1. Technical Field
The present disclosure relates to a tamper-resistant non-volatile memory device including a plurality of non-volatile resistive memory cells.
2. Description of the Related Art
The market for electronic commerce services rendered via the Internet, such as electronic banking or electronic shopping, is rapidly expanding. Such services are paid for with electronic methods of payment like electronic money using integrated circuit (IC) cards and smartphone terminals whose use is also expanding. These services require high-level security technology for mutual authentication during communication and encryption of communication data all the time in order to make payment safe.
In terms of software technologies, due to the accumulation of encryption techniques based on program processing, such as high-level encryption algorithms, a sufficient level of security has been achieved. However, technological advances have lead to a rapid growth of concerns about the direct interception of inside information on circuitry from outside parties.
International Publication WO2012/014291 proposes a solution to such concerns. In general, security-enhanced ICs encrypt confidential information by using a built-in cryptographic circuit and use the encrypted information to prevent leakage of information. In this case, it is required that information on an internally stored encryption key (also referred to as a “private or secret key”) not be leaked to the outside.
Typical standards for cryptographic circuits, such as Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES), are widely used. These encryption standards employ sophisticated cryptographic algorithms that make it difficult to identify the encryption key within the realistic constraints of time even if pairs of plaintext (unencrypted data) and ciphertext constituting input and output are obtained and analyzed by making full use of top-speed computers, and the safety thereof has been confirmed. However, such standards, which are regarded as being safe in providing protection against hacking of encrypted data, have still involved a concern for vulnerability of the encryption key to direct hacking.
In an IC that adopts a classic technique, an encryption key is stored in an internal fuse read-only memory (ROM) or a non-volatile memory. The former configuration has experienced a problem that permits the state of the fuse element to be observed using X-ray projection or the like and the electrical conductivity of the fuse element to be analyzed, resulting in the stored key information being hacked or stolen. The latter configuration does not lead to analysis by using X-ray projection but has a problem in that the key information can be hacked by direct application of probes to both ends of a memory element of the non-volatile memory to electrically read the state of the element. To address this problem, security-enhanced ICs are manufactured using latest fine process technology so as to prevent direct application of probes to an internal circuit. That is, the manufacture of an IC using latest fine process technology with a finer process rule than the diameter of the leading edge of a probe addresses a threat of analysis with probing.
However, techniques called side-channel attacks, which have been attempting to break the countermeasure described above, can constitute threats. The side-channel attacks are techniques for, as described in International Publication WO2012/014291, identifying an encryption key by using side-channel information such as power consumption of a semiconductor device when each signal processing circuit is executed and radiated electromagnetic waves dependent on the power consumption. These techniques are threats because such techniques enable an attacker (or hacker) to hack key information without causing any physical damage to an IC when the IC is in actual operation.
Differential Power Analysis (DPA), which is a type of side-channel attack, was introduced by P. Kocher in 1999. The DPA technique uses the fact that there is a correlation between a signal value or signal transition frequency and power consumption during operation of an IC. Specifically, the DPA technique involves integrating the correlation described above multiple times to reduce noise and performing machine learning control to derive a fixed pattern, thereby identifying key information. The example disclosed in International Publication WO2012/014291 provides an example in which key information is identified through the operation of a cryptographic processing circuit. Key information stored in a non-volatile memory is read at the timing when the execution of cryptographic processing acts as a trigger. Based on the principle of DPA, if data read at timing similar to the timing described above is identified and obtained, the content of the data might be analyzed using DPA. In addition, if the internal specification of an IC leaks, a hacker will be able to understand the control method of the IC and, as described above, all of the data stored in the non-volatile memory, including cryptographic key information, will be hard-copied so that a duplication of the IC might be created.
In recent years, Physically Unclonable Function (PUF) technology has been proposed to address the problems described above. PUF technology is a technology for generating unique individual discrimination information different for each IC by exploiting manufacturing variations. In this specification, individual discrimination information generated using PUF technology is hereinafter referred to as “digital ID data”. The digital ID data can be regarded as random-number data specific to each device, which is associated with variations in the physical properties of an IC. Since it is not possible to artificially control the physical properties of each IC, data whose physical duplication is not possible can be generated.
Even if it is possible to some extent to control variations in the physical properties of an IC, using random process variations caused during manufacture would make it easy to create unique digital ID data specific to each IC by using PUF technology. In actual use, however, specific individual discrimination information determined in advance is difficult to create on purpose. In a semiconductor process, manufacturing variations occur in terms of various physical properties. Examples of the manufacturing variations include the amount of doping in the semiconductor process, oxide thickness, channel length, the width and thickness of a metal wiring layer, parasitic resistance, and parasitic capacitance.
In the related art, specific examples of static random access memory (SRAM) PUF are disclosed in Japanese Unexamined Patent Application Publication (Translation of PCT Application) No. 2013-545340 and “A 0.19 pJ/b PVT-Variation-Tolerant Hybrid Physically Unclonable Function Circuit for 100% Stable Secure Key Generation in 22 nm CMOS”, K. Mathew, et al., ISSCC 2014 (hereinafter referred to as Non-Patent Literature 1). The disclosed examples use a phenomenon in which, in each memory cell in an SRAM, the tendency of whether digital data of the initial value when power to the SRAM is turned on is likely to be in state “1” or state “0” differs mainly due to the Vt variations (variations in operating voltage) across the transistor in the memory cell. This tendency is specific to each cell of an SRAM on each IC, and differs from one cell to another. That is, the initial value data at power-on of the SRAM is used as digital ID data.
Japanese Unexamined Patent Application Publication No. 2012-43517 discloses a modification of SRAM-PUF which uses a phenomenon in which defective bits of memory cells of an SRAM randomly occur. In addition, in International Publication WO2012/014291 and “The Design and Evaluation Methodology of Dependable VLSI for Tamper Resistance” by Takeshi Fujino in “Fundamental technology for dependable VLSI system”, CREST 2009 Research Theme, 2012 Annual Report (hereinafter referred to as Non-Patent Literature 2), PUF technology called Arbiter PUF or Glitch PUF has been introduced. Arbiter PUF and Glitch PUF use random changes in the output of a combinational circuit with respect to the input by using a gate delay or a wiring delay. The gate delay or wiring delay, which changes due to manufacturing variations, constitutes an amount of delay specific to each IC. Thus, each IC outputs a substantially equal result with respect to the input, where the results of the individual ICs are different from each other, and can therefore generate digital ID data.
Accordingly, PUF technology enables digital ID data serving as a random number specific to each IC to be generated as unduplicatable data. The digital ID data is used as a device key for encrypting the private or secret key described above. A private or secret key encrypted with the device key (digital ID data) is stored in a non-volatile memory as an encrypted private or secret key. That is, the encrypted private or secret key recorded on the non-volatile memory can be decrypted into the original private or secret key data only with the device key. Thus, even if all the data in the non-volatile memory has been hard-copied by hacking, the device key (digital ID data) specific to each IC is not duplicatable, which prevents the encrypted private or secret key from being restored to the original form to make the private or secret key unavailable.
In addition, since the digital ID data generated using PUF technology is generated by using subtle manufacturing variations, environmental variations including temperature or power supply variations under which the digital ID data is generated, as well as, for example, deterioration over time, may cause changes in available physical properties, and may result in an error being caused in data obtained. Accordingly, as disclosed in Non-Patent Literature 1, parity data for error correction is computed based on digital ID data generated using PUF technology in the inspection step during manufacture. The parity data is separately stored in the non-volatile memory or the like. When the system uses digital ID data, the digital ID data, which is generated using PUF technology and contains an error, undergoes an error correction process using the parity data to obtain constantly the same ID data.
While the technology described above, which involves subjecting data containing errors to data correction, seems to be inefficient, such inefficiency becomes another important feature. Each time digital ID data is re-generated using PUF technology, random errors are generated in the data. Thus, even if the data is exposed to a hacking attack such as the side-channel attack described above, the data pattern remains unfixed and is difficult to analyze, thus achieving a significant improvement in security.
As described above, PUF technology is an important technology to increase security for secure cryptography and mutual authentication.