[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

WO2008099348A2 - Semiconductor device identifier generation - Google Patents

Semiconductor device identifier generation Download PDF

Info

Publication number
WO2008099348A2
WO2008099348A2 PCT/IB2008/050515 IB2008050515W WO2008099348A2 WO 2008099348 A2 WO2008099348 A2 WO 2008099348A2 IB 2008050515 W IB2008050515 W IB 2008050515W WO 2008099348 A2 WO2008099348 A2 WO 2008099348A2
Authority
WO
WIPO (PCT)
Prior art keywords
memory
identifier
cover
semiconductor device
memory cells
Prior art date
Application number
PCT/IB2008/050515
Other languages
French (fr)
Other versions
WO2008099348A3 (en
Inventor
Victor Zieren
Johannes A. J. Van Geloven
Robertus A. M. Wolters
Original Assignee
Nxp B.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nxp B.V. filed Critical Nxp B.V.
Publication of WO2008099348A2 publication Critical patent/WO2008099348A2/en
Publication of WO2008099348A3 publication Critical patent/WO2008099348A3/en

Links

Classifications

    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C7/00Arrangements for writing information into, or reading information out from, a digital store
    • G11C7/20Memory cell initialisation circuits, e.g. when powering up or down, memory clear, latent image memory
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C11/00Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor
    • G11C11/21Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using electric elements
    • G11C11/34Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using electric elements using semiconductor devices
    • G11C11/40Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using electric elements using semiconductor devices using transistors
    • G11C11/401Digital stores characterised by the use of particular electric or magnetic storage elements; Storage elements therefor using electric elements using semiconductor devices using transistors forming cells needing refreshing or charge regeneration, i.e. dynamic cells
    • G11C11/4063Auxiliary circuits, e.g. for addressing, decoding, driving, writing, sensing or timing
    • G11C11/407Auxiliary circuits, e.g. for addressing, decoding, driving, writing, sensing or timing for memory cells of the field-effect type
    • G11C11/4072Circuits for initialization, powering up or down, clearing memory or presetting
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C7/00Arrangements for writing information into, or reading information out from, a digital store
    • G11C7/04Arrangements for writing information into, or reading information out from, a digital store with means for avoiding disturbances due to temperature effects
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C7/00Arrangements for writing information into, or reading information out from, a digital store
    • G11C7/10Input/output [I/O] data interface arrangements, e.g. I/O data control circuits, I/O data buffers
    • G11C7/1006Data managing, e.g. manipulating data before writing or reading out, data bus switches or control circuits therefor
    • GPHYSICS
    • G11INFORMATION STORAGE
    • G11CSTATIC STORES
    • G11C7/00Arrangements for writing information into, or reading information out from, a digital store
    • G11C7/24Memory cell safety or protection circuits, e.g. arrangements for preventing inadvertent reading or writing; Status cells; Test cells
    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01LSEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
    • H01L23/00Details of semiconductor or other solid state devices
    • H01L23/57Protection from inspection, reverse engineering or tampering
    • H01L23/576Protection from inspection, reverse engineering or tampering using active circuits
    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01LSEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
    • H01L2924/00Indexing scheme for arrangements or methods for connecting or disconnecting semiconductor or solid-state bodies as covered by H01L24/00
    • H01L2924/0001Technical content checked by a classifier
    • H01L2924/0002Not covered by any one of groups H01L24/00, H01L24/00 and H01L2224/00
    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01LSEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
    • H01L2924/00Indexing scheme for arrangements or methods for connecting or disconnecting semiconductor or solid-state bodies as covered by H01L24/00
    • H01L2924/30Technical effects
    • H01L2924/301Electrical effects
    • H01L2924/3011Impedance

Definitions

  • the present invention relates to a semiconductor device for generating an identifier comprising a volatile memory having a plurality of memory cells, to a method of generating an identifier using such a semiconductor device and to a method of detecting a tampering on said semiconductor device.
  • a security key e.g. financial transactions, commercial software, media content protection or device identification. It is highly desirable to provide a secure memory for such a key.
  • the key or code from this memory may not easily be read-out besides normal operation and should certainly not be transferable into another, similar device. It should be tamper safe or tamper resistant, i.e. opening the device would destroy or alter the code.
  • the key or ID number should be reliable, e.g. not influenced by temperature or analog/digital inputs beyond a certain degree.
  • the code is random and unique from device to device, wherein 128 bits are usually considered to be sufficient.
  • Some known techniques target the utilization of unique device characteristics for identification purposes.
  • An example of such an identification method is disclosed in TC identification Circuit Using Device Mismatch' by Lofstrom et al. in Proceedings of the ISSCC, IEEE Feb. 9 2000, pp. 372-373.
  • an IC is disclosed having an array of addressable MOSFETs. Due to mismatches in the MOSFETs, the drain currents of these devices will be randomly different, thus producing a random voltage signature over a load driven by the array. Since these voltages are reproducible for a single IC, these voltage signatures can serve as an identifier for the IC.
  • a drawback is that this method requires the presence of additional, dedicated hardware on board the IC, which adds to the IC cost.
  • the powering up of the DRAM volatile memory includes storing a set of predefined bit values in the memory cells, e.g. a set of all ' 1 ' bits, wherein after a predetermined time period the data is read out, the time period is chosen such that some but not all of the DRAM memory cells will have lost their predefined bit value.
  • a set of predefined bit values in the memory cells e.g. a set of all ' 1 ' bits
  • a semiconductor device for generating an identifier comprises a volatile memory having a plurality of memory cells, each of said memory cells being adapted for assuming a random state during an initialization phase, a cover at least partially covering said memory, said cover comprising isolating portions and conductive portions resulting in a capacitive coupling of said memory and said cover, and a controller adapted for initiating said initialization phase of said memory and for generating said identifier based on a state of a subset of said plurality of memory cells after said initialization phase.
  • a method of generating an identifier from a semiconductor device comprising a volatile memory having a plurality of memory cells and a cover at least partially covering said memory, said cover comprising isolating portions and conductive portions resulting in a capacitive coupling of said memory and said cover, said method comprising the steps of: initiating an initialization phase of said memory for causing each of said memory cells to assume a random state, reading out a subset of said plurality of memory cells, and generating said identifier based of said read out.
  • a method of detecting a tampering on a semiconductor device comprising a non- volatile memory and a volatile memory having a plurality of memory cells and a cover at least partially covering said memory, said cover comprising isolating portions and conductive portions resulting in a capacitive coupling of said memory and said cover, said method comprising the steps of: generating an original identifier according to a method as described above, storing said original identifier in said non- volatile memory, preferably in a scrambled, encrypted or encoded form, repeatedly generating said identifier according to a method as described above and comparing said newly generated identifier to said original identifier stored in said nonvolatile memory, and performing a predetermined operation in case a degree of difference between said newly generated identifier and said original identifier exceeds a predetermined threshold indicating that said semiconductor device has been tampered with.
  • Preferred embodiments of the invention are defined in the dependent claims.
  • the identifier generation of the above mentioned application titled "Semiconductor Device Identifier Generation Method And Semiconductor Device” may further be improved if the impact on the states assumed by the memory cells by parameters outside the device, e.g. temperature, would be reduced. This would result in an improved reliability of the generation, i.e. that the correct identifier can repeatedly be generated over a wider range of environmental parameters. Further, the dependency of the supply voltage or start up voltage of the memory may be reduced which also increases reproducibility.
  • a capacitive coupling of the underlying memory-circuit nodes and the distributed conductive parts of the coating is achieved which stabilizes the initialization state of the memory cells over a wider range of parameters like temperature or supply-voltage.
  • the key or identifier can be generated more reliably over a wider range of operation parameters. Further, a tampering on said layer leads to a change to the stray capacitances and thus changes the identifier or key. Also, a removal of the cover may lead to damage to the circuitry, when adhesion to the semiconductor-device surface is sufficient.
  • subset is not limited to "true subset” but may also refer to a complete plurality, i.e. the subset of a plurality may as well comprise all elements of said plurality.
  • generation of an identifier based on a value or a set of states of memory cells does not necessarily include a manipulation or alteration to said value or set of states, i.e. a possible generation may also merely be constituted by reading out the values or states as present in the memory cells.
  • the predetermined operation resulting from a detection of tampering may as well be a halt operation, i.e. shutting down the device.
  • Fig. 1 shows a schematic diagram of a semiconductor device according to the present invention
  • Fig. 2 shows a schematic diagram of a memory cell together with a cover according to the present invention
  • Fig. 3 shows a schematic flow chart of a method of generating an identifier according to the present invention
  • Fig. 4 shows a schematic flow chart of a method of detecting a tampering according to the present invention
  • Fig. 5 is a SEM photomicrograph of an IC covered by a TiO 2 / TiN layer according to an embodiment of the present invention.
  • Fig. 1 shows a schematic diagram of a semiconductor device according to the present invention.
  • the semiconductor device 11 comprises a plurality of volatile memory 13 and a controller 15.
  • Said volatile memory 13 is enclosed by a cover 17 comprising insulating portions and conducting portions.
  • said volatile memory 13 comprises a plurality of memory cells (not shown in Fig. 1) of SRAM type.
  • Said controller 15 is adapted for powering up said volatile memory 13, i.e. initializing said volatile memory.
  • Said memory cells of SRAM type exhibit a bistable behavior, i.e. during power up each memory cell assumes either a bit value of 0 or a bit value of 1.
  • the outcome of the power up for each memory cells depends on its parameters and some outside factors among others. However, provided similar conditions from outside and from power up each or almost all of the memory cell will assume the same bit value each time it is initialized. This reproducibility of the initialization value is increased by the provision of the cover 17.
  • Fig. 2 shows a schematic diagram of a memory cell together with a cover according to the present invention.
  • the memory cell 21 is of the well-known 6 transistor SRAM type.
  • the memory cell 21 is addressed by word lines 22 and bit lines 23 and comprises transistors 24 and inverters 25.
  • the operation and design of such memory cells in general is well known and is thus not discussed in further detail herein.
  • the memory cell is covered by a non-homogeneous coating layer or cover 27 consisting of an isolation layer 28 mixed with conductive particles 29.
  • the isolation layer 28 is made of an Aluminum Meta Phosphate matrix and TiO 2 particles of about 0.1 ⁇ m.
  • the conductive particles 29 are made of TiN.
  • the conductive particles have a diameter of about 1 ⁇ m (1 micron).
  • the structure may have a high porosity.
  • the nodes of the SRAM cell 21 will 'see' stray capacitances 26, 26' depending on the random distribution of the particles 29.
  • the state will be influenced by said stray capacitances 26, 26' as well as the cell's local properties resulting in a random bit value.
  • the outcome of the initialization is not necessarily the same for said memory cell 21 having said cover 27 as for an identical memory cell having no such cover or a different cover. Since there is no particular meaning to the bit values of a plurality of memory cells besides their randomness this possible change due to the layer does not matter.
  • the resistance of the bit value outcome against variations in for example temperature or supply voltage is increased, so that an identifier or code may be generated from such a plurality of memory cells more reliably, i.e. the impact of varying conditions on the generated code is reduced and within a wider range of conditions the semiconductor device of the present invention will generate virtually the same identifier.
  • the randomness of the distribution of the bit value over the plurality of memory cells allows this identifier to be used as a random code in a large number of appliances.
  • a possible way for producing a memory cell and a semiconductor device according to the present invention includes a deposition of the coating on the wafer and possibly the removal of some coating from the bond-pad region for preventing short- circuiting the pads and for enabling bond-wire attachment.
  • a cover which is mainly formed by TiO 2 as an isolating material with particles of TiN as conducting material providing the stray capacitances. It is also possible to include isolating, non conducting particles in a conducting matrix, wherein it may be necessary to provide a (further) isolation between the memory cell and the cover in order to avoid short cuts. Other ways of providing a cover are also possible, including multiple types of particles of different conductivity or having different dielectric properties. Further, the skilled person may choose from a large number of possible methods to apply the cover to the memory or to the memory cells including a coating or an embedding.
  • the cover suitably includes conductive particles to achieve optimum randomness, although these particles are strictly not necessary in order to achieve variation of the capacitive coupling. Without particles, merely a stray capacitance is left.
  • the cover of this preferred example is based on a matrix of meta-aluminum phosphate, that is suitably applied by spincoating. A method thereof is known from US6198155.
  • the coating material is certainly not limited to such a material.
  • Other inorganic matrix materials that can be applied with a sol-gel technique may be used alternatively, including an oxide-matrix that may be applied on the basis of TEOS and a porous titanium oxide matrix. It is moreover not excluded to include particles in an organic matrix material.
  • cover or embedding may be applied with chemical vapor deposition techniques.
  • a CVD deposition suitably includes a plurality of deposition steps of different materials and of different thicknesses.
  • Particularly atomic layer CVD is recognized as a technique that can be tuned to provide non-uniform layers.
  • the creation of threedimensional structures, such as those conventionally applied in damascene and dual damascene structures will help to create further randomness, but also tends to increase the number of lithographic masks needed.
  • the number of metal layer overlying the memory cell and underlying the cover in the area of the memory cell is less than ten and preferably less than six.
  • the distance between cover 17 and the memory cell is limited to approximately 2 microns of oxide.
  • Integrated circuits in advanced technology such as C90, C65 etc, tend to have a large number of metal layers in the interconnect structure.
  • Such metal inevitably influences the capacitive coupling and a cover that is for instance deposited on top of the passivation layer.
  • By limiting the number of metal layers between the cover and the memory cell this disturbance is reduced. Such limitation may be achieved by proper design of the metal layers outside the area of the memory cell. Alternatively, the stack of metal layers may be modified locally.
  • the limitation may further be achieved by provision of a patterned cover within the structure of metal layers and below the passivation layer.
  • the limitation of the oxide thickness may be translated into other, larger thicknesses in case use is made of intermetal dielectrics with a small dielectric constant, e.g. low-K materials.
  • the cover is provided on an opposite side of the memory cell, e.g. on the bottom side of the semiconductor substrate after this substrate has been thinned.
  • WO2003/046802 discloses another structure including a cover of the same material as the preferred example of this invention. That prior art structure is intended to generate a physically uncloneable function in that a passive element such as a capacitor or inductor is defined adjacent to the coating, e.g. generally in the upper metal layer. While the known structure may be further improved, its temperature dependence is considered an inherent problem: the measured overall capacitance is temperature dependent, and thus the absolute value of the capacitor may vary in the course of time. However, in the present invention, use is made of the capacitive coupling for defining a randomness of a non- volatile memory cell during initialization.
  • the semiconductor device of the present invention includes a volatile memory coupled to a memory controller.
  • the memory controller is configured to retrieve pseudo-random bit values from a predefined subset of the memory cells of memory for identifier generation purposes.
  • the pseudo-random bit values are inherent to the microstructure of the corresponding memory cells from which they are retrieved, as previously explained.
  • the controller retrieve the bit values upon a power-up of the memory in case of an SRAM-type memory, or may be configured to, upon a power-up of a DRAM-type memory, store a predefined bit pattern in the memory and retrieve the pseudorandom bit values from memory after a predefined delay, which may be programmable.
  • the dimension of the subset may be hard-coded in the memory controller or may be programmable.
  • the memory controller may have a data storage facilities, e.g. a small flash memory, one or more suitable registers and so on, to store the programmable dimensions of the subset.
  • the memory controller may be responsive to a signal provided via an input. The signal typically requests the generation of the identifier, and will therefore also trigger the power-up of the memory.
  • the output is configured to receive the data retrieved from the memory.
  • the memory controller may be directly coupled to the input.
  • the semiconductor device may further comprise an IEEE 1149.1 compliant test access port
  • TAP test equipment
  • the TAP controller may have an instruction register (not shown) for receiving an instruction from the TAP. Since the boundary scan standard allows the use of proprietary instructions, an instruction may be added to the instruction set for the TAP controller that triggers the power-up of the memory and the data retrieval under control of the memory controller.
  • the Input may be the TDI
  • the output may be the TDO of TAP
  • the data path from the memory to the output may include a scan chain under control of the TAP controller.
  • Fig. 3 shows a schematic flow chart of a method of generating an identifier according to the present invention.
  • a memory comprising a plurality of memory cells is initialized wherein said memory cells are caused to assume a random state.
  • a subset of said plurality is read out and in a following step 35 said identifier is generated based on said read out.
  • the memory of the semiconductor device is powered up under predefined operating conditions, i.e. a predefined power-up voltage V and a predefined temperature T to let the cells of the memory assume the respective pseudorandom bit values.
  • a predefined power-up voltage V and a predefined temperature T to let the cells of the memory assume the respective pseudorandom bit values.
  • the value for the power-up voltage is chosen such that it exceeds the threshold voltage of the transistors of the memory.
  • V are dependent of the technology in which the volatile memory is realized; for instance, for a memory developed in a CMOS 12 technology, any value V in the range of 0.7 V - 1.5V may be appropriate, but values outside this range may also be used, e.g. in the case of other semiconductor technologies.
  • Step 31 may be initiated by an identifier generation request signal, i.e. a signal triggering the semiconductor device to initiate execution of the method of the present invention.
  • a subset of the plurality is read out. That is: the data stored in at least a subset of the memory is retrieved.
  • Data acquisition from a part of the memory rather than the whole memory is preferred because reading data from a whole memory can be rather time-consuming, especially when the memory is of significant size, e.g. several megabits.
  • some equipment used for reading the bit values from the volatile memory can only cope with limited data volumes, thus preventing read-outs of the whole memory.
  • step 32 it is decided if further measurements are required. Different sets of bit values may be retrieved from different retrieval steps, e.g different SRAM-type memory power-ups, which may be at different temperatures, different power-up voltages or combinations of those different conditions, and each power-up step and data retrieval step being repeated a number of times at fixed T and V to facilitate the detection of variations in start-up bit values for the selected subset of the volatile memory between the various startups. This for instance allows the determination of the randomness of the start-up behavior of each memory cell in the subset, e.g. whether or not the cells are strongly biased towards adopting a particular bit value at start-up. The decision whether or not to perform multiple start-ups and data retrievals is taken in step 32, after which T and/or V may be changed in an optional step.
  • T and/or V may be changed in an optional step.
  • these sets of data may be combined subsequently, for instance by averaging the sets of data. This will be explained in more detail below.
  • the retrieved data which may be data combined subsequently, is assigned as an identifier to the semiconductor device in step 35 and stored in a suitable database thereafter.
  • the size of the volatile memory subset used for the identifier generation may be chosen such that the size of the identifier is suitable to be stored in the database, e.g. does not lead to excessive database sizes.
  • Fig. 4 shows a schematic flow chart of a method of detecting a tampering according to the present invention.
  • a first step 41 an original identifier is generated according to a method as described above.
  • the original identifier is stored in a non- volatile memory, preferably in an encrypted, scrambled or encoded format.
  • step 45 according to a method of the invention an identifier is generated and compared to said original identifier which is stored in said non- volatile memory. Step 45 is repeated each time it is to be checked whether a tampering has occurred.
  • step 45 may be performed each time the semiconductor device is started as well as repeatedly during operation.
  • a predetermined operation is performed in step 47 in order to indicate the detection of tampering, e.g. a system halt, an alarm or some other procedure.
  • Fig. 5 is a SEM photomicrograph of an IC covered by a Aluminum Meta Phosphate / TiO 2 / TiN layer according to an embodiment of the present invention.
  • a cross section of an IC 51 is shown which is covered by a mixture 53 of TiO 2 and TiN particles embedded in Aluminum Meta Phosphate providing the random stray capacitances for stabilizing the random states of the memory cells after initialization.
  • a semiconductor device may be implemented as including a (unique) key or identifier intrinsically coupled to the device, e.g: the device may be part of a baseband chip of a GSM or portable media-player. Certain purchased rights (e.g. to play a song) can be encrypted with the embedded key; this right can then never be transferred to another device.
  • the device could be a codec of a copy-protected audio/video stream which also does the decryption of this stream before it is decrypted.
  • copy protection schemes for protecting audio/video are designed such that every compliant device has a unique set of device keys to perform decryption.
  • a smart card may be used to authenticate a GSM/Set Top Box, i.e. the GSM or the STB has to prove by cryptographic means to the smartcard/SIM that it is indeed a STB or GSM and not some malignant PC-software application; this is important because the SIM/Smartcard delivers essential secrets for setting up telephone calls or decrypting pay TV content.
  • the smart card has to prove that it is a smartcard and not a simulated smartcard; this is important for business models where hardware (STB/GSM) is subsidized, and should only be used with the smartcard/SIM of the original provider.
  • STB/GSM hardware
  • STB/GSM hardware
  • Such authentication is based on a shared secret (if symmetric) or public key infrastructure. In either case it has to be ensured that the keys for authenticating and verifying the authentication are tied to the respective device, which can be done by cryptographically linking them to the embedded ID/key. protection of the keys used to decrypt firmware

Landscapes

  • Engineering & Computer Science (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Condensed Matter Physics & Semiconductors (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
  • Semiconductor Memories (AREA)
  • Read Only Memory (AREA)

Abstract

The present invention relates to a semiconductor device (11) for generating an identifier comprising a volatile memory (13) having a plurality of memory cells (21), to a method of generating an identifier using such a semiconductor device (11) and to a method of detecting a tampering on said semiconductor device (11). Providing a layer (27) comprising conductive and non conductive materials (28, 29) with said semiconductor device allows for a cooperation between elements or properties of a memory cell (21) which are responsible for the assuming of a random state by the memory cell (21) during initialization and the layer (27) acting as stray capacitances (26, 26 ). From the random states of the memory cells (21) a key or identifier can be generated. Due to said cooperation, i.e. the influence of the stray capacitances (26, 26 ) formed by the layer, the key or identifier can be generated more reliably over a wider range of operation parameters. Further, a tampering on said layer (27) leads to a change to the stray capacitances (26, 26 ) and thus changes the identifier or key.

Description

SEMICONDUCTOR DEVICE IDENTIFIER GENERATION
FIELD OF THE INVENTION
The present invention relates to a semiconductor device for generating an identifier comprising a volatile memory having a plurality of memory cells, to a method of generating an identifier using such a semiconductor device and to a method of detecting a tampering on said semiconductor device.
BACKGROUND OF THE INVENTION
An increasing number of operations and applications is in need of some kind of a security key, e.g. financial transactions, commercial software, media content protection or device identification. It is highly desirable to provide a secure memory for such a key. The key or code from this memory may not easily be read-out besides normal operation and should certainly not be transferable into another, similar device. It should be tamper safe or tamper resistant, i.e. opening the device would destroy or alter the code. Furthermore, the key or ID number should be reliable, e.g. not influenced by temperature or analog/digital inputs beyond a certain degree. Preferably, the code is random and unique from device to device, wherein 128 bits are usually considered to be sufficient.
Some known techniques target the utilization of unique device characteristics for identification purposes. An example of such an identification method is disclosed in TC identification Circuit Using Device Mismatch' by Lofstrom et al. in Proceedings of the ISSCC, IEEE Feb. 9 2000, pp. 372-373. In this paper, an IC is disclosed having an array of addressable MOSFETs. Due to mismatches in the MOSFETs, the drain currents of these devices will be randomly different, thus producing a random voltage signature over a load driven by the array. Since these voltages are reproducible for a single IC, these voltage signatures can serve as an identifier for the IC. A drawback is that this method requires the presence of additional, dedicated hardware on board the IC, which adds to the IC cost.
Another example of such a method is disclosed in US patent application US 2004 / 0162959 Al relating to a semiconductor device having a memory. That method utilizes the fact that memories tend to have defective memory blocks. Since the location of the faulty memory blocks is more or less random, a semiconductor device can be identified by an identifier that is at least partially based on the location of the defective blocks in the memory. A drawback of this method is that the whole memory has to be investigated to determine the identifier, which is a time-consuming and costly process, especially for large memories.
SUMMARY OF THE INVENTION
It is an object of the present invention to provide a device and a method for generating an identifier without a need for additional, dedicated hardware (either controller or memory) which allow for a fast, reliable and secure generation of an identifier. In the co-pending European patent application titled "Semiconductor Device
Identifier Generation Method And Semiconductor Device" (EP06112656.1, filed 13 April 2006, PH005738EP1) a different approach is described. The start-up values of the bits of SRAM (static random access memory) memory cells after power-up are randomly distributed. Most bits have a fixed state (0 or 1), which results in a code that may be used to identify the chip in which this SRAM has been embedded. This is a so-called physical identification code, as no programming is needed to generate this particular ID code. It is only determined by the random distribution of transistors' threshold voltages and other locally different parameters. Further, in a DRAM (dynamic random access memory), the charge leakage rate of different cells differ from each other because of variations in the microstructure of the cells. Thus, the powering up of the DRAM volatile memory includes storing a set of predefined bit values in the memory cells, e.g. a set of all ' 1 ' bits, wherein after a predetermined time period the data is read out, the time period is chosen such that some but not all of the DRAM memory cells will have lost their predefined bit value. The disclosure of said application is incorporated herein by reference. In particular for further details on the generation of an identifier based on the start-up values of memory cells reference is made to said application.
In a first aspect of the present invention a semiconductor device for generating an identifier is presented that comprises a volatile memory having a plurality of memory cells, each of said memory cells being adapted for assuming a random state during an initialization phase, a cover at least partially covering said memory, said cover comprising isolating portions and conductive portions resulting in a capacitive coupling of said memory and said cover, and a controller adapted for initiating said initialization phase of said memory and for generating said identifier based on a state of a subset of said plurality of memory cells after said initialization phase. In a further aspect of the present invention it is presented a method of generating an identifier from a semiconductor device comprising a volatile memory having a plurality of memory cells and a cover at least partially covering said memory, said cover comprising isolating portions and conductive portions resulting in a capacitive coupling of said memory and said cover, said method comprising the steps of: initiating an initialization phase of said memory for causing each of said memory cells to assume a random state, reading out a subset of said plurality of memory cells, and generating said identifier based of said read out.
In a further aspect of the present invention it is presented a method of detecting a tampering on a semiconductor device comprising a non- volatile memory and a volatile memory having a plurality of memory cells and a cover at least partially covering said memory, said cover comprising isolating portions and conductive portions resulting in a capacitive coupling of said memory and said cover, said method comprising the steps of: generating an original identifier according to a method as described above, storing said original identifier in said non- volatile memory, preferably in a scrambled, encrypted or encoded form, repeatedly generating said identifier according to a method as described above and comparing said newly generated identifier to said original identifier stored in said nonvolatile memory, and performing a predetermined operation in case a degree of difference between said newly generated identifier and said original identifier exceeds a predetermined threshold indicating that said semiconductor device has been tampered with. Preferred embodiments of the invention are defined in the dependent claims.
It was found that the identifier generation of the above mentioned application titled "Semiconductor Device Identifier Generation Method And Semiconductor Device" may further be improved if the impact on the states assumed by the memory cells by parameters outside the device, e.g. temperature, would be reduced. This would result in an improved reliability of the generation, i.e. that the correct identifier can repeatedly be generated over a wider range of environmental parameters. Further, the dependency of the supply voltage or start up voltage of the memory may be reduced which also increases reproducibility. By covering the chip or memory with a layer of a two-phase or multi-phase material including isolating and conducting areas a capacitive coupling of the underlying memory-circuit nodes and the distributed conductive parts of the coating is achieved which stabilizes the initialization state of the memory cells over a wider range of parameters like temperature or supply-voltage. Providing a layer comprising conductive and nonconductive materials with said semiconductor device allows for a cooperation between elements or properties of a memory cell which are responsible for the assuming of a random state by the memory cell during initialization and the layer acting as stray capacitances. From the random states of the memory cells a key or identifier can be generated. Due to said cooperation, i.e. the influence of the stray capacitances formed by the layer, the key or identifier can be generated more reliably over a wider range of operation parameters. Further, a tampering on said layer leads to a change to the stray capacitances and thus changes the identifier or key. Also, a removal of the cover may lead to damage to the circuitry, when adhesion to the semiconductor-device surface is sufficient.
The term "subset" as used herein is not limited to "true subset" but may also refer to a complete plurality, i.e. the subset of a plurality may as well comprise all elements of said plurality. Further, the generation of an identifier based on a value or a set of states of memory cells does not necessarily include a manipulation or alteration to said value or set of states, i.e. a possible generation may also merely be constituted by reading out the values or states as present in the memory cells. Further, the predetermined operation resulting from a detection of tampering may as well be a halt operation, i.e. shutting down the device.
BRIEF DESCRIPTION OF THE DRAWINGS These and other aspects of the invention will be apparent from and elucidated with reference to the embodiment(s) described hereinafter. In the following drawings
Fig. 1 shows a schematic diagram of a semiconductor device according to the present invention;
Fig. 2 shows a schematic diagram of a memory cell together with a cover according to the present invention;
Fig. 3 shows a schematic flow chart of a method of generating an identifier according to the present invention;
Fig. 4 shows a schematic flow chart of a method of detecting a tampering according to the present invention; and Fig. 5 is a SEM photomicrograph of an IC covered by a TiO2 / TiN layer according to an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS Fig. 1 shows a schematic diagram of a semiconductor device according to the present invention. The semiconductor device 11 comprises a plurality of volatile memory 13 and a controller 15. Said volatile memory 13 is enclosed by a cover 17 comprising insulating portions and conducting portions. Further, said volatile memory 13 comprises a plurality of memory cells (not shown in Fig. 1) of SRAM type.
Said controller 15 is adapted for powering up said volatile memory 13, i.e. initializing said volatile memory. Said memory cells of SRAM type exhibit a bistable behavior, i.e. during power up each memory cell assumes either a bit value of 0 or a bit value of 1. The outcome of the power up for each memory cells depends on its parameters and some outside factors among others. However, provided similar conditions from outside and from power up each or almost all of the memory cell will assume the same bit value each time it is initialized. This reproducibility of the initialization value is increased by the provision of the cover 17.
The surprising increase of reproducibility will be explained as follows: a capacitive coupling is present between this cover 17 and the memory 13. An SRAM, if designed properly, is in a metastable state during a power up. The provision of the cover 17 leads to an offset that is in itself stable. The term 'offset' is understood within the context of this application to refer to an imbalance between capacities in the cover and in the SRAM memory cell. In other words, the effects of the metastability of the SRAM cell during power up are suppressed by the capacitive coupling with the cover. Since the cover has a laterally varying, random impedance, the resulting value of the cell during the initialization is still random, but more reproducible. Reproducible means here that the value will be sufficiently identical in several initialization runs. If the value is to be used for identification purposes, the reproducibility is evidently a very relevant parameter. Fig. 2 shows a schematic diagram of a memory cell together with a cover according to the present invention. The memory cell 21 is of the well-known 6 transistor SRAM type. The memory cell 21 is addressed by word lines 22 and bit lines 23 and comprises transistors 24 and inverters 25. The operation and design of such memory cells in general is well known and is thus not discussed in further detail herein. The memory cell is covered by a non-homogeneous coating layer or cover 27 consisting of an isolation layer 28 mixed with conductive particles 29. The isolation layer 28 is made of an Aluminum Meta Phosphate matrix and TiO2 particles of about 0.1 μm. The conductive particles 29 are made of TiN. The conductive particles have a diameter of about 1 μm (1 micron). The structure may have a high porosity. As a result of this cover layer 27 the nodes of the SRAM cell 21 will 'see' stray capacitances 26, 26' depending on the random distribution of the particles 29. As described in the above mentioned application titled "Semiconductor Device Identifier Generation Method And Semiconductor Device" during power up the memory cell 21 will assume a bit value characteristic to said memory cell 21. During power up of the memory cell 21 the state will be influenced by said stray capacitances 26, 26' as well as the cell's local properties resulting in a random bit value. The outcome of the initialization is not necessarily the same for said memory cell 21 having said cover 27 as for an identical memory cell having no such cover or a different cover. Since there is no particular meaning to the bit values of a plurality of memory cells besides their randomness this possible change due to the layer does not matter. By providing the layer 27 the resistance of the bit value outcome against variations in for example temperature or supply voltage is increased, so that an identifier or code may be generated from such a plurality of memory cells more reliably, i.e. the impact of varying conditions on the generated code is reduced and within a wider range of conditions the semiconductor device of the present invention will generate virtually the same identifier.
The randomness of the distribution of the bit value over the plurality of memory cells allows this identifier to be used as a random code in a large number of appliances.
A possible way for producing a memory cell and a semiconductor device according to the present invention includes a deposition of the coating on the wafer and possibly the removal of some coating from the bond-pad region for preventing short- circuiting the pads and for enabling bond-wire attachment.
In Fig. 2 a cover is shown which is mainly formed by TiO2 as an isolating material with particles of TiN as conducting material providing the stray capacitances. It is also possible to include isolating, non conducting particles in a conducting matrix, wherein it may be necessary to provide a (further) isolation between the memory cell and the cover in order to avoid short cuts. Other ways of providing a cover are also possible, including multiple types of particles of different conductivity or having different dielectric properties. Further, the skilled person may choose from a large number of possible methods to apply the cover to the memory or to the memory cells including a coating or an embedding. The cover suitably includes conductive particles to achieve optimum randomness, although these particles are strictly not necessary in order to achieve variation of the capacitive coupling. Without particles, merely a stray capacitance is left. As stated above, the cover of this preferred example is based on a matrix of meta-aluminum phosphate, that is suitably applied by spincoating. A method thereof is known from US6198155. However, the coating material is certainly not limited to such a material. Other inorganic matrix materials that can be applied with a sol-gel technique may be used alternatively, including an oxide-matrix that may be applied on the basis of TEOS and a porous titanium oxide matrix. It is moreover not excluded to include particles in an organic matrix material. While spincoating is preferred from cost-perspective, it is not impossible that the cover or embedding may be applied with chemical vapor deposition techniques. Such a CVD deposition suitably includes a plurality of deposition steps of different materials and of different thicknesses. Particularly atomic layer CVD is recognized as a technique that can be tuned to provide non-uniform layers. The creation of threedimensional structures, such as those conventionally applied in damascene and dual damascene structures will help to create further randomness, but also tends to increase the number of lithographic masks needed.
In a preferred embodiment according to the invention, the number of metal layer overlying the memory cell and underlying the cover in the area of the memory cell is less than ten and preferably less than six. Preferably, the distance between cover 17 and the memory cell is limited to approximately 2 microns of oxide. Integrated circuits in advanced technology such as C90, C65 etc, tend to have a large number of metal layers in the interconnect structure. Such metal inevitably influences the capacitive coupling and a cover that is for instance deposited on top of the passivation layer. By limiting the number of metal layers between the cover and the memory cell, this disturbance is reduced. Such limitation may be achieved by proper design of the metal layers outside the area of the memory cell. Alternatively, the stack of metal layers may be modified locally. The limitation may further be achieved by provision of a patterned cover within the structure of metal layers and below the passivation layer. The limitation of the oxide thickness may be translated into other, larger thicknesses in case use is made of intermetal dielectrics with a small dielectric constant, e.g. low-K materials. In a further embodiment, the cover is provided on an opposite side of the memory cell, e.g. on the bottom side of the semiconductor substrate after this substrate has been thinned.
WO2003/046802 discloses another structure including a cover of the same material as the preferred example of this invention. That prior art structure is intended to generate a physically uncloneable function in that a passive element such as a capacitor or inductor is defined adjacent to the coating, e.g. generally in the upper metal layer. While the known structure may be further improved, its temperature dependence is considered an inherent problem: the measured overall capacitance is temperature dependent, and thus the absolute value of the capacitor may vary in the course of time. However, in the present invention, use is made of the capacitive coupling for defining a randomness of a non- volatile memory cell during initialization. While though the absolute value of the capacitance of the cover may vary as a result of the temperature dependence, the capacitive coupling is less temperature-dependent. The combination of cover and memory cell in the invention therefore not only leads to improved reproducibility over a mere memory cell, but also over a mere coating with an impedance sensor.
It will be understood that the semiconductor device of the present invention includes a volatile memory coupled to a memory controller. The memory controller is configured to retrieve pseudo-random bit values from a predefined subset of the memory cells of memory for identifier generation purposes. The pseudo-random bit values are inherent to the microstructure of the corresponding memory cells from which they are retrieved, as previously explained. The controller retrieve the bit values upon a power-up of the memory in case of an SRAM-type memory, or may be configured to, upon a power-up of a DRAM-type memory, store a predefined bit pattern in the memory and retrieve the pseudorandom bit values from memory after a predefined delay, which may be programmable.
The dimension of the subset may be hard-coded in the memory controller or may be programmable. To this end, the memory controller may have a data storage facilities, e.g. a small flash memory, one or more suitable registers and so on, to store the programmable dimensions of the subset. The memory controller may be responsive to a signal provided via an input. The signal typically requests the generation of the identifier, and will therefore also trigger the power-up of the memory. The output is configured to receive the data retrieved from the memory.
The memory controller may be directly coupled to the input. Alternatively, the semiconductor device may further comprise an IEEE 1149.1 compliant test access port
(TAP) controller, which for instance may also be involved with controlling test modes of the device. The TAP controller may have an instruction register (not shown) for receiving an instruction from the TAP. Since the boundary scan standard allows the use of proprietary instructions, an instruction may be added to the instruction set for the TAP controller that triggers the power-up of the memory and the data retrieval under control of the memory controller. The Input may be the TDI, and the output may be the TDO of TAP, and the data path from the memory to the output may include a scan chain under control of the TAP controller. Fig. 3 shows a schematic flow chart of a method of generating an identifier according to the present invention. In a first step 31 a memory comprising a plurality of memory cells is initialized wherein said memory cells are caused to assume a random state. In a subsequent step 33 a subset of said plurality is read out and in a following step 35 said identifier is generated based on said read out.
In the said first step 31, the memory of the semiconductor device is powered up under predefined operating conditions, i.e. a predefined power-up voltage V and a predefined temperature T to let the cells of the memory assume the respective pseudorandom bit values. It will be obvious that the volatile memory is powered up from a state in which it does not contain any information, i.e. any substantial charge. The value for the power-up voltage is chosen such that it exceeds the threshold voltage of the transistors of the memory. It will be appreciated that the actual suitable values of V are dependent of the technology in which the volatile memory is realized; for instance, for a memory developed in a CMOS 12 technology, any value V in the range of 0.7 V - 1.5V may be appropriate, but values outside this range may also be used, e.g. in the case of other semiconductor technologies.
Step 31 may be initiated by an identifier generation request signal, i.e. a signal triggering the semiconductor device to initiate execution of the method of the present invention. In the next step 32, a subset of the plurality is read out. That is: the data stored in at least a subset of the memory is retrieved. Data acquisition from a part of the memory rather than the whole memory is preferred because reading data from a whole memory can be rather time-consuming, especially when the memory is of significant size, e.g. several megabits. Moreover, some equipment used for reading the bit values from the volatile memory can only cope with limited data volumes, thus preventing read-outs of the whole memory.
In step 32, it is decided if further measurements are required. Different sets of bit values may be retrieved from different retrieval steps, e.g different SRAM-type memory power-ups, which may be at different temperatures, different power-up voltages or combinations of those different conditions, and each power-up step and data retrieval step being repeated a number of times at fixed T and V to facilitate the detection of variations in start-up bit values for the selected subset of the volatile memory between the various startups. This for instance allows the determination of the randomness of the start-up behavior of each memory cell in the subset, e.g. whether or not the cells are strongly biased towards adopting a particular bit value at start-up. The decision whether or not to perform multiple start-ups and data retrievals is taken in step 32, after which T and/or V may be changed in an optional step.
If multiple sets of data from such data retrievals are present, which is checked thereafter, these sets of data may be combined subsequently, for instance by averaging the sets of data. This will be explained in more detail below.
The retrieved data, which may be data combined subsequently, is assigned as an identifier to the semiconductor device in step 35 and stored in a suitable database thereafter. It will be obvious that the size of the volatile memory subset used for the identifier generation may be chosen such that the size of the identifier is suitable to be stored in the database, e.g. does not lead to excessive database sizes.
Fig. 4 shows a schematic flow chart of a method of detecting a tampering according to the present invention. In a first step 41 an original identifier is generated according to a method as described above. In step 43 the original identifier is stored in a non- volatile memory, preferably in an encrypted, scrambled or encoded format. In step 45 according to a method of the invention an identifier is generated and compared to said original identifier which is stored in said non- volatile memory. Step 45 is repeated each time it is to be checked whether a tampering has occurred. Thus, step 45 may be performed each time the semiconductor device is started as well as repeatedly during operation. In case a degree of difference between said newly generated identifier and said original identifier exceeds a predetermined threshold a predetermined operation is performed in step 47 in order to indicate the detection of tampering, e.g. a system halt, an alarm or some other procedure.
Fig. 5 is a SEM photomicrograph of an IC covered by a Aluminum Meta Phosphate / TiO2 / TiN layer according to an embodiment of the present invention. A cross section of an IC 51 is shown which is covered by a mixture 53 of TiO2 and TiN particles embedded in Aluminum Meta Phosphate providing the random stray capacitances for stabilizing the random states of the memory cells after initialization.
There are a number of applications possible in which a semiconductor device according to the present invention may be implemented as including a (unique) key or identifier intrinsically coupled to the device, e.g: the device may be part of a baseband chip of a GSM or portable media-player. Certain purchased rights (e.g. to play a song) can be encrypted with the embedded key; this right can then never be transferred to another device. the device could be a codec of a copy-protected audio/video stream which also does the decryption of this stream before it is decrypted. Nowadays copy protection schemes for protecting audio/video are designed such that every compliant device has a unique set of device keys to perform decryption. To store device keys securely they are encrypted with the unique ID of the codec-IC and stored in ordinary flash. In this way they cannot be used in other devices (which have codec ICs with a different embedded key). a smart card may be used to authenticate a GSM/Set Top Box, i.e. the GSM or the STB has to prove by cryptographic means to the smartcard/SIM that it is indeed a STB or GSM and not some malignant PC-software application; this is important because the SIM/Smartcard delivers essential secrets for setting up telephone calls or decrypting pay TV content. The same holds vice versa; the smart card has to prove that it is a smartcard and not a simulated smartcard; this is important for business models where hardware (STB/GSM) is subsidized, and should only be used with the smartcard/SIM of the original provider. Usually such authentication is based on a shared secret (if symmetric) or public key infrastructure. In either case it has to be ensured that the keys for authenticating and verifying the authentication are tied to the respective device, which can be done by cryptographically linking them to the embedded ID/key. protection of the keys used to decrypt firmware
IDs for cheap sensors, refill cartridges, etc. In this scenario a (relatively complex) central device (the sensor server, or a printer) has to verify that the sensors/refill cartridges are from the original manufacturer and not some cheap imitation; this can be done by white/black-listing IDs, as long as these IDs can be made cheaply (no extra EEPROM) and are unique for every sensor/cartridge. This may for example be achieved by the present invention. While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive; the invention is not limited to the disclosed embodiments.
Other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims.
In the claims, the word "comprising" does not exclude other elements or steps, and the indefinite article "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measured cannot be used to advantage.
Any reference signs in the claims should not be construed as limiting the scope.

Claims

CLAIMS:
1. Semiconductor device (11) for generating an identifier, said device (11) comprising: a volatile memory (13) having a plurality of memory cells (21), each of said memory cells (21) being adapted for assuming a random state during an initialization phase, - a cover (17, 27, 53) at least partially covering said memory (13), said cover
(17, 27, 53) comprising isolating portions (28) and conductive portions (29) resulting in a capacitive coupling of said memory (13) and said cover (17, 27, 53), and a controller (15) adapted for initiating said initialization phase of said memory (13) and for generating said identifier based on a state of a subset of said plurality of memory cells (21) after said initialization phase.
2. Semiconductor device (11) as claimed in claim 1, wherein said memory cells (21) are volatile memory cells, in particular SRAM cells or DRAM cells.
3. Semiconductor device (11) as claimed in claim 1, wherein said cover (17, 27,
53) comprises a random distribution of isolating and conductive portions (28, 29).
4. Semiconductor device (11) as claimed in claim 1, wherein said cover (17, 27, 53) comprises a mixture (53) OfTiO2 particles and TiN particles, in particular embedded in Aluminum Meta Phosphate, wherein the TiN particles in particular have an average diameter of 0.5 to 2 μm, preferably of 1 μm.
5. Semiconductor device (11) as claimed in claim 1, wherein said cover (17, 27, 53) comprises particles, in particular conductive particles, having an average diameter in the same order of magnitude as a minimum feature size of a memory cell.
6. Semiconductor device (11) as claimed in claim 1, wherein said initialization phase is a power up of said memory (13).
7. Method of generating an identifier from a semiconductor device comprising a volatile memory having a plurality of memory cells and a cover at least partially covering said memory, said cover comprising isolating portions and conductive portions resulting in a capacitive coupling of said memory and said cover, said method comprising the steps of: - initiating (31) an initialization phase of said memory for causing each of said memory cells to assume a random state, reading out (33) a subset of said plurality of memory cells, generating (35) said identifier based of said read out.
8. Method of detecting a tampering on a semiconductor device comprising a nonvolatile memory and a volatile memory having a plurality of memory cells and a cover at least partially covering said memory, said cover comprising isolating portions and conductive portions resulting in a capacitive coupling of said memory and said cover, said method comprising the steps of: - generating (41) an original identifier according to a method as claimed in claim 7, storing (43) said original identifier in said non-volatile memory, preferably in a scrambled, encrypted or encoded form, repeatedly generating (45) said identifier according to a method as claimed in claim 6 and comparing said newly generated identifier to said original identifier stored in said non- volatile memory, and performing (47) a predetermined operation in case a degree of difference between said newly generated identifier and said original identifier exceeds a predetermined threshold indicating that said semiconductor device has been tampered with.
PCT/IB2008/050515 2007-02-16 2008-02-13 Semiconductor device identifier generation WO2008099348A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP07102549.8 2007-02-16
EP07102549 2007-02-16

Publications (2)

Publication Number Publication Date
WO2008099348A2 true WO2008099348A2 (en) 2008-08-21
WO2008099348A3 WO2008099348A3 (en) 2008-10-30

Family

ID=39591179

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2008/050515 WO2008099348A2 (en) 2007-02-16 2008-02-13 Semiconductor device identifier generation

Country Status (1)

Country Link
WO (1) WO2008099348A2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2968454A1 (en) * 2010-12-06 2012-06-08 St Microelectronics Rousset Method for identifying integrated circuit that is utilized in personal digital assistant, involves determining impression of granular structure of metallic zone from digital image obtained by backscattered electron diffraction
EP3021254A1 (en) * 2014-11-11 2016-05-18 Giesecke & Devrient GmbH Method for protecting against unauthorized access
CN114236999A (en) * 2021-12-22 2022-03-25 珠海奔图电子有限公司 Data protection method, consumable chip, consumable and image forming device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010033012A1 (en) * 1999-12-30 2001-10-25 Koemmerling Oliver Anti tamper encapsulation for an integrated circuit
WO2003046802A2 (en) * 2001-11-28 2003-06-05 Koninklijke Philips Electronics N.V. Semiconductor device, card, methods of initializing, checking the authenticity and the identity thereof

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010033012A1 (en) * 1999-12-30 2001-10-25 Koemmerling Oliver Anti tamper encapsulation for an integrated circuit
WO2003046802A2 (en) * 2001-11-28 2003-06-05 Koninklijke Philips Electronics N.V. Semiconductor device, card, methods of initializing, checking the authenticity and the identity thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2968454A1 (en) * 2010-12-06 2012-06-08 St Microelectronics Rousset Method for identifying integrated circuit that is utilized in personal digital assistant, involves determining impression of granular structure of metallic zone from digital image obtained by backscattered electron diffraction
EP3021254A1 (en) * 2014-11-11 2016-05-18 Giesecke & Devrient GmbH Method for protecting against unauthorized access
CN114236999A (en) * 2021-12-22 2022-03-25 珠海奔图电子有限公司 Data protection method, consumable chip, consumable and image forming device

Also Published As

Publication number Publication date
WO2008099348A3 (en) 2008-10-30

Similar Documents

Publication Publication Date Title
US20090065591A1 (en) Smart-card chip arrangement
US9129671B2 (en) Semiconductor device identifier generation method and semiconductor device
TWI732903B (en) Electronic apparatus, memory apparatus and operation method thereof
JP6474056B2 (en) Non-volatile memory device having tamper resistance, integrated circuit card, authentication method for non-volatile memory device, encryption method and decryption method using non-volatile memory device
JP6532024B2 (en) Tamper resistant nonvolatile memory device and integrated circuit card
Tehranipoor et al. DRAM based intrinsic physical unclonable functions for system level security
JP6508478B2 (en) Tamper resistant nonvolatile memory device and integrated circuit card
CN107437431B (en) Nonvolatile memory device
US7945791B2 (en) Protected storage of a datum in an integrated circuit
US9824239B2 (en) System for and method of cryptographic provisioning
US20130141137A1 (en) Stacked Physically Uncloneable Function Sense and Respond Module
US20120044777A1 (en) Semiconductor device
CN114631093B (en) Semiconductor device with secure access key and associated methods and systems
US20100085075A1 (en) Integrated circuit and method for preventing an unauthorized access to a digital value
US9509306B2 (en) Tamper resistant IC
Rosenblatt et al. A self-authenticating chip architecture using an intrinsic fingerprint of embedded DRAM
EP2174255A1 (en) Method and device for providing digital security
US20080282209A1 (en) System for and Method of Verifying IC Authenticity
JP2008033594A (en) Data storage unit, power control method, and communication unit
US20090049548A1 (en) Semiconductor Device and Method For Preventing Attacks on the Semiconductor Device
US8108691B2 (en) Methods used in a secure memory card with life cycle phases
TWI663604B (en) Method for operating a circuit including non-volatile memory cell and circuit using the same
CN114631149A (en) Semiconductor device with secure access key and related method and system
US20160373256A1 (en) Chip authentication technology using carbon nanotubes
CN108958650A (en) Electronic system and its operating method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08710015

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08710015

Country of ref document: EP

Kind code of ref document: A2