Development of an on-chip micro shielded-loop probe to evaluate performance of magnetic film to protect a cryptographic LSI from electromagnetic analysis

Masahiro Yamaguchi#1, Hideki Toriduka#1, Shoichi Kobayashi#1, Takeshi Sugawara#2, Naofumi Homma#2, Akashi Satoh#3 and Takafumi Aoki#2

#1 Department of Electrical and Communication Engineering, Graduate School of Engineering, Tohoku University, 6-6-05, Aoba, Aramaki, Aoba-ku, Sendai 9890-8579, Japan
{yamaguti, toriduka, s-koba}@ecei.tohoku.ac.jp

#2 Department of Computer and Mathematical Sciences, Graduate School of Information Sciences, Tohoku University, 6-6-05, Aoba, Aramaki, Aoba-ku, Sendai 9890-8579, Japan
{sugawara, homma, aoki}@aoki.ecei.tohoku.ac.jp

#3 Research Center for Information Security, Advanced Industrial Science and Technology, 1-18-13, Sotokanda, Chiyoda-ku, Tokyo 101-0021, Japan
[email protected]

Abstract—Two types of miniature shielded-loop magnetic probes were used to analyze the RF magnetic near field on the ISO/IEC 18033-3 Standard Cryptographic LSI, made in a 0.13 μm CMOS process with a clock frequency of 24 MHz. The 180 × 180 μm² on-chip shielded-loop probe we developed was used to scan the magnetic near field on the LSI and clarified that the magnetic field is strong not only on the targeted cryptographic circuit. Such a detailed map was depicted for the first time for a cryptographic LSI. Then differential electromagnetic analysis (DEMA) was performed with a shielded-loop probe (1000 × 500 μm², CP-2S, NEC). All the bytes of the 16-byte secret key are recovered using only 1 × 10⁴ waveforms when the waveform is measured close to the cryptographic circuit, whereas the error rate does not converge to zero until the number of waveforms reaches 3 × 10⁴ if the data are taken far away from the circuit. As a countermeasure against DEMA, a 25 μm thick magnetic film (μr = 50 at 1 MHz, NEC Tokin Co., type E25) was attached on top of the bare LSI chip to suppress the magnetic field intensity by 6 dB, which can be a good candidate to protect a cryptographic LSI from side-channel attack.

I. INTRODUCTION

The electromagnetic near field of an LSI chip is a function of the instantaneous operation of the LSI circuit. The magnetic near field of a cryptographic LSI can therefore be a target for side-channel attack to extract the secret key of the encryption. A known attack on the electromagnetic near field of a cryptographic LSI is called differential electromagnetic analysis (DEMA) [1]. Recent interest is in the effectiveness of attacking a cryptographic IP core locally rather than the whole LSI chip, which may yield higher correlation with the secret key.

978-1-4244-6307-7/10/$26.00 ©2010 IEEE

Therefore this work discusses miniature magnetic field probes with higher spatial resolution, used to examine the magnetic near field distribution on a cryptographic LSI chip and then to perform localized DEMA on the chip. Two kinds of miniature shielded-loop magnetic probes were used to analyze the RF magnetic near field of a cryptographic LSI chip. One is a commercially available probe that some of the authors developed before [2], with a spatial resolution of 250 μm and well-defined impedance matching. The other is an on-chip shielded-loop probe using a typical SOI (Silicon-on-Insulator) CMOS technology [3], which consists of the chip that carries a shielded loop coil and the base-PCB with stud bump connection to the chip [4], [5]. The target cryptographic LSI is the ISO/IEC 18033-3 Standard Cryptographic LSI made in a 0.13 μm CMOS process with a clock frequency of 24 MHz [6]. It is incorporated in a Side-channel Attack Standard Evaluation Board (SASEBO-R). There are 13 kinds of cryptographic IP cores implemented in the LSI. Among them is the Advanced Encryption Standard (AES_Comp) module, which is studied in this work. Magnetic near field map extraction on the LSI chip, the visibility of IP cores and power/ground lines on the map, and DEMA at some hot spots of the magnetic field are discussed systematically in this paper to examine the locality of the information that is meaningful for analyzing cryptographic keys. In the last section it will be demonstrated that such information leakage would be protected by magnetic film.


II. PROBE DESIGN AND FABRICATION

A. On-Chip Shielded-Loop Coil

The planar shielded-loop coil consists of two planar coils stacked and connected in parallel, with a half-turn signal line in between, together with via holes and electrodes [2], [4], [5]. Its features are that it suppresses electric-field-induced voltage well up to the GHz range and provides RF impedance matching for signal transmission. In this work, the shielded loop coil was made in a test chip fabricated in a 0.15 μm, five-metal SOI-CMOS process with a high-resistivity substrate, which gives us wide-bandwidth amplifiers and low-loss coils [7]. There are five Al-base metal layers (ρ: 3.9 – 5.8 × 10⁻⁸ Ω·m), consisting of three 0.53-μm-thick layers (M1 through M3), one 0.72-μm-thick layer (M4) and one 2.0-μm-thick layer (Top metal), with a 1.23-μm-thick silicon oxide dielectric layer (εr: 4.08 – 4.23) in between each metal layer. Fig. 1 shows the CAD layout of the fabricated chip. At the lower left corner is the planar shielded loop coil with a window size of 180 × 180 μm², connected through the 530-μm-long impedance-matched strip line (Ground-Signal-Ground tri-plate structure) to the flip chip bonding pad. The coil size is designed for robust measurements and can be miniaturized down to 40 × 40 μm² or less in the near future, judging from the gain-bandwidth product of the integrated amplifier we designed for this coil [3]. A major design restriction of the on-chip shielded loop coil is the high wiring resistance that originates from the unavoidable thinness of the conductive metal. Therefore we gave priority to designing lower-resistance wiring rather than adjusting the characteristic impedance to 50 Ω.
After a number of FEM simulations (Ansoft Co., HFSS) we found a design for which the frequency profile of the transmitted signal would be linear within ± 0.5 dB up to 1 GHz and resonate at 5.5 GHz, where the M1 and M2 layers are connected in parallel by numerous via holes and used as the bottom ground layer of the strip line [8]. Similarly, the M3 and M4 layers are used for the 2.0-μm-wide signal line, and the Top metal is assigned to the top ground layer. Accordingly, the sum of the estimated resistance became 17.0 Ω, and was 17.2 Ω actually. This problem of insufficient impedance matching can be overcome when we use an integrated amplifier, as the lead length can be negligibly short and the input impedance of the amplifier can be as high as 10 MΩ [3]. In other words, lumped-element design becomes possible through the integration.

B. Interconnect to base-PCB

In Fig. 1, the signal pad located at the center of the flip chip bonding pad is surrounded by a number of parallel-connected ground pads so that the signal line is shielded in the vertical direction. Au stud bumps are applied to all the pads at 200 ºC, as shown in the upper left illustration in Fig. 2. Separately, non-conductive paste (NCP) is applied to the pads on the base-PCB at 70 ºC, as shown in the upper right illustration in Fig. 2. Then the chip was mounted on the base-PCB at 270 ºC by a flip chip bonding machine (Model 6000, Hisol Co.). Fig. 3 shows a photo of the completed on-chip probe, consisting of the chip, a strip line provided with 50 Ω impedance matching, and a semi-rigid cable. The base-PCB is made of 342-μm-thick Teflon-base material with εr = 3.6. The base-PCB also gives mechanical toughness to the chip when scanning over a device under test (DUT). The probe measures the magnetic field perpendicular to the base-PCB plane. The probe is set on an XYZ stage with an observing optical microscope separately developed by us. The scanning area is 100 × 100 × 20 mm³ with a nominal positioning accuracy of 20 μm. Fig. 4 shows a demonstration of scanning over the 20-mm-long microstrip line used as a DUT in the next section.

Fig. 1. CAD layout of the on-chip shielded-loop coil: (a) dimension of the shielded loop (unit: μm), (b) chip overview, (c) enlarged view of the coil and pad.

Fig. 2. Stud bump connection.

Fig. 3. Completed on-chip magnetic field probe (test chip 2.5 × 2.5 mm², PCB 8 × 30 mm², conductive paste, semi-rigid cable).

Fig. 4. Measurement on a microstrip line.

C. Magnetic field measurement on a microstrip line

In Fig. 4, the microstrip line used as the DUT has a 610-μm-wide signal line on a 300-μm-thick Teflon-base material with εr = 3.6 to provide 50 Ω impedance matching. The microstrip line was attached to the jig using a plastic screw located out of reach of the electromagnetic field of the microstrip line. The measured insertion loss was as small as 0.08 dB at 1 GHz. The microstrip line was driven with 5 dBm power from a network analyzer (8720D, Agilent Co.), and the probe output was monitored by a spectrum analyzer (E4440A, Agilent Co.). The distance between the coil edge and the microstrip conductor (lift-off) was only 35 μm. Scanning along the width direction of the microstrip line, the output level is high on the conductor because of the current flow, as shown in Fig. 5. In detail, two peaks are clearly detected at the edges, corresponding to the current crowding at high frequency. The spatial resolution was 170 μm. This value was read at the -6 dB point from the peaks, and this definition is identical to that in [2].

Fig. 5. Probe output at 35 μm above the microstrip conductor at 1 GHz (probe output [dBm] versus distance from the center [μm]; MSL: microstrip line, 610 μm).

Fig. 6. Cryptographic LSI: (a) outlook, (b) circuit block arrangement.

III. CRYPTOGRAPHIC LSI

A cryptographic LSI incorporated in a Side-channel Attack Standard Evaluation Board (SASEBO-R) [6] is studied in this work.
The SASEBO-R is a 230 mm × 180 mm × 1.6 mm, FR-4, eight-layer board, working at 3.3 V input with a 24 MHz clock signal. The cryptographic LSI is implemented in a 130-nm CMOS process and mounted in a 160-pin QFP package. It works at 1.2 V, which is generated by a regulator on the SASEBO-R. Fig. 6(a) shows the top view of the cryptographic LSI. Signal lines and IP cores are not visible because the top two metal layers on the chip form a power grid. There are 13 kinds of cryptographic IP cores implemented in the LSI. Among them is the Advanced Encryption Standard (AES) [9] module, as shown in Fig. 6(b). This is the target studied in this work.

Fig. 7. Magnetic near field measurement setup (spectrum analyzer Agilent E4440A, amplifier, magnetic field probe, function generator Agilent 33250A, DC power sources, cryptographic LSI, FPGA, and a PC connected via GPIB).

Fig. 8. Magnetic near field measurement on a cryptographic LSI.


Fig. 9. Even harmonics of magnetic probe output measured on AES_Comp (probe output [μV] versus frequency [MHz], 0 to 3000 MHz; dotted fit: 220 sin(πf/470)).

Fig. 10. Fourier transformation of repetitive rectangular pulse wave.

Fig. 11. Magnetic near field in the periphery of the cryptographic IP core: (a) commercially available probe, (b) self-fabricated probe.

Fig. 12. Magnetic near field map on the cryptographic IC (Points 1 to 4 marked).

IV. MAGNETIC NEAR FIELD MEASUREMENTS

A. Spectral Analysis

The magnetic near field spectrum of the cryptographic IP core was measured by the on-chip probe described in Section II with a 40 dB amplifier. Fig. 7 shows the external circuit connection to the SASEBO-R. The on-chip probe is mounted on an XYZ stage and positioned over the cryptographic LSI as shown in Fig. 8. The lift-off between the LSI chip surface and the coil edge was 20 μm. Fig. 9 shows the observed even harmonics of the clock frequency of 24 MHz. The spectrum can be fitted by a sine wave (like full-wave rectification), as shown by the dotted line. This can be explained on the basis of the Fourier transformation of repetitive pulse waves, as shown in Fig. 10. Fig. 10(a) explains that the Fourier transformation of the repetitive pulse waves is enveloped by a sinc function. Since the magnetic probe outputs the induced voltage of the coil, its output is the first-order time derivative of the RF current waveform, as shown in Fig. 10(b). In Fig. 9, the sine wave fitting is not exact at frequencies below 750 MHz because the DC resistance of the coil cannot be neglected compared with the coil impedance ωL at lower frequencies. These results mean that the major source of the detected spectrum has a constant time rate and constant amplitude. This may come from the clock signal of the circuit.

B. Two Magnetic Probes

The magnetic near field on the cryptographic LSI was measured using two different kinds of probes: one is the on-chip probe described in Section II, and the other is a commercially available probe (CP-2S, NEC Engineering Co., window size: 1.0 × 0.2 mm²) that we jointly developed before. The spatial resolution of the commercially available probe is not as high as that of the on-chip probe because the coil is larger and the gap between the probe coil edge and the target LSI chip surface is larger. The range of measurement was 1 mm around the AES_Comp IP core on the cryptographic LSI. The measurement pitch was 0.02 mm. The lift-off, defined as the distance between the DUT surface and the coil edge, was 110 μm for the commercially available probe and 20 μm for the self-fabricated probe. The measured results at the frequency of 240 MHz are shown in Fig. 11. It is obvious that finer measurement was possible using the on-chip probe compared with the commercially available probe. The reason is that the on-chip probe has a smaller gap between the coil edge and the chip edge, which makes the lift-off smaller. Additionally, the transmission line of the self-fabricated probe was made shorter in order to reduce the standing wave along the transmission line between the probe and the amplifier.

C. Magnetic near field measurement over cryptographic LSI chip

The on-chip probe with high spatial resolution was used for the magnetic near field measurement over the cryptographic LSI chip. The measurement range was 3.8 × 3.8 mm² and the measurement pitch was 0.5 mm. The lift-off was set to 20 ± 10 μm. The magnetic near field in both the X and Y directions was measured and the magnetic field intensity was derived. It was measured at 984 MHz, where a reasonably high output level can be obtained, as seen in Fig. 9. The measured result is shown in Fig. 12. Traces of currents can be observed in the horizontal and perpendicular directions inside the chip. The distances between the traces are only multiples of the power line pitch. This observation was made possible by the high spatial resolution and shorter lift-off of the developed on-chip probe. Based on these results, it can be concluded that the traces of currents should mean RF currents in the power lines synchronized with the clock signal of the cryptographic LSI chip. On the other hand, it is still uncertain whether the probe output contains any information regarding the encryption.

Fig. 13. Error rate (number of correct estimations versus number of traces, 0 to 3.0 × 10⁴, for Point 1, Point 2, Point 3, Point 4 and Power).

V. DIFFERENTIAL ELECTROMAGNETIC ANALYSIS

A commercially available probe was used for the Differential Electromagnetic Analysis (DEMA) [10]. DEMA is one of the popular side-channel attacks. In this method, the cryptographic keys are estimated by statistical analysis of the electromagnetic field radiated during encryption from the AES_Comp IP core. This method has the benefit of higher accuracy over the pre-existing power analysis attack methods, which use the information leaked in the form of the power consumption in a resistance inserted between the voltage source and the ground line. All other IP cores were stopped during the experiments. Five different kinds of measurement were performed: DEMA at Point 1 and Point 2 on the IP core surface, at Point 3 and Point 4 away from the IP core, and a power analysis attack denoted by 'Power' in Fig. 13. Expressed in two-dimensional orthogonal coordinates, Point 1 is (x,y) = (0.2,+0.2), Point 2 is (x,y) = (0,+1.2), Point 3 is (x,y) = (+2.4,0) and Point 4 is (x,y) = (+2.4,+1.2). The error rate from the magnetic near field measurement in the X direction is shown in Fig. 13.
The vertical axis represents the number of bytes that are wrongly estimated among the total 16 bytes of the cryptographic keys. The horizontal axis represents the number of waveforms used for the estimation. The fewer waveforms needed for complete estimation, the more powerful the attack is considered to be [11]. It is obvious that the convergence of the number of correct estimations for Point 1 and Point 2 is faster than that for Point 3 and Point 4. It proves that the locality is an important factor for DEMA. Furthermore, the DEMA method requires 1/3 of the number of waveforms to completely estimate the keys, compared with pre-existing power analysis methods. This shows the higher vulnerability to side-channel attack by the localized DEMA method than to attack by power analysis methods. In Fig. 12, Point 3 and Point 4, where the estimation of correct keys is slower, still have very strong magnetic field intensity. This demonstrates that the information necessary for analysis lies not simply at places with strong magnetic field intensity but is concentrated very near the IP core.

VI. MAGNETIC NEAR FIELD MEASUREMENT OVER CRYPTOGRAPHIC LSI WITH MAGNETIC THIN FILM

As a countermeasure against localized DEMA, a magnetic thin film was placed on the cryptographic LSI chip surface and the magnetic near field was measured. This magnetic thin film is a noise suppressor sheet (NEC Tokin Corp. Film Impeder E25), which is very widely used for suppression of electromagnetic noise in electronic devices [12]. The thickness of the film is 25 μm, mounted on a 60 μm thick base film; the effective frequency for noise suppression is 100 MHz – 3 GHz; the relative permeability is 50 at 50 MHz. As the thin film is, The measurement lift-off is 90 – 110 μm. The magnetic near field was measured over a 1.2 mm square range of the cryptographic IP core. The frequency of measurement was 20 – 5000 MHz. Fig. 14 shows the magnetic near field intensity distribution with and without the magnetic thin film, measured at 984 MHz. Without the magnetic thin film, the distribution shows strong magnetic field intensity at the lower right side of the AES_Comp IP core. Patches of strong magnetic field are seen in the upper right side too. As seen in Fig. 14(b), the magnetic field intensity is obviously suppressed with the magnetic thin film mounted on the chip. A maximum suppression effect of 6 dB is seen at point (x,y) = (0.75, 0). This shows the possibility of suppressing the magnetic near field on the cryptographic LSI chip so that the side-channel attack could be prevented.

Fig. 14. Magnetic near field map on AES_Comp: (a) without magnetic film, (b) with magnetic film.

VII. CONCLUSION

The 180 × 180 μm² on-chip shielded-loop probe was developed to scan the magnetic near field on LSIs. The probe was applied to measure the magnetic near field of the ISO/IEC 18033-3 Standard Cryptographic LSI made in a 0.13 μm CMOS process with a clock frequency of 24 MHz, and clarified that the magnetic field is strong not only on the targeted Advanced Encryption Standard module (AES_Comp) IP core but almost anywhere on the grid-structure power and ground lines. Such a detailed map was depicted for the first time for a cryptographic LSI. Then the vulnerability of the cryptographic LSI to differential electromagnetic analysis (DEMA) performed locally at the Advanced Encryption Standard module (AES_Comp) IP core has been clarified. Information necessary for the DEMA is concentrated close to the cryptographic IP core, whereas the magnetic near field intensity is strong not only on the targeted IP core. As a countermeasure to such localized DEMA, magnetic film set just on top of the cryptographic IP core successfully reduced the magnetic field intensity by 6 dB at most, which shows the possibility of securely shielding information leakage from the cryptographic LSI chip.
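Sections V and VI relate attack strength to the number of waveforms and report a field suppression of at most 6 dB; the following added example (not from the paper) estimates what such an amplitude reduction means for the number of traces a correlation-based analysis needs. Assumptions not taken from the paper: Hamming-weight leakage with Gaussian noise, a measurement noise floor that the film does not change, the textbook Fisher z sample-size rule, and constructed values for gain and noise.

```python
import math
import random
from statistics import NormalDist

# Assumed leakage model (not from the paper): sample = gain * HW(byte) + noise.
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight of each byte
HW_STD = math.sqrt(2.0)  # std-dev of HW over uniform bytes (Binomial(8, 1/2))


def amplitude_factor(suppression_db):
    """Field-amplitude ratio for a suppression in dB (6 dB is about 0.5)."""
    return 10.0 ** (-suppression_db / 20.0)


def model_correlation(gain, noise_std):
    """Expected correlation between the HW model and a noisy probe sample."""
    signal_std = gain * HW_STD
    return signal_std / math.sqrt(signal_std ** 2 + noise_std ** 2)


def traces_needed(rho, confidence=0.9999):
    """Traces needed to tell a correlation rho from zero (Fisher z rule)."""
    z = NormalDist().inv_cdf(confidence)
    return math.ceil(3 + 8 * (z / math.log((1 + rho) / (1 - rho))) ** 2)


def simulated_correlation(gain, noise_std, n_traces, seed=1):
    """Pearson correlation measured on constructed (synthetic) samples."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n_traces):
        hw = HW[rng.randrange(256)]  # uniform intermediate byte
        xs.append(hw)
        ys.append(gain * hw + rng.gauss(0.0, noise_std))
    mx, my = sum(xs) / n_traces, sum(ys) / n_traces
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def shielding_report(gain=1.0, noise_std=10.0, suppression_db=6.0):
    """Bare chip versus film-covered chip under the same noise floor."""
    film_gain = gain * amplitude_factor(suppression_db)
    rho_bare = model_correlation(gain, noise_std)
    rho_film = model_correlation(film_gain, noise_std)
    n_bare, n_film = traces_needed(rho_bare), traces_needed(rho_film)
    return {
        "rho_bare": rho_bare, "rho_film": rho_film,
        "traces_bare": n_bare, "traces_film": n_film,
        "trace_ratio": n_film / n_bare,
    }


if __name__ == "__main__":
    for sigma in (10.0, 0.5):  # constructed noise floors: noisy vs. clean setup
        r = shielding_report(noise_std=sigma)
        print(f"noise_std={sigma}: rho {r['rho_bare']:.3f} -> {r['rho_film']:.3f}, "
              f"traces {r['traces_bare']} -> {r['traces_film']} "
              f"(x{r['trace_ratio']:.2f})")
    print("simulated rho, bare chip:",
          round(simulated_correlation(1.0, 10.0, 20000), 3))
```

Under these assumptions the 6 dB reduction roughly quadruples the required traces when noise dominates, but only about doubles it in the constructed low-noise case, so the benefit of attenuation alone depends on the measurement noise floor.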
ACKNOWLEDGMENT

SASEBO was developed by the National Institute of Advanced Industrial Science and Technology (AIST) and Tohoku University under a research project to develop security evaluation methodologies for cryptographic modules funded by the Ministry of Economy, Trade and Industry (METI) of Japan. The authors are grateful to Mr. Dhungana Sandeep for summarizing the manuscript. This work was supported in part by the Strategic Information and Communications R&D Promotion Programme (SCOPE) by the Ministry of Internal Affairs, Japan, the R&D Center of Excellence for Integrated Microsystems, Tohoku University, Special Coordination Funds for Promoting Science and Technology from the Formation of Innovation Center for Fusion of Advanced Technologies, and by Priority Assistance for the Formation of Worldwide Renowned Centers of Research – The Global COE Program (Project: Center of Education and Research for Information Electrics Systems) from MEXT, Japan.

REFERENCES

[1] E. Peeters, F.-X. Standaert, and J.-J. Quisquater, “Power and electromagnetic analysis: Improved model, consequences and comparisons,” Integration, The VLSI Journal, vol. 40, pp. 52-60, 2007.
[2] N. Ando, N. Masuda, N. Tamaki, T. Kuriyama, M. Saito, S. Saito, K. Kato, K. Ohhashi and M. Yamaguchi, “Development of Miniaturized Thin-Film Magnetic Field Probes for On-Chip Measurement,” Journal of the Magnetics Society of Japan, vol. 30, pp. 429-434, 2006.
[3] S. Aoyama, S. Kawahito and M. Yamaguchi, “Fully Integrated Active Magnetic Probe for High-definition Near-field Measurement,” 2006 IEEE EMC Symposium, August 2006, WE-PM-1-5.
[4] M. Yamaguchi, S. Yabukami and K. I. Arai, “A New Permeance Meter Based on Both Lumped Elements/Transmission Line Theories,” IEEE Trans. Magn., vol. 32, pp. 4941-4943, 1996.
[5] M. Yamaguchi, Jin Ching Bu, K. I. Arai, N. Tamaki, N. Masuda and T. Kuriyama, “Microfabricated Planar Shielded Loop Coils for High Frequency Magnetic Near Field Measurements,” 2002 Asia-Pacific Microwave Conf., Kyoto, Japan, November 2002, TH3D-1.
[6] “Side-channel Attack Standard Evaluation Board, SASEBO-R Specification - Version 1.0 -,” Research Center for Information Security, National Institute of Advanced Industrial Science and Technology, http://www.rcis.aist.go.jp/files/special/SASEBO/SASEBO-Rja/SASEBO-R_Spec_Ver1.0_English.pdf, 2008.4.
[7] J. Kodate, T. Douseki, T. Tsukahara, T. Okabe, and N. Sato, “Practical high-resistivity silicon-on-insulator solution for spiral inductors in radio-frequency integrated circuits,” Jpn. J. Appl. Phys., vol. 44, p. 5987, 2005.
[8] K. Maruta, M. Sugawara, Y. Shimada, M. Yamaguchi, “Analysis of Optimum Sheet Resistance for Integrated Electromagnetic Noise Suppressors,” IEEE Trans. Magn., vol. 42, pp. 3377-3379, 2006.
[9] AES: NIST, “Advanced Encryption Standard (AES) FIPS Publication 197,” Nov. 2001.
[10] T. Sugawara, H. Torizuka, N. Homma, A. Satoh, T. Aoki and M. Yamaguchi, “DEMA using Magnetic Field Acquired from a Very Close Point,” Symp. Cryptography and Information Security, 3A1-5, 2009.
[11] E. Peeters, F. X. Standaert, and J. J. Quisquater, “Power and electromagnetic analysis: Improved model, consequences and comparisons,” Integration, The VLSI Journal, vol. 40, no. 1, pp. 52-60, 2007.
[12] M. Sato, E. Yoshida, E. Sugawara, Y. Shimada, “Permeability and EMI Characteristics of Sendust-Polymer Composite,” J. Magn. Soc. Jpn., vol. 20, no. 2, pp. 421-424, 1996.
