Chip Device and Method for a Randomized Logic Encryption

Abstract

A chip device with a logic circuitry (105) protected by a randomized logic encryption based on a key (K) for preventing a designated usage of the logic circuitry (105) by an unauthorized user comprises: a physically unclonable function, PUF, (110), a storage (120), and a chip enabler (130) with one or more registers (132). The physically unclonable function, PUF, (110) is configured to generate a device-individual response (Re) based on a challenge (Ch). The storage (120) has stored the challenge (Ch) and a data element (C), the data element (C) being an encryption of the key (K) with the response (Re) of the PUF (110) as encryption key. The enabler (130) is configured to enable the logic circuitry (105) for the designated usage only, when the key (K) is transferred to the register(s) (132), the key (K) being a decryption of the data element (C) with the response (Re) as the encryption key.

Claims

1. A chip device with a logic circuitry protected by a randomized logic encryption based on a key for preventing a designated usage of the logic circuitry by an unauthorized user, the device comprising: a physically unclonable function (PUF) being configured to generate a device-individual response based on a challenge; a storage having stored the challenge and a data element, the data element being an encryption of the key with the response of the PUF as encryption key; and a chip enabler with one or more registers, the enabler being configured to enable the logic circuitry for the designated usage only, when the key is transferred to the register(s), the key being a decryption of the data element with the response as the encryption key.

2. The device according to claim 1, wherein the chip enabler includes cryptographic module and/or a processing unit to perform the decryption of the data element to generate the key.

3. The device according to claim 1, wherein the logic circuitry comprises regular gates and a plurality of logic key gates defining the logic encryption, wherein the logic encryption is defined in that the designated usage is enabled only if bits of the key in the register(s) are correctly received by the logic key gates, which are connected to the register(s).

4. The device according to claim 1, wherein the device comprises an additively manufactured component and the PUF is included in at least a part of the component, the additively manufactured component having a device-specific microstructure resulting in a device-specific characteristic, wherein the response of the PUF depends on the device-specific characteristic.

5. The device according to claim 4, wherein the additively manufactured component is at least one of the following: a packaging, a circuit board, a soldering layer, or an encapsulation.

6. The device according to claim 4, wherein the component includes an additive manufactured electric circuitry with at least one of the following additively manufactured elements: a capacitor, a coil, a resistor, a stripline, a microstrip, whose electric characteristics is device-specific due to the additive manufacturing.

7. The device according to claim 2, where the device-specific characteristic is defined by one or more of the following: a form factor, a movement, resistive values, latency or phase shifts, complex impedance values, a resonance circuit or its resonance frequency, or electromagnetic radiation or shielding thereof.

8. The device according to claim 4, where the device-specific characteristic is defined by one or more of the following optical identifications: unique label inprint, intended error pixel, or inprinted optical light source.

9. The device according to claim 1, further comprising at least one finite state machine configured to: utilize the PUF to generate the response from the challenge, and/or decrypt the data element using the response as key for the decryption.

10. The device according to claim 1, wherein the additive manufacturing includes an inkjet process or a laser sinter process, configured to form dielectric structures and electrically conductive structures.

11. A method for protecting a logic circuitry by a randomized logic encryption based on a key for preventing a designated usage of the logic circuitry by an unauthorized user, the method comprising: generating, by using a physically unclonable function (PUF) a device-individual response based on a challenge; storing, in a storage, the challenge and a data element, the data element being an encryption of the key with the response of the PUF as encryption key; and enabling, by a chip enabler with one or more registers, the logic circuitry for the designated usage by transferring the key into the register(s), the key being a decryption of the data element with the response as the encryption key.

12. The method of claim 11, further comprising one or more of the following steps: generating the response of the PUF based on the challenge; encrypting the key with the response of the PUF as encryption key and providing a result as the data element; decrypting the data element be using the response of the PUF as decryption key.

13. A computer program product comprising program code for carrying out the method according to claim 11 when the program code is executed on a processing unit.

Description

BRIEF DESCRIPTION OF DRAWINGS

[0048] Various embodiments of the present invention will be described in the following by way of examples only, and with respect to the accompanying drawings, in which:

[0049] FIG. 1 depicts a chip device according to an embodiment of the present invention.

[0050] FIG. 2 illustrates the logic encryption implemented by embodiments in the chip device.

[0051] FIG. 3 illustrates the microstructures resulting from an additive manufacturing providing the randomness used in embodiments for the PUF.

[0052] FIG. 4 depicts stripline as an embodiment for the component in the chip device for implementing the PUF.

[0053] FIG. 5 shows a schematic flow chart for a method for protecting a logic circuitry by a randomized logic encryption.

DETAILED DESCRIPTION

[0054] Various examples will now be described more fully with reference to the accompanying drawings in which some examples are illustrated.

[0055] The terminology used herein is for the purpose of describing illustrative examples only and is not intended to be limiting. As used herein, the singular forms “a,” “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises,” “comprising,” “includes” and/or “including,” when used herein, specify the presence of stated features, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components and/or groups thereof.

[0056] Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which examples belong. It will be further understood that terms, e.g., those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.

[0057] FIG. 1 depicts an exemplary SoC device with a logic circuitry 105 that, according to embodiments, is protected by a randomized logic encryption based on a key K for preventing a designated usage of the logic circuitry 105 by an unauthorized user. In other words, the logic circuitry 105 is enabled only if the correct key K is received by the logic circuitry 105.

[0058] The SoC device comprises: a physically unclonable function, PUF, 110, a storage 120, and a chip enabler 130 with one or more registers 132. The physically unclonable function, PUF, 110 is configured to generate a device-individual response Re based on a challenge Ch. The storage 120 has stored the challenge Ch and a data element C, the data element C being an encryption of the key K (e.g. a logic locking key) with the response Re of the PUF 110 as encryption key. The enabler 130 is configured to enable the logic circuitry 105 for the designated usage only, when the key K is transferred to the register(s) 132, the key K being a decryption of the data element C with the response Re as the encryption key. Embodiments are applicable for any kind of chip devices. In particular, the chip device may be SoC (System on Chip) device or part thereof.

[0059] The underlying logic encryption scheme utilized in embodiments can be summarized as illustrated in FIG. 2. The purpose of the Logic Encryption (LE) (logic locking/obfuscation) is to protect the integrity of a hardware design throughout the IC supply chain. LE is based on the insertion of additional gates into a gate-level netlist (NL) to mask the original functionality and structure of a design, by locking it with a secret key K.

[0060] In detail, FIG. 2 depicts an example where additional key gates KG0, KG1 are inserted in a design with regular (logic) gates G0, G1, G2, . . . G5. It is understood that the number of regular and key gates can be arbitrary. The regular gates G0, G1, . . . are adapted to provide the designated purpose of the underlying chip, i.e. generating desired output signals O1, O2 based on a set of input signals (values) I1, I2, . . . .

[0061] For example, a zeroth regular gate G0 receives two input values I2 and I3 and produces an output value which is received by a second gate G2 and by a third gate G3. The second gate G2 receives as further input the input signal I1. The third logic gate G3 receives as further input the output of a first logic gate KG1 which receives as input values a second key value KI2 and the output value of a first logic gate G1. The first logic gate G1 receives as input a fourth input signal 14 and a fifth input signal IS. The output of the second logic gate G2 is input into a zeroth key gate KG0 which receives as further input the first key value KI1. The output of the zeroth key gate KG0 is, together with output of the third logic gate G3, received by the fourth gate G4 which produces the first output value O1. The output of the third logic gate G3 is received by the fifth gate G5 which receives as second input the output of the first logic gate G1. The output of the fifth gate is the second output value O2.

[0062] Therefore, even if the gates are all known (e.g. by a reverse engineering) the correct (designated) functioning of the circuitry is obfuscated by the key gates KG0, KG1. Without the correct key values KI1, KI2 the circuitry would not work correctly. In other words, the chip can only be activated with the correct key values KI1, KI2, . . . stored at a designated place and provided correctly to the chip. The plurality of key values KI1, KI2, . . . define the logic encryption key (LEK) which will be denoted here and in the following by K.

[0063] This key K should by stored at a secure place. At startup, the key K may be read from the storage (e.g. via a finite state machine, FSM) and transferred, e.g. into dedicated registers, which are connected to the key gates KG0, KG1, . . . . Therefore, by protecting the key K the functionality of the device can be kept secret.

[0064] This procedure will mitigate at least some of the previously mentioned attack scenarios AS: [0065] As for AS-1a: As long as the key K is kept confidential during production of the chips, hardware trojans (HT) insertion can be prevented by the LE. [0066] As for AS-1b: An attacker may access the key K from a first round of produced chips and then insert the HT when the (n+1)th round is produced. [0067] As for AS-2{a,b}: An attacker may retrieve the K and activate/overbuild a chip. [0068] As for AS-3a: A fault E injected on Slot 1 can propagate and K⊕E may be analyzed, because small variations of two distinct faults Ei and Ej are directly “forwarded”. [0069] As for AS-3b: With the learning from AS-3a, the fault attacks may be re-produced for the (n+1)th round SoCs.

[0070] Therefore, embodiments implement an additional security measure by using a physical unclonable function (PUF). A PUF is a physical object that for a given input and conditions (denoted by challenge), provides a physically-defined “digital fingerprint” output (response) that serves as a unique identifier. The PUF according to embodiments map unique variations of at least one additively manufactured component (e.g. an electronic structure) of the chip device to a digital output, wherein unique physical variations that occur during an additive manufacturing process are utilized. For this, according to embodiments, the component with the PUF may be integrated at various places, such as: in the packaging or in an encapsulation of the chip or in the circuit board support of the chip or in a solder layer or an interposer connecting the chip.

[0071] The additive manufacturing process utilized in embodiments may rely on the technology for “additive manufactured electronics” (AME) of 3D-printed electronics for additive circuit boards (ACB). According to embodiments, various additive manufacturing processes may be utilized such as the inkjet printing or the laser sintering, which both allow for a manufacturing of conductive and dielectric structures to produce, e.g. a desired electronic circuit.

[0072] The inkjet printing (so-called inkjet process) may use a conductive and a non-conductive functional fluid (e.g. ink), which are additively applied to a carrier and processed into a three-dimensional structure. For example, a photopolymer fluid may be used as ink for non-conductive structures and a fluid with nanoparticle (e.g. of silver) may be used as ink for conductive structures. Theses fluids are added layer by layer. Each layer may be cured by an irradiation with an ultraviolet light or other suitable radiation. The result is a three-dimensional solid that was additively manufactured in layers.

[0073] The laser sintering process may utilize the so-called “low-temperature cofired ceramic” (LTCC) process. This process is based on low-sintering flexible ceramic foils, wherein the foils are first structured mechanically and printed, laminated and then sintered at approx. 850 to 900° C. The result is a highly integrated, three-dimensionally networked multilayer board made of ceramic. Further processing may use known layer, bond or SMD technologies (SMD, surface mounted devices). The carrier material here is ceramic. Its stability enables a high-quality connection and packing system.

[0074] In both processes, the electronic structure is build-up from scratch to a complete 3D device. In particular, these additive manufacturing processes allow to integrate or embed a chip (such as SoC) into an additively manufactured packaging, for example. Or the chip may be mounted onto an additively manufactured board or may be encapsulated by an additively manufactured housing.

[0075] The conductive/isolating fluids in the ink jet process or the nanoparticle sintering of conductive functional fluids or the various postprocessing variants generate a unique nanoparticle structure in the final chip device. Each chip has a nanoparticle fingerprint and embodiment utilize this fingerprint for incorporating a PUF.

[0076] FIG. 3 illustrates the microstructures resulting from an additive manufacturing of an exemplary electronic structure that will be utilized for or includes the PUF. The additive manufacturing will always result in a microstructure that is not uniform, but is specific for the manufacturing process and will thus be different from manufactured structure to structure. For example, electrically conductive nanoparticles 310 are merged during the manufacturing leaving random cavities 320 between the merged nanoparticles 310.

[0077] Therefore, each additive manufactured conductive structure has its own specific microstructure. As a result, the electric characteristics of the conductive materials will be slightly different from chip to chip (or their additively manufactured component defining the PUF). Furthermore, in the additive manufacturing a full 3D-wiring can be implemented, no vertical interconnect accesses (VIAs) are needed, and thus 3D-printed lumped elements (capacitors, coils) can be generated. It is also possible to integrate or embed other electric components (e.g. active elements). For example, if a coil or a capacitor or a resistor is formed by this additive manufacturing, the resulting characteristics will be structure-specific and can be used as a physical unclonable function.

[0078] The physical unclonable function may be characterized by various circuits or structures. For example, the microstructure as depicted in FIG. 3 generates specific complex impedance values and thus specific resistance and/or capacitance and/or inductance values. This in turn, will provide a structure-specific resonance property for a resonant circuit. For example, the resonance frequency will differ from structure to structure. Since the structure is part of the chip device, this will likewise differ from device to device.

[0079] FIG. 4 depicts another embodiment of a component in the chip device that may be used to integrate the physical unclonable function 110. In this embodiment the additively manufactured component includes a stripline 410 embedded into dielectric material 420. Instead of stripline 410, microstrip configurations can also be used within the PUF 110. The stripline 410 is completely embedded into the dielectric material 420. Since the electric conductive strip 410 as well as the dielectric material 420 are formed by additive manufacturing, the propagation velocity of a high frequency signal along the stripline 410 will depend on the particular structure and thus on the chip device. The structure-specific propagation results in a specific latency (delay) in signal propagation and/or in a specific signal damping through the line.

[0080] The nanoparticle fingerprint influences thus the electric properties such as latency and phase shift of propagating signals, which may be measured, e.g. by comparing two signals propagating different paths. Likewise, the nanoparticle fingerprint modifies slightly electromagnetic radiation properties (e.g. shielding).

[0081] Likewise, the additive manufacturing produces slight variations in form factors or movements (e.g. characteristics of 3D-printed electric motors).

[0082] According to further embodiments, optical variations in optical characteristics may be further utilized for the physical unclonable function. For example, during the additive manufacturing a unique label may be imprinted into the chip device (for example in the packaging) which can be read out and used as an encryption for the logic encryption utilized within the present invention. A further optical identification would be the incorporation of intended error pixels or even an imprinted optical light source.

[0083] The concrete functioning of the PUF 110 can be summarized as follows. Let Ch.sub.i be a challenge of the j-th instance of a PUF (family). Each instance may be associated with a concrete realization in one chip device. The response is

Re.sub.i=PUF.sub.j(Ch.sub.i).  (1)

[0084] One main characteristic of the PUFs is that the Hamming distance for a challenge Ch.sub.1

Dist.sub.H(PUF.sub.i(Ch.sub.1),PUF.sub.j(Ch.sub.1)),  (2)

for i≠j is very large.

[0085] PUFs with small output size and input size W are called weak PUFs. In this case, an untrusted foundry could do a full characterization and could store all pairs {(Ch.sub.i, Re.sub.i)}, which are part of W for all chip devices, where W denotes the set of all possible values of input/output for weak PUFs. Strong PUFs, on the other hand, have a very large input/output space S, making characterization impractical and thus much more secure, i.e., {(Ch.sub.i, Re.sub.i)}.sub.i∈S, where |S|>>|W|.

[0086] According to embodiments, for a chip device “i” the following information is stored in the storage 120: [0087] ENC.sub.Rei (K), and [0088] (Ch, He)
wherein Re.sub.i is the response of the PUF.sub.i realized in the chip device “i” and is used as encryption key for the LEK “K”. The value He defines optional helper data for the key generation (to ensure high entropy, reproducibility, control, etc.). This information may be stored in different slots (e.g. a slot 1 and slot 2) of a storage 120.

[0089] Next, when the chip device shall be activated to perform the desired purpose, the following steps may be performed:

[0090] (1) Read C.sub.i←ENC.sub.Rei (K) and (Ch, He) from the storage, e.g. via FSM;

[0091] (2) Generate Rei←PUF.sub.i (Ch, He), e.g. via FSM;

[0092] (3) Decrypt K←DEC.sub.Rei (C.sub.i); e.g. via FSM in a dedicated HW module;

[0093] (4) Transfer K into dedicated registers (connected to the inserted gates),

wherein an optional finite state machine (FSM) may be employed.

[0094] According to embodiments, these steps may be performed as part of a method, wherein PUF.sub.i defines an execution of the implemented physical unclonable function using the challenge Ch. According to further embodiment, a processing unit and/or cryptographic hardware module which may or may not be part of the chip device may be configured to perform these steps.

[0095] In conjunction with the above-mentioned attack scenarios, embodiments provide the following advantages:

[0096] As for AS-1a: The key K (resp. ENC.sub.Rei (K)) is kept confidential during production of the chip device and one can rely on the resistance of the LE to prevent the insertion of hardware trojans.

[0097] As for AS-1b: The value ENC.sub.Rei (K) and the tuple (Ch,He) may be retrievable. However, the function to generate the corresponding Re.sub.i relies on the protection of the PUF 110, which is unknown or not reproducible. Thus, it is impossible to obtain the encryption key Re.sub.i needed to decrypt K.

[0098] As for AS-2{a,b}: An attacker may be replay ENC.sub.Rei(K) and (Ch,He). But it is impossible to rebuild the PUF function 110, other attacks would be needed.

[0099] As for AS-3a: The situation is similar to variant 1, i.e. for two distinct faults E.sub.i and E.sub.j with small Hamming distance distH (E.sub.i, E.sub.j) injected on slot 1, the Hamming distance:

dist.sub.H(DEC.sub.Rei(ENC.sub.Rei(K))⊕E.sub.i),DEC.sub.Rei(ENC.sub.Rei(K)⊕E.sub.j))

is very large. Therefore, fault attacks are very hard to “execute” (e.g. by trying all possibilities).

[0100] As for AS-3b: Embodiments improve the safety significantly when compared to the situation where the key K and/or the encryption of the key ENC(K) is the same for all devices. Even if the attacker infers information from an attack on a device A, according to embodiments, this information cannot be utilized for an attack on another device B (because of the PUF). Hence, the learning from AS-3a is smaller (than in Variant 1a), because ENC.sub.Rei (K) is unique to each device chip.

[0101] As a result, embodiments provide a reliable protection against all three attack scenarios.

[0102] FIG. 5 shows a schematic flow chart for a method for protecting a logic circuitry 105 by a randomized logic encryption based on a key K for preventing a designated usage of the logic circuitry 105 by an unauthorized user. The method includes: [0103] generating S110, by using a physically unclonable function, a device-individual response based on a challenge Ch; [0104] storing S120, in a storage 120, the challenge Ch and a data element C, the data element C being an encryption of the key K with the response Re of the PUF 110 as encryption key; [0105] enabling S130, by a chip enabler 130 with one or more registers 132, the logic circuitry 105 for the designated usage by transferring the key K into the register(s), the key K being a decryption of the data element C with the response Re as the encryption key.

[0106] It is understood that in further embodiments some or all functions implemented by the chip device as described before can be optional method steps in the method of FIG. 5. In particular, further optional steps may be: [0107] generating the response Re of the PUF 110 based on the challenge Ch; or [0108] encrypting the key K with the response Re of the PUF 110 as encryption key and providing a result as the data element C; or [0109] decrypting the data element C be using the response Re of the PUF 110 as decryption key.

[0110] The order of method steps shall only be limited by the condition that one method step can only be carried out if another step is performed in advance.

[0111] This method may also be a computer-implemented method. A person of skill in the art would readily recognize that steps of the above-described method may be performed by programmed computers. Embodiments are also intended to cover program storage devices, e.g., digital data storage media, which are machine or computer readable and encode machine-executable or computer-executable programs of instructions, wherein the instructions perform some or all of the acts of the above-described methods, when executed on a computer or processor.

[0112] The description and drawings merely illustrate the principles of the disclosure. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the disclosure and are included within its scope.

[0113] Furthermore, while each embodiment may stand on its own as a separate example, it is to be noted that in other embodiments the defined features can be combined differently, i.e. a particular feature descripted in one embodiment may also be realized in other embodiments. Such combinations are covered by the disclosure herein unless it is stated that a specific combination is not intended.

[0114] It is therefore clear that there is a plurality of possible variations. It is also clear that embodiments stated by way of example are only really examples that are not to be seen as limiting the scope, application possibilities or configuration of the invention in any way. In fact, the preceding description and the description of the figures enable the person skilled in the art to implement the exemplary embodiments in concrete manner, wherein, with the knowledge of the disclosed inventive concept, the person skilled in the art is able to undertake various changes, for example, with regard to the functioning or arrangement of individual elements stated in an exemplary embodiment without leaving the scope of the invention, which is defined by the claims and their legal equivalents, such as further explanations in the description.

LIST OF REFERENCE SIGNS

[0115] 105 a logic circuitry [0116] 110 physically unclonable function (PUF) [0117] 120 a storage [0118] 130 chip enabler [0119] 132 one or more registers [0120] 135 cryptographic module [0121] 310 merged nanoparticles [0122] 320 cavities or voids due to additive manufacturing [0123] 410 stripline, microstrip [0124] 420 additively manufactured dielectric material [0125] K logic encryption key [0126] Re (device-individual) response [0127] Ch challenge to trigger the response [0128] C data element