In order to protect secret data or secret circuitry on an integrated circuit (IC) against reading or tampering by invasive physical attacks, it is known to cover the IC with an inhomogeneous coating. The coating is opaque and chemically inert. It is also known to increase the security of encryption devices having a data key by not storing the key in the device, but generating it only at the time when it is needed and deleting it afterwards. In this case in particular, the key can be derived from capacitance measurements on the inhomogeneous coating. If the coating has been tampered with, removed or replaced, the capacitance or other characteristic will be different and the key cannot be generated. To enable this, a measurement circuit for measuring the capacitance values is needed. Sensors in the form of electrodes are embedded in or near the coating. The measured values of the sensors can be used to detect attacks and to generate a physical identification code, as no programming is needed to generate this particular ID code. Attacks or changes to the coating will change the measured values and so also the ID code.
It is known from patent application WO2003-046986 to provide a circuit covered by a secure coating in the form of a passivation structure. It is provided with a first and a second security element which each comprise local areas of the passivation structure, and with a first and a second electrode. The security elements have first and second impedances, respectively, which impedances differ, as the passivation structure has an effective dielectric constant that varies laterally over the circuit. Actual values of the impedances are measured by measuring means and transferred to an access device by transferring means. The access device comprises or has access to a central database device for storing the impedances. The access device compares the actual values with the stored values of the impedances in order to check the authenticity or the identity of the semiconductor device.
The various elements are coupled via transistor switches to an oscillator. The oscillator provides to a binary counter a signal whose frequency depends on the capacitance of the selected element being measured. The counter compares this frequency with a signal having a clock frequency. This clock signal originates from an oscillator with a reference capacitor and a reference resistor, both of which have a precise and well-known value. The result of the comparison in the binary counter is a digitized signal which can be stored. The digitized signal represents the actual value of the impedance of the measured security element. The actual value may be present in any kind of SI unit, or else in any semiconductor-specific value, as it will not be compared with any externally measured value. A selection unit controls the transistors for selecting which security element is to be measured. It will send signals such that one of the switches is on, to measure one of the security elements, or may switch on a number of the switches so that a desired combination of security elements may be measured, so as to minimize the number of measuring steps or to complicate the security.
One of the security elements can be a reference element whose actual value is known. It may be realized, for example, by implementing this element in the interconnect structure, especially if the passivation structure comprises a security layer with particles that are distributed inhomogeneously. This reference security element can be used for optimizing the measuring results, or for calibrating measured counts and converting them to actual values.
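The following Python model is an added illustration, not taken from the cited application: it simulates the counter-based measurement, the calibration of counts against the reference element, and the comparison of actual values with stored values. The oscillator law f = 1/(K·R·C), all component values, the 2% tolerance and every function name are assumptions chosen for the example.

```python
# Constructed model of the oscillator/counter measurement described above.
# Assumptions (not from the source): f_osc = 1 / (K * R * C), the constants
# below, and the 2 % acceptance tolerance.
K = 2.2             # assumed oscillator constant
R_OSC = 100e3       # assumed oscillator resistance in ohms
F_CLK = 1e6         # assumed clock frequency in Hz
GATE_TICKS = 65536  # clock ticks during which oscillator cycles are counted

REF_CAP = 1.00e-12                                  # reference element, known value
COATING = [1.00e-12, 1.35e-12, 0.82e-12, 1.10e-12]  # constructed element values


def count_for(cap, r_osc=R_OSC):
    """Digitized counter output for one selected security element."""
    f_osc = 1.0 / (K * r_osc * cap)
    return int(f_osc * GATE_TICKS / F_CLK)


def measure_all(elements, r_osc=R_OSC):
    """Measure every element and calibrate counts against the reference.

    The count is proportional to 1/C, so C = C_ref * N_ref / N and the
    oscillator's own parameters (K, R) cancel out of the result.
    """
    ref_count = count_for(REF_CAP, r_osc)
    return [REF_CAP * ref_count / count_for(c, r_osc) for c in elements]


def authentic(actual, stored, tol=0.02):
    """Access-device check: every actual value within tol of its stored value."""
    return len(actual) == len(stored) and all(
        abs(a - s) <= tol * s for a, s in zip(actual, stored))


def demo():
    stored = measure_all(COATING)                 # values kept in the database
    drifted = measure_all(COATING, R_OSC * 1.05)  # same coating, 5 % drift in R
    tampered = list(COATING)
    tampered[2] = 0.70e-12                        # one local area disturbed
    return (authentic(drifted, stored),
            authentic(measure_all(tampered), stored))


if __name__ == "__main__":
    print(demo())
```

In this model a 5% drift in the oscillator resistor shifts every raw count by about 5%, yet the calibrated values still match the stored ones, while a change to a single element fails the comparison.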
Another known tamper detection circuit is shown in U.S. Pat. No. 7,024,565. This shows another capacitor measuring circuit for detecting tampering of a passivation layer. Two current sources produce substantially identical, constant current through a range of load conditions. A reference capacitor is provided which is coupled to one current source. A voltage across the reference capacitor will increase approximately linearly due to the application of constant current over time to the reference capacitor. The rate at which the voltage increases is determined by the capacitance of the capacitor. A second capacitor is coupled to the second current source. The second capacitor is defined by conductive elements arranged adjacent to the passivation layer. A constant current applied to this capacitor will increase a voltage across the capacitor approximately linearly over time. The rate at which this voltage increases may be determined by the capacitance of the capacitor. One side of each capacitor is coupled to ground, and the other side to inputs of a comparator. When either of the voltages across the capacitors exceeds a predetermined voltage level (logical “high”), an OR gate asserts an enable signal to a comparator, to produce an output signal value indicating if one signal has a value less than the other, or alternately if one signal has a value greater than the other, to indicate tampering.