near-field magnetic sensing system with high-spatial resolution and application for security of...

Upload: phuc-hoang

Post on 14-Feb-2018

214 views

Category:

Documents


0 download

TRANSCRIPT

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    1/9

    840 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 64, NO. 4, APRIL 2015

    A Near-Field Magnetic Sensing System With

    High-Spatial Resolution and Application

    for Security of Cryptographic LSIs

    Nguyen Ngoc Mai-Khanh, Member, IEEE, Tetsuya Iizuka, Member, IEEE, Akihiko Sasaki,Makoto Yamada, Osamu Morita, and Kunihiro Asada, Member, IEEE

    Abstract This paper presents a high-resolution inductivenear-field magnetic sensing system to detect sensitive andsuspicious areas of cryptographic large-scale integration (LSI)chips for nondestructive inspection. The proposed system includesa probe chip based on a 0.18-m five-metal-layer CMOS processtechnology and a microposition calibration mechanism. Theprobe chip includes a magnetic pick-up coil followed by a three-stage low-noise amplifier (LNA) to amplify the induced voltageon the coil. The Si-substrate area under the coil is removedby applying a focused-ion-beam (FIB) technique to enhancethe quality factor of the coil. A mechanical scanning systemwith an ability of microposition calibration is proposed to allowhigh-precision calibration and microscanning operation. High-spatial resolution magnetic scanning experiment is conductedon a microstrip line and on the surface of a cryptographicfield programmable gate array (FPGA) running 128-b advancedencryption standard (AES) algorithm. By making a comparisonin the scanning performance of a commercial probe, this sensingmeasurement holds the advantage of higher resolution magneticmaps in multiple frequency bands. Moreover, the proposedsystem can be used to identify vulnerable areas of cryptographicLSI chips that can cause location-dependent side-channel leakage.

    Index TermsCMOS, coil, cryptography, high-spatial

    resolution, integrated circuit, magnetic, probe, sensing.

    I. INTRODUCTION

    IT HAS been widely known that nondestructive or

    side-channel attacks on cryptographic chips can exploit

    leaked physical parameters and properties of the chips. Sensing

    on such leaked properties of a cryptographic chip during

    its operation can reveal corresponding secret key and secure

    data. Conventional operating-time-based attack method [1]

    Manuscript received May 30, 2014; revised August 6, 2014; acceptedOctober 12, 2014. Date of publication February 26, 2015; date of currentversion March 6, 2015. This work was supported by the Japan Society forthe Promotion of Science through the Grants-in-Aid for Scientific Researchunder Grant 24700042. The Associate Editor coordinating the review processwas Dr. Deniz Gurkan.

    N. N. Mai-Khanh and K. Asada are with the VLSI Design andEducation Center, University of Tokyo, Tokyo 113-8654, Japan (e-mail:[email protected]).

    T. Iizuka is with the Department of Electrical Engineering and InformationSystems, University of Tokyo, Tokyo 113-8654, Japan.

    A. Sasaki and M. Yamada are with Morita-Tech Company, Ltd.,Kawasaki 215-0032, Japan.

    O. Morita is with the Department of Electrical and Electronics Engineering,Aoyama Gakuin University, Tokyo 150-8366, Japan.

    Color versions of one or more of the figures in this paper are availableonline at http://ieeexplore.ieee.org.

    Digital Object Identifier 10.1109/TIM.2014.2373472

    Fig. 1. Design and measurement procedure of this paper.

    analyzes the amount of time required to perform private

    key operations of a cryptosystem. In addition, other researchgroups employ simple or differential analysis methods on

    power consumption [2][5]. For example, Kocher et al. [2]

    proposed the differential power attack with a small resistor

    connected to the power pin of cryptographic devices to analyze

    power consumption. Another improvement on power-based

    analysis is correlation power attack [6], [7]. However, leaked

    electromagnetic (EM) emanations can provide more secret

    information [8], [9] and then side-channel cryptanalysis based

    on EM emanations has studied and investigated [10][13].

    Electric variations produced from an operating cryptographic

    LSI chip generate magnetic flux, which can be detected to

    reveal secret information. Sensing methods based on leakage

    EM emission of a cryptographic chip provide highest amountof information compared with power consumption analysis

    ones [9]. Micromagnetic sensing approach is preferred due

    to its ability of detecting susceptible locations and leaked

    magnetic field direction [14], [15]. In LSI circuits, value

    changes such as digital clock or data chains in the logic state of

    CMOS gates cause time-varying currents and hence produce

    concentric magnetic fields around conductors. By placing

    magnetic sensing coils close to a cryptographic chips surface

    to measure and monitor data-dependent leakage magnetic

    0018-9456 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    2/9

    MAI-KHANH et al.: N EAR-FIELD M AGNETIC SENSING SYSTEM WITH H IGH -SPATIAL RESOLUTION AN D APPLICATION 841

    Fig. 2. Three-stage LNA diagram with the magnetic pick-up coil.

    emanations of the chip, related secret information of the

    chip can be captured [3], [13][17]. Therefore, there is a

    strong demand to analyze and identify vulnerable portions of

    cryptographic chips from EM-based side-channel attacks.

    Previously, we presented a near-field magnetic probe with

    a coil integrated with an LNA in a chip [18], [19]. However,

    the probe system encountered the problem of eddy currents

    generated from metal probe holder and the small size of

    the coil of 100 100 m2 with the effective core area of

    3030m2 is not sufficient for picking-up and detecting sub-

    milliampere electric currents flowing under the lossy material

    of the cipher LSI package. Furthermore, the probe must have a

    wide frequency range, e.g., 500 MHz in the case of supplying

    a 50-MHz clock to the cipher LSI, to capture such high

    harmonic signals of the clock frequency emitted from the

    clock circuit and other internal frequency synthesizer circuits.

    In this paper, which is an extension of [20], we present

    our enhancement of near-field magnetic sensing and scanningsystem for localized EM nondestructive analysis as described

    in Fig. 1. Basic components of the system include an on-

    chip magnetic pick-up coil, an integrated three-stage LNA,

    and a plastic probe holder attached to a high-spatial resolution

    scanning system. Furthermore, a microposition calibration

    mechanism and a postmeasurement step to process scanned

    magnetic cartography are presented. Measured results show

    an ability of mapping and microresolution locating on a

    small logic block intentionally localized on a cryptographic

    FPGA.

    This paper is organized as follows. Section II presents

    the design of the magnetic probe and probe fabrication

    steps. Microposition calibration mechanism is describedin Section III. Scanning results of the proposed probe on a

    microstrip (MS) line and on the surface of a cryptographic

    FPGA, and a comparison with a commercial probe are

    discussed in Section IV. Section V concludes this paper.

    I I . PROBED ESIGN ANDI NTEGRATION

    A. On-Chip Magnetic Pick-Up Coil

    Fig. 2 shows a coil with Nturns placed at a distance r from

    a time-varying current metal wire. As well-known Faradays

    induction law, the coil induces the magnetic field based on

    Fig. 3. Proposed coil with symmetric topology.

    the relationship of the magnetic flux through the coil and the

    coils voltage, Vcoil. Current Iof the wire produces magnetic

    flux B as BiotSavart law: B = (0I/2)Xln(r+ Y/r).

    If the coil is in a perpendicular direction to the magnetic plane

    of the wire, one can write

    Vcoil = N dB

    dt= N

    0

    2Xln

    r+ Y

    r

    d I

    dt(1)

    where 0 is the vacuum permeability. If I= I0sin(2 f0t)

    Vcoil = N0Xlnr+ Y

    rI0fcos(2f0t). (2)

    To enhance Vcoil, increments of both N and X can be

    applied but the former confronts the limitation of the number

    of metal layers in a determined CMOS technology process

    while the latter can offer easily multi-increment in Vcoil.

    Therefore, we proposed a magnetic pick-up coil with a larger

    size of X = 500 m and Y = 100m, five times bigger than

    that in [18] and [19], to allow more magnetic flux throughthe coil, as shown in Fig. 3. The Si-substrate under the coil is

    removed by applying an FIB process to avoid eddy currents

    and enhance both inductance L and quality factor Q of the

    coil [19]. Quality factor of a coil is defined as

    Q = 2 (Emag Eelec)

    Eloss(3)

    where Emag and Eelec are peak magnetic and electric energies

    stored, respectively, and Eloss is the energy loss per cycle [21].

    Q is detailed as a product of ideal quality factor (ideal-Q),

    substrate loss factor, and self-resonance factor [22]. Ideal-Q

    accounts for the magnetic energy stored and the ohmic loss

    in series resistance of the coil while self-resonance factordepends on the increment of electric energy stored. Substrate

    loss factor represents the energy dissipated in the Si-substrate.

    Note that both substrate loss factor and self-resonance factor

    are less than 1. The removal of the Si-substrate under the

    coil eliminates the loss on the resistive Si-substrate, reduces

    coil-substrate coupling capacitors, and enhances the coils self-

    inductance. Fig. 4 shows the improvement on L and Q of the

    coil when its Si-substrate is removed. The improvement on

    L enhances the magnetic energy Emag stored in the coil. The

    Si-substrate removal reduces peak electric energy and hence

    enhances the quality factor Q of the coil.

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    3/9

    842 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 64, NO. 4, APRIL 2015

    Fig. 4. Improvement percentages on L and Q of the Si-substrate removalcase compared with a nonremoved Si-substrate one.

    Fig. 5. Periodic rectangular pulse signal x(t) and its harmonic amplitudefunction cn in a case of duty cycle D = 1/6. A wideband amplifier is requireddue to the existence of sufficient amplitude harmonics.

    In practical applications for sensing weak magnetic fields

    generated from digital clock-supplied cryptographic LSIs, two

    things should be considered to design the related integrated

    circuit. First, a high-gain amplifier should be used to magnify

    the induced voltage on the coil. In addition, this ampli-fier should have a low-noise feature and an infinite input

    impedance. Second, the circuit including the coil followed by

    the amplifier should have an ability of wideband spectrum

    sensing to induce and then amplify magnetic fields generated

    by not only the fundamental frequency of the clock but

    also its harmonics. If clock x(t) is a repeating square pulse

    with an amplitude of A, a cycle of T, and a duty cycle

    D = 2Tp/T as shown in Fig. 5, x(t) is even and hence its

    Fourier transformation series contains only cosine terms and

    a constant term as

    x(t) = c0 +

    +

    n=1

    cncos(nt) (4)

    = DA +

    +

    n=1

    2A

    n sin(nD)cos(nt) (5)

    where = (2/T), c0 = D A, and cn = (2A/n)

    sin(nD) is harmonic amplitude. For example, if T = 12 Tpor D = 1/6, harmonic components of x(t) are nonzero

    except the multiples of the sixth component, as shown in

    the right-hand side of Fig. 5. The induced signals at the coil

    are proportional with derivation function of x(t), x/t, and

    contain harmonic components ofx(t). Moreover, inside digital

    cryptographic LSIs, there are several clock-based circuits such

    Fig. 6. Postprocessing steps including the remove of the Si-substrate areaunderneath the coil and mounting the flipped chip to a PCB by goldenballs. An X-ray photo is used to confirm the alignment of chips pads andcorresponding PCBs ones.

    as delay-locked loop, phase-locked loop, frequency dividers, or

    flip-flops, which can generate magnetic fields in different

    frequencies. Therefore, a sufficient wideband amplifier is

    required. The proposed variable-gain LNA has a maximumbandwidth of 500 MHz and a maximum gain of 63 dB in

    simulation as presented in the previous work [18]. The LNA is

    integrated with the coil into a chip to reduce signal reduction,

    reflection, and noise from cables or connections. In addition,

    an ability of frequency-band filtering is added to the scanning

    system for postmeasuring image processing.

    B. Probe Fabrication Steps

    Postfabrication steps of the proposed probe include chip-

    mounting on a based printed circuit board (PCB) and

    FIB process. After wafer dicing, tiny golden balls are attached

    to pads of the probe chip. The probe chip is then flipped andmounted on a based PCB by the usage of these golden balls.

    An FIB process is applied to remove the Si-substrate region

    under the coil, as shown in Fig. 6. The PCB then is fixed to a

    plastic probe holder. The advantage of the plastic probe holder

    compared with the metal one in the previous work [18] is to

    reduce other EM interference and to avoid eddy currents on

    the metal probe holder. Eddy currents were induced within the

    metal probe holder when it was close enough to the device-

    under-test (DUT) and thus caused a magnetic field that could

    affect to the sensing on-chip coil. The plastic probe holder is

    then attached to the probe arm of the high-precision scanning

    system placed in a shielded box to perform calibration and

    magnetic cartography scanning.

    III. MICROPOSITIONCALIBRATION

    Fig. 7 shows the calibration setup for horizontal and vertical

    directions prior to the implementation of magnetic sensing.

    Main components for the calibration are a laser attached to

    the probe arm, which also can move along the z-axis, a flat

    metal block placed on a motorized stage, and a fixed-lens

    camera whose output is fed to a computer. The computer is

    utilized to control the positions of the stage and the probes

    arm. Outputs of the camera, the laser, and the laser camera are

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    4/9

    MAI-KHANH et al.: N EAR-FIELD M AGNETIC SENSING SYSTEM WITH H IGH -SPATIAL RESOLUTION AN D APPLICATION 843

    Fig. 7. Calibration setup diagram with a real-time microphotograph for cal-ibration. Details of connection cables between computer and other equipmentare omitted.

    Fig. 8. Calibration setup picture and the base PCB with the probe chip.

    fed to the computer for monitoring and controlling the calibra-

    tion process. The distance of the laser original point (LOP) to

    any surfaces below can be measured by the laser camera but

    the gap between LOP and the probe head should be calculated

    by the first calibration step.

    The first step of the calibration is to find the gap in z-axis

    from LOP to the probe chip head. This step is performed only

    once by measuring the distance hz from LOP to the metal

    block surface and then manually finding the gap h0 between

    the probe chip head and the block surface as depicted in Fig. 7.

    Therefore, the gap between LOP and the probe head is theresult of (hz h0). To measure h 0, the probe arm is gradually

    lowered close to the flat surface of the metal block as shown in

    Fig. 8 so that the chip head and the metal block surface can be

    in range of the fixed camera and observed on the display. Then,

    h0 is measured manually based on the mesh on the display.

    Camera position is fixed and the camera lens is set together

    with an appropriate distance resolution corresponding to the

    display mesh; for example, 20 m/div, as shown in Fig. 7.

    From now, the gap between LOP and the probe chip head is

    saved and used to calculate the liftoff of the probe chip head

    to the surface of any DUTs by the laser.

    Fig. 9. Results of the flatness and magnetic scanning on an MS line withh thickness. The flatness map including relative surface roughness values isthen used in the magnetic scan step to keep the liftoff constant. Note that the

    resolution of the flatness scan must be higher or equal to the magnetic scanresolution.

    The second purpose of the calibration is to automatically

    scan the flatness of the DUT surface by the laser to compensate

    the liftoff. The metal block is removed from the motorized

    stage. A DUT, MS line, or FPGA chip, is then placed on

    the stage for surface scanning to achieve relative surface

    flatness map with a minimum accuracy of 1 m. Each of the

    points of this surface map containing values of x y positions

    and the relative surface roughness is used to compensate for

    the correspondent points on the DUT surface to keep the

    same liftoff during the magnetic scanning. Fig. 9 shows an

    illustration of height compensation and scanning results ona surface area of an MS line placed at the liftoff from the

    on-chip coil. Details of magnetic scanning results are presented

    in the following section.

    IV. SENSING E XPERIMENTALR ESULTS

    Magnetic sensing on an MS line and a cryptographic

    FPGA is performed in a shielded room to avoid external

    RF inferences. A comparison in magnetic scanning perfor-

    mance between the proposed probe and a commercial one is

    presented.

    A. Magnetic Sensing on a Microstrip LineThe experimental setup for magnetic sensing on a 100-m

    width MS line is shown in Fig. 10. After the calibration,

    the MS-line board is located on the motorized stage with

    a liftoff d from the coil. To measure the gain between the

    probe chip output and the MS-line input, the probe chip output

    is connected to port 1 of a Z V L RohdeSchwarz network

    analyzer and one terminal of the MS line is connected to

    port 2 of the network analyzer. Flatness surface map of the

    MS-line board is achieved using the laser. Magnetic scan

    is performed across the MS line and along x-axis so that

    magnetic flux generated from the MS line is perpendicular

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    5/9

    844 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 64, NO. 4, APRIL 2015

    Fig. 10. Two measurement setups using network analyzer and spectrumanalyzer to measure the gain between the probe chip output and theMS-line input and the probe output versus MS-line positions.

    Fig. 11. Measured gain between the probe output and the MS-line input.

    with the coils plane to achieve maximum magnetic flux

    through the coil. Fig. 11 shows measured gains between the

    probe output and the MS-line input power by varying the liftoff

    from 100 to 1000 m.

    To measure the magnetic strength distribution on the planes

    perpendicular to the MS line, an FSVR20 RohdeSchwarz

    spectrum analyzer is connected to the probe chip output and

    the MS line is fed with a 0-dBm power by an AgilentN9310A

    RF signal generator. The liftoff is kept at 200 m. The laser

    is used to scan the surface of the MS-line board and thethickness of the MS line with a 10-m step. Fig. 12 shows

    the measured distributed magnetic strength of the MS line at

    four frequencies of 50, 100, 150, and 200 MHz. These results

    show a higher gain of this probe in measurements on MS line

    than in the previous work [18].

    B. Magnetic Sensing on a Cryptographic FPGA

    by the Proposed Probe

    Another measurement setup is performed to measure mag-

    netic field cartography of a Virtex-5 FPGA running a 128-b

    AES algorithm core, as shown in Fig. 13. The FPGA cooling

    Fig. 12. Measured probes output by spectrum analyzer on the MS line.

    Fig. 13. (a) Scan setup on FPGA. (b) FPGA floorplanning. (c) Scannedmagnetic cartography of the whole FPGA surface.

    cover part is removed to enhance the scanning performance.The FPGA surface is scanned and marked by the laser, which

    is synthesized with a video camera to achieve corresponding

    ridge maps. This ridge map is then applied to compensate

    for the next step of magnetic scanning to ensure the same

    liftoff value for all scanning points. The FPGA is programmed

    by a computer through a USB cable, which is wrapped

    round by a ferrite cover to reduce EM interference noises,

    which can generate low-frequency noise toward the sensing

    probe.

    AES encryption includes four steps in which substitution-

    boxes (S-box) are the basic components to perform

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    6/9

    MAI-KHANH et al.: N EAR-FIELD M AGNETIC SENSING SYSTEM WITH H IGH -SPATIAL RESOLUTION AN D APPLICATION 845

    substitution [23]. To demonstrate the ability of high-spatial

    scanning resolution of the proposed probe to detect abnor-

    mal or suspicious chips areas, we intentionally mapped the

    logic block of S-box1 far away from AES circuits and other

    S-boxes by FPGA floorplanning, as shown in Fig. 13(b).

    In addition, the S-box1 code-block in the FPGA is added one

    more bit so that the operation of S-box1 can be independently

    enable/disable to other blocks.

    The implementation of magnetic cartography 2-D scanning

    by the proposed probe is performed with a scanning spatial

    resolution of 50 m and a liftoff of 100 m. The probe

    output is connected to a spectrum analyzer whose data are

    transferred to a computer. Measured data from the spec-

    trum analyzer are then applied a filtering step in frequency

    domain to obtain frequency-dependent magnetic maps.

    Fig. 13(c) shows a scanned magnetic cartography at 72 MHz

    in the case of operating the AES core with the running of

    S-box1. The map shows vertical streaks that can be caused

    by the operation of digital registers and metallic mesh inside

    the FPGA. Furthermore, several areas in red color disclose

    that a higher magnetic field is distributed and leakage infor-mation in such positions might be revealed easily under

    EM side-channel attacks.

    C. Comparison in Performance With a Commercial Probe

    A commercial probe [24], MT-545, is employed to scan

    on the FPGAs surface running the AES core to achieve near-

    field magnetic maps for the purpose of comparison in scanning

    performance. The FPGA configuration in the case of using

    MT-545 is the same with that in the proposed probe.

    Table I shows 10-mm 10-mm magnetic maps scanned

    by the commercial probe with/without S-box1 operations.

    These maps are with several harmonic frequencies of theFPGAs clock frequency of 24 MHz. These maps provide lower

    resolution and less information compared with the scanned

    magnetic cartography exhibited in Fig. 13(c). A differential

    image processing step is applied for these scanned magnetic

    maps to find S-box1-operation-related portions, as shown in

    the figures of the rightmost column of Table I. It seems that

    these portions are scattered but still distributed along the center

    stripe of the maps.

    Table II shows 11.2-mm 11.6-mm magnetic maps built

    by the proposed probe. Measured data with/without S-box1

    operations are collected in several harmonic frequencies of

    the clock. In the postscanned processing step, data maps are

    rescaled with the same range of 61.0 to 55 dB. Then,a differential image processing is executed as shown in the

    rightmost column of Table II. As can be seen, the map in

    the case of 72 MHz (the third harmonic of 24 MHz) shows

    the highest received power distribution. However, that of the

    fundamental frequency indeed reveals less power distribution

    than both of the 48- and 96-MHz maps although in theory

    spectrum of the clock signal x(t) shows that the amplitude

    of fundamental component is the highest. This is because

    the coils voltage induced by the magnetic field increases in

    proportion to the frequency of the magnetic, as expressed

    in (2). Therefore, the total gain from the induced magnetic

    TABLE I

    MAGNETICCARTOGRAPHYS CANNED BYMT-545 COMMERCIALP ROBE

    field to the probe output is proportionate to the frequency

    within the range from 20 to 300 MHz, as shown in Fig. 11.

    Vertical stripes in differential magnetic cartography produced

    by the proposed probe are sharper and show more details than

    those of MT-545. In addition, one may recognize on these

    differential cartography several blurred traces of a gird, which

    may correspond to the metal mesh and dummy metals ofthe FPGA.

    Table IV shows a comparison among this proposal,

    MT-545 commercial probe, and prior works. Duboiset al.[25],

    Wei and Wilkinson [26], and Zhang et al. [27] used handmade

    or on-PCB sensing coils connected to portable or on-board

    LNAs for their probes. They used several millimeter size

    coils for the detection of the magnetic fields from digital

    logic circuits and magnetic induced tomography applications

    without any position calibration [25], [26] or with a time-

    domain simulation-versus-measurement calibration [27] for

    millimeter accuracy. These schemes are inadequate for the

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    7/9

    846 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 64, NO. 4, APRIL 2015

    TABLE II

    MAGNETICC ARTOGRAPHYS CANNED BY THEP ROPOSEDP ROBE

    security applications that request microprecision magnetic

    sensing. Our probe integrates a several hundred micrometer

    scale coils with an LNA into a 0.68-mm 2.5-mm chip

    to enhance the scanning resolution as well as to reduce the

    problems of loss, reflection, and noise from the cable-based

    connection between the coil and the LNA. Another groupimplemented a standalone coil integration using the same

    chip fabrication process with us but employed an external

    LNA [28], whereas we realized a single-chip implementation.

    We performed a microposition calibration for the measurement

    with the higher scanning accuracy of 1 m, which is 10 times

    finer than that in [28]. We improved the quality factor of

    the coil by the removal of the Si-substrate area under the

    coil by applying a postprocessing FIB technique. Because

    of the high sensitivity of the integrated magnetic probe and

    the fine spatial resolution of our scanning system, we can

    perform a magnetic scanning on an abnormal small area of

    TABLE III

    33-mm2 SCANNEDM AGNETICCARTOGRAPHY OF THE

    S- BOX1 A REA BY THEP ROPOSEDPROBE

    the cryptographic FPGA surface, including the S-box1 area as

    marked in Fig. 13(c), to demonstrate the ability of detecting

    malicious blocks. Scanned magnetic maps with a

    scanning resolution of 25 m are shown in Table III at

    harmonic frequencies of the 24-MHz clock frequency. Corre-

    sponding differential maps shows some streaks caused by theoperation of the S-box1 block. These scanned data are rescaled

    with the same range of61.0 to 55 dB. Due to differential

    EM maps in harmonic frequencies of 24 MHz as depicted

    in the rightmost column, the S-box1 area can be obviously

    detected. In addition to the detection of the S-box1 operation,

    measured magnetic maps of the S-box1 area scanned by the

    proposed microprobe reveals more detailed information and

    higher resolution than that by the macro-MT-545. Moreover,

    the measured cartography maps in harmonic frequencies show

    more sharp-edged stripes and more details. The detection of

    the S-box1 area illustrates the ability of the proposed probe

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    8/9

    MAI-KHANH et al.: N EAR-FIELD M AGNETIC SENSING SYSTEM WITH H IGH -SPATIAL RESOLUTION AN D APPLICATION 847

    TABLE IV

    COMPARISONWIT HOTHERWORKS

    to detect malicious Trojan blocks, which may be intentionally

    installed in cryptographic LSIs.

    V. CONCLUSION

    A high-spatial resolution measurement for near-field

    magnetic scanning on cryptographic LSIs is presented. Theproposed probe chip includes a magnetic pick-up coil inte-

    grated in a chip with a three-stage LNA in a 0.18-m

    CMOS process. Sensing enhancement is based on the high-

    spatial resolution mechanical scanning system and the removal

    of the Si-substrate under the coil at the cost of the postprocess-

    ing of a FIB technique. A microposition calibration is pro-

    posed to allow microscanning operation with 1-m accuracy.

    Because of these techniques, magnetic sensing applications by

    the proposed system, which are conducted on a MS line and a

    128-b AES cryptographic FPGA show higher gains than those

    in the previous works. A comparison with a macro commercial

    probe is also performed. Measured results show that the

    proposed microprobe can be applied to detect and localize

    vulnerable areas and suspicious components of cryptographic

    LSIs from EM side-channel attacks.

    ACKNOWLEDGMENT

    The authors would like to thank the VLSI Design and

    Education Center, the University of Tokyo, Japan, in collabo-

    ration with Rohm Corporation, Toppan Printing Corporation,

    Synopsys, Inc., Mentor Graphics, Inc., Cadence Design

    Systems, Inc., and Agilent Technologies Japan, Ltd. They

    would also like to thank Dr. S. Nakajima and Dr. A. Satoh

    for their helpful contributions to this paper.

    REFERENCES

    [1] P. C. Kocher, Timing attacks on implementations of DiffieHellman,RSA, DSS, and other systems, in Advances in Cryptology. Berlin,Germany: Springer-Verlag, 1996, pp. 104113.

    [2] P. C. Kocher, J. Jaffe, and B. Jun, Differential power analysis, inAdvances in Cryptology(Lecture Notes in Computer Science), vol. 1666.Berlin, Germany: Springer-Verlag, 1999, pp. 388397.

    [3] E. Peeters, F.-X. Standaert, and J.-J. Quisquater, Power and electro-magnetic analysis: Improved model, consequences and comparisons,

    Integr., VLSI J., vol. 40, no. 1, pp. 5260, 2007.[4] S. Mangard, E. Oswald, and T. Popp,Power Analysis Attacks: Revealing

    the Secrets of Smart Cards. Heidelberg, Germany: Springer-Verlag,2007.

    [5] T. Sugawaraet al., Mechanism behind information leakage in electro-magnetic analysis of cryptographic modules, in Information Security

    Applications (Lecture Notes in Computer Science), vol. 5932. Berlin,Germany: Springer-Verlag, 2009, pp. 6678.

    [6] E. Brier, C. Clavier, and F. Olivier, Correlation power analysis with aleakage model, in Cryptographic Hardware and Embedded Systems(Lecture Notes in Computer Science), vol. 3156. Berlin, Germany:

    Springer-Verlag, 2004, pp. 1629.[7] J. Wu, Y. Shi, and M. Choi, Measurement and evaluation of power

    analysis attacks on asynchronous S-box, IEEE Trans. Instrum. Meas.,vol. 61, no. 10, pp. 27652775, Oct. 2012.

    [8] D. Real, F. Valette, and M. Drissi, Enhancing correlation electromag-netic attack using planar near-field cartography, in Proc. Design, Autom.Test Eur. Conf. Exhibit. (DATE), Apr. 2009, pp. 628633.

    [9] F.-X. Standaert and C. Archambeau, Using subspace-based templateattacks to compare and combine power and electromagnetic informa-tion leakages, in Cryptographic Hardware and Embedded Systems(Lecture Notes in Computer Science), vol. 5154. Berlin, Germany:Springer-Verlag, 2008, pp. 411425.

    [10] N. Homma, T. Aoki, and A. Satoh, Electromagnetic informationleakage for side-channel analysis of cryptographic modules, in Proc.

    IEEE Int. Symp. EMC, Jul. 2010, pp. 97102.

    [11] M. Yamaguchi, S. Koya, H. Torizuka, S. Aoyama, and S. Kawahito,Shielded-loop-type onchip magnetic-field probe to evaluate radiatedemission from thin-film noise suppressor, IEEE Trans. Magn., vol. 43,no. 6, pp. 23702372, Jun. 2007.

    [12] K. Chen, Q. Zhao, P. Zhang, and G. Deng, The power of electro-magnetic analysis on embedded cryptographic Ics, in Proc. Int. Conf.

    Embedded Softw. Syst. Symp. (ISESS), Jul. 2008, pp. 197201.

    [13] K. Gandolfi, C. Mourtel, and F. Olivier, Electromagnetic analysis:Concrete results, in Cryptographic Hardware and Embedded Systems(Lecture Notes in Computer Science), vol. 2162. Berlin, Germany:Springer-Verlag, 2001, pp. 251261.

    [14] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi, The EMsideChannel(s), in Cryptographic Hardware and Embedded Systems.Berlin, Germany: Springer-Verlag, Aug. 2002.

    [15] J. Lenz and A. S. Edelstein, Magnetic sensors and their applications,IEEE Sensor J., vol. 6, no. 3, pp. 631648, Jun. 2006.

    [16] S. Mangard, Exploiting radiated emissionsEM attacks on crypto-graphic ICs, in Proc. Austrochip, Linz, Austria, Oct. 2003, pp. 1316.

    [17] L. Sauvage, S. Guilley, J.-L. Danger, Y. Mathieu, and M. Nassar,Successful attack on an FPGA-based WDDL DES cryptoprocessorwithout place and route constraints, in Proc. Design, Autom. Test Eur.Conf. Exhibit. (DATE), 2009, pp. 640645.

    [18] N. N. Mai-Khanh, T. Iizuka, M. Yamada, O. Morita, and K. Asada,An integrated high-precision probe system for near-field magnetic mea-surements on cryptographic LSIs, in Proc. IEEE Sensors, Oct. 2012,pp. 20742077.

    [19] N. N. Mai-Khanh, T. Iizuka, M. Yamada, O. Morita, and K. Asada,An integrated high-precision probe system in 0.18-m CMOS for near-field magnetic measurements on cryptographic LSIs, IEEE Sensors J.,vol. 13, no. 7, pp. 26752682, Jul. 2013.

    [20] N. N. Mai-Khanh, T. Iizuka, M. Yamada, O. Morita, and K. Asada,High-resolution measurement of magnetic field generated from cryp-tographic LSIs, in Proc. IEEE Sensor Appl. Symp., Feb. 2014,pp. 111114.

  • 7/23/2019 Near-Field Magnetic Sensing System With High-Spatial Resolution and Application for Security of Cryptographic LSI

    9/9

    848 IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 64, NO. 4, APRIL 2015

    [21] C. P. Yue and S. S. Wong, On-chip spiral inductors with patternedground shields for Si-based RF ICs, IEEE J. Solid-State Circuits,vol. 33, no. 5, pp. 743752, May 1998.

    [22] K. Nishikawa, K. Shintani, and S. Yamakawa, Effects of eddy currenton characteristics of spiral inductors on silicon, Jpn. J. Appl. Phys.,vol. 48, no. 10R, p. 106502, Jan. 2009.

    [23] [Online]. Available: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf, accessed Nov. 25, 2014.

    [24] [Online]. Available: http://www.morita-tech.co.jp/pdf/MT-545%20probe%20TD.pdf, accessed Sep. 18, 2014.

    [25] T. Dubois et al., Near-field electromagnetic characterization and per-turbation of logic circuits, IEEE Trans. Instrum. Meas., vol. 57, no. 11,pp. 23982404, Nov. 2008.

    [26] H.-Y. Wei and A. J. Wilkinson, Design of a sensor coil and mea-surement electronics for magnetic induction tomography, IEEE Trans.

    Instrum. Meas., vol. 60, no. 12, pp. 38533859, Dec. 2011.[27] J. Zhang, K. W. Kam, J. Min, V. V. Khilkevich, D. Pommerenke, and

    J. Fan, An effective method of probe calibration in phase-resolved near-field scanning for EMI application,IEEE Trans. Instrum. Meas., vol. 62,no. 3, pp. 648658, Mar. 2013.

    [28] S. Muroga, K. Arai, S. Dhungana, R. Okuta, Y. Endo, andM. Yamaguchi, 3-D magnetic-near-field scanner for IC chip-levelnoise coupling measurements, IEEE Trans. Magn., vol. 49, no. 7,pp. 38863889, Jul. 2013.

    Nguyen Ngoc Mai-Khanh (M12) was born inVung Tau, Vietnam. He received the B.S. andM.S. degrees in electrical engineering from VietnamNational University, University of Technology, HoChi Minh City, Vietnam, in 2002 and 2004, respec-tively, and the Ph.D. degree in electrical engineeringand information systems from the Graduate Schoolof Engineering, University of Tokyo, Tokyo, Japan,in 2011.

    He joined a system-on-chip short-term project forthe internship with the Toshiba Research and Devel-

    opment Center, Kawasaki, Japan, in 2006. From 2011 to 2013, he was a Post-Doctoral Researcher with the VLSI Design and Education Center, Universityof Tokyo, where he is currently an Assistant Professor. Since 2006, he hasbeen a Lecturer with the Faculty of Electrical and Electronic Engineering,Vietnam National University, University of Technology, HCMC, Viet Nam.

    His current research interests include integrated analog circuits and microwavepulse transceiver circuits.

    Dr. Mai-Khanh was a recipient of the Best Paper Award of the AsianSymposium on Quality Electronic Design in 2010 and the third rank of BestStudent Paper Award of the 9th IEEE NEWCAS Conference in 2011.

    Tetsuya Iizuka (M02) received the B.S., M.S., andPh.D. degrees in electronic engineering from theUniversity of Tokyo, Tokyo, Japan, in 2002, 2004,and 2007, respectively.

    He was a High-Speed Serial Interface CircuitDesigner with the industry for two years. He joinedthe University of Tokyo in 2009, where he is cur-rently an Assistant Professor with the Department of

    Electrical Engineering and Information Systems. Hiscurrent research interests include digitally assistedanalog circuits and very large scale integration

    computer-aided design.Dr. Iizuka is a member of the Institute of Electronics, Information and Com-

    munication Engineers (IEICE). He was a recipient of the Young ResearchersAward from IEICE in 2002, the IEEE International Conference on Electronics,Circuits, and Systems Best Student Paper Award in 2006, and the YamashitaSIG Research Award from the Information Processing Society of Japan in2007. He is also a member of the IEEE International Solid-State CircuitsConference and the IEEE Custom Integrated Circuits Conference TechnicalProgram Committees.

    Akihiko Sasaki received the B.E., M.E., andPh.D. degrees from the University of Electro-Communications, Tokyo, Japan, in 2003, 2005, and2008, respectively.

    In 2011, he joined Morita-Tech Company, Ltd.,Kawasaki, Japan. His current research interestsinclude evaluation platform of side-channel analysisand fault analysis on cryptographic circuit.

    Makoto Yamada was born in Nagano, Japan.He received the B.S. degree in electrical engineer-ing from the University of Yamanashi, Yamanashi,Japan, in 1981.

    He joined the Test and Measurement Division,Yokogawa Hewlett Packard, Tokyo, Japan, asa Field Sales Engineer. In 2010, he joinedMorita-Tech Company, Ltd., Kawasaki, Japan, asa Security System Division Manager and Probeand EMC Scanner Specialist. He is responsible foroverseeing SASEBO and SAKURA Project relating

    to side channel attack, DPA, electro-magnetic analysis solutions, current

    roadmap for EM, and laser fault injection system.

    Osamu Morita was born in Tokyo, Japan.He received the B.S. degree in electrical engineeringand electronics from Aoyama Gakuin University,Tokyo, in 1978.

    He set up entrepreneurial ventures and providedcustom-made solutions, including key elements ofRF technology, mechatronics, electric circuit design,and software.

    Kunihiro Asada (M80) was born in Fukui,Japan, in 1952. He received the B.S., M.S., andPh.D. degrees in electronic engineering from theUniversity of Tokyo, Tokyo, Japan, in 1975, 1977,and 1980, respectively.

    He joined the Faculty of Engineering, Universityof Tokyo, in 1980, and became a Lecturer, an Asso-ciate Professor, and a Professor in 1981, 1985, and1995, respectively. From 1985 to 1986, he was withthe University of Edinburgh, Edinburgh, U.K., as aVisiting Scholar supported by the British Council.

    From 1990 to 1992, he served as the first Editor of the English version ofIEICE Transactions on Electronics. In 1996, he established the VLSI Design

    and Education Center (VDEC), with his colleagues in the University of Tokyo,which is the center to promote education and research of VLSI design in all theuniversities and colleges in Japan. He is currently in charge of the Director ofVDEC. He has authored over 400 technical papers in journals and conferenceproceedings. His current research interests include design and evaluation ofintegrated systems and component devices.

    Dr. Asada is a member of the Institute of Electronics, Information andCommunication Engineers of Japan (IEICE), and the Institute of ElectricalEngineers of Japan (IEEJ). He has received Best Paper Awards from IEEJ,IEICE, and ICMTS1998/IEEE. He also served as the Chair of the IEEE/SSCSJapan Chapter from 2001 to 2002 and the IEEE Japan Chapter OperationCommittee from 2007 to 2008.