

# FDTC 2018

## Laser Fault Injection at the CMOS 28 nm Technology Node: an Analysis of the Fault Model

<u>J.M. Dutertre</u><sup>1</sup>, V. Beroulle<sup>2</sup>, P. Candelier<sup>3</sup>, S. De Castro<sup>1,4</sup>, L.B. Faber<sup>3</sup>, M.L. Flottes<sup>4</sup>, P. Gendrier<sup>3</sup>, D. Hély<sup>2</sup>, R. Leveugle<sup>5</sup>, P. Maistri<sup>5</sup>, G. Di Natale<sup>4</sup>, A. Papadimitriou<sup>2</sup>, B. Rouzeyre<sup>4</sup>

Amsterdam, The Netherlands — Thursday, September 13, 2018



• A brief history of laser fault injection

- Habing introduced laser emulation of SEE 1965 Emulation of radiation induced Single Event Effects
- 1997 Boneh et al. introduced fault attacks Hardware attack of crypto./secure devices
- 2002 Skorobogatov et al. introduced laser fault inject. Secure devices: CMOS 350 nm One single transistor under a laser beam (1 µm)
- 2018 Continuous scale down of CMOS technology Secure devices: CMOS 40 nm SoC: CMOS 14 nm Several logic gates under a laser beam (1 µm) 2

#### □ LFI accuracy vs. CMOS scale down

Laser spot

SRAM

3



#### □ LFI accuracy vs. CMOS scale down

Laser spot

SRAM



### □ Importance of the fault model

LFI considered as an accurate fault injection technique:

- physical location (gates under/close to the laser spot),
- injection time (regarding the course of an algorithm),
- nb. of faulted bits/bytes,
- additional information leakage (data dependence).

Makes it possible to meet the (sometimes strong) requirements of FA and DFA schemes.

Does CMOS technology scale down reduce the accuracy of the laser fault injection fault model?

#### □ Fault model of LFI at the CMOS 28 nm tech. node

On an experimental basis (custom test chip)

- Single-bit/single-byte fault model
- Data dependence: bit-flip vs bit-set/reset fault model
- Static LFI on D flip-flops
- Dynamic LFI on an AES encryption unit

#### I. Introduction

II. Theory of laser fault injection

Physics and basics of laser fault injection

Fault models of LFI

III. Static LFI experimental results

Setup, results, analysis

- IV. Dynamic LFI experimental results Setup, results, analysis
- V. Conclusion

### I. Introduction

#### II. Theory of laser fault injection

Physics and basics of laser fault injection

Fault models of LFI

# III. Static LFI experimental results

Setup, results, analysis

IV. Dynamic LFI experimental results Setup, results, analysis

V. Conclusion

### Physics of laser fault injection

 Photoelectric effect: from a laser pulse to transient current generation (in reverse biased PN junction)











Laser sensitive areas: OFF transistors' drains (reversed biased PN junctions)

#### Fault injection mechanism from a voltage transient to an actual fault

Two mechanisms depending on the voltage transient location:

- 1. logic,
- 2. memory element (D flip-flop, SRAM)

 Fault injection mechanism – target: combinatorial logic from voltage transient to fault



 Fault injection mechanism – target: combinatorial logic from voltage transient to fault



 Fault injection mechanism – target: combinatorial logic from voltage transient to fault



The fault injection process depends both on:

- the injection time,
- the voltage transient duration.









Note the data dependence of the laser sensitive areas.

## I. Introduction

#### II. Theory of laser fault injection

Physics and basics of laser fault injection

#### Fault models of LFI

III. Static LFI experimental results Setup, results, analysis

- IV. Dynamic LFI experimental results Setup, results, analysis
- V. Conclusion

### □ Fault model: mathematical expression at bit level

bit-flip (usual fault model, data independent)

 $b \rightarrow not(b)$ 

□ Fault model: mathematical expression at bit level

bit-set/reset fault model (data dependent)

if 
$$b = 0 \rightarrow b = 1$$
  
if  $b = 1 \rightarrow b = 1$  bit-set

$$if \ b = 0 \rightarrow b = 0$$
  
$$if \ b = 1 \rightarrow b = 0$$
 bit-reset

Provide additional information on the original bit value

⇒ Safe error attack (e.g. retrieveing memory bits)

bit-set/reset fault model: D latch layout vs. laser effect area



Laser sensitive areas:

SEU sensitive for Q = 1

SEU sensitive for Q = 0

Laser spot size/effect area:  $\rightarrow$   $1\mu m$ 

One laser sensitive area exposed

⇒ bit-set/reset fault model

bit-set/reset fault model: Dff layout vs. laser effect area



Laser sensitive areas:

SEU sensitive for Q = 1

SEU sensitive for Q = 0

Laser spot size/effect area:



Overlaps of laser sensitive areas

 $\Rightarrow$  bit-flip fault model

### Experimental state of the art

- 2015, B. Selmke et al.: 45 nm SRAM (FPGA)
- 2015, C. Champeix et al.: 40 nm D flip-flop
- Both consistent with single-bit and bit-set/reset fault models



Illustration for D flip-flop:

- 4 SEU sensitive areas of master latch (clk = 1),

- 3 SEU sensitive areas of slave latch (clk = 0).

B. Selmke et al., "Precise laser fault injections into 90 nm and 45 nm sram-cells," CARDIS 2015.

C. Champeix et al., "SEU sensitivity and modeling using pico-second pulsed laser stimulation of a D Flip-Flop in 40 nm CMOS technology," DFTS 2015.

#### I. Introduction

- II. Theory of laser fault injection
  - Physics and basics of laser fault injection

Fault models of LFI

III. Static LFI experimental results

Setup, results, analysis

- IV. Dynamic LFI experimental results Setup, results, analysis
- V. Conclusion

#### III. Static LFI experimental results

## □ Experimental setup



#### Experimental setup



- Backside injection
  - Pulse width: 30 ps
    up to 100 nJ
- Wavelength: 1,030 nm
- Pulse width: ns
  - 5-50 ns, max. power 1 W
  - 50 ns 1 s, max. power 3 W
- Wavelength: 1,064 nm
- Spot size: 1µm or 5 µm

#### III. Static LFI experimental results

#### Experiments description



Laser fault sensitivity maps drawing (colors according to the fault model)

#### III. Static LFI experimental results

#### Custom D flip-flop registers, CMOS 28 nm



## Custom D flip-flop registers, CMOS 28 nm

Matrix shaped shift register with 64 D flip-flops



- DFF: ~ 40 transistors,
- *large* output buffer



# □ Custom D flip-flop registers, CMOS 28 nm spot 1 µm / 30 ps / 0.5 nJ / ∆xy = 1 µm / backside



# □ Custom D flip-flop registers, CMOS 28 nm

3D view at 1 nJ





#### III. Static LFI experimental results

## Custom D flip-flop registers, CMOS 28 nm

in-line shift register with 10 D flip-flops

|   |       | vdd |     |       | vdd |     |       | vdd |     |       | vdd |     |       | vdd |     |       | vdd |     |       | vdd |     |       | vdd |   |       | vdd |     |       | vdd |     |
|---|-------|-----|-----|-------|-----|-----|-------|-----|-----|-------|-----|-----|-------|-----|-----|-------|-----|-----|-------|-----|-----|-------|-----|---|-------|-----|-----|-------|-----|-----|
| 8 | D     | Dff | Q 🛛 | 🖾 D   | Dff | Q 🖾 | ⊠ D   | Dff | Q 🖾 | ⊠ D   | Dff | Q 🛛 | 🖾 D   | Dff | Q 🛛 | 🖾 D   | Dff | Q 🖾 | ⊠ D   | Dff | Q 🖾 | 🖾 D   | Dff | Q | ⊠ D   | Dff | Q 🛛 | 🖾 D   | Dff | Q 🛛 |
|   | 🛯 cik |     |     | 🖾 cik |     |     | 🖾 cik |     |     | 🛛 cik |     |     | 🖾 cik |     |     | 🛛 cik |     |     | 🖾 cik |     |     | 🖾 cik |     |   | 🖾 clk |     |     | 🖾 cik |     |     |
|   |       | gnd |     |       | gnd |     |       | gnd |     |       | gnd |     |       | gnd |     |       | gnd |     |       | gnd |     |       | gnd |   |       | gnd |     |       | gnd |     |

#### III. Static LFI experimental results

# Custom D flip-flop registers, CMOS 28 nm spot 1 µm / 30 ps / 0.5 nJ / ∆xy = 0.2 µm / backside



37

□ Memory elements, static test – Conclusion

Bit-set/reset fault model = relevant

Single-bit fault model experimentally assessed with a laser at the CMOS 28 nm node for 1  $\mu$ m and 5  $\mu$ m (see table below) laser spots.

| Energy [nJ]       | 0.4 | 0.5 | 0.8 | 1  | 1.5 | 2  | 3  | 4  | 5  |
|-------------------|-----|-----|-----|----|-----|----|----|----|----|
| # of faults       | 1   | 8   | 21  | 23 | 24  | 24 | 26 | 30 | 31 |
| # of 1-bit faults | 1   | 8   | 15  | 17 | 10  | 7  | 7  | 9  | 9  |
| # of 2-bit faults | -   | -   | 6   | 6  | 7   | 5  | 4  | 5  | 6  |
| # of 3-bit faults | -   | -   | -   | -  | 4   | 7  | 8  | 4  | 4  |
| # of 4-bit faults | -   | -   | -   | -  | 3   | 3  | 3  | 5  | 1  |
| # of 5-bit faults | -   | -   | -   | -  | -   | 1  | 1  | 2  | 4  |
| # of 6-bit faults | -   | -   | -   | -  | -   | 1  | 1  | 2  | 2  |
| # of 7-bit faults | -   | -   | -   | -  | -   | -  | 1  | 2  | 4  |
| # of 8-bit faults | -   | -   | -   | -  | -   | -  | -  | 1  | 1  |

#### I. Introduction

- II. Theory of laser fault injection
  - Physics and basics of laser fault injection

Fault models of LFI

- III. Static LFI experimental results Setup, results, analysis
- IV. Dynamic LFI experimental results Setup, results, analysis
  V. Conclusion

#### IV. Dynamic LFI experimental results

### Test chips CMOS 28 nm

- Target: AES implementation (with parity-based CM, 100 MHz)
- IR microphotography (rear side), obj. x20



#### IV. Dynamic LFI experimental results

#### Experimental setup



- Backside injection
- Pulse width: 30 ps
  up to 100 nJ
- Wavelength: 1,030 nm
- Pulse width: ns
  - 5-50 ns, max. power 1 W
  - 50 ns 1 s, max. power 3 W
- Wavelength: 1,064 nm
- Spot size: 1µm or 5 µm

Hardware AES-128, CMOS 28nm, Vdd = 1.2V, 100MHz
 Exp.: 5 µm spot, 10 ns, 0.6-1.0 W, ∆xy = 1µm



26,380 faulted cipher texts

Unidentified faults: 6,574 (24.9 %)
 mainly 5 – 8 faulty bytes (up to12)



Hardware AES-128, CMOS 28nm, Vdd = 1.2V, 100MHz
 Exp.: 5 µm spot, 10 ns, 0.6-1.0 W, ∆xy = 1µm



#### Single-byte faults analysis

| # faulted bits | Occurrence |
|----------------|------------|
| 1              | 19,413     |
| 2              | 278        |
| 3              | 27         |
| 4              | 48         |
| 5              | 38         |
| 6              | 1          |

Exp. single-bit LFI rate: 73.6 %

#### I. Introduction

- II. Theory of laser fault injection
  - Physics and basics of laser fault injection
  - Fault models of LFI
- III. Static LFI experimental results
  - Setup, results, analysis
- IV. Dynamic LFI experimental results Setup, results, analysis
- V. Conclusion

#### Exp. LFI fault model analysis at CMOS 28 nm

<u>Single-bit</u>: static & dynamic tests (~ 70% success rate)
 1 µm & 5 µm laser spot size
 ps & ns laser pulse duration

Data dependence: bit-set/reset on D flip-flops well defined sensitive areas

Single-bit & Bit-set/reset are still actual and practical fault models at advanced CMOS technology nodes (28 nm).

Q? Does it still holds at the CMOS 14 nm node?

Thank you for your attention dutertre@emse.fr

Work funded by the ANR: LIESSE project ANR-12-INS-0008-01



J.M. Dutertre<sup>1</sup>, V. Beroulle<sup>2</sup>, P. Candelier<sup>3</sup>, S. De Castro<sup>1,4</sup>, L.B. Faber<sup>3</sup>, M.L. Flottes<sup>4</sup>, P. Gendrier<sup>3</sup>, D. Hély<sup>2</sup>, R. Leveugle<sup>5</sup>, P. Maistri<sup>5</sup>, G. Di Natale<sup>4</sup>, A. Papadimitriou<sup>2</sup>, B. Rouzeyre<sup>4</sup>

