The present invention relates to the field of integrated circuits, and more particularly, to an integrated circuit comprising a protection device.
Many applications use data elements that have to be kept secret. This is the case especially with smart cards or data encoding/data encryption circuits which contain confidential codes, encryption keys, etc. These secret data elements are generally contained in programmable non-volatile memories, for example EEPROMs, EPROMs or flash EPROM type memories. For these applications, it is vital to prevent access to these data elements in all circumstances.
The possibilities for unwanted access are numerous. In particular, there is a prediction method using statistical analysis based on the consumption of current by the circuit. This method can be used for the bit-by-bit reconstruction of at least certain confidential data elements. There are also more direct methods, such as optical inspection after the deactivation of the integrated circuit, and modification of operating conditions such as, for example, temperature, supply voltages, etc.
Thus, integrated circuits containing secret data elements of this kind generally comprise a wide range of sensors associated with a device for protecting the operating conditions of the integrated circuit and for generating an alarm signal once an anomaly is detected. An anomaly may be an abnormal variation in the ambient temperature or the luminosity (the depassivation of the integrated circuit), an abnormal level of a supply voltage, several abortive read or write attempts, etc. This list is not exhaustive.
When an alarm signal is generated, this signal is generally used to interrupt the operation in progress and reinitialize the integrated circuit. Furthermore, means have long been known, such as encoding mask circuits, access protection circuits and secured software procedures for protecting access to the secret data elements.
In view of the foregoing background, it is an object of the present invention to improve the protection of secret data elements in an integrated circuit that receives, at external power supply pins, a ground reference voltage, a logic supply voltage and a high voltage normally used for the programming of the non-volatile memory elements.
This and other objects, advantages and features of the present invention are provided by using the available high voltage to destroy all or part of the logic circuitry of the integrated circuit so that it becomes unusable. The thoroughness with which the integrated circuit is destroyed makes it impossible to know the contents of the integrated circuit, and the secret data elements cannot be known.
In recent submicron MOS technologies, the gate oxides have a thickness of about 32 angstroms to 0.8 microns. They can therefore withstand no more than 1.8 volts at their terminals. The sudden application of high voltage to these oxides causes the irreparable destruction of the gate oxides. It is this characteristic that is used in the present invention.
Thus, according to the present invention, the activation of the alarm signal causes the application of the high voltage, instead of the logic supply voltage, to the elements of the logic circuitry. The gate oxides of these elements are then irreparably destroyed. In practice, these logic elements are chosen so that their destruction makes the integrated circuit unusable. The destruction may extend to the entire integrated circuit or only to a part thereof, such as the microprocessor, the address selection logic, the data input/output registers, etc.
A power supply control device according to the present invention has two voltage selector switches, one to switch over the high voltage and the other to switch over the logic supply voltage to a power supply input node of at least one logic element of the integrated circuit.
These selection switches are controlled in a complementary manner by a voltage level translator connected between the high voltage and ground. This translator is controlled by a binary control signal generated internally by the integrated circuit. As long as the alarm signal is not activated, it is the logic supply voltage that is applied as a supply voltage for these logic elements. As soon as the alarm signal is activated, it is the high voltage that is switched over to the power supply input node of these logic elements, causing their irreparable destruction by the breakdown of the gate oxides.
As characterized, the present invention therefore pertains to an integrated circuit having, as power supply voltages, at least one logic supply voltage and one high voltage. According to the invention, the integrated circuit furthermore comprises a protection device associated with at least one gate oxide circuit element for the application, to a supply node of the element, of either the logic supply voltage under normal conditions of operation of the integrated circuit or the high voltage under abnormal conditions of operation of the integrated circuit for breaking down the gate oxide.
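The supply control described above can be followed step by step in a small behavioural model. This is an added example, not part of the original text: the struct and function names are hypothetical, and the two supply voltages are constructed values (the text gives only the 1.8 volt oxide limit).

```c
#include <stdbool.h>

/* Constructed supply values; the page states only the 1.8 V oxide limit. */
#define V_LOGIC_MV      1800  /* assumed logic supply voltage, in millivolts */
#define V_HIGH_MV      12000  /* assumed programming high voltage, in millivolts */
#define OXIDE_LIMIT_MV  1800  /* from the page: oxides withstand no more than 1.8 V */

/* Anomaly flags named after the sensor conditions the text lists. */
typedef struct {
    bool temperature, luminosity, supply_level, access_attempts;
} sensor_flags;

typedef struct {
    bool sw_high;       /* selector switch passing the high voltage */
    bool sw_logic;      /* selector switch passing the logic supply voltage */
    bool oxide_intact;  /* cleared on breakdown and never set again */
} protected_element;

void element_init(protected_element *e) {
    e->sw_high = false;
    e->sw_logic = true;
    e->oxide_intact = true;
}

/* Alarm signal: active as soon as any sensor reports an anomaly. */
bool alarm_signal(const sensor_flags *s) {
    return s->temperature || s->luminosity || s->supply_level || s->access_attempts;
}

/* Voltage seen at the power supply input node of the element. */
int supply_node_mv(const protected_element *e) {
    return e->sw_high ? V_HIGH_MV : V_LOGIC_MV;
}

/* One evaluation: the level translator drives the switches in a
 * complementary manner, then the oxide is checked against its limit. */
bool element_step(protected_element *e, const sensor_flags *s) {
    bool alarm = alarm_signal(s);
    e->sw_high = alarm;
    e->sw_logic = !alarm;
    if (supply_node_mv(e) > OXIDE_LIMIT_MV)
        e->oxide_intact = false;   /* irreparable breakdown */
    return e->oxide_intact;
}
```

Once an alarm has occurred, clearing the sensor flags returns the node to the logic supply voltage in this model, but the element stays destroyed.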