Takeshi Sugawara

Reversing Stealthy Dopant-Level Circuits

A successful detection of the stealthy dopant-level circuit trojan, proposed by Becker et al. at CHES 2013 [1], is reported. Contrary to an assumption made by Becker et al., dopant types in active region are visible with either scanning electron microscopy SEM or focused ion beam FIB imaging. The successful measurement is explained by an LSI failure analysis technique called the passive voltage contrast [2]. The experiments are conducted by measuring a dedicated chip. The chip uses the diffusion programmable device [3]: an anti-reverse-engineering technique by the same principle as the stealthy dopant-level trojan. The chip is delayered down to the contact layer, and images are taken with 1 an optical microscope, 2 SEM, and 3 FIB. As a result, the four possible dopant-well combinations, namely i p+/n-well, ii p+/p-well, iii n+/n-well and iv n+/p-well are distinguishable in the SEM images. Partial but sufficient detection is also achieved with FIB. Although the stealthy dopant-level circuits are visible, however, they potentially make a detection harder. That is because the contact layer should be measured. We show that imaging the contact layer is at most 16-times expensive than that of a metal layer in terms of the number of images.

Reversing stealthy dopant-level circuits

A successful detection of the stealthy dopant-level circuit (trojan), proposed by Becker et al. at CHES 2013 (LNCS 8086:197–214, 2013), is reported. Contrary to an assumption made by Becker et al. dopant types in active region are visible with either scanning electron microscopy (SEM) or focused ion beam (FIB) imaging. The successful measurement is explained by a technique called the passive voltage contrast (Rosenkranz J Mater Sci Mater Electron 22(10):1523–1535, 2011) which is used to analyze failures in large-scale integration (LSI). The experiments are conducted by measuring a dedicated chip. The chip uses the diffusion programmable device (Shiozaki et al. Diffusion programmable device: a device to prevent reverse engineering, IACR Cryptology ePrint Archive 2014/109 2014): an anti-reverse engineering technique by the same principle as the stealthy dopant-level trojan. The chip is delayered down to the contact layer, and images are taken with (1) an optical microscope, (2) SEM, and (3) FIB. As a result, the four possible dopant–well combinations, namely (i) p+/n-well, (ii) p+/p-well, (iii) n+/n-well and (iv) n+/p-well are distinguishable in the SEM images. Partial but sufficient detection is also achieved with FIB. Although the stealthy dopant-level circuits are visible, they potentially make a detection harder. That is because the contact layer should be measured. We show that imaging the contact layer is at most 16 times more expensive than that of a metal layer in terms of the number of images.

Two Operands of Multipliers in Side-Channel Attack

The single-shot collision attack on RSA proposed by Hanleyi¾?eti¾?al. is studied focusing on the difference between two operands of multipliers. There are two consequences. Firstly, designing order of operands can be a cost-effective countermeasure.We show a concrete example in which operand order determines success and failure of the attack. Secondly, countermeasures can be ineffective if the asymmetric leakage is considered. In addition to the main results, the attack by Hanley et al. is extended using the signal-processing technique of the big mac attack. An experimental result to successfully analyze an FPGA implementation of RSA with the multiply-always method is also presented.

On measurable side-channel leaks inside ASIC design primitives

Leaks inside semi-custom application-specific integrated circuit design primitives are rigorously investigated. The study is conducted by measuring a dedicated test element group chip with a small magnetic field probe on the chip surface. Measurement targets are standard cells and a memory macro cell. Leaks inside the primitives are focused, as many of conventional countermeasures place measurability boundaries on these primitives. Firstly, it is shown that the current-path leak: a leak based on input-dependent active current path within a standard cell (Takahashi 2012; Takahashi and Matsumoto IEICE Electron Express 9:458–463, 2012) is measurable. Major gate-level countermeasures [Random Switching Logic (RSL), MDPL, and WDDL] become vulnerable if the current-path leak is considered. Secondly, it is shown that the internal-gate leak: a leak based on non-linear sub-circuit within an XOR cell is measurable. It can be exploited to bias the distribution of the random mask. Thirdly, it is shown that the geometric leak: a leak based on geometric layout of the memory matrix structure is measurable. It is a leak correlated to integer representation (cf. Hamming weight) of the memory address. We also show that a ROM-based countermeasure (dual-rail RSL memory; Hashimoto et al. 2012) becomes vulnerable with the geometric leak. A general transistor-level design method to counteract the current-path and internal-gate leaks is also shown.

PUF as a sensor

The idea to use physical unclonable function (PUF) as a sensor is proposed. Environment-dependent behavior of PUF, which is conventionally unwanted, is used for sensing. Such PUF-based sensor has advantages over ordinary sensors. As a proof of concept, a voltage sensor is prototyped using an ASIC implementation of glitch PUF. The performance of the PUF-based sensor is evaluated by injecting pulses to power supply. The experiment emulates a hostile environment in which an attacker is attempting to inject fault. As a result, the PUF-based sensor successfully detects the injected pulses at high accuracy.