Integrated circuits may contain or process information that is of relevance for security, or that needs to be kept secret. Data carrying such information are encrypted for that reason. An integrated circuit which processes or stores encrypted data, or which encrypts unencrypted data, is referred to in the context of the present application as a cryptographic circuit, or synonymously as a cryptographic semiconductor device.
Attacks against cryptographic circuits are targeted at information which allows decryption of the data processed or stored by the circuit. In order to gain access to such information, analyses of the measurable analog parameters of a circuit (operation execution times, power consumption) or of the physical parameters of its environment (sound, electromagnetic radiation), as well as analyses of the inner structure of the circuit, are performed.
Analysis of the analog parameters of the circuit or of the physical parameters of its surroundings can often be done using non-invasive methods. Knowledge of the analog circuit parameters and of changes in the physical parameters of the surroundings of an active circuit already allows conclusions to be drawn about keys used in a circuit. SEMA (simple electromagnetic analysis), DEMA (differential electromagnetic analysis) and CEMA (correlation electromagnetic analysis) are different known types of EMA (electromagnetic analysis). They belong to the class of relatively cheap, non-invasive attacks and are based on analysis of the electromagnetic radiation in the immediate surroundings of a cryptographic circuit contained in the semiconductor device.
Known measures for counteracting EMA include component screening, changing the signal-to-noise ratio and the use of masking. Basic shielding of integrated circuits, in the form of a Faraday cage for protecting the component electrostatically, and as a protective measure against the propagation of electromagnetic radiation caused by a circuit in operation, is known from U.S. Pat. No. 8,049,119 B2, for example. Using a chip carrier to carry part of an internal grounding layer for shielding an integrated circuit is described in U.S. Pat. No. 6,865,804 B2. U.S. Pat. No. 6,243,265 B1 shows a heat sink for an integrated circuit being connected to the ground potential and the use of this arrangement to shield the IC. Such shielding measures can provide protection against non-invasive EMA. In the case of these known designs, however, the protective layers, which have to be removed in order to perform a successful EMA, can be removed with relatively little effort.
To obtain knowledge about the internal structure of a cryptographic circuit, invasive and semi-invasive attacks are carried out with the aim of gaining optical access to the inner structure of the circuit. In the case of such an invasive or semi-invasive attack, the circuit has to be unpacked, but its inner structure must remain fully functional, so that cryptographic operations can still be carried out, for example. If the structure is destroyed, it must be restored again in order to observe such operations. A probing-based attack is understood to mean the local detection, using measurement technology, of the values of memory or circuit elements, for example while a cryptographic algorithm is being performed by the cryptographic circuit.
One known measure against semi-invasive and invasive attacks is, above all, the use of active sensors to detect mechanical attacks and, in response, to render structural information about the attacked semiconductor component unusable. US 2010/0078636 A1, for example, describes the integration of light-emitting and light-sensitive components and a reflective rear wall, so that any tampering with the rear wall causes interference in the signal received by the light-sensitive components. U.S. Pat. No. 7,989,918 B2 shows the use of a capacitor, the capacitance of which changes when the thickness of a chip is reduced, and oscillator circuitry that detects such changes in capacitance. In U.S. Pat. No. 8,143,705 B2, an electrically conductive protective layer is used, the resistance of which is measured; in the event of any tampering with the protective layer, the change in its resistance causes a code different from the reference code to be generated.