1. Technical Field
The present disclosure relates to a tamper-resistant non-volatile memory device including a plurality of non-volatile resistive memory cells.
2. Description of the Related Art
The market for electronic commerce services provided via the Internet, such as online banking and online shopping, is rapidly expanding. As a method of payment in such services, electronic money is used. Accordingly, integrated circuit (IC) cards and smartphone terminals that are used as media for electronic money are being increasingly used. In these services, a security technique of a higher level is always required in mutual authentication for communication and encryption of communication data in order to ensure secure payment.
On the software side, encryption techniques based on program processing that center on advanced encryption algorithms have accumulated and provide sufficient security. However, advances in technology are rapidly increasing the risk that information within a circuit may be read directly from outside.
International Publication No. WO2012/014291 proposes a measure against such a risk. In general, in an IC with increased security, an encryption circuit mounted on the IC is used to encrypt confidential information before the information is used, thereby protecting the information from being compromised. In such a case, it is essential to protect information about an encryption key (also referred to as a “private key”) retained inside the IC from being externally compromised.
As representative schemes for encryption circuits, Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES), for example, are widely used. These encryption schemes employ an advanced encryption algorithm that protects an encryption key from being identified within a realistic time even if an input/output pair of plaintext (data before encryption) and ciphertext is obtained and analyzed by using the fastest available computer, and the security provided by the algorithm has been verified. Although encrypted data is thus considered to be protected from hacking, there remains a concern that the encryption key itself may be hacked directly.
In an IC employing a classical scheme, an encryption key is saved in an internal fuse read-only memory (ROM) or a non-volatile memory. In a configuration using a fuse ROM, the issue is that the states of the fuse elements can be observed by X-ray irradiation or the like, each fuse element can be analyzed to determine whether it is in a conducting state, and the saved key information is consequently hacked. In a configuration using a non-volatile memory, an analysis by X-ray irradiation is not possible, but the issue is that a probe can be connected directly to both ends of each memory element of the non-volatile memory, the state of the element can be read electrically, and the key information is consequently hacked. Therefore, an IC with increased security is manufactured by using a leading-edge fine process so as to prevent a probe from being directly connected to an internal circuit. That is, the IC is manufactured in a fine process whose wiring rule is finer than the diameter of the tip of a leading-edge probe, which prevents the threat of an analysis by probing.
However, a scheme called a side channel attack has come into use against such a measure and has become a new threat. A side channel attack is a scheme for identifying an encryption key by using side channel information, such as the power consumption of the semiconductor device when each signal processing circuit is operating and an emitted electromagnetic wave that depends on the power consumption, as described in International Publication No. WO2012/014291. This scheme can be a threat because an attacker (hacker) is able to hack key information while the IC is operating without causing physical damage to the IC.
A Differential Power Analysis (DPA) attack, which is classified as a side channel attack described above, was made public by P. Kocher in 1999. The DPA scheme uses the fact that the signal value or the signal transition frequency when an IC is operating has a correlation with the power consumption. Specifically, in the DPA scheme, this correlation is integrated a large number of times, and machine learning control is performed while noise is removed to thereby derive a fixed pattern and identify key information. In an example in International Publication No. WO2012/014291, key information is identified from operations of an encryption processing circuit. Key information stored in a non-volatile memory is read at a timing triggered when an encryption process is performed. According to the principle of DPA, if data read at a timing close to the timing described above is identified and obtained, the content of the data may be analyzed by DPA. If the internal specification of an IC leaks out, a hacker is able to understand the control method for the IC. As a result, the entire data including encryption key information saved in the non-volatile memory is hard-copied as described above, and a duplicate of the IC is manufactured.
In order to address these issues, the Physically Unclonable Function (PUF) technology has been proposed. The PUF technology is a technology for generating unique individual identification information that differs from IC to IC by utilizing manufacturing variations. Hereinafter, individual identification information generated by using the PUF technology is called “digital ID data”. Digital ID data can be regarded as random number data that is associated with variations in the physical properties of the IC and that is specific to each device. It is not possible to artificially control the physical properties of each IC, and therefore, data for which physical reproduction is not possible can be generated.
Even if variations in the physical properties can be controlled to some extent, when random process variations that occur during manufacturing are used, it is easy to create unique digital ID data specific to each IC by using the PUF technology. However, in actuality, it is extremely difficult to intentionally create specific individual identification information determined in advance. In a semiconductor process, manufacturing variations occur in various physical properties. Manufacturing variations may occur in the doping amount in a semiconductor process, the thickness of an oxide, the channel length, the width and thickness of a metal wiring layer, the parasitic resistance and parasitic capacitance, and so on, for example.
Specific examples of PUFs in the related art include SRAM-PUFs disclosed by Japanese Unexamined Patent Application Publication (Translation of PCT Application) No. 2013-545340 and “A 0.19 pJ/b PVT-Variation-Tolerant Hybrid Physically Unclonable Function Circuit for 100% Stable Secure Key Generation in 22 nm CMOS” Sanu K. Mathew, et al., ISSCC2014 (hereinafter referred to as “Non Patent Literature 1”). These examples utilize a phenomenon in which, in each memory cell in an SRAM, the initial value of digital data upon power-on tends to be in a “1” state or in a “0” state depending mainly on a variation in Vt of the transistor (a variation in the operating voltage). That is, this tendency is specific to each cell of the SRAM mounted on each IC and differs from cell to cell. In other words, the initial value data upon turning on the power of the SRAM is used as digital ID data.
Japanese Unexamined Patent Application Publication No. 2012-43517 discloses a modification of an SRAM-PUF that utilizes a phenomenon in which an error bit is randomly generated in a memory cell of an SRAM. Further, International Publication No. WO2012/014291 and “The Design and Evaluation Methodology of Dependable VLSI for Tamper Resistance” Takeshi Fujino, “Fundamental Technologies for Dependable VLSI System” Research Started in 2009 at CREST, 2012 Annual Report (hereinafter referred to as “Non Patent Literature 2”) introduce a PUF technology called an Arbiter PUF or a Glitch PUF. An Arbiter PUF and a Glitch PUF utilize the fact that output from a combinational circuit randomly changes relative to input due to a gate delay or a wiring delay. A gate delay and a wiring delay that change due to manufacturing variations have delay amounts specific to each IC. Accordingly, each IC outputs substantially the same result relative to the input, although the result differs from IC to IC, and therefore, digital ID data can be generated.
As described above, with the PUF technology, digital ID data constituted by random numbers specific to each IC is generated as irreproducible data. Such digital ID data is used as a device key for encrypting the private key described above. The private key encrypted by using the device key (digital ID data) is kept encrypted and saved in a non-volatile memory. That is, the encrypted private key recorded in the non-volatile memory can be decrypted and restored to the original private key data only by using the device key. Therefore, even if the entire data within the non-volatile memory is hard-copied by hacking, the device key (digital ID data) specific to each IC is irreproducible. As a result, it is not possible to restore the encrypted private key to the original data, and therefore, it is not possible to use the hacked data.
Further, digital ID data generated by using the PUF technology is generated by utilizing slight manufacturing variations. Physical properties that are used may change due to the temperature environment and power condition when the digital ID data is generated and due to long-term deterioration, and therefore, obtained data may have an error. Accordingly, parity data for error correction is computed on the basis of digital ID data generated by using the PUF technology in an inspection process during manufacturing, and the parity data is separately saved in a non-volatile memory or the like, as described in Non Patent Literature 1. When a system uses the digital ID data, the digital ID data that has been generated by using the PUF technology and that may include an error is subject to an error correction process using the parity data, whereby the same ID data is always obtained.
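The scheme of the preceding paragraphs as an added Python example, not taken from the disclosure or the cited literature: a simulated SRAM power-up response is enrolled, parity data is saved, a noisy re-read is corrected back to the same digital ID data, and the resulting device key unwraps a stored private key. The simulated chip, the noise model, the 5-cell repetition-code parity, the SHA-512 key derivation and the SHAKE/HMAC stand-in cipher are all assumptions chosen for illustration.

```python
import hashlib, hmac, random

N, BLOCKS = 5, 128   # assumed: 5-cell repetition blocks, 640 SRAM cells

def make_chip(seed):
    """Constructed model of one IC: each cell's preferred power-up value."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(N * BLOCKS)]

def noisy_read(chip, rng, flips):
    """Constructed noise model: exactly `flips` cells flip in every block."""
    out = list(chip)
    for start in range(0, len(chip), N):
        for i in rng.sample(range(start, start + N), flips):
            out[i] ^= 1
    return out

def enroll(response):
    """Parity data saved in NVM: first cell XOR each other cell, per block.
    It reveals N-1 of every N bits, so only 1 bit per block stays secret."""
    return [response[s] ^ response[s + j]
            for s in range(0, len(response), N) for j in range(1, N)]

def reconstruct(response, parity):
    """Pick, per block, the parity-consistent pattern nearest the noisy read."""
    out = []
    for b in range(len(response) // N):
        cand = [0] + parity[b * (N - 1):(b + 1) * (N - 1)]
        dist = sum(x ^ y for x, y in zip(response[b * N:(b + 1) * N], cand))
        out += cand if dist <= N // 2 else [x ^ 1 for x in cand]
    return out

def device_key(id_bits):
    """Hash the corrected ID into an encryption half and a MAC half."""
    return hashlib.sha512(bytes(id_bits)).digest()

def wrap(key, secret):
    """Stand-in for a real key-wrap cipher (stdlib only, one secret per key)."""
    ks = hashlib.shake_256(key[:32]).digest(len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, ks))
    return ct + hmac.new(key[32:], ct, hashlib.sha256).digest()

def unwrap(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(key[32:], ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None   # wrong device key, e.g. NVM contents copied to another IC
    ks = hashlib.shake_256(key[:32]).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))
```

At inspection, `enroll(read)` and `wrap(device_key(read), private_key)` are what go into the non-volatile memory; in the field, `unwrap(device_key(reconstruct(new_read, parity)), blob)` returns the private key only on the enrolled chip. With this parity code a block tolerates two flipped cells out of five, and a third flips the corrected block to the wrong pattern, so the unwrap fails rather than yielding a wrong key.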
Although the PUF technology may seem to be an inefficient technology because data correction is performed on data that includes an error as described above, such correction is another significant feature. Each time digital ID data is generated again by using the PUF technology, an error irregularly occurs in the data. Therefore, even in a case of encountering a hacking attack, such as a side channel attack described above, the data pattern is not determined, which makes an analysis extremely difficult, resulting in significantly increased security.
As described above, the PUF technology is an essential technology for increasing security in order to securely perform encryption and mutual authentication.