
Latchup effect in CMOS IC: a solution for crypto-processors protection against fault injection attacks?

N. Buard (1), F. Miller (1), C. Ruby (1), R. Gaillard (2)
(1) EADS France, (2) INFODUC
nadine.buard@eads.net

Abstract
Latchup is a short-circuit that can be triggered in CMOS ICs when a current pulse is produced by parasitic perturbations. It is usually regarded as a serious reliability problem, especially in space applications, where it is triggered by ionizing particles naturally present in the environment. In another context, that of crypto-processors, it could instead be used to protect the device from fault injection attacks. Indeed, if all the parts of the IC containing the secret data are more sensitive to latchup than to upsets, it will be impossible for attackers to retrieve the key with fault injection attacks. This paper describes how to design a crypto-processor with such features, and how to verify its properties.

power is removed or the device fails due to thermal runaway. If a current limitation is applied to the supply of the circuit, it becomes functional again after switching power off and on. The level of charge able to trigger the event depends strongly on the position of the VCC and ground contacts in the component. IC manufacturers usually try to raise this level, because the mechanism can be triggered by the natural radiation environment (Single Event Latchup [2]), by electrostatic discharges or even by electromagnetic noise on the inputs/outputs. Nevertheless, the task is not easy and it is very common to find ICs on the commercial market that are very sensitive to latchup. That is the reason why users of circuits in severe radiation environments (such as space) have to carry out a systematic screening of the commercial components they use. Here, a way to exploit latchup to protect the data contained in a crypto-processor from fault injections is presented, the conditions to ensure this protection are described, and some examples of circuits are proposed and tested. The crypto-processor as a whole (or at least the part containing the bits of the secret key) is made with a CMOS process chosen to be deliberately latchup sensitive, with a triggering threshold low enough that it will be impossible to inject faults (change bit states) without triggering latchup: in the case of fault injection by any means, the parasitic structure will be triggered, leading to an abrupt rise of the supply current of the circuit. A simple circuit monitoring and limiting this current (as applied in circuit boards for space) will prevent the destruction of the circuit. The crypto-processor will no longer be functional until it is powered off and on, making any data read-out impossible. In fact the

1. Introduction
A new class of threat appeared recently, aiming at extracting the data contained in a crypto-processor by injecting faults while analyzing the outputs obtained. The methods of fault injection are various (temperature, voltages, glitch, particles), but those seen today as the most dangerous are the ones that allow faults to be injected in precise locations of the device (for example in the SRAM memory part where the secret key is stored during operations) [1]. Attacks using laser or ion micro beams fall into this category. As described by F. W. Sexton [2], latchup is a mechanism potentially present in any CMOS structure. It results from the triggering of a parasitic thyristor, which develops a low-resistance path and a high current between power and ground. Once latched, this high current condition will continue until

13th IEEE International On-Line Testing Symposium (IOLTS 2007) 0-7695-2918-6/07 $25.00 2007

idea is to combine a latchup-sensitive crypto-processor with current-limiting circuits in order to detect and prevent the attack. All the methods to inject faults in ICs, in a precise location or not, will probably trigger latchup in a sufficiently sensitive component, since it is the cause of the fault (the introduction of charges inside bits) which triggers it. We will show that it is possible at least to design or select circuits protected by latchup from attacks by continuous or pulsed laser and by ionizing particles.

2. Attacks of crypto-processor by fault injections


2.1. Crypto-processor
Digital data protection has always been done by coding data with a key, which must imperatively remain secret. A crypto-processor is a processor dedicated to the operations of cryptography (coding and decoding data with the secret key). It is usually made up at least of:
- a non-volatile memory which permanently stores the keys when power is down,
- a buffer memory (for example SRAM or D flip-flop) into which the key is loaded by the operating system during power on, and where it remains during deciphering,
- a combinational part (microcontroller or microprocessor core) able to carry out the operations of coding and deciphering the messages using the secret key.

2.2. Principle of key extraction by fault injection:


In digital electronic components, data is stored and carried by charges, more exactly by electron-hole pairs which are trapped or directed within silicon by the action of electric fields. The MOS transistor, the elementary structure of all digital electronic components, can be viewed as a switch that allows or prevents the transfer of charges from its source to its drain, depending on the voltage applied to its gate. The attack of a crypto-processor by fault injection consists in injecting charges locally in order to modify the information stored. The analysis of the corresponding response (outputs) of the crypto-processor gives the attackers information enabling them to reduce the number of possible combinations and then to identify the key more quickly. The more precise the attack, spatially and temporally, the easier the deduction.

Various techniques of fault injection exist [3], with variable difficulties of implementation, the most effective being fortunately the most difficult to implement.

1- The simplest techniques inject faults in a random way in the component: this is the case of an attack by temperature rise, by electromagnetic (radar, microwave, radio) waves, or by nuclear particles (heavy ions, neutrons, protons). In these 3 cases, the attack disturbs the component as a whole, and even if it is possible to determine an area, it is impossible to target one or even several bits. Nevertheless, with a very powerful mathematical treatment, it is possible to exploit the results of the attack. These kinds of attacks are very easy to implement because they do not require any access to the die and can be carried out from far away, but the analysis of the results is very difficult to perform.

2- Slightly more sophisticated attacks use the inputs/outputs of the circuit, by disturbing the power voltages by means of a voltage generator. They can be conducted in phase (temporally) with the operating cycles and the clock of the circuit. The consequence of the attack is always rather random, which means that the number of combinations to try in order to extract the key remains high, but this technique is quite easy to implement if one has access to the circuit.

3- Lastly, the more powerful techniques make it possible to inject faults at selected times and with perfectly controlled localizations (in theory, one specific bit can be chosen). The attacker is then able, for example, to modify one by one the bits containing the key, or to interrupt a deciphering operation. This is the case of attacks by focused and pulsed laser [4] or micro beams of ions. These techniques are difficult to implement because they require high-level technologies and access to the die, i.e. the opening of the package.
To prevent this kind of attack, crypto-processor manufacturers set up more or less effective countermeasures against the opening of the package.

3. The latchup phenomenon and its application to crypto-processor protection


3.1. Latchup phenomenon description:
This event results from the triggering of a parasitic thyristor (p-n-p-n) structure inherent in CMOS inverters (cf. Figure 1). It consists of two bipolar transistors in a feedback loop configuration. If a sufficient quantity of charges is deposited in the substrate and near the reverse-biased well/substrate


junction, this structure can turn on and allow the passage of a strong current between the supply contact and the ground. If the current is not limited, it can induce irreversible damage and the component is permanently destroyed.

Figure 1: parasitic bipolar structures in a CMOS inverter

This phenomenon is particularly studied and observed in the case of the aggression, natural or not, of electronic components by particles: neutrons, protons or heavy ions (Single Event Latchup). Nevertheless, for the most sensitive components, it can also occur following an electrostatic discharge, a sharp variation of supply voltage or an electromagnetic perturbation. Figure 2 shows the typical evolution of the current in the structure as a function of the applied voltage. Vhold corresponds to a threshold: below its value, it is not possible to establish a latchup in the structure. Above its value, for a given voltage, there are two different current states:
- Part I: Low current, corresponding to the normal operation mode (blocked state of the thyristor)
- Part II: Unstable part, the thyristor structure is being triggered
- Part III: High current, corresponding to latchup (low impedance state of the thyristor)

When the operating voltage exceeds Vtrig, an electrical latchup is triggered.

latchup effect to protect the data stored in from fault injections. Indeed, if the latchup trigger threshold is low enough that it is impossible to modify information stored in the component by fault injection without triggering latchup, the data will be fully protected: in the case of a fault (charge) injection by any means, the parasitic structure will be triggered, leading to an abrupt rise of the supply current. If the current delivered by the power supply is monitored and limited, the destruction of the circuit will be avoided, but the circuit will no longer be functional, making any data read-out impossible. To make it work again, one has to switch the supply off, then on again. A latchup-sensitive crypto-processor combined with a current-limiting circuit is then able to detect and prevent the attack: the crypto-processor itself is used as a detector of the attack.

To summarize:

1- The parts of the crypto-processor susceptible to attack by fault injection will be chosen or manufactured so that their latchup triggering threshold (in terms of charge deposition) is slightly lower than the threshold to change the state of the bits. The areas which are interesting to make sensitive to latchup are in particular:
- the buffer memory (protection against fault injection of category 1, 2 and 3 described in part II.B)
- the combinational part (protection against fault injection of category 1, 2 and 3 described in part II.B)
- inputs/outputs (I/O) (protection against fault injection of category 2 described in part II.B)

2- The power supply of the circuits will be monitored and the current delivered will be limited.

We will now show that it is possible to find such parts on the commercial market or to manufacture them on purpose.

4. The demonstration of feasibility


4.1. CMOS technologies more sensitive to latchup than to bit flips are available

Figure 2: static I(V) latchup curve (regions I, II and III)

3.2. A way to protect crypto-processors from fault injection:


Here, we would like on the contrary to exploit

CMOS technologies more sensitive to latchup than to upsets are not exotic. In fact, they can easily be found on the commercial market. Most electronic components used in the space environment are tested with heavy ions prior to their use on board satellites, and the databases of test results are available (NASA, JPL, ESA databases). One example of this type of result for various SRAMs is shown in Table 1.


Table 1: Summary of SEE test results ([5])

contact and L the distance to the well contact (cf. Figure 3)

The ionizing power of heavy ions is measured with LET (Linear Energy Transfer), which represents the charge deposited per unit of length inside the component. The threshold LET is the minimum LET for which latchup is triggered. For the technologies presented here, the threshold LET for bit-flip (called SEU, Single Event Upset) is typically between 1 and 10 MeV/cm2-mg. As a consequence, the five last components are probably naturally protected from fault injection. The devices presented here are extraordinarily sensitive, but it is also possible to find very sensitive microcontrollers (one example is described in part B). It is usually estimated that currently (for 0.18 µm and 0.13 µm technologies), approximately 10% of the components on the market are latchup sensitive. In fact, a few crypto-processors are certainly already protected!

Figure 3: Well and substrate resistances in the CMOS inverter

A larger V will more easily trigger the source/well junction. Thus, for larger values of L (that is, an impact far from the well contact), the bipolar transistor turns on more easily [6] [7] [8]. This confirms that, from the manufacturer's point of view, the design of the device layout (mainly the positions of the Vcc and GND contacts) can be adjusted to increase the sensitivity to latchup. Regarding the possible adjustment of electrical parameters to favour latchup, one can use voltage. Indeed, another interesting property is that the latchup threshold diminishes when the applied voltage increases. On the contrary, the upset threshold is higher when the applied voltage increases, since the critical charge necessary to flip the bit is increased. So, for a given IC whose latchup threshold is higher than its upset threshold, an increase of the applied voltage makes it possible to obtain the protective property. For instance, in [9], the authors report an important increase of the latchup sensitivity of a microprocessor when the power supply voltage was changed from 4.5V to 5.5V.

4.2. Manufacturing on purpose or adjusting electrical parameters


A manufacturer will certainly be able to tune the process parameters to make a technology sensitive. Indeed, 3D device simulation shows that the sensitivity to latchup greatly depends on:
- the positioning of VCC and ground contacts,
- the doping levels in the well/substrate,
- the presence or not of an epilayer,
- the electrical and thermal environments.

The first point will be detailed: latchup is based on the coupled triggering of two bipolar transistors. The first one is triggered by the potential variation induced by the generated charges. The second one turns on due to the charges injected by the first bipolar transistor. In the case of charge creation inside the well, the triggering of the first bipolar transistor happens when the potential near the source is locally modified by the charges in the well that flow to the well contact. The potential variation due to this current is given by:

4.3. Monitoring of the power supply and current limitation:


The easiest way to avoid the destruction of a device due to latchup is to limit the supply current, using, for example, a resistor. The circuit performing this function is well known from accelerated testing of Single Event Latchup due to ionising radiation. A schematic of a latchup detection circuit is shown in Figure 4, and the way the latchup detection works is presented in Figure 5.

$V = R_W \cdot I = \dfrac{\rho \cdot L}{S} \cdot I$, where $\rho$ is the resistivity of the well, $S$ the section, $I$ the current flowing to the well


established for simulation of various SEE effects: Single Event Upset, Single Event Transient, Single Event Burnout, and Single Event Latchup. This facility has the same characteristics as the one dedicated to crypto-processor attacks. The facility is described in Figure 6: the wavelength of the laser is 1.06 µm, and the pulse duration is 600 ps. The laser is focused by a lens, and the spot size diameter is 4 µm.

Figure 4: Schematic of the latchup detection part of the test board

Figure 5: Schematic of the latchup detection in the test board

The circuit monitors the supply current of the IC. When its value exceeds a threshold value, the current is held at that value (for a time defined prior to the test). If the current remains at the threshold value, it indicates that the increase of the current is due to a latchup, and not to a normal operation of the IC such as a write cycle. The next step is then to switch off the device. Finally, the power is switched on again and the IC returns to a normal current state.
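The detection sequence described above (clamp at a threshold, hold, decide, power-cycle), as an added simulation that is not code or data from the paper. The `Device` model, the current values, the tick-based timing and the parameter names `limit_ma`, `hold_ticks` and `off_ticks` are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Constructed model of the monitored IC; every value here is illustrative."""
    idle_ma: float = 20.0
    write_ma: float = 80.0        # short peak drawn during a write cycle
    latched_ma: float = 400.0     # what the parasitic thyristor would draw
    write_ticks: frozenset = frozenset()
    injection_ticks: frozenset = frozenset()
    latched: bool = False

    def demand(self, tick: int, powered: bool) -> float:
        """Current the device tries to draw at this tick."""
        if not powered:
            self.latched = False  # removing power releases the thyristor
            return 0.0
        if tick in self.injection_ticks:
            self.latched = True   # injected charge triggers latchup
        if self.latched:
            return self.latched_ma
        return self.write_ma if tick in self.write_ticks else self.idle_ma


def monitor(device, ticks, limit_ma=60.0, hold_ticks=3, off_ticks=2):
    """Run the limiter/monitor for `ticks` samples.

    Returns (events, trace): events is a list of (tick, kind) with kind in
    {"transient", "latchup", "power_on"}; trace is the limited supply current.
    """
    events, trace = [], []
    powered, over, off_left = True, 0, 0
    for t in range(ticks):
        if not powered:
            device.demand(t, False)
            trace.append(0.0)
            off_left -= 1
            if off_left == 0:
                powered = True
                events.append((t, "power_on"))
            continue
        current = min(device.demand(t, True), limit_ma)  # limiter clamps the supply
        trace.append(current)
        if current >= limit_ma:
            over += 1
            if over >= hold_ticks:       # still at the limit after the hold time
                events.append((t, "latchup"))
                powered, off_left, over = False, off_ticks, 0
        else:
            if over:                     # fell back on its own: normal activity
                events.append((t, "transient"))
            over = 0
    return events, trace


def demo():
    """Constructed scenario: a two-tick write burst, then one injected fault."""
    dev = Device(write_ticks=frozenset({5, 6}), injection_ticks=frozenset({12}))
    return monitor(dev, 25)


if __name__ == "__main__":
    for tick, kind in demo()[0]:
        print(tick, kind)
```

The hold time has to exceed the longest legitimate current peak (here the two-tick write burst), otherwise normal activity would power-cycle the device.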

Figure 6: schematic of the EADS laser test facility

The main features of this facility are:
- An industrial design: its components are widely used and robust.
- The facility is compact and eye safe: the beam is guided into an optical fiber.
- A fully automated bench: a motorized attenuator is used to change the laser energy and the DUT is placed on XYZ motorized stages. A CCD camera makes it possible to visualize the DUT and the laser spot. The whole facility is driven by a computer.
- A quick sample preparation of ICs: it requires only a localized opening of the package and, for backside testing, no wafer thinning is needed.

The test board monitoring the circuit is able to write a pattern in the DUT (Device Under Test), wait for the laser shot, then read the potentially modified pattern in the IC, and monitor the power supply of the circuit as described in part IV C. When a latchup is detected, the power supply is switched off and on again.

3- Upset and latchup sensitivity mapping for 2 commercial circuits

One of the major advantages of the laser is its ability to precisely localize the sensitive areas of a device. Laser mappings have been performed on different SRAMs. A mapping consists in scanning a part of a device with given steps along the X axis and Y axis. For each step of the scan, the laser energy is adjusted to reach the threshold of the event(s) (cf. Figure 7). In

4.4. Validation by laser fault injections


1- Introduction: The component can be chosen in a radiation database, manufactured on purpose, or selected through real laser fault injection. In all cases, it will be necessary to identify by laser the sensitive areas of the component and to check that the protection of the data is really achieved. From a theoretical point of view, a laser with an appropriate wavelength (<1.1 µm) is able to interact with silicon and to create electron/hole pairs (charges) in it.

2- Presentation of EADS France laser facility: EADS France has set up a laser facility dedicated to the industrial testing of Single Event Effects (events induced by ionising particles) in electronic components. The suitability of this laser facility has already been


the case of SRAMs, both upsets and latchup were investigated at the same time. Results will be presented for two different commercial ICs, widely used in different types of applications: the first one which presents an upset threshold lower than the latchup threshold (8 bit PIC microcontroller), the second one with the inverse property (4 Mbit SRAM).


Figure 8: physical mapping of logic address inside the memory of the PIC microcontroller. The same colour corresponds to the same logic word.

Here, one can note that the 8 bits of the same word are scattered in the memory. This information can be very useful when one wants to know whether several bit flips can occur in the same logic word, for example in the case of particle ionisation (SWMBU, Single Word Multiple Bit Upsets). Indeed, in the case of SWMBU, usual error correction codes are inefficient.
Figure 9 shows the results of a scan on a surface of 200 µm by 200 µm, which represents around 2 bits by 2 bits. The left part of the figure shows, with a colour scale, the laser energy necessary to flip a bit at each position. The separation of each bit can be clearly seen. The right part shows the same scanned surface, but this time it is the laser energy necessary to trigger latchup that is shown. The pink and red areas are the most sensitive, the dark ones the least sensitive. From this figure, it can be seen that the memory part of this microcontroller is naturally sensitive to latchup when used at nominal voltage. But the energy (quantity of charge deposited per unit length) required to trigger latchup is, for every position, higher than the energy required to flip (or upset) the bit.

Figure 7 : Schematic of a laser mapping

4.5. Commercial PIC Microcontroller


The first IC tested is the memory part of an 8-bit PIC microcontroller. The technology is not known. The power supply is 5V. The architecture of the memory of the microcontroller can be revealed by laser mapping: the memory is first written with a known pattern, for example all ones. If the laser energy is above the upset threshold of the bits, then a bit-flip occurs and is detected by the test board by reading the memory content. The address of the bit which has been flipped is stored together with the laser position. Later on, a reconstruction of the memory architecture and logic addressing can be done. Figure 8 shows the physical implementation of logic addresses in the memory of this microcontroller, as revealed by laser testing.

Figure 9 : Mapping of the Laser Energy necessary to trigger the event (bit flip or upset on the left side, Latchup on the right side) for PIC microcontroller


As a consequence (but with a lot of luck, since the difference is not so big!), even if latchup exists in this IC, an attacker still has a chance to flip bits by fault injection attacks without triggering the protective effect of latchup.

4.6. Commercial 4 Mbit SRAM:


The second IC tested is a 4 Mbit SRAM memory, based on a 0.35 µm 6T CMOS technology. The power supply is 5V. For this memory, a technological analysis has been carried out.
Figure 10 presents a view of the frontside of the device.

The shape of the memory cell (6T) is highlighted. It also indicates that the distance between two Vcc (or ground) rails is about 8 µm.

Additional comments: From Figure 11, this memory shows two different types of latchup sensitive areas: the one at the top, which corresponds to a part of the memory array, and the one below, which corresponds to driving circuits around the memory plane. The most sensitive position is located in the memory cells (the laser energy required to trigger latchup is lower in the memory cells than in the peripheral parts). Regarding the latchup area corresponding to bit positions, in Figure 12 the laser latchup threshold mapping is superimposed on the picture of the device at the silicon level. This clearly shows that each latchup sensitive area is common to several bits (at least 14 cells). This seems to be due to the fact that these cells share the same well.


Figure 10: Frontside view of the 4 Mbit SRAM.

Following the same principle as in Figure 9, Figure 11 presents a 50 µm × 50 µm laser energy threshold mapping of the memory. The left part shows the upset mapping and the right part shows the latchup mapping. Only a few points of the scanned area are detected as sensitive to upsets. This is because the memory exhibits such a high sensitivity to latchup that almost all the positions have a latchup threshold lower than the upset threshold (an upset cannot be detected when latchup occurs). This memory is fully protected from fault injection attack, since the fault injection will automatically trigger latchup before bit-flip.
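The comparison made for the PIC microcontroller and for the 4 Mbit SRAM, upset threshold against latchup threshold at every scan position, can be written as a check over the two threshold maps. This is an added example, not code or data from the paper: the grids are constructed, the energies are in arbitrary units, `None` is an assumed convention for "event not observed at this position", and the function names are hypothetical.

```python
def exposed_positions(upset, latchup):
    """Scan positions where a bit flip is reachable below the latchup threshold.

    Both arguments are row-major grids of threshold energies (arbitrary units);
    None means the event was not observed at that position.
    """
    if len(upset) != len(latchup) or any(
        len(u) != len(l) for u, l in zip(upset, latchup)
    ):
        raise ValueError("upset and latchup maps must have the same shape")
    exposed = []
    for y, (u_row, l_row) in enumerate(zip(upset, latchup)):
        for x, (u, l) in enumerate(zip(u_row, l_row)):
            if u is None:
                continue                 # no upset seen, or masked by latchup
            if l is None or u < l:
                exposed.append((x, y, u, l))
    return exposed


def summarize(upset, latchup):
    """Protection verdict for one scanned area."""
    exposed = exposed_positions(upset, latchup)
    total = sum(len(row) for row in upset)
    # Ratio latchup/upset at exposed positions: how far the latchup threshold
    # would have to come down (for instance by raising the supply voltage,
    # section 4.2) before latchup fires first at that position.
    ratios = [l / u for _, _, u, l in exposed if l is not None]
    return {
        "protected": not exposed,
        "exposed_fraction": len(exposed) / total if total else 0.0,
        "worst_ratio": max(ratios) if ratios else None,
    }


# Constructed maps, not measurements.
# Device A: latchup exists but upsets always come first (small margin).
A_UPSET = [[1.0, 1.1], [0.9, 1.0]]
A_LATCHUP = [[1.3, 1.2], [1.2, 1.3]]
# Device B: latchup comes first nearly everywhere; one position still shows
# an upset and no latchup, so it is flagged for review.
B_UPSET = [[None, None, None], [None, 2.0, None]]
B_LATCHUP = [[0.4, 0.5, 0.4], [0.5, None, 0.6]]
# Device C: latchup masks every upset in the scanned area.
C_UPSET = [[None, None], [None, None]]
C_LATCHUP = [[0.4, 0.5], [0.5, 0.4]]

if __name__ == "__main__":
    for name, u, l in (("A", A_UPSET, A_LATCHUP),
                       ("B", B_UPSET, B_LATCHUP),
                       ("C", C_UPSET, C_LATCHUP)):
        print(name, summarize(u, l))
```

A verdict of "protected" only covers the scanned area and the supply voltage used during the scan, since both thresholds move with voltage.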

Figure 12: Threshold energy laser mappings (25 µm × 25 µm) of latchup for 4 Mbit SRAM, and correspondence with layout

From Figure 12, the distance between two identical sensitive areas can be measured (8 µm). It has to be correlated with the distance between two Vcc (or ground) rails.

5. Sensitivity to the Natural Radiation Environment


It has already been pointed out that the parasitic structure involved in latchup can also be triggered by the Natural Radiation Environment (NRE). Therefore, a compromise should be found in order to have a fully protected device, whose parasitic structure is triggered each time an injection attack is performed but which is not too sensitive to the NRE. In this part, the example of the commercial 4 Mbit SRAM presented in part IV is taken. It has already been shown that this device is fully protected against injection attacks. Its sensitivity to the Natural Radiation Environment was characterized under beam. The neutron latchup saturated cross section is close to 3×10⁻⁹ cm². Taking into account that, at ground level, the flux of neutrons is 20 /cm²/h, the Soft Error Rate (SER) can be evaluated. It corresponds

Figure 11: Mapping of the Laser Energy necessary to trigger the event (bit flip or upset on the left side, Latchup on the right side) for 4 Mbit SRAM


to the number of latchups that can be triggered in one hour: SER = Flux (/cm²/h) × cross section (cm²) = 6×10⁻⁸ /h. In other words, one latchup is triggered by the NRE at ground level every 1900 years. Finally, this shows that the device is still a good choice since, on one hand, it is fully protected against injection attack and, on the other hand, the NRE does not trigger latchup in an untimely way.

[1] A. Merle et al., Security testing for hardware products: the security evaluations practice, 11th IEEE International On-Line Testing Symposium, 6-8 July 2005.
[2] F. W. Sexton et al., Destructive Single-Event Effects in Semiconductor Devices and ICs, IEEE Trans. Nucl. Sci., vol. 50, no. 3, pp. 603-621, June 2003.
[3] H. Bar-El et al., The sorcerer's apprentice guide to fault attacks, Proceedings of the IEEE, vol. 94, issue 2, pp. 370-382, Feb. 2006.
[4] Sergei P. Skorobogatov et al., Optical Fault Induction Attacks, http://www.cl.cam.ac.uk/~sps32/ches02optofault.pdf
[5] T. E. Page et al., Extreme latchup susceptibility in modern commercial-off-the-shelf (COTS) monolithic 1M and 4M CMOS static random-access memory (SRAM) devices, 2005 IEEE Radiation Effects Data Workshop, Seattle, 11-15 July 2005.
[6] P. Fouillat, Contribution à l'étude de l'interaction entre un faisceau laser et un milieu semiconducteur. Application à l'étude du latchup et à l'analyse d'états logiques dans les circuits intégrés en technologie CMOS, PhD report, University of Bordeaux I, France, 1990.
[7] G. Bruguier et al., Single particle-induced latchup, IEEE Trans. Nucl. Sci., vol. 43, pp. 522-532, April 1996.
[8] A. H. Johnston, The influence of VLSI technology evolution on radiation-induced latchup in Space Systems, IEEE Trans. Nucl. Sci., vol. 43, pp. 505-521, April 1996.

6. Conclusion and Discussion


We have shown that it is possible to find on the commercial market, or to manufacture on purpose, Integrated Circuits comprising a crypto-processor based on CMOS technology and a latchup detection circuit, which react to a fault injection by the triggering of a parasitic thyristor (latchup) before any information can be extracted. This has been proved to be valid for attacks by ionizing particles (heavy ions, neutrons, protons) and by focused pulsed laser beam. Regarding laser attack, it will also be valid for lasers of different wavelength and pulse duration (even continuous), since [6] has shown that latchup is also easily triggered by a continuous 0.532 µm laser. Further work will have to be done to show the efficiency of this kind of protection against electromagnetic perturbation or voltage glitches through inputs/outputs, but it should be effective, since latchup is also known to be easily triggered in these circuits [6].

Another point to be looked at is the reliability of such a circuit. We have shown that it is quite easy to prevent the destruction of the IC by current limitation, but an optimization has to be made, since the latchup effect should not be triggered too often by the natural environment. For example, it is known that temperature can increase latchup sensitivity, and the combined effect of high temperature and electromagnetic perturbation by an antenna may be able to trigger the effect in an overly sensitive circuit. That is why further studies and sensitivity optimization (for example by voltage adjustment under laser testing) have to be done to prove the interest of the proposed protection.

This method of protection for crypto-processors against attacks by fault injection is protected by an EADS patent (FR 2006 051681).

[9] D. K. Nichols et al., An observation of proton-induced latchup, IEEE Trans. Nucl. Sci., vol. 39, pp. 1654-1656, 1992.

7. References
