SYSTEM AND METHOD FOR SECURING AN ELECTRONIC CIRCUIT

Abstract

A system for securing an electronic circuit including: plural regions, activity of each of which may be controlled; plural sensors integrated into the electronic circuit, each sensor being sensitive to variations in manufacturing process and to provide a measurement representative of a local activity of the electronic circuit; a processing unit including an integrity verification module configured to: determine, based on the measurements provided by the sensors, and for each of the regions, a partition of the sensors between sensors affected and sensors not affected by an activation of the region; compare each of the partitions with a model partition to detect possible presence of a hardware Trojan horse liable to infect the electronic circuit. The system can carry out an authentication of the electronic circuit by its intrinsic physical characteristics by response to a challenge or by generation of a key.

Claims

1-14. (canceled)

15. A system for securing an electronic circuit comprising: plural regions, activity of which may be controlled; a plurality of sensors integrated into the electronic circuit, each sensor being sensitive to variations in manufacturing process and to provide a measurement representative of a local activity of the electronic circuit; a processing unit comprising an integrity verification module configured to: determine, based on the measurements provided by the sensors, and for each of the regions, a partition of the sensors between sensors affected and sensors not affected by an activation of the region; compare each of the partitions with a model partition to detect possible presence of a hardware Trojan horse liable to infect the electronic circuit.

16. The system according to claim 15, wherein the integrity check module is further configured to: deactivate all regions of the electronic circuit and make an acquisition of the measurements supplied by the sensors; activate a single region of the electronic circuit one by one, and make an acquisition of the measurements supplied by the sensors; for each region, and for each sensor, compare the measurement made by the sensor when only the region is activated with the measurement made by the sensor when all the regions are deactivated; determine the sensor partitions from the compared measurements.

17. The system according to claim 15, wherein at least one of the regions is dedicated to execution of a function, the at least one corresponding region being activated by a command to execute the function.

18. The system according to claim 15, further comprising at least one detector integrated into the electronic circuit and configured to provide a measurement representative of a functional condition of the circuit, and wherein the processing unit further comprises an authentication module for the electronic circuit by a challenge-response configured to calculate an unclonable physical function type response to a challenge, by measurements supplied by the sensors, and to supply the response accompanied by the measurement supplied by the at least one detector.

19. The system according to claim 18, wherein the authentication module is configured to calculate the unclonable physical function type response from measurements made by a sub-set of the plurality of sensors.

20. The system according to claim 19, wherein calculating the unclonable physical function type response comprises concatenating values generated from measurements supplied by sensors in each pair of sensors among the sub-set of the plurality of sensors.

21. The system according to claim 20, wherein a value generated for a pair of sensors p, q among the sub-set of the plurality of sensors consists of $Δ .Math. .Math. F_{pq} = F_{p, v_{j}, t_{k}} + F_{q, v_{j}, t_{k}} - \frac{2}{m^{'}} .Math. {.Math.}_{i = 1}^{m^{'}} .Math. F_{i, v_{j}, t_{k}},$ wherein m′ corresponds to a number of sensors in the sub-set and F.sub.i, v.sub.j.sub., t.sub.k corresponds to measurement supplied by one of the sensors in the sub-set for a given operating condition v.sub.j, t.sub.k of the circuit.

22. The system according to claim 18, further comprising a database listing an expected response for a given challenge for each of a plurality of operating conditions of the circuit, and a comparator configured to check that the response generated by the authentication module corresponds to the expected response stored in the database for an operating condition of the circuit corresponding to the measurement output by at least one detector accompanying the response generated by the authentication module.

23. The system according to claim 15, further comprising at least one detector integrated into the electronic circuit and configured to provide a measurement representative of a functional condition of the circuit, and the processing unit further comprises a key generation module configured to generate a key using measurements supplied by sensors and to supply the key together with the measurement output by the at least one detector.

24. The system according to claim 23, wherein generating the key concatenates measurements provided by each of the sensors.

25. System according to claim 15, wherein the sensors provide measurements in a form of numerical words of a series of bits, and the processing unit further comprises an information bits identification module configured to eliminate, from the series of bits supplied by a sensor, invariable bits in the numerical words supplied by each sensor and bits varying at random in the different numerical words supplied by the sensor.

26. The system according to claim 15, wherein the processing unit is integrated into the electronic circuit.

27. A method for securing an electronic circuit including plural regions in which activity of each region can be controlled, the method comprising: using measurements supplied by a plurality of sensors integrated into the electronic circuit, each sensor being sensitive to variations in manufacturing process and configured to supply a measurement representative of a local activity of the electronic circuit, to determine for each region, a partition of the sensors between sensors that are affected by activation of the region and sensors that are not affected by activation of the region; comparing the partitions with a model partition to detect possible presence of a hardware Trojan horse liable to infect the electronic circuit.

28. A non-transitory computer readable medium including a computer program containing computer code instructions for execution of the method according to claim 27 when the program is executed on a computer.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] Other aspects, purposes, advantages and characteristics of the invention will be better understood after reading the detailed description given below of preferred embodiments given as non-limitative examples, with reference to the appended drawings on which:

[0019] FIG. 1 is a diagram showing the system according to the invention;

[0020] FIG. 2 represents an example spatial deployment of sensors on the surface of a circuit;

[0021] FIG. 3 represents an example of a sensor that can be used in the framework of the invention;

[0022] FIG. 4 is a diagram illustrating operation of an integrity verification that can be made by a system according to the invention.

DETAILED PRESENTATION OF PARTICULAR EMBODIMENTS

[0023] With reference to FIGS. 1 and 2, the invention relates to a system 1 for securing an electronic circuit 2, the circuit 2 comprising several regions Z1-Z6 for which activation can be controlled. For example, a region is dedicated to the execution of a function, and its activation corresponds to the execution of this function.

[0024] The system comprises a plurality of sensors Si, S1-Sm integrated into the electronic circuit, each sensor being sensitive to variations in the manufacturing process and operating conditions (particularly power supply voltage) so as to provide a measurement representative of a local activity of the electronic circuit in a zone surrounding the sensor and the local quality of the silicon. The sensors S1-Sm may or may not be distributed in the form of a regular matrix (as shown on FIG. 2 that shows a matrix of 8*8 sensors). In particular, the surface density of sensors may be varied locally (non-uniform distribution) depending on the part of the circuit to be protected.

[0025] The sensors are preferably distributed over the entire surface of the circuit but in general, the location and the number of sensors are chosen as a function of the layout of the different regions of the circuit so as to obtain measurements best representing the activity of the circuit.

[0026] Circuit 2 is composed of components integrated on a chip. The sensors are also integrated on the chip, but do not participate in performing the function(s) of the circuit.

[0027] Measurements supplied by the sensors are retrieved by an acquisition unit and processed by a processing unit 3. The processing unit can be implemented by hardware and/or software, and may or may not be transferred outside the circuit. In one embodiment shown on FIG. 2, the acquisition and processing units are integrated into the circuit, typically being placed in a space left free by the circuit (region Z3 on FIG. 2).

[0028] The sensors Si provide a numerical output value that depends on variations of the manufacturing process and the local power supply voltage. They can be controlled and may be activated or deactivated. Their output is preferably not much influenced by temperature conditions.

[0029] The sensors can preferably be configured, for example to modify their sensitivity. In the case of ring oscillator type sensors, it is thus possible to vary the count time.

[0030] One example of such sensors is a delay measurement device that uses a delay amplifier and a method of interpolating two delays to generate a numerical word, the value of which varies as a function of the measured delay and variations in the manufacturing method. The element comparing the propagation delays on two paths is called the arbitrator. The compared paths may be an existing path and a replica or two similar dedicated paths.

[0031] Another example of sensors is a ring oscillator, of which an example is illustrated in FIG. 3. In this example, the oscillator is composed of an AND gate, two inverters and a 16-bit counter. Setting the ‘enable’ signal to the active state provokes an oscillation at a frequency f that depends on variations in the process, the temperature and the power supply voltage. Starting from this oscillation frequency, a numerical value is generated by the counter that counts oscillations during a given time. Setting the ‘enable’ signal to the inactive state stabilises the system and stops oscillations.

[0032] Identification of Information Bits

[0033] The sensors preferably provide measurements in the form of numerical words each composed of a series of bits. The processing unit 3 can include an information bit identification module that identifies bits characteristic of each sensor and the variation of which remains limited between two measurements. It is thus possible to reduce the size of numeric words without losing any information content.

[0034] To achieve this, the information bits identification module is configured to eliminate invariable bits in the numerical words supplied by each sensor and bits varying at random in the different numerical words supplied by the sensor, from the series of bits supplied by each sensor.

[0035] Firstly, the information bits identification module identifies bits that are invariable in the different sensors, for example by means of a variance or entropy calculation of each bit between the sensors. The bits for which the variance (or entropy) is null can then be eliminated. For example, they may be high order bits until the first bit with a non-null variance (or entropy) between the sensors.

[0036] Secondly, the information bits identification module identifies bits that vary at random between two acquisitions from the same sensor, for example by means of a variance (or entropy) calculation of each bit between different acquisitions. The bits for which the variance (or entropy) is not null can then be eliminated. For example, they may be low order bits until the first bit with a null variance (entropy) between two acquisitions.

[0037] The information bits identification module can thus limit the size of numerical words from each sensor, to keep only those bits that contain useful information unique to each sensor. In one example embodiment, out of the 16 bits generated by a sensor, the 6 high order bits that carry invariable information between the sensors and the 6 low order bits that carry random information for the sensor, are identified for all the sensors. Therefore, this leaves 4 common information bits per sensor.

[0038] The information bits identification module is preferably placed upstream from the other modules 4, 5, 6 of the processing unit that will be described below.

[0039] Integrity Check

[0040] The processing unit 3 comprises an integrity check module 4 that detects if there is a hardware Trojan horse present in the circuit 2. More precisely, the integrity check module 4 detects and possibly locates the electrical activity of triggers or of actuators. To achieve this, it is configure to: [0041] determine, on the basis of the measurements provided by the sensors and for each of the regions, a partition of the sensors between sensors affected and sensors not affected by an activation (making active) of the region; [0042] compare each partition with a model partition, obtained from a reference (golden) circuit or from simulations during the circuit design, to detect if there is a hardware Trojan horse present that could infect the electronic circuit.

[0043] If the circuit is affected by a hardware Trojan horse, the trigger of the Trojan horse modifies the activity of the circuit and then the partitions of sensors. Since the partitions are not the same as the model partitions, it can be declared that the circuit is infected.

[0044] The integrity check module 4 can use the measurements provided by the sensors for different activities of the circuit. Thus, in one possible embodiment, the integrity check module 4 can be configured to: [0045] deactivate all regions of the electronic circuit (for example by deactivating all functions of the electronic circuit) and make an acquisition of measurements supplied by the sensors; [0046] activate each region of the electronic circuit one by one in turn (for example by ordering execution of a single one of the functions of the electronic circuit at a time), and make an acquisition of measurements supplied by the sensors; [0047] for each region, and for each sensor, compare the measurement made by the sensor when only the region is activated with the measurement made by the sensor when all the regions are deactivated; [0048] determine said sensor partitions from said compared measurements.

[0049] A region can be dedicated to execution of a given function and its activation (making active) can thus consist of executing this function. As a variant or not, electrical activity generators can be integrated into the circuit so as to improve the number of partitions that can be constructed, if required (for example when the circuit does not contain many function blocks). An activity generator produces a local current inrush, leading to activation of a given region of the circuit.

[0050] The different acquisitions are made for the same duration. The result of the comparison is a list of compared measurements for each successively activated region of the circuit. In the example presented above in which the sensors are ring oscillators, the list is a list of differences in oscillation frequency. This list is used to separate the population of sensors into two sets: a first set containing sensors affected by the activity in the activated region and a second set containing sensors not affected by the activity in the activated region. This separation is typically used by a partitioning algorithm, for example the k-means algorithm (standard or fuzzy), a supervised learning algorithm of the Bayesian classifier type or of the support vector machines type.

[0051] FIG. 4 illustrates this integrity check for example using a healthy circuit 20 comprising three regions R1, R2 and R3 for implementation of three functions and a circuit 21 with the same design but infected by a hardware Trojan horse T. Sensors S1-S9 are distributed in matrix form on circuits 20, 21.

[0052] The table at the top right illustrates the partition of sensors between sensors that are (“1”) and that are not (“0”) affected by activation of the region (execution of a function in the following example), for the healthy circuit 20 and for each of the regions. Several tests can be carried out if necessary to obtain a probability of being affected. Thus, execution of the function corresponding to the region R1 and the measurements of the different sensors provides a means of determining that the sensors S1, S2, S4 and S5 are affected by execution of this function, while the others are not. Similarly, execution of the function corresponding to the region R2 and the measurements of the different sensors provides a means of determining that the sensors S7 and S8 are affected by execution of this function, while the others are not. Finally, execution of the function corresponding to the region R3 and the measurements of the different sensors provides a means of determining that the sensors S3, S6 and S9 are affected by execution of this function, while the others are not.

[0053] In other words, each line in the table illustrates the model partition for each function corresponding to regions R1-R3. In practice, the model partition is a partition derived from simulation, or a partition made from measurements of sensors integrated into a healthy reference circuit.

[0054] The tableau at the bottom right illustrates the partition of sensors between sensors affected and sensors not affected by execution of each function, for the infected circuit 21. Thus, execution of the function corresponding to the region R1 and the measurements of the different sensors provides a means of determining that the sensors S1-S5 are affected by execution of this function, while the others are not. Similarly, execution of the function corresponding to the region R2 and the measurements of the different sensors provides a means of determining that the sensors S2, S3, S7 and S8 are affected by execution of this function, while the others are not. Finally, execution of the function corresponding to the region R3 and the measurements of the different sensors provides a means of determining that the sensors S2, S3, S6 and S9 are affected by execution of this function, while the others are not.

[0055] A line by line comparison of the two tables shows that there is a different partition of the sensors and therefore it can be concluded that the circuit 21 must be infected by a hardware Trojan horse. This comparison of the partitions can be made using a similarity index, for example using the Rand index or the Jaccard index.

[0056] Moreover, in one possible embodiment, the integrity check module 4 is also configured to locate a possible hardware Trojan horse, for example by counting for each sensor and for all functions, the number of times the sensor is classified in a set different from the set in which it should appear in the model partition. When this number exceeds a threshold, the integrity check module concludes that there is a hardware Trojan horse close to the sensor. Returning to the example in FIG. 4, this number is zero for sensors S1 and S4-S9, and two for sensors S2 and S3. It is deduced that there is a Trojan horse T close to the sensors S2 and S3.

[0057] In one possible embodiment, and with reference once again to FIG. 1, the system may also include at least one detector integrated into the electronic circuit and capable of providing a measurement representative of a functional condition of the circuit. The at least one detector may include one or several voltage detectors Vj each supplying a voltage value v.sub.j (global or local) and one or several temperature detectors Tk each supplying a temperature value t.sub.k (global or local), as shown. The detectors can possibly be identical to the sensors; in particular, they may also be in the form of ring resonators for example as described in the paper by L. Vincent et al. entitled “Embedding statistical tests for on-chip dynamic voltage and temperature monitoring”, Design Automation Conference (DAC), 2012, 49th ACM/EDAC/IEEE, pp 994-999.

[0058] Information output by detectors related to an operating condition of the circuit, and variations of this information from one circuit to the other, can be used constructively to authenticate the electronic circuit by challenge-response and/or by generation of a key as described below.

[0059] Authentication

[0060] In one embodiment, the processing unit 3 comprises an authentication module for the electronic circuit by a challenge-response 5 configured to calculate an unclonable physical function type response to a challenge, by means of measurements supplied by the sensors, and to supply said response accompanied by the measurement supplied by the at least one detector that is representative of an operating condition of the circuit.

[0061] The invention can thus authenticate a circuit by means of its intrinsic physical characteristics. The entity requesting authentication of the circuit sends a challenge and in return receives a unique response for each challenge, for each circuit and for each operating condition (typically voltage V and temperature T pair), condition measured by the circuit itself and embedded in the response.

[0062] The advantages compared with existing systems are a lower surface cost per response bit. The authentication is also more robust to temperature and voltage changes due to consideration of V, T operating conditions in the response. Moreover, with the system it is easy to select the number of bits used for authentication. Finally, all measurements are made on-chip which allows to accelerate procedures and reduce high volume production costs.

[0063] In one embodiment, making the challenge consists of choosing m′ sensors among the m sensors. The authentication module 5 is thus configured to calculate the unclonable physical function type response from measurements made by a sub-set of said plurality of sensors.

[0064] This response can consist in particular in concatenating values generated from measurements supplied by sensors in each

[00001] $(\begin{matrix} m^{'} \\ 2 \end{matrix})$

pair of sensors among the sub-set of m′ sensors in said plurality of m sensors. In particular, the value generated for a pair of sensors p, q among the sub-set of said plurality of sensors can consist of

[00002] $Δ .Math. .Math. F_{pq} = F_{p, v_{j}, t_{k}} + F_{q, v_{j}, t_{k}} - \frac{2}{m^{'}} .Math. {.Math.}_{i = 1}^{m^{'}} .Math. F_{i, v_{j}, t_{k}},$

where m′ corresponds to the number of sensors in the sub-set and F.sub.i,v.sub.j.sub.,t.sub.k corresponds to the measurement supplied by one of the sensors in the sub-set for a given operating condition v.sub.j, t.sub.k of the circuit. This operating condition is picked up by a global voltage or temperature detector or by several local detectors. In the latter case, the responses of these detectors are concatenated to be representative of the global operating condition of the circuit. Post-processing modules (for example error correction codes) operating on the response of the authentication system can be integrated (or transferred externally) to make the system more reliable.

[0065] The system may also comprise a database listing the expected response for a given challenge for each of a plurality of operating conditions of the circuit, and a comparator configured to check that the response generated by the authentication module 5 corresponds to the expected response stored in the database for an operating condition (typically a voltage, temperature pair) of the circuit corresponding to the measurement output by at least one detector accompanying the response generated by the authentication module.

[0066] The authentication procedure is thus as follows. A single phase is performed to create the database containing the different responses of the system to the different challenges, for all V, T conditions of the system. A challenge is sent to the system and the system returns voltage and temperature values and a numerical word that depends on the challenge and that is unique for each part of the circuit. The database can be viewed for the returned voltage and temperature values, and checks that the received response actually corresponds to the response stored in the data base for the given challenge and voltage and temperature conditions. The circuit is authenticated if the values correspond. Otherwise the circuit is not authenticated or modifications have been made to it.

[0067] With this technique, the number of possible challenges is

[00003] $(\begin{matrix} m \\ m^{'} \end{matrix}),$

namely 2035800 possible challenges for each V, T condition for m=30 and m′=7. The size of the response is

[00004] $(\begin{matrix} m^{'} \\ 2 \end{matrix})$

multiplied by the number of information bits per sensor. In the case of a prototype conforming with the invention, the response size is

[00005] $(\begin{matrix} 7 \\ 2 \end{matrix}) * 4 = 84$

bits when the bit identification module made it possible to reduce the number of information bits per sensor to 4. But obviously, the size and the number of challenges can be reduced if necessary.

[0068] Calculations for this challenge-response technique have shown an inter variation (between different circuits) of 48.8% and in an intra distance variation (between different executions for the same circuit) of 6.3%. These measurements, obtained in an uncontrolled environment without tattooing the voltage and temperature, are particularly satisfactory.

[0069] Generating a Key

[0070] Generation of random keys or POK (Physically Obfuscated Key) makes it possible to return a key stored permanently in the physical characteristics of a circuit. It is thus more difficult for an attacker to retrieve the key by measuring external signals (probing). Furthermore, an invasive attack of this circuit will provoke physical changes and therefore destruction of the key.

[0071] One difficulty encountered during the generation of such keys is their variability as a function of operating conditions (typically temperature and voltage). The invention discloses how this difficulty can be circumvented by having the generated key tattooed with information about operating conditions. Thus, modifications to the key due to variations in operating conditions can be taken into account. Thus, the problem of the variability of the voltage and temperature is circumvented by using it to increase security.

[0072] In one embodiment, the processing unit 3 of the system according to the invention can thus include a key generation module 6 configured to generate a key using measurements supplied by sensors and to supply said key together with the measurement output by the at least one detector. In particular, the key may consist of the concatenation of measurements F.sub.i,v.sub.j.sub.,t.sub.k output by each sensor, possibly using only the bits identified as being informative. Thus, the system outputs operating condition information and a numerical word that depends on variations in the manufacturing process, as a key. For the prototype of the invention, there are m=30 sensors for which 4 information bits are kept, which results in a 120-bit key (maximum) together with temperature and voltage information. These 120 bits can be used as a seed for the generation of longer keys, for example using a pseudo-random number generator.

[0073] Obviously, the different modules of the processing unit can be implemented alone or in combination, and either by hardware and/or software. The invention is not limited to the system as described above, but it also includes a method for securing an electronic circuit used by one and/or the other of the modules of the processing unit, and particularly a method including the following steps: [0074] use measurements supplied by a plurality of sensors integrated into the electronic circuit, each sensor being sensitive to variations in the manufacturing process and capable of supplying a measurement representative of a local activity of the electronic circuit, to determine, for each of the functions, a partition of the sensors between sensors that are and sensors that are not affected by execution of the function; [0075] compare said partition with a model partition so as to detect the possible presence of a hardware Trojan horse liable to infect the electronic circuit.

[0076] And the invention also includes a software implementation of such a security process, and thus in particular a computer program including code instructions for the execution of the steps in the process when said program is executed on a computer.

[0077] And it will be realised that the invention can also be applied to ASISC type circuits and to reconfigurable type circuits (for example FPGA), both in their design and in their programming method after manufacturing.

SYSTEM AND METHOD FOR SECURING AN ELECTRONIC CIRCUIT

Assignee

Inventors

Cpc classification

Classification Explorer

G09C1/00

PHYSICS

Classification Explorer

H04L2209/12

ELECTRICITY

Classification Explorer

H04L63/145

ELECTRICITY

Classification Explorer

H04L63/1416

ELECTRICITY

Classification Explorer

H04L9/3278

ELECTRICITY

Classification Explorer

H04L63/1425

ELECTRICITY

International classification

Classification Explorer

H04L29/06

ELECTRICITY

Abstract

Claims

Description