _microns . The total area of the metal block is also about a few square microns, and the corresponding capacitance is between a few fF and tens of fF.

Finally, in order to avoid external attacks caused by voltage mutation at sensitive signal points N and P, the output can be obtained by detecting that the upper metal connected to the upper plate of CUP1/CUP2 also has positive or negative pulses related to the final voltages of N and P. The key value, N, P voltage should avoid sudden change, this patent avoids the use of latch-type input-output coupling amplifier, but adopts the amplifier/comparator with no feedback between the input and output commonly used in analog circuits. At the end, the voltages of N and P will not change, and external attacks cannot obtain the final key value of the PUF by detecting the upper layer metal. An example of implementation is shown in Figure 8.

The above-mentioned embodiments merely illustrate the principles and effects of the present invention, but are not intended to limit the present invention. Anyone skilled in the art can modify or change the above embodiments without departing from the spirit and scope of the present invention. Therefore, all equivalent modifications or changes made by those with ordinary knowledge in the technical field without departing from the spirit and technical idea disclosed in the present invention should still be covered by the claims of the present invention.

Claims (3)

1. the layout method of the switching capacity PUF circuit of anti-probe detection, comprising: the capacitor that switching capacity PUF is sampled only is adopted With by constitute capacitive protective layer upper layer metal, lower metal and between the parasitic capacitance that constitutes of insulating layer, do not include fixing Capacitor；Then it is carried out using output voltage difference of Simulation scale-up/comparator of the input and output without feedback network to switching capacity Amplification, obtains final output code key, it is characterised in that:

Constituting the double layer of metal of bottom crown on switching capacity PUF sampling capacitance is arbitrary neighborhood double layer of metal, or mutually it Between without other metal routings non-conterminous metal, but this double layer of metal area is identical and completely overlapped；

The insulating layer of composition switching capacity PUF sampling capacitance dielectric layer is the general insulation in CMOS technology between adjacent metal The high-k insulating layer of metal-insulating layer-metal capacitor part in layer or CMOS technology.

2. the layout method of the switching capacity PUF circuit of anti-probe detection according to claim 1, which is characterized in that open The powered-down each sampling metal capacitance area of appearance PUF is a few square microns, and in multiple metal capacitance arrays covering chip Sensitizing range increases the sensitivity of anti-probe detection；

The metal capacitance capacitance of switching capacity PUF sampling is the linear structure that length is several microns to more than ten microns in fF rank, Or area is the block structure of several square microns.

3. the layout method of the switching capacity PUF circuit of anti-probe detection according to claim 1, which is characterized in that use It amplifies the comparator compared in the output voltage difference to switching capacity to be made of analog comparator, there is no output code keys To the feedback network of input sensitive signal point, the metal wire for avoiding external attacker from being connected to fixed current potential by detecting upper layer is obtained Code key value must be exported.