1. Field of the Invention
The invention is directed to a protective circuit for an integrated circuit.
2. Description of the Related Art
Certain forms of electronic circuits, particularly integrated circuits for use in chip cards, require a high degree of secrecy of circuit information or of internal chip data. This security-relevant information must be protected both against foreign analysis as well as against manipulation.
Various approaches have been used to achieve this protection. For example, integrated circuits have been provided with a metallic sleeve of, for example, silver or titanium which can prevent a readout of the integrated circuits with X-rays. A further approach has been to arrange an interconnect in the highest circuit level of an integrated circuit as shield line and to monitor the physical properties such as the resistance, the capacitance, etc., thereof. When a change is detected, for example, due to short-circuiting, grounding or parting during undesired observation or manipulation, an alarm signal is then triggered. Such a protective circuit is disclosed by U.S. Pat. No. 5,389,738. These types of protective circuits, however, are inadequate since the anticipated physical properties can be simulated with suitable external measures and the protective circuit can consequently not detect an outside attack by observation or manipulation and, thus, no suitable counter-measures can be taken.
The invention is based on the object of specifying a protective circuit for integrated circuits that provides greater protection against unwanted observation or manipulation.
This object is achieved by a protective circuit for an integrated circuit, wherein the protective circuit is arranged in a circuit level at a location under or above the integrated circuit, the protective circuit comprising a plurality of interconnects that are charged with different signals of a signal generator, a detector that evaluates the different signals transmitted via the plurality of interconnects for faulty behavior, the detector having an output at which, when the faulty behavior is found, a control signal is provided for switching the integrated circuit into a security mode.
The inventive protective circuit is arranged in at least one circuit level above or below the integrated circuit as well. This protective circuit thereby exhibits one or more interconnects that are charged with signals that change over time or with different signals as well. These signals are transmitted via the interconnects and are subsequently investigated by the detector or detectors in that the received signal to be investigated is respectively compared to a reference signal, i.e., the anticipated signal. When one or more detectors find a significant deviation, then this triggers an alarm signal that switches the integrated circuit into a security mode. In this mode, for example, the content of the memory cells can be erased, so that the control programs and the stored data can no longer be read out and interpreted.
By employing a plurality of different signals that are conducted over a plurality of interconnects and subsequently analyzed by the various detectors, it is nearly impossible to supply all alarm-triggering signals in the correct way from the outside during an attempted readout or manipulation and to simulate the presence of these signals for the detectors. When, for example, the integrated circuit is planarly mechanically eroded from above such that it is possible to view the circuit levels of the integrated circuit lying therebelow, then the interconnects of the protective circuit lying above are affected first, which leads to a modification or, to an interruption of the signal transmission that is detected by one or by several detectors. This is also true when individual interconnects are tapped with miniature needles, resulting in modifications of, for example, the signal shape, the signal attenuation or the like. All of these modifications then regularly cause an error recognition by various detectors.
Inventively, thus, it is not only a single signal but a plurality of different signals that must be simulated. Precisely in view of the extremely limited spatial conditions of an integrated circuit, it is nearly impossible to specifically supply this plurality of simulated signals to the various detectors. A nearly all-embracing protection of the integrated circuit by the protective circuit arranged above is thus established.
Preferably, the integrated circuit is surrounded in a sandwich-like manner by a protective circuit above and a protective circuit below the integrated circuit, so that an observation or manipulation from both above as well as below is precluded by the protective circuits.
It has proven successful to fashion the detectors such that, in the evaluation of the transmitted signals, these signals are investigated for integrity, which can especially ensue with a CRC check, with a checksum comparison, with a parity check or with other signature comparisons. As a result of this integrity comparison between the transmitted signal and the integrity value of the anticipated signal, also referred to as reference signal, it is possible to prevent a manipulation of the protective circuit in which the detector is quasi-shorted, whereby one and the same signal is forwarded both as reference signal and as transmitted signal to the detector with a mere identity comparison for detecting improper behavior.
The different signals that are supplied to the different interconnects can be realized with a common signal generator or can also be realized by a plurality of individual signal generators. Preferably, the generator or generators is/are in communication with the detectors resulting in the respective detector receiving information about the type and nature of the anticipated signal, (the reference signal,) from the generator allocated to it. It is thus possible that the generators dynamically modify their output signals and inform the detectors of this modification, which makes the simulation of the signals even more difficult in an attack since the time curve of the signals is also taken into consideration,
It has proven especially advantageous to extend the interconnects over a plurality of circuit levels, resulting in a significantly better coverage of the integrated circuit to be protected. Similar to the view into the structure of the integrated circuit over a plurality of circuit levels (and, thus, a view into the type and nature of the generation, of the signal guidance and of the detection of the various signals) is also significantly more difficult and is thereby not easy to simulate externally. Consequently, each modification of the protective circuit by an intervention from the outside leads to a detection of the faulty behavior, since a simulation is extremely difficult or nearly impossible due to the extremely difficult, three-dimensional structure of the fashioning of the interconnect or, the guidance therefor. It is thus clear that the one circuit level of the protective circuit protects the other circuit level of the protective circuit against an analysis. An extremely far-reaching and dependable protective circuit for the integrated circuit is definitely established by this approach.
According to a preferred embodiment of the protective circuit, the interconnects of the protective circuit are fashioned such that, ideally, they largely completely planarly cover the integrated circuit to be protected. This is done in a manner such that, when looking through the protective circuit onto the integrated circuit, there is no longer any possibility of directly reaching the protective circuit, for example, through bores or the like, i.e. without damaging the interconnects of the protective circuit. This far-reaching or complete coverage is enabled in a simple and sure way by precisely fashioning the interconnects over a plurality of circuit levels or in a plurality of circuit levels, since the interconnects can be arranged in a plane with adequate spacing from one another to prevent crosstalk. The region between the interconnects can just be covered by interconnects in the other circuit level of the protective circuit, enabling a complete coverage of the integrated circuit or, respectively, of the critical parts of this integrated circuit.
An attempt made to approach the integrated circuit, for example with a bore, leads to damage to one of the interconnects, which leads to a modified signal. When the interconnect is fashioned with an extremely slight interconnect width that corresponds to the size of such a bore or is smaller, then each such bore leads to an interruption of the interconnect and, thus, to a fault signal that can be very reliably detected. It is also possible that such a bores would lead to a short between various interconnects, which can also be very dependably recognized as fault signal by the corresponding detectors as a total signal fade. The interconnect width is thereby preferably selected such that it corresponds to the minimum interconnect width given a specific chip technology employed. Due to these specific fashionings of the interconnects as, on the one hand, very narrow interconnects and as, on the other hand, interconnects extending over various circuit levels as well as with optimum surface coverage, an extraordinary degree of protective effect against a mechanical intervention (e.g., boring or plaining) is established.
According to a preferred embodiment of the invention, the detector or detectors of the protective circuit are arranged in a circuit level under the highest circuit level having interconnects of the protective circuit and are protected against unwanted access by these interconnects. A cascading protection for the detectors of the protective circuits by the interconnects of the protective circuits and for the integrated circuit by the interconnect with detectors is established by this systematic structure.
An observation or manipulation of the detector or detectors is prevented by this arrangement due to the lines lying above the detector(s), which precludes another possibility of an attack in which signals could be directly supplied into the detectors without proceeding via the interconnects.
In a corresponding way, it is advantageous to arrange the generator or generators in a circuit level that is protected by interconnects of the protective circuit lying above it. Such an arrangement of the detectors or, respectively, of the generators definitely proves to be a critical way of enhancing the protective effect of the protective circuit against unauthorized access.
When the different signals are generated completely independently of one another, for example, by independent generators, then it is assured that these signals differ significantly in terms of their signal curve, since they do not systematically depend on one another. Such signals can only be simulated with extreme outlay and with extreme difficulty, especially since the plurality of different signals must be supplied in a targeted fashion into the correct interconnects or, respectively, the correct detectors. This is nearly impossible given the extremely restricted spatial dimensions of the integrated circuit. Such a protective circuit has proven particularly successful in protecting an integrated circuit.
In one version of the invention, a plurality of detectors are allocated to one interconnect, these detectors tapping the signal on the one interconnect at a position specific to the respective detector and monitoring it. In this construction, the interconnect is divided into several interconnect sections that are each respectively monitored by detectors allocated to them. These interconnect sections thus assume the function of a monitored interconnect. Over and above this, however, the multiple monitoring of the entire interconnect with the various interconnect sections assures that, if an intervention into this interconnect with suitable intervention measures were not to be detected by one detector, the other detectors or some of the other detectors at the overall interconnect will find a variation of the monitored signal and trigger an alarm. The redundant arrangement of the detectors at an interconnect thus establishes an enhanced protective effect of the protective circuit.
In general, it is desirable to provide optimally many signal lines and optimally many signal generators or detectors that complicate an attack in the form of reconfiguration merely due to their number. Limits, however, are placed on the number of signal lines/generators/detectors dependent on the size of the integrated circuit, since many discrete signals mean a high hardware expenditure, which leads to the circuit becoming significantly more expensive due to these security measures.
In another version of the invention, the above-described method of protective signal generation is combined with a multiplexer and a demultiplexer, where different interconnects of the protective shield are connected to the same generator outputs and detector inputs at different times on the basis of a time-division multiplex method. In this way, the number of generators and detectors is smaller than the number of shield segments.
A further advantage of this arrangement is that the number of reference lines that supply the detectors with a reference signal from the appertaining detector is likewise reduced, which leads to a considerable saving of chip area.
The multiplexers and demultiplexers can either be centrally synchronously controlled or their status may be dependent only on the plurality of past clock cycles of the common clock system. A random or pseudo-random drive of the multiplexer channels is especially advantageous. A true random drive requires an ongoing synchronization of multiplexer and demultiplexer with specific control signals. A pseudo-random drive allows a local generation of identical control signals in the respective spatial proximity of multiplexer and demultiplexer.
According to an especially preferred embodiment of the protective circuit and given a plurality of detectors, the detectors are networked with one another.
What this achieves is that the integrated circuit is driven such as soon as one detector identifies a faulty behavior and, by inference, an unallowed attack on the integrated circuit that the intergrated circuit is switched into a comprehensive security mode. Via the networking, it is also possible that the individual detectors check the functionability/presence of the other detectors in the framework of an acknowledgment function or in the framework of a watchdog function and thereby recognize an unallowed intervention into the protective circuit or, respectively, the integrated chip and trigger the corresponding security mode of the integrated circuit.
In addition to networking the detectors, it has also proven advantageous to network the generators, which permits recognition of a failure intervention in a generator. Over and above this, the networking of the generators with the detectors makes it possible for the generators to provide the detectors allocated to them with information about the signals they output, for example, about the time curve, about their level, about their shape or the like. As a result thereof, the variability of the different signals and, thus, the degrees of freedom of the protective circuit can be significantly enhanced, which makes intervention more difficult and thereby significantly enhances the protective effect of the protective circuit against an unnoticed attack on the integrated circuit.
The inventive protective circuit thus exhibits the underlying idea of decentralization the components of the protective circuit are no longer locally concentrated but instead are distributed over a larger spatial area, multiplying in number and fashioning them in a differentiated manner. This permits the and the transport via the interconnects and the monitoring of the signals to be distributed onto a plurality of redundant units, which leads to greater protection against an unnoticed observation or manipulation of the protective circuit or respectively, of the integrated circuit to be protected.