Laser attacks on integrated circuits: from CMOS to FD-SOI

Jean-Max Dutertre, Stephan de Castro, Alexandre Sarafianos, Noémie Boher, Bruno Rouzeyre, Mathieu Lisart, Joel Damiens, Philippe Candelier, Marie-Lise Flottes, Giorgio Di Natale

To cite this version:

HAL Id: emse-01099042
https://hal-emse.ccsd.cnrs.fr/emse-01099042
Submitted on 7 Jan 2015

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
Laser attacks on integrated circuits: 
from CMOS to FD-SOI

Jean-Max Dutertre*, Stephan De Castro*, Alexandre Sarafianos†, Noémie Boher‡, Bruno Rouzeyre§,
Mathieu Lisart†, Joel Damiens†, Philippe Candelier‡, Marie-Lise Flottes§ and Giorgio Di Natale§,
*ENSM.SE, Centre Microelectronique de Provence - Georges Charpak, 13541 Gardanne, France, name@emse.fr
†ST Microelectronics, Avenue Clestin Coq, 13390 Rousset, France, firstname.name@st.com
‡STMicroelectronics, 850 rue Jean Monnet, 38926 Crolles, firstname.name@st.com
§LIRMM (CNRS UMR N5506), 161, rue Ada, 34095, Montpellier Cedex 5, France, name@lirmm.fr

doi : 10.1109/DTIS.2014.6850664
Abstract—The use of a laser as a means to inject errors during the computations of a secure integrated circuit (IC) for the purpose of retrieving secret data was first reported in 2002. Since then, a lot of research work, mainly experimental, has been carried out to study this threat. This paper reports research conducted, in the framework of the French national project LIESSE, to obtain an electrical model of the laser effects on CMOS ICs. Based on simulation, a first model permitted us to draw the laser sensitivity map of a SRAM cell. It demonstrates a very close correlation with experimental measures. We also introduce the preliminary results we gathered to build a similar electrical model for FD-SOI circuits. FD-SOI technology is expected to be less sensitive to laser than CMOS.

Index Terms—Laser fault injection, FD-SOI, CMOS, electrical model, fault attack.

I. INTRODUCTION

Secure circuits are integrated circuits (ICs) that embed cryptographic features (e.g. smart cards) to provide confidentiality, authentication, or data integrity services. They conceal confidential information such as private data (e.g. medical data) or encoding/decoding keys. Thus, they are a target for malicious hackers, who try to tamper with this confidential data. There are both software (which is out of the scope of this paper) and hardware attacks. The latter aims to take advantage of weaknesses inherent to the hardware implementation of security features. Among these hardware attacks, “fault attacks”, introduced in 1997 by Boneh et al. [1], have proved to pose a real threat to the security of devices implementing encryption algorithms [2]. Fault attacks (FA) are based on the distortion of the chip environmental conditions. It results in the injection of faults in the encryption process, which may be used to retrieve the confidential data handled during ciphering (e.g. a secret key). Several injection means used to induce faults in cryptographic integrated circuits have been reported: laser exposure, voltage or clock glitches, electromagnetic perturbation, etc. Therefore, a lot of research work has been done to understand and mitigate fault attacks.

The use of a laser beam to inject faults into the computations of an IC was first reported by S. Skorobogatov and R. Anderson in 2002 [3]. Since then, laser is considered as a very efficient tool to carry out FA. It permitted an accurate injection of faults both in space and time [2]. Besides, despite the scaling down of IC’s technologies, it makes it possible to inject faults with a high resolution (at byte or even at bit level [4]), which is mandatory to apply most of the known FA schemes [2].

Laser injection was first introduced and studied by the radiation effects community as a tool to emulate Single Event Effects (SEE) induced by ionizing particles into CMOS ICs [5], [6]. Consequently, it is no surprise that researchers from that field were the first to build an electrical model of the effects of a laser shot on a transistor [7]. It followed similar work on modeling radioactive particule or laser induced SEEs with physical two- or three-dimensional simulators [8]. Note that physical simulation requires more calculation time and resources than electrical simulation. It also requires detailed information on the IC’s fabrication process which is often unavailable due to confidentiality issues.

Our research work focuses on the building and use of an electrical model of the laser induced effects into ICs. The aim of such an electrical model is to allow at design time the evaluation of the laser sensitivity of a device. This work intends to help mitigating the threats and save the cost of a redesign in case flaws are found during a security evaluation following the device’s fabrication. Our main contribution in modeling the laser induced SEEs is that our model takes into account the topology of the targeted IC. Indeed, the induced effects depend (among many parameters) on the distance between the laser shot and the laser sensitive parts of the device. Based on simulation using this model, it became possible to draw the laser sensitivity map of a SRAM cell. The validity of our electrical model was assessed by its very good correlation with an experimental laser sensitivity map [9]. This work was first carried out on devices using a 90 nm process CMOS technology. We are currently carrying it on with the emerging 28 nm Fully Depleted Silicon On Insulator (FD-SOI) technology. This technology is expected to bring reduced sensitivity to laser attacks due to the thin oxide box that isolates the channel of transistors from their wells.

This article is organized as follows. Section II describes the methodology we used to build an electrical model of laser attacks on CMOS devices. It also reports its use to simulate laser fault injection into a SRAM cell. In section III we introduce the specificities of the 28 nm FD-SOI technology we are studying and we present our first attempts to build a similar electrical model. Finally, our findings are summarized in section IV with some perspectives.

II. MODELING ATTACKS ON CMOS INTEGRATED CIRCUITS

A. Methodology

1) Photoelectric effect: laser may be used to inject faults into ICs because of the photoelectric effect resulting from its interaction with silicon. When a laser beam with a wavelength corresponding to an energy level higher than the silicon bandgap passes through silicon, it creates electron-hole pairs along his path (the so-called photoelectric effect). These charge carriers may recombine without any noticeable effect. An exception exists when the laser beam passes through a transistor’s reverse biased PN junction (drain/bulk or source/bulk): a place where there exists a strong electric field. As a consequence, the charge carriers drift in opposite directions and a current pulse is induced. This photocurrent pulse vanishes as the charges are exhausted. It may last a few hundreds of picoseconds after the laser pulse ceased [6]. This current pulse in turn creates a transient voltage pulse, which may induce a fault if stored in a downstream Flip-Flop.

2) CMOS structure: Fig. 1 displays the cross sectional view of a NMOS and a PMOS transistors in bulk CMOS technology. There are three types of PN junctions that may undergo the outbreak of a photocurrent (respectively labeled 1, 2, and 3 in Fig. 1):
1) the Psub-N+ junction between a NMOS diffusion and the circuit’s bulk (i.e. the P-type substrate),
2) the P+.-Nwell junction between a PMOS diffusion and its Nwell,
3) the Psub-Nwell junction between a PMOS Nwell and the circuit’s bulk.

Fig. 1. Cross sectional view of CMOS technology

CMOS technology also encompasses three bipolar parasitic structures (depicted in blue in Fig. 1 and labeled a,b, and c resp.). They may be triggered by a laser shot:

a) the lateral npn parasitic bipolar transistor associated with every NMOS transistor,
b) the lateral npn parasitic bipolar transistor associated with every PMOS transistor,
c) the vertical npn parasitic bipolar transistor created by the P+ diffusion of a PMOS, its Nwell, and the Psubstrate.

3) Methodology: The methodology we used to build the electrical model of the laser effects on an IC consists both in measuring the photocurrents induced in its PN junctions for the relevant settings of the laser (detailed in the following) and the triggering of the parasitic bipolar transistors. Measurements from real experiments were used to tune the corresponding models. These models were then added to the circuit’s netlist for simulating the laser effects. Fig. 2 depicts the models of the PN junctions and the parasitic npn transistor that are connected to a NMOS [10] ([7] introduced a first version of this model). For the sake of brevity we won’t report the PMOS model.

PN junction photocurrents are modeled with a voltage controlled current source (denoted 'Psub-N+ model' in Fig. 2). The induced photocurrent model we built is given in Eq. 1:

\[ I_{ph}(t) = [a(P).V_r + b(P)].A.\alpha_{topology}.w_{\text{thick}}.\Omega_{\text{shape}}(t) \] (1)

Fig. 5 (right) displays an example of laser induced photocurrent according this model. The pulse is shaped in the time domain thanks to the term \( \Omega_{\text{shape}}(t) \) in Eq. 1 which takes into account the laser shot duration. The other four multiplicative terms model the photocurrent pulse magnitude according to the other parameters of interest:

- \( a(P).V_r + b(P) \): where \( V_r \) is the junction’s reverse voltage, and \( a(P), b(P) \) are coefficients depending on the laser power \( P \). This term models the impact of both the laser power and the reverse bias voltage of the PN junction,
- \( A \): the junction’s area,
- \( \alpha_{\text{topology}} \): this coefficient models the influence of the topology, i.e. the fact that the photocurrent magnitude decreases as the laser spot distance from the PN junction increases,
- \( w_{\text{thick}} \): this coefficient takes into account the thickness of the Psubstrate (in case the laser illumination is made through the chip backside, which is generally the case).

The electrical model of the NMOS’ parasitic npn bipolar transistor is denoted ‘npn model’ in Fig. 2. We used a simplified model of this transistor made of two voltage controlled current sources [10]. It is activated when the substrate’s voltage under the channel (node B) is increased over a triggering threshold (around 0.6 V). Note that this activation requires a significant amount of photocurrent to be injected into node B. Resistors \( RB \) and \( RB' \), and capacitor \( C_D \) are used to model the time constant of the variations of node B voltage. Resistors \( RC1, RC2 \) and \( RB2 \) model the access resistors between node B and respectively, the transistor’s drain, source, and substrate biasing contacts.

B. Measurement-based electrical model

The various parameters of our models were tuned experimentally. As a result, they are only valid for the technology and laser settings used during the experiments. We used a test chip designed in 90nm CMOS technology. It embeds many transistors of different sizes. Their electrodes are easy to reach with electrical probes while performing a laser injection through the chip’s backside. The tests were carried out with an infrared laser source \( (\lambda = 1064nm) \). Its power range is up to 3W. The pulse duration was set between 50 ns and 20 µs. We used x5, x20 or x100 optical lenses. The related spot diameters are resp. 20 µm, 5 µm and 1 µm. The test chip was mounted on a xyz displacement stage with a 0.1 µm resolution.

Fig. 3 displays the measures of the photocurrents induced in a Psub-N+ junction of a NMOS transistor as a function
of its reverse bias voltage for three laser powers: 0.0125 W, 0.42 W, and 1.25 W. The power is given at the output of the x20 lens used during this set of experiments. As expected, the photocurrent magnitude increases with the laser power and also with the reverse biasing of the junction. Coefficients $a(p)$ and $b(P)$ from the first term in Eq. 1 are derived from these results. Similar experiments were carried out for obtaining the various terms in Eq. 1 and also for the three types of PN junctions found in CMOS devices (see Fig. 1).

Our main contribution is that our model takes into account the distance between the laser shot and the PN junction of interest (term $\alpha_{\text{topology}}$ in Eq. 1). The induced photocurrent is maximum when the laser spot is centered on the PN junction. It decreases progressively as the distance rises as illustrated in Fig. 4 for our three available optical lenses. The curve shapes have a Gaussian-like behavior modeled with the $\alpha_{\text{topology}}$ term (see subsection III-C for an example). Having a topology dependent term in our model makes it possible to draw fault sensitivity maps as illustrated in subsection II-C. For the sake of brevity, we won't report here the experiments carried out to tune the parasitic bipolar transistors (see [10] for the NMOS case). Fig. 5 illustrates the activation of the npn parasitic bipolar transistor of a NMOS at a 1.25 W laser power for a 20 µs laser pulse: on the basis of experiments on the left part, on the basis of simulation on the right part. It displays the NMOS drain, source and bulk currents. The NMOS transistor was in OFF state with the following biasing: $V_{\text{drain}} = 1.2 \text{ V, } V_{\text{source}} = V_{\text{gate}} = V_{\text{bulk}} = 0 \text{ V}$. At first the source and drain photocurrents are negatives. They flew through the drain and source into the bulk from our measurement probes. Then, as the parasitic bipolar transistor was activated, the source current rose and became positive. Due to the transistor activation, a current was injected into the source from the drain. Data reported in Fig. 5 shows the very close correlation we obtained between real experiments and simulation.

C. Obtained results: laser sensitivity map of a SRAM cell

Once the electrical models of NMOS and PMOS were built and validated at transistor level, the next step was to test their efficiency in simulating the effects of laser fault injection on a larger scale. We chose a SRAM cell as a test element because it is a typical target of fault injection and we have a test chip that embeds a five transistors SRAM [9], [11]. Despite the fact that our model was built from measurements performed on 90 nm CMOS circuits, we used it to model the behavior of our SRAM designed in 0.25 µm CMOS. Our assumption was that these two CMOS processes from the same IC manufacturer had a similar behavior regarding laser effects. For validation purposes we first drew experimentally the laser induced fault sensitivity map of the SRAM. Second, we carried out the same analysis based on simulation. Then, we compared the two obtained sensitivity maps.

The most laser sensitive parts of a logic gate are the drains of its OFF transistors because they are the PN junctions where the reverse bias is the highest (see Fig. 3 as an illustration). Consequently, the laser sensitive parts of a SRAM change with its logical state. As a result, if a SRAM is scanned with a laser at an increasing laser power, the places where faults will be injected will depend on its logical state. A laser induced fault is said to be a bit-set (resp. a bit-reset) when the information bit stored into the SRAM changed from zero to one (resp. from one to zero). We used our infrared laser to draw such a laser fault sensitivity map of the SRAM cell. The left part of Fig. 6 displays the obtained experimental map. The laser pulse duration was set to 50 ns at 0.43 W laser power. The laser spot size was 1 µm and the displacement step along the
$x$ and $y$ axis was set to $0.2 \mu m$. The bit-set and bit-reset areas are drawn respectively in red and blue.

Because we did not observe the activation of the parasitic bipolar transistors during our experiments at $0.43W$ laser power, we used simplified electrical models of the SRAM transistors without the models of the bipolar transistors. The laser sensitivity map drawn on simulation basis is given in the right part of Fig. 6. The bit-set and bit-reset areas are drawn very similarly on these two maps, revealing the same laser sensitivity which is linked to the logical state of the SRAM. We assumed that the tiny differences were due to the fact that the laser experiments were carried out through the front side of the test chip, while simulation was performed with a model of backside laser illumination. For frontside illumination the laser beam may be reflected in some locations by the metallic interconnections of the gate. The close correlation obtained between experiments and simulation provides a strong assessment of the validity of our approach.

III. MODELING LASER ATTACKS ON FD-SOI INTEGRATED CIRCUITS

A. FD-SOI structure

FD-SOI is an emerging technology on the IC market which is pushed forward by ST Microelectronics. It is supposed to replace CMOS bulk for advanced technology nodes at a similar process complexity; we studied $28nm$ FD-SOI. FD-SOI is mainly dedicated to low power applications. It provides, thanks to well biasing techniques, the ability to dynamically optimize the circuit’s speed versus its power consumption [12]–[14]. FD-SOI is also expected to bring reduced sensitivity to laser attacks due to the thin oxide box that isolates the transistors from their wells [15], [16]. Indeed, the laser induced charge generation volume of FD-SOI transistors is smaller than that of CMOS bulk transistors. As a result, the induced photocurrent should be reduced both in time and magnitude. Fig. 7 depicts the cross sectional view of the $28nm$ FD-SOI technology of our test chip.

This technology offers two types of transistors that have different threshold voltages: regular $V_t$ transistors (denoted rvt in Fig. 7) and low $V_t$ transistors (not shown). Consider the rvt NMOS: it is built on an isolation thin box (less than $30nm$ thick) that isolates it from its Pwell. The transistor’s channel is an intrinsic silicon. Its thickness is less than $10nm$. The rvt PMOS is built with complementary doped silicones. The main difference between FD-SOI and CMOS bulk regarding laser sensitivity is that there is no reverse biased PN junctions between the transistors’ diffusions and their wells for FD-SOI technology. The most laser sensitive part of rvt transistors should be the Psub-Nwell junction that exists between the Nwell of a PMOS and the P-substrate (marked (1) in Fig. 7). The parasitic bipolar transistors found in CMOS technologies are no longer present.

Based on these observations, our first job in modeling laser effects on FD-SOI circuits was to model the Psub-Nwell junction of regular $V_t$ transistors and also to verify experimentally that the photocurrents induced in a transistor’s drain are lower than for bulk transistors.

B. Measurements of the laser effects on FD-SOI elementary test elements

For the purpose of building on the basis of experiments the electrical model of the laser effects on FD-SOI ICs, we first measured the laser induced photocurrents in a Psub-Nwell junction. We used laser settings identical to that reported in subsection II-B ($\lambda = 1064nm$, $20\mu s$ pulse duration, backside illumination, $5\mu m$ laser spot diameter). Fig. 8 displays the magnitude of the induced photocurrents as a function of the reverse bias voltage for four laser powers: $0.28SW$, $0.57W$, $0.885W$, and $1.14W$. As expected, the photocurrents measured in a Psub-Nwell junction exhibit a behavior similar to those measured for CMOS technology. Then, we measured the spatial dependency of the photocurrent magnitude, it depends on the distance between the laser spot and the junction’s center. Fig. 9 displays the obtained photocurrent at $0.28SW$ laser power for a reverse biasing $V_t = 1V$.

The second set of measures was carried out, for availability reasons, on a thick oxide high voltage NMOS transistor with regular $V_t$. Our intent was to confirm the assumption that the photocurrent induced in the drain of a FD-SOI-NMOS in OFF state is significantly reduced by comparison with the bulk CMOS case. We used a $20\mu s$ laser pulse at a $855mW$ power for a spot size of $5\mu m$. The transistors were biased in off state: $V_{drain} = 1.8V$, $V_{source} = V_{gate} = V_{Pwell} = 0V$. 

---

Fig. 6. Laser induced faults map of a SRAM cell: experimental (left) - simulation based (right)

Fig. 7. Cross sectional view of FD-SOI technology: regular $V_t$ transistors
C. Analysis and preliminary electrical models

The width of transistor #1 is three times smaller than the width of transistor #2. The photocurrent magnitude peaks were respectively 8 µA and 27 µA. These values are significantly greater than the leakage currents of these transistors, which are less than 50 pA. It is also significantly lower than the ON currents of these transistors, which are around 1.5 mA. Besides, the laser induced photocurrents measured in the drain of a CMOS-NMOS in similar conditions is in the mA range (5 – 6 mA for 90 nm CMOS). This is a first assessment of the assumption that FD-SOI transistors are less sensitive to laser fault injection than CMOS ones. It is also worth to notice that the charge collection distance of the drain of a FD-SOI NMOS is significantly reduced by comparison with that of a bulk CMOS NMOS. According to data reported in Fig. 4 and 10, the drain photocurrent of a FD-SOI transistor is halved as the laser spot is taken away from 4 µm. Whereas it takes 80 µm to halve the drain current of a bulk CMOS transistor. More experiments have to be carried out on regular Vt transistors to confirm this trend.

The building and tuning of the corresponding electrical models is our current task. Fig. 11 illustrates this process for the topology dependence of the photocurrent magnitude of the Psubstrate-Nwell junction (marked (1) in Fig. 7): measurement results correspond to the dots, the blue curve was drawn from the model.

\[
\alpha_{\text{topology}} = \sum_{i=1}^{4} a_i \cdot \exp\left(-\left(\frac{x - b_i}{c_i}\right)^2\right) \quad (2)
\]

where \(x\) is the distance between the laser spot and the junction center expressed in \(\mu\)m, and \(a_i, b_i\) and \(c_i\) are fitting coefficients. Table I gives their values. A very good matching coefficient of 0.9882 is obtained for this model.

IV. Conclusions

We reported our research work focusing on the building of an electrical model of the laser sensitivity of ICs. Regarding CMOS technology, the model permitted us to draw
the sensitivity map of a SRAM cell. It takes into account the topology of the target, i.e. the position of the laser spot w.r.t. the target’s sensitive areas. This approach is ascertained by the very close correlation obtained between simulation and experimental results. This tool proved to be very valuable as it makes it possible to anticipate the laser sensitivity of a circuit before its actual fabrication (as an illustration see the proposal of a laser hardened SRAM design [17]).

We also displayed our first results in studying and modeling the laser effects on a FD-SOI 28 nm technology.

ACKNOWLEDGMENT

This work is supported by a research grant from the French Agence Nationale de la Recherche (LIESSE project, ANR-12-INS-0008-01).

REFERENCES


