Sensitive information, such as encryption keys, is often stored in an integrated circuit and there is a need to protect the sensitive information from an invasive attack by a third party. There is also a need to prevent a third party from being able to monitor the internal workings of an integrated circuit with a view to reverse engineering some aspect of the integrated circuit.
When an integrated circuit is manufactured a passivation layer is created that provides mechanical protection for the layers beneath. In an invasive attack by an adversary, the passivation layer or part thereof may be removed by means of etching, laser or FIB (Focussed Ion Beam). Once the passivation layer or a selected window of the passivation layer is removed, a top layer metal is exposed. Subsequent etching, laser or FIB techniques allow access to the other metal layers beneath the top layer. The adversary can then use an electromagnetic (EM) probe to pick up local electrical signals in the exposed area from the chip. The sensed electrical signals can be recorded and then, with further post-processing analysis, sensitive information stored in the integrated circuit can be extracted or recovered.
It has been proposed previously to form an active shield layer above or below sensitive components of an integrated circuit. The active shield layer incorporates a detection arrangement to detect if the shield layer is altered physically as a result of an invasive attack. The detection arrangement detects an invasive attack and takes steps to erase or deactivate the integrated circuit to prevent a third party from gaining access to stored sensitive information or to prevent a third party from analysing the operation of the integrated circuit.
Examples of such prior-art tamper detection arrangements are disclosed in U.S. Pat. Nos. 6,798,234 and 6,496,119. In the arrangement of U.S. Pat. No. 6,798,234 an active shield layer is provided comprising at least two elongate conductive tracks added to cover the integrated circuit, i.e. over the integrated circuit itself. A drive and sensing arrangement transmits a predetermined signal over the tracks and compares the received signals to the transmitted signals. If the conductor tracks have not been modified and remain intact, then the received signals are direct representatives of the transmitted signals. If the received signals do not correspond to the transmitted signals, then this can be an indication of a broken track or a track having been tampered with. This observation is made using a normal signal measuring method. A change in signal caused by the capacitance value of the track changing can also indicate an invasive attack. A switching mechanism is provided to switch between the normal signal measuring method and the capacitive measuring method. A change in signal in either method can trigger an alarm signal to effect a function change such as erasing data held in the memory of the integrated circuit.
U.S. Pat. No. 6,496,119 discloses a similar methodology to U.S. Pat. No. 6,798,234 but with the addition of multiplexers to provide multiple signals and switching between signals and over tracks, lines and interconnects making up a protective circuit or shield provided above and/or below the integrated circuit itself.
The present invention seeks to provide an alternative tamper detection arrangement and method for detecting tampering with an integrated circuit.
One aspect of the present invention provides a tamper detection arrangement for use within an integrated circuit, the arrangement comprising: at least one input capacitor having a first capacitance value; a feedback capacitor having a second capacitance value; a sensing arrangement comprising an amplifier circuit having the at least one input capacitor as an input and the at least one feedback capacitor in a feedback loop across the amplifier operable to detect a change in the capacitance values between the at least one input capacitor and the feedback capacitor; and a protective shield to protect a sensitive area of the integrated circuit from tampering, the shield being provided by the at least one input capacitor.
Preferably, at least a part of the input capacitor is formed from at least one layer of a metal stack of the integrated circuit.
Advantageously, the sensing arrangement is operable to detect a change in the ratio of capacitance values between the at least one input capacitor and the feedback capacitor.
Preferably, the amplifier circuit comprises a differential amplifier.
Conveniently, the gain of the amplifier circuit is dictated by the ratio of capacitance values between the at least one input capacitor and the feedback capacitance.
Preferably, plural input capacitors are connected to the sensing arrangement by a multiplexer.
Conveniently, the sequencing of the multiplexer is changeable and/or is pseudo-random.
Advantageously, the multiplexer switches so that different pairs of capacitors from the input capacitor array are compared in respective measurement cycles.
Another aspect of the present invention provides a tamper detection arrangement in an integrated circuit having a stack of metal layers, the arrangement comprising: at least one input capacitor having a first capacitance value; and a protective shield to protect a sensitive area of the integrated circuit from tampering, the shield being provided by the at least one input capacitor, wherein at least a part of the input capacitor is formed from at least a part of one of the metal layers of the metal stack of the integrated circuit.
Another aspect of the present invention provides an integrated circuit incorporating the tamper detection arrangement.
A further aspect of the present invention provides an integrated circuit package incorporating the integrated circuit incorporating the tamper detection arrangement.
Another aspect of the present invention provides a method of detecting physical tampering with an integrated circuit, the method comprising: providing at least one input capacitor having a first capacitance value; providing a feedback capacitor having a second capacitance value; providing a sensing arrangement comprising an amplifier circuit having the at least one input capacitor as an input and the at least one feedback capacitor in a feedback loop across the amplifier; forming a protective shield to protect a sensitive area of the integrated circuit from at least a part of the at least one input capacitor, wherein the method comprises detecting a change in the capacitance values between the at least one input capacitor and the feedback capacitor and/or detecting a change in the ratio of capacitance values between the at least one input capacitor and the feedback capacitor.