Powering an electronic system with an optical source to defeat power analysis attacks

Abstract

A device that is capable of eliminating a power trace that can be analyzed in a power analysis attack and serves as a highly effective countermeasure against power analysis attacks. The device comprising an optical source providing optical energy to an integrated circuit. An optical detector optically linked to the optical source and converts the optical energy from the optical source into electrical energy to power a secure circuit.

Claims

1. An electronic device constructed to prevent power analysis attack comprising: an optical source enabled to output optical energy to an optical detector in response to receiving a first electrical power from an electrical power source external to the electronic device; a secure circuit enabled to receive a second electrical power from the optical detector; the optical detector enabled to receive the optical energy and output the second electrical power to the secure circuit; a controller circuit configured to deliver the second electrical power to the secure circuit when the secure circuit is performing an operation that requires security; wherein the first electrical power is isolated from the second electrical power; wherein the first electrical power does not vary in response to the second electrical power when the secure circuit consumes the second electrical power; and wherein the second electrical power is contained within the electronic device and the electronic device is enabled to prevent access by an external probe to measure the second electrical power when the electronic device is operational.

2. The electronic device of claim 1, wherein the optical detector and the secure circuit are located on an integrated circuit die.

3. The electronic device of claim 1, wherein the optical detector and the secure circuit are located on different integrated circuit die.

4. The electronic device of claim 3, wherein the optical detector is on a first integrated circuit die, a secure circuit is on a second integrated circuit die, and further comprising an interconnection line connecting the optical detector and the secure circuit.

5. The electronic device of claim 4, wherein the electronic device is enabled to prevent access to the interconnection line by an external probe when the electronic device is operational.

6. The electronic device of claim 1, wherein the optical detector and the secure circuit are included in a three-dimensionally stacked integrated circuit.

7. The electronic device of claim 1, wherein the optical detector and the secure circuit are included in a 2.5 dimensionally stacked integrated circuit.

8. The electronic device of claim 1, wherein the optical detector and secure circuit are located in a system-in-package.

9. The electronic device of claim 1, further comprising a non-secure circuit, an interconnection line between the secure circuit and the non-secure circuit, wherein communications in the interconnection line is isolated by an isolation circuit, a power connection connected to the non-secure circuit, a ground connection connected to the non-secure circuit, wherein the power connection and the ground connection are isolated from the secure circuit.

10. The electronic device of claim 1, wherein the optical source is a laser.

11. The electronic device of claim 1, wherein the optical source is a light emitting diode.

12. The electronic device of claim 1, wherein the optical detector is a photovoltaic device.

13. The electronic device of claim 1, wherein the optical detector is a photodiode.

14. The electronic device of claim 1, further comprising transistors in the secure circuit.

15. The electronic device of claim 14, wherein switching of the transistors results in variations of the second electrical power.

16. The electronic device of claim 1, wherein the secure circuit implements encryption.

17. The electronic device of claim 1, wherein the secure circuit implements decryption.

18. The electronic device of claim 1, wherein the secure circuit contains a key.

19. The electronic device of claim 2, further comprising a plurality of electrical connections between the secure circuit and the optical detector.

20. The electronic device of claim 19, wherein the plurality of electrical connections are isolated within the integrated circuit die.

21. The electronic device of claim 1, further comprising at least one external connector for connecting the optical source to an electrical power source.

22. The electronic device of claim 2, wherein the integrated circuit die is included in a semiconductor device.

23. A method of operating an electronic device to prevent power analysis attacks, the method comprising: receiving a first electrical power from an external power source at an optical source enabled to output optical energy in response to receiving the first electrical power; outputting the optical energy by the optical source; receiving the optical energy by an optical detector enabled to output a second electrical power in response to receiving the optical energy; outputting the second electrical power by the optical detector; receiving the second electrical power at a secure circuit enabled to consume the second electrical power; wherein the first electrical power is isolated from the second electrical power, wherein the first electrical power does not vary in response to the second electrical power when the secure circuit consumes the second electrical power, wherein the second electrical power is contained within the electronic device and the electronic device is enabled to prevent access to the second electrical power when the electronic device is operational; and delivering, by a controller circuit, the second electrical power to the secure circuit when the secure circuit is performing an operation that requires security.

24. The method of claim 23, further comprising selecting between the first electrical power and the second electrical power to power the secure circuit.

25. The method of claim 24, wherein selecting between the first electrical power and the second electrical power occurs when the secure circuit is performing an operation requiring security.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The present disclosure is further described and explained in relation to the following figures of the drawings wherein:

(2) FIG. 1 is a block diagram of a prior art circuit with an encryption circuit portion and a power trace measurement device connected.

(3) FIG. 2A is a graph illustrating an exemplary power trace of the input current of the prior art circuit of FIG. 1 with an encryption circuit portion.

(4) FIG. 2B is a graph illustrating an exemplary power trace of the input current/wattage of an optical source powered circuit with an encryption circuit portion.

(5) FIG. 3 is a block diagram of an optical source powered circuit, constructed in accordance with a first embodiment of the present disclosure.

(6) FIG. 4A is a side view of the optical source powered circuit of FIG. 3, with through silicon vias.

(7) FIG. 4B is a perspective view of the optical source powered circuit of FIG. 3, with the optical detector embedded within a silicon die.

(8) FIG. 5 is a block diagram of an optical source powered circuit, constructed in accordance with a second embodiment of the present disclosure, having a power island.

(9) FIG. 6 is a perspective view of an optical source powered circuit, constructed in accordance with a third embodiment of the present disclosure.

(10) Like reference numerals are used to describe like parts in all figures of the drawings.

DESCRIPTION OF THE EMBODIMENTS

(11) FIG. 1 is a block diagram of a prior art circuit with an encryption circuit portion and a power trace measurement device connected. A prior art circuit 100 contains an encryption circuit 102. The encryption circuit 102 contains a key 104 that is required to perform the encryption/decryption of information using the algorithm implemented by the encryption circuit 102. A power line 108 and a ground line 110 together deliver current to the circuit 100 via pins 112. A measurement device 106, such as an oscilloscope, placed across the power line 108 and the ground line 110, is used to measure the amount of current delivered to the circuit 100.

(12) FIG. 2A is a graph illustrating an exemplary power trace of the input current/wattage of the prior art circuit of FIG. 1 with an encryption circuit portion. An exemplary power trace 202 for the circuit 100 as shown in FIG. 1 is measured by the measurement device 106. The power trace 202 has a y-axis of current and an x-axis of time. The power trace 202 fluctuates over time coinciding with the power drawn by the circuit 100. The fluctuations of the power trace 202 can be specifically linked to the current drawn by the encryption circuit 102. An attacker seeking to extract the key 104 used by the encryption circuit 102 examines the power trace 202 to make inferences about the computations made by the encryption circuit 102 by closely analyzing the fluctuations of the power trace 202. The attacker is further able to infer switching activity within the encryption circuit 102 by sending plaintext 116 or cipher text 118 into the encryption circuit 102. The attacker monitors the amount of switching activity that occurs by monitoring the amount of dynamic power drawn as reflected in the fluctuations of the power trace 202. Combining the information from the power trace 202 with the information from the plaintext 116 or cipher text 118 sent in, the attacker is able to extract the key 104.

(13) FIG. 3 is a block diagram of an optical source powered circuit, constructed in accordance with a first embodiment of the present disclosure. A circuit 300 contains a circuit portion 301 that contains information such as an encryption circuit 302 is powered by a laser 312. The circuit 300 may be part of an integrated circuit that contains other circuits that do not require protection from power-based side channel attacks. An encryption key 304 is stored within the protected encryption circuit 302. For example, the encryption key 304 can be stored in an EEPROM or a set with fuses. The encryption key 304 can also be generated by providing a challenge to a physically unclonable function (PUF). A user seeking to decrypt information produced by the encryption circuit 302 or encrypt data so that it looks like it was produced by the encryption circuit 302 needs the key 304. A user (and/or other parts of the circuit) communicates with the encryption circuit 302 by sending and/or receiving plaintext 316 or cipher text 318. The circuit section 301 can also store information (e.g. as a memory) that must remain secure where the stored information is protected by the encryption provided by the encryption circuit 302.

(14) In this embodiment, the power source is a laser. However, the power source is not limited to a laser. The power source can be an optical source that generates optical energy, such as a light emitting diode (LED) or natural light, including solar or artificial lighting. A semiconductor laser emitting in the 850 to 1600 nanometer (nm) wavelength region is an efficient optical source with efficiencies of 40% to 75% to serve as the power source. LEDs, although less efficient at efficiencies of approximately 20%, are becoming more efficient and can serve as a power source.

(15) Electrical power to the circuit 300 is typically obtained through connections to Vcc and Gnd (or Vss) delivered by a power line 320 and a ground line 322. The power line 320 and the ground line 322 are connected to the circuit 300 via a set of pins 314 that include at least a power pin 314a and a ground pin 314b. The pins 314 are in turn connected to the laser 312. The power line 320 and ground line 322 together deliver electrical power to the laser 312 from Vcc and Gnd. The laser 312 converts the electrical energy (i.e., energy made available by the flow of electric charge through a conductor) into optical energy and emits the optical energy in the direction of a detector 310. The detector 310 may be a photodiode or any other type of photo-sensitive device capable of converting optical energy into electrical energy with a current or voltage. The detector 310 may also be a pin detector, an avalanche photo detector (APD) or other types of semiconductor optical detectors. The detector selected should be matched to the emission wavelength range of the optical source. The current derived from the laser 312 by the detector 310 is used to deliver electrical power to the circuit via an internal power line 306 and an internal ground line 308. The internal power line 306 and the internal ground line 308 are embedded within the circuit and are not accessible by external probes to measure the value of the current being delivered through them.

(16) The electrical current delivered from Vcc and Gnd to the laser 312 through the power line 320 and ground line 322 is a constant value regardless of the actual power drawn by the components in the circuit 300. A measurement device 324, such as an oscilloscope, may be used to measure the amount of current traveling through the power line 320 and ground line 322. However, no information regarding the key 304 will be obtainable by the measurement of the amount of current traveling through the power line 320 and ground line 322 because it is not correlated to the circuit's switching activity.

(17) FIG. 2B is a graph illustrating an exemplary power trace of the input current of an optical source powered circuit with an encryption circuit portion. An exemplary power trace 204 measured by the measurement device 324 is shown in FIG. 3. The power trace 204 has a y-axis of current and an x-axis of time. The primary difference between the power trace 204 and the power trace 202 as seen in FIG. 2A is that power trace 204 shows no fluctuation correlated with the switching activity in the amount of current drawn by the circuit 300 over time as measured by the measurement device 324. This is because the laser 312 draws a constant current when the circuit 300 is powered on and a current value of zero when the circuit 300 is powered off. The power trace 204 does not fluctuate regardless of the switching activity occurring within the encryption circuit 302. When plaintext 316 and cipher text 318 are sent into the encryption circuit 302 to stimulate switching activity, the power trace 204 remains unchanged.

(18) FIG. 4A is a side view of the optical source powered circuit of FIG. 3, with through semiconductor vias. The encryption circuit 302 is mounted on a silicon die 402. Although the die is silicon in this embodiment, another material can be chosen depending on the particular application. The detector 310 is mounted onto the silicon die 402. The laser 312 is then mounted in optical linkage with the detector 310 so that the laser light emitted by the laser 312 can be detected by the detector 310. For the laser 312 to be in optical linkage with the detector 310, the laser 312 can be mounted onto the detector 310 itself as shown in the current embodiment. However, the laser 312 can also be mounted onto the silicon die 402 directly (not shown). The optical linkage can be provided by other interconnections between the laser 312 and the detector 310 such as a fiber optic cable (not shown). Power is delivered from the detector 310 to the encryption circuit 302 by an electrical current traveling within the through semiconductor vias (TSVs) that run within the silicon die 402. Although through silicon vias are used in this embodiment, the vias can be constructed from other semiconductor materials dependent on the semiconductor material system chosen for the particular application. There are at least two TSVs that serve as a power trace 404 and a ground trace 408. An attacker seeking to measure the current running through the TSV power trace 404 and the TSV ground trace 408 cannot do so without breaking into the silicon die 402 and causing irreversible damage.

(19) FIG. 4B is a perspective view of the optical source powered circuit of FIG. 3, with the optical detector embedded within a silicon die. The detector 310 is now embedded directly within the silicon die 412 that contains information that must remain secure. The laser 312 is mounted on the surface of the silicon die 412. Embedding the detector 310 within the silicon die 412 provides added protection from physical tampering.

(20) Where the detector 310 is embedded within the silicon die 412, there are several methods of powering the laser 312 that is mounted on the surface of the silicon die 412. The laser 312 remains linked to the detector 310 optically. One method for powering the laser 312 is to utilize TSVs running from the bottom of the package and passing through the silicon die 412 (not shown).

(21) FIG. 5 is a block diagram of an optical source powered circuit, with an encryption circuit portion, constructed in accordance with a second embodiment of the present disclosure, having a power island. A circuit 500 includes a non-secure circuit portion 502 and the encryption circuit 501 portion. The encryption circuit 501 that requires protection against power analysis attacks is contained within a power island 508. A key (not shown) is stored within the encryption circuit 501. The power island 508 is an isolated power domain wherein power to the encryption circuit 501 is provided separately from the power provided to the non-secure circuit portion 502. The encryption circuit 501 is powered by a set of power and ground lines (not shown) connected to the detector 510. The laser 512 emits laser light that is converted by the optically linked detector 510 into electrical energy. The electrical energy is used to charge a battery 514 that is connected to the detector 510 and the encryption circuit 501. The electrical energy is also passed through the battery 514 to the encryption circuit 501. The battery 514 serves as a backup power source and can power the encryption circuit 501 temporarily when no power is delivered through the laser 512 and the detector 510. This provides added protection to prevent an attacker monitoring the encryption circuit 501 from using power-based fault insertion attacks on the encryption circuit 501. The non-secure circuit portion 502 is powered directly by a separate set of lines that include a power line 506 and a ground line 504. An attacker monitoring the current through the power line 506 and the ground line 504 can only obtain a current trace of the power drawn by the non-secure circuit portion 502 but has no way to infer the power drawn by the encryption circuit 501. Although the encryption circuit 501 is on the power island 508, it is still able to communicate with the non-secure circuit portion 502 through lines 511. The communication in the lines 511 are enabled with digital isolation circuitry (not shown) in both the encryption circuit and the non-secure circuit portion. A controller (not shown) in the integrated circuit can also be configured to switch power delivery to the secure circuit from the power line 506 and a ground line 504 to the electrical energy provided by the detector 510 when the encryption circuit 501 is performing a cryptographic algorithm and back when the cryptographic algorithm is completed.

(22) FIG. 6 is a perspective view of an optical source powered circuit, constructed in accordance with a third embodiment of the present disclosure. A circuit 600 that contains an encryption circuit (not shown) is powered by a broad area laser 602 that is gallium arsenide (GaAs) based. The broad area laser 602 is an “edge-emitting laser.” An example of a broad area laser that would function is an edge-emitting laser having a 100 μm wide stripe with a length of 1000 μm. Although in this embodiment the broad area laser 602 is GaAs based, it can also be based on other material systems such as indium phosphide (InP) alloys or gallium antimony (GaSb) alloys. The broad area laser 602 provides approximately 1 watt (W) of optical power at a selected wavelength of approximately 850 nm and has a drive current of approximately 1.6 amperes (A) at an input voltage of about 1.6 volts (V). The power density of the broad area laser 602 at the emitting aperture is equivalent to about one million (or more) times the power density of the sun at the earth's surface. Electrical power to the broad-area laser 602 is typically obtained through connections to VL and Gnd delivered by a power line 620 and a ground line 622.

(23) The broad-area laser 602 converts the electrical energy from power line 620 into light energy and emits the light energy in the direction of a gallium arsenide based optical detector 604. The optical detector 604 is capable of operating in the photovoltaic mode to produce approximately 700 milliwatts (mW) of electrical power from 300 suns from a surface area of 500 μm.sup.2. The direct band gap of a GaAs based optical detector is efficient for monochromatic laser illumination. The far-field intensity distribution of the broad-area laser 602 is elliptical and will have an aspect ratio of between 2:1 to 5:1.

(24) Input power provided to the broad area laser 602 is approximately 2.25 W to produce an output power of 1 W. This is a power conversion efficiency of approximately 44%. After light energy is projected onto the optical detector 604, about 500 mW of electrical power is produced at the output of the optical detector 604. This is a total optical to electrical power conversion efficiency of 22%. With optimization of the optical source and optical detector, efficiencies of greater than 35% can be achieved.

(25) The broad area laser 602 and optical detector 604 are mounted on the surface of a first metallization layer 608. The broad area laser 602 and optical detector 604 are mounted with a spacing on the order of 1 mm apart, allowing the aspect ratio of the optical detector 604 to be optimized to the far-field beam pattern of the broad area laser 602 so the optical detector 604 is uniformly illuminated. Below the first metallization layer 608 is, a second metallization layer 610, a third metallization layer 612, a fourth metallization layer 614, and a fifth metallization layer 616. The encryption circuit (not shown) is buried within the metallization layers (608, 610, 612, 614, 616) and the silicon substrate 626.

(26) Multi-level metallization allows for the optical detector 604 to power the encryption circuit as appropriate. Unlike the power supplied to the broad-area laser 602 by the power line 620 and the ground line 622, the multiple metallization layers (608, 610, 612, 614, 616) are not accessible by external probes. The optical power from the laser 620 results in a secure V.sub.DD 624 and a secure ground (not shown) to power the encryption circuit. The only way to access the secure power provided to the metallization layers is by destructive removal of the metallization layers. The encryption circuit (not shown) cannot be probed through the metallization layers and any attempt to access the metallization layers would result in the irreversible destruction of the chip.

(27) In a fourth embodiment of the present disclosure, an optical source powered circuit is constructed with a heat sink. The silicon die, laser, and detector are mounted on a heat sink. The laser is optically linked to the detector so that the laser light emitted by the laser can be detected by the detector. Power is delivered from the detector to the secure circuit by an electrical current running through a power trace and a ground trace.

(28) Note that any and all of the embodiments described above can be combined with each other, except to the extent that it may be stated otherwise above or to the extent that any such embodiments might be mutually exclusive in function and/or structure.

(29) While the present disclosure has been described in conjunction with the embodiments, it will be understood that they are not intended to limit the present disclosure to these embodiments. On the contrary, the present disclosure is intended to cover alternatives, modifications, and equivalents, which may be included within the spirit and scope of the present disclosure as defined by the appended claims. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than a restrictive sense. Unless otherwise specifically stated, the terms and expressions have been used herein as terms of description and not terms of limitation. There is no intention to use the terms or expressions to exclude any equivalent of features shown and described or portions thereof and this disclosure should be defined in accordance with the claims that follow. For example, the secure circuit being protected does not have to be an encryption circuit but could be another circuit that could contain secret or proprietary information or functionality that could otherwise be compromised through a power analysis attack.

(30) Where reference is made herein to a method comprising two or more defined steps, the defined steps can be carried out in any order or simultaneously (except where the context excludes that possibility), and the method can include one or more other steps which are carried out before any of the defined steps, between two of the defined steps, or after all the defined steps (except where the context excludes that possibility).

(31) Any element in a claim that does not explicitly state “means for” performing a specified function, or “step for” performing a specific function, is not to be interpreted as a “means” or “step” clause as specified in 35 U.S.C. § 112, ¶6. In particular, the use of “step of” in the claims herein is not intended to invoke the provisions of 35 U.S.C. § 112, ¶6.