SYSTEM AND METHOD FOR SECURING AN ELECTRONIC CIRCUIT
Abstract:
The invention relates to a system (1) for securing an electronic circuit (2) comprising a plurality of regions (Z1-Z2, Z4-Z6), the activity of each of which can be controlled. The system comprises a plurality of sensors (S1-Sm) integrated in the electronic circuit, each sensor being sensitive to variations in the manufacturing process and able to provide a measurement representative of a local activity of the electronic circuit. It is characterized in that it comprises a processing unit comprising a verification module configured to:
- determine, from the measurements provided by the sensors, and for each of the regions, a partition of the sensors between sensors affected and sensors unaffected by activation of the region;
- compare each partition to a model partition to detect the possible presence of a hardware Trojan that could infect the electronic circuit.
The system can also authenticate the electronic circuit through its intrinsic physical characteristics, by challenge-response or by key generation.

Publication number: FR3026253A1
Application number: FR1458863
Filing date: 2014-09-19
Publication date: 2016-03-25
Inventors: Maxime Lecomte; Jacques Fournier; Philippe Maurine
Applicants: Commissariat a lEnergie Atomique CEA; Commissariat a lEnergie Atomique et aux Energies Alternatives CEA
Main IPC number:
Description:
[0001] TECHNICAL FIELD

The field of the invention is that of securing electronic circuits. The invention relates more particularly to the integrity check of an electronic circuit for detecting a possible hardware Trojan, as well as to the authentication of such an electronic circuit.

STATE OF THE PRIOR ART

Integrated circuits, especially those used for a secure purpose (encryption of data, encrypted communications, secure payments, etc.), are potential targets for attackers who may seek to compromise their integrity in order, for example, to cause a denial of service, to degrade performance or to induce a drop in manufacturing yield. For these reasons, it is important to provide these circuits with countermeasures to ensure their security.

Until now, the security of integrated circuits has focused on secure packaging and on measures against physical attacks (side-channel attacks such as differential power analysis, and fault injection). But with the offshoring of production to third-party foundries and the explosion of counterfeiting, new needs related to the authentication and the integrity verification of electronic circuits have emerged.

Today, the authentication of a circuit can be carried out using a secret and unique key stored in a memory of the circuit. This key is usually written in memory during the personalization phase of the circuit. In parallel, the key is stored in a database on a server. To authenticate the electronic circuit, the server sends a binary word to the circuit, which uses it to process (with a hash algorithm for example) the key stored in memory and returns the result to the server. The server applies the same procedure with the key stored in the database and compares the result obtained with that returned by the circuit. If the two results are identical, the circuit is authenticated.
In addition to its cost (related to the personalization phase and the degree of security of the memory storing the key), this authentication mode also has the disadvantage of not being perfectly robust, since it is clonable both mathematically and physically.

Another authentication solution consists of measuring intrinsic and unclonable characteristics of a given circuit, as is done in biometrics to authenticate people. Much research has been carried out in this area, in particular on physically unclonable functions (PUFs). PUFs are hardware structures that measure intrinsic characteristics of circuits, that is, characteristics that reveal manufacturing process variations, which are recognized as impossible to clone (both mathematically and physically) because they are sufficiently large and random to guarantee the uniqueness of the circuits' fingerprints. Known examples include optical PUFs based on the optical properties of materials randomly doped with opaque particles, PUFs based on variations in the external environment (for example by measuring the equivalent resistance of a circuit or the electrical properties of a special environment), PUFs based on differences in the internal propagation delays of a circuit (using either arbiters or ring oscillators), and PUFs based on the unpredictable initial state of memory cells.

Due to their sensitivity to physical tampering, PUFs can, to a certain extent, be used to check the integrity of an integrated circuit. However, in a more global and more efficient approach to the integrity problem, it must be verified that a given circuit has not been tampered with, either by disabling certain features or by adding what is called a hardware Trojan.

A hardware Trojan consists of two parts, a trigger and an actuator. The trigger is a mechanism that lies dormant and watches for the conditions under which the "harmful" effect must be triggered.
The triggering event can be generated externally (external signal or special physical conditions) or internally (internal state of the circuit, special data configuration, etc.). Moreover, the trigger can be combinational, when the desired condition is the result of a logical operation on several signals, or sequential, when the signal is generated by a state machine. The actuator is the unwanted effect of the Trojan. It can be explicit, when signals or logic blocks are directly added, deleted or disabled, or implicit, when the effect is not directly observed, for example the thinning of some wires or information hidden in the side channels of the circuit.

The detection of a hardware Trojan is a complex and multidimensional problem that depends on the type of Trojan (functional or parametric), its size, its distribution over the circuit surface and its structure. Detection techniques based on fault analysis or on automatic test pattern generation (ATPG) are known, but these techniques are limited in terms of coverage of the circuit.

[0002] Techniques using side channels or propagation delays on internal paths of a circuit are also known. But they require relatively expensive equipment and long measurement times that are incompatible with the volume production of integrated circuits. They moreover require a reference circuit (called "golden"), namely an implementation which is declared healthy (free of hardware Trojans) and whose side-channel analyses or propagation delay measurements are used as a reference for the analysis of other circuits. However, such a reference circuit is only valid once the circuit has been manufactured and after it has undergone a complete reverse-engineering phase, which is extremely costly in time and resources.
[0003] The existing integrity verification solutions for the detection of a hardware Trojan are still experimental and not well suited to industrial deployment (volume production). US patent application 2013/019324 A1 discloses an integrity verification technique using a network of ring oscillators distributed throughout a circuit, and a statistical analysis of the data from this network to verify whether or not a circuit is healthy. More precisely, three consecutive statistical methods are performed outside the circuit. The drawbacks of this technique are the need for a population of healthy circuits of the same design, and the application of the three statistical methods, which is computationally costly and is not embedded but performed outside the circuit.

DISCLOSURE OF THE INVENTION

The purpose of the invention is to propose a solution for verifying the integrity of an electronic circuit, in order to detect the possible presence of a hardware Trojan that could infect the circuit, that can be easily deployed during volume production of the circuit. To this end, the invention proposes a system for securing an electronic circuit comprising a plurality of regions whose activation can be controlled, comprising a plurality of sensors integrated in the electronic circuit, each sensor being sensitive to variations in the manufacturing process and capable of providing a measurement representative of a local activity of the electronic circuit, characterized in that it comprises a processing unit comprising an integrity verification module configured to:
- determine, from the measurements provided by the sensors, and for each of the regions, a partition of the sensors between sensors affected and sensors not affected by an activation of the region;
- compare each of the partitions to a model partition to detect the possible presence of a hardware Trojan that could infect the electronic circuit.
Each region can be dedicated to the execution of a given functionality, the activation of a region then taking the form of a command to execute the functionality associated with the region.

[0004] BRIEF DESCRIPTION OF THE DRAWINGS

Other aspects, objects, advantages and characteristics of the invention will become more apparent on reading the following detailed description of preferred embodiments thereof, given by way of non-limiting example, and made with reference to the accompanying drawings, in which:
- Figure 1 is a diagram illustrating the system according to the invention;
- Figure 2 represents an example of spatial deployment of the sensors on the surface of a circuit;
- Figure 3 represents an example of a sensor that can be used in the context of the invention;
- Figure 4 is a diagram illustrating the operation of an integrity check that can be implemented by a system according to the invention.

DETAILED DESCRIPTION OF PARTICULAR EMBODIMENTS

With reference to Figures 1 and 2, the invention relates to a system 1 for securing an electronic circuit 2, the circuit 2 comprising several regions Z1-Z6 whose activation can be controlled. For example, a region is dedicated to executing a functionality, and its activation corresponds to the execution of this functionality.

The system comprises a plurality of sensors Si, S1-Sm integrated in the electronic circuit, each sensor being sensitive to variations in the manufacturing process and in the operating conditions (in particular the supply voltage), so as to be able to provide a measurement representative of a local activity of the electronic circuit in an area surrounding the sensor and of the local quality of the silicon.

The sensors S1-Sm can be distributed in the form of a regular matrix (as shown in Figure 2, which shows a matrix of 8 × 8 sensors) or not. In particular, the surface density of the sensors can be varied locally (non-uniform distribution) depending on the part of the circuit that is to be protected.
The sensors are preferably distributed over the entire surface of the circuit, but in general the placement and the number of sensors are chosen according to the arrangement of the different regions of the circuit, in order to obtain measurements that best represent the activity of the circuit.

Circuit 2 is formed of components integrated on a chip. The sensors are also integrated on the chip, but do not take part in the functionality of the circuit. The measurements provided by the sensors are retrieved by an acquisition unit and processed by a processing unit 3. The processing unit can be implemented in hardware and/or software, and can be located inside or outside the circuit. In an embodiment shown in Figure 2, the acquisition and processing units are integrated in the circuit, typically being placed in a space left free in the circuit (the region Z3 in Figure 2).

The sensors Si provide a digital output value that depends on process variations and on the local supply voltage. They are controllable and can be turned on or off. Their output is preferably not influenced by the temperature conditions. The sensors are preferably configurable, for example to modify their sensitivity. In the case of ring oscillator type sensors, it is thus possible to adjust the counting time.

An example of such sensors is a delay measuring device which uses a delay amplifier and a two-delay interpolation method to generate a digital word whose value varies according to the measured time and therefore according to the manufacturing process variations. An arbiter is the element that compares the propagation delays on two paths. The compared paths can be a pre-existing path and a replica, or two similar dedicated paths.

[0005] Another example of sensors is a ring oscillator, an exemplary embodiment of which is illustrated in Figure 3. In this example, the oscillator is composed of an AND gate, two inverters and a 16-bit counter.
Activation of the 'enable' signal causes oscillation at a frequency f which depends on process variations, temperature and supply voltage. From this oscillation frequency, a numerical value is generated by the counter, which counts the oscillations over a given time. Deactivating the 'enable' signal puts the system in a stable state and stops the oscillation.

Identification of informative bits

The sensors preferably provide measurements in the form of digital words, each consisting of a series of bits. The processing unit 3 may comprise an informative bit identification module making it possible to identify the bits that are characteristic of each sensor and whose variation between two measurements remains limited. In this way, it is possible to reduce the size of the digital words without losing informative content. For this purpose, the informative bit identification module is configured to eliminate, from the series of bits provided by each sensor, the bits that are invariant in the digital words provided by the different sensors and the bits that vary randomly in the different digital words provided by that sensor.

[0006] In a first step, the informative bit identification module identifies the bits that are invariant from one sensor to another, for example by calculating the variance or entropy of each bit between the sensors. Bits for which the variance (or entropy) is zero can then be deleted. These are, for example, the most significant bits up to the first bit having non-zero variance (or entropy) between the sensors.

In a second step, the informative bit identification module identifies the bits that vary randomly between two acquisitions of the same sensor, for example by calculating the variance (or entropy) of each bit between different acquisitions. Bits for which the variance (or entropy) is non-zero can then be deleted. These are, for example, the least significant bits up to the first bit having zero variance (or entropy) between two acquisitions.
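The two-step bit selection described above can be sketched as follows. This is an added example, not code from the patent: the function names, the 4-sensor, 3-acquisition data set and the use of the population variance are assumptions, and the sample words are constructed so that 6 high bits are common to all sensors and 6 low bits are noisy.

```python
from statistics import pvariance

WIDTH = 16  # each sensor outputs a 16-bit word, as in the ring-oscillator example

# Constructed sample data (not measurements from the patent): 4 sensors, 3 acquisitions.
# Word layout: 6 bits common to all sensors | 4 sensor-specific bits | 6 noisy bits.
COMMON = 0b101101
SENSOR_ID = [0b0011, 0b1010, 0b0110, 0b1101]
NOISE = [
    [0b000000, 0b001100, 0b101010, 0b000111],  # acquisition 0
    [0b111111, 0b110011, 0b010101, 0b111000],  # acquisition 1
    [0b010101, 0b001100, 0b101011, 0b000111],  # acquisition 2
]
ACQUISITIONS = [
    [(COMMON << 10) | (SENSOR_ID[s] << 6) | row[s] for s in range(len(SENSOR_ID))]
    for row in NOISE
]


def bit(word, pos):
    """Value (0 or 1) of bit `pos` of `word`; position 0 is the least significant bit."""
    return (word >> pos) & 1


def informative_window(acquisitions, width=WIDTH):
    """Return (hi, lo): the inclusive range of bit positions worth keeping.

    acquisitions[a][s] is the word read from sensor s during acquisition a.
    """
    n_sensors = len(acquisitions[0])

    # Step 1: walk down from the MSB while the bit has zero variance between
    # sensors, i.e. it carries no information that distinguishes one sensor.
    hi = width - 1
    while hi >= 0 and pvariance([bit(w, hi) for acq in acquisitions for w in acq]) == 0:
        hi -= 1

    # Step 2: walk up from the LSB while the bit has non-zero variance between
    # acquisitions of at least one sensor, i.e. it behaves as measurement noise.
    lo = 0
    while lo <= hi and any(
        pvariance([bit(acq[s], lo) for acq in acquisitions]) > 0
        for s in range(n_sensors)
    ):
        lo += 1

    if lo > hi:
        # Edge case: every bit is either common to all sensors or unstable.
        raise ValueError("no informative bits left in the sensor words")
    return hi, lo


def reduce_word(word, hi, lo):
    """Keep only bits hi..lo of a sensor word."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


if __name__ == "__main__":
    hi, lo = informative_window(ACQUISITIONS)
    print(f"informative bits: {hi}..{lo} ({hi - lo + 1} bits per sensor)")
    for a, acq in enumerate(ACQUISITIONS):
        print(a, [format(reduce_word(w, hi, lo), "04b") for w in acq])
```

With this data the 16-bit words shrink to 4 stable bits per sensor, and the reduced words are identical from one acquisition to the next.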
The informative bit identification module thus makes it possible to limit the size of the digital words coming from each sensor, in order to keep only the bits containing useful and unique information for each sensor. In one exemplary embodiment, for the 16 bits generated by a sensor, the 6 most significant bits are identified for all the sensors as carrying information that is invariant between the sensors, and the 6 least significant bits as carrying the random information of the sensor. This leaves 4 common informative bits per sensor.

The informative bit identification module is preferably placed upstream of the other modules 4, 5, 6 of the processing unit, which will be described later.

Integrity Verification

The processing unit 3 comprises an integrity verification module 4 making it possible to detect the possible presence of a hardware Trojan in the circuit 2. More precisely, the integrity verification module 4 makes it possible to detect, and possibly locate, the electrical activity of the triggers or actuators. It is configured for this purpose to:
- determine, from the measurements provided by the sensors, and for each of the regions, a partition of the sensors between sensors affected and sensors unaffected by the activation of the region;
- compare each partition to a model partition, obtained from a reference (golden) circuit or from simulations during the circuit design, to detect the possible presence of a hardware Trojan that could infect the electronic circuit.

[0007] In the case where the circuit is affected by a hardware Trojan, the trigger of the Trojan changes the activity of the circuit and hence the partitions of the sensors. Since the partitions then no longer correspond to the model partitions, the circuit can be declared infected.

The integrity verification module 4 can exploit the measurements provided by the sensors for different activities of the circuit.
Thus, in one possible embodiment, the integrity verification module 4 can be configured to:
- deactivate all the regions of the electronic circuit (for example by deactivating all the functionalities of the electronic circuit) and perform an acquisition of the measurements provided by the sensors;
- activate in turn only one of the regions of the electronic circuit (for example by commanding the execution in turn of only one of the functionalities of the electronic circuit), and perform an acquisition of the measurements provided by the sensors;
- compare, for each of the regions and for each of the sensors, the measurement made by the sensor while only that region is activated with the measurement made by the sensor while all the regions are deactivated;
- determine said sensor partitions from said compared measurements.

A region can be dedicated to the execution of a given functionality, and its activation can thus consist in executing this functionality. Alternatively or additionally, electrical activity generators can be integrated within the circuit to increase, if necessary (for example when the circuit contains few functional blocks), the number of partitions that can be built. An activity generator generates a local current draw, leading to the activation of a given region of the circuit.

The different acquisitions are made over the same duration. The result of the comparison is, for each region of the circuit successively activated, a list of comparative measurements. In the example given above, where the sensors are ring oscillators, the list is a list of oscillation frequency differences. This list is used to separate the population of sensors into two sets: a first set containing the sensors affected by the activity of the activated region, and a second set containing the sensors unaffected by the activity of the activated region.
This separation is typically implemented by a partitioning algorithm, for example the k-means algorithm (standard or fuzzy), or a supervised learning algorithm of the Bayesian classifier or support vector machine type.

Figure 4 illustrates this integrity check, taking as an example a healthy circuit 20 comprising three regions R1, R2 and R3 for the implementation of three functionalities, and a circuit 21 of the same design but infected by a hardware Trojan T. Sensors S1-S9 are distributed in a matrix on circuits 20, 21.

[0008] The table at the top right illustrates, for the healthy circuit 20 and for each of the regions, the partition of the sensors between sensors affected ("1") and sensors unaffected ("0") by the activation of the region (the execution of a functionality in the following example). Several tests can be performed to obtain a probability of being affected, if necessary.

Thus, the execution of the functionality corresponding to the region R1 and the measurements of the different sensors make it possible to determine that the sensors S1, S2, S4 and S5 are affected by the execution of this functionality, while the others are not. Similarly, the execution of the functionality corresponding to the region R2 and the measurements of the various sensors make it possible to determine that the sensors S7 and S8 are affected by the execution of this functionality, while the others are not. Finally, the execution of the functionality corresponding to the region R3 and the measurements of the various sensors make it possible to determine that the sensors S3, S6 and S9 are affected by the execution of this functionality, while the others are not.

In other words, each line of this table illustrates the model partition for each of the functionalities corresponding to the regions R1-R3. In practice, the model partition is a partition resulting from simulation, or a partition built from the measurements of sensors integrated into a healthy reference circuit.
The table at the bottom right illustrates, for the infected circuit 21 and for each of the functionalities, the partition of the sensors between sensors affected and sensors unaffected by the execution of the functionality. Thus, the execution of the functionality corresponding to the region R1 and the measurements of the different sensors make it possible to determine that the sensors S1-S5 are affected by the execution of this functionality, while the others are not. Similarly, the execution of the functionality corresponding to the region R2 and the measurements of the various sensors make it possible to determine that the sensors S2, S3, S7 and S8 are affected by the execution of this functionality, while the others are not affected. Finally, the execution of the functionality corresponding to the region R3 and the measurements of the various sensors make it possible to determine that the sensors S2, S3, S6 and S9 are affected by the execution of this functionality, while the others are not affected.

[0009] The line-by-line comparison of the two tables reveals a different partition of the sensors and thus leads to the conclusion that the circuit 21 is infected by a hardware Trojan. This comparison of the partitions can be carried out by means of a similarity measure, for example the Rand index or the Jaccard index.

[0010] Moreover, in one possible embodiment, the integrity verification module 4 is further configured to locate a possible hardware Trojan, for example by counting, for each sensor and over all the functionalities, the number of times it is classified in a set different from the one in which it should appear in the model partition. When this number exceeds a threshold, the integrity verification module determines the presence of a hardware Trojan near the sensor. Returning to the example of Figure 4, this number is zero for the sensors S1 and S4-S9, and two for the sensors S2 and S3.
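The acquisition, partitioning, comparison and localization steps above, worked on the Figure 4 example. This is an added example, not code from the patent: the counter values, the size of the activity-induced count drop, the noise floor and the function names are assumptions, with a two-cluster 1-D k-means as the partitioning algorithm and the Jaccard index as the similarity measure.

```python
from statistics import mean

# Constructed sample data: ring-oscillator counts for sensors S1..S9 with every
# region deactivated (baseline acquisition). Not measurements from the patent.
BASELINE = [41210, 40987, 41102, 40875, 41340, 41055, 40930, 41188, 41012]

# Model partitions of the healthy circuit 20, as described for Figure 4.
MODEL = {"R1": {1, 2, 4, 5}, "R2": {7, 8}, "R3": {3, 6, 9}}
# Sensors described as affected on the infected circuit 21.
INFECTED_ACTIVITY = {"R1": {1, 2, 3, 4, 5}, "R2": {2, 3, 7, 8}, "R3": {2, 3, 6, 9}}


def simulate(affected):
    """Constructed acquisition: affected sensors lose about 300 counts (assumed
    local supply droop), the other sensors only jitter by a few counts."""
    return [
        base - (300 + 7 * i) if i in affected else base + (3 * i % 7) - 3
        for i, base in enumerate(BASELINE, start=1)
    ]


def split_affected(diffs, noise_floor=50):
    """Two-cluster 1-D k-means; returns the indices in the high-difference cluster.

    k-means always produces two clusters, so a spread below `noise_floor`
    (assumed value) is reported as "no sensor affected" instead.
    """
    low_c, high_c = min(diffs), max(diffs)
    if high_c - low_c < noise_floor:
        return set()
    while True:
        high = {i for i, d in enumerate(diffs) if abs(d - high_c) < abs(d - low_c)}
        new_low = mean(d for i, d in enumerate(diffs) if i not in high)
        new_high = mean(diffs[i] for i in high)
        if (new_low, new_high) == (low_c, high_c):
            return high
        low_c, high_c = new_low, new_high


def partitions(baseline, acquisitions):
    """For each activated region, the set of sensor numbers classified as affected."""
    result = {}
    for region, counts in acquisitions.items():
        diffs = [abs(c - b) for c, b in zip(counts, baseline)]
        result[region] = {i + 1 for i in split_affected(diffs)}
    return result


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0


def verify(model, observed, threshold=1):
    """Compare partitions region by region and locate misclassified sensors."""
    similarity = {r: jaccard(model[r], observed[r]) for r in model}
    mismatches = {}
    for r in model:
        for sensor in model[r] ^ observed[r]:  # in one partition but not the other
            mismatches[sensor] = mismatches.get(sensor, 0) + 1
    suspects = sorted(s for s, n in mismatches.items() if n > threshold)
    infected = any(v < 1.0 for v in similarity.values())
    return infected, similarity, suspects


def run(activity):
    """Acquire one constructed measurement set per region, then partition and verify."""
    acquisitions = {region: simulate(aff) for region, aff in activity.items()}
    observed = partitions(BASELINE, acquisitions)
    return observed, verify(MODEL, observed)


if __name__ == "__main__":
    for name, activity in (("circuit 20", MODEL), ("circuit 21", INFECTED_ACTIVITY)):
        observed, (infected, similarity, suspects) = run(activity)
        print(name, "infected:", infected, "Jaccard:", similarity, "suspects:", suspects)
```

A real deployment would take the model partitions from simulation or from a golden circuit, and would repeat the acquisitions to estimate a probability of being affected, as the description suggests.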
We deduce the presence of the Trojan T near the sensors S2 and S3.

In a possible embodiment, and returning to Figure 1, the system may further comprise at least one detector integrated in the electronic circuit and capable of providing a measurement representative of an operating condition of the circuit. The at least one detector may comprise, as shown, one or more voltage detectors Vj, each providing a voltage value $v_j$ (global or local), and one or more temperature detectors Tk, each providing a temperature value $t_k$ (global or local). The detectors may be identical to the sensors; they can in particular also take the form of ring resonators as described, for example, in the article by L. Vincent et al. entitled "Embedding statistical tests for on-chip dynamic voltage and temperature monitoring," Design Automation Conference (DAC), 2012, 49th ACM / EDAC / IEEE, pp. 994-999.

[0011] The information relating to a circuit operating condition provided by the detectors, and the variations of this information from one circuit to another, can be exploited constructively to allow authentication of the electronic circuit by challenge-response and/or by key generation, as described below.

Authentication

In one embodiment, the processing unit 3 comprises a challenge-response authentication module 5 for the electronic circuit, configured to calculate, in response to a challenge, a response of the physically unclonable function type by means of the measurements provided by the sensors, and to provide said response accompanied by the measurement, provided by the at least one detector, that is representative of an operating condition of the circuit. The invention thus makes it possible to authenticate a circuit through its intrinsic physical characteristics.
The entity requesting the authentication of the circuit sends a challenge and receives in return a response that is unique per challenge, per circuit and per operating condition (typically the pair of voltage V and temperature T), a condition measured by the circuit itself and embedded in the response.

The advantages over existing systems include a lower area cost per response bit. Authentication is also more robust to changes in temperature and voltage, because the operating conditions V, T are taken into account in the response. In addition, the system makes it easy to select the number of bits used for authentication. Finally, all of the measurements are performed on chip, which makes it possible to speed up the procedures and to reduce volume production costs.

[0012] In one embodiment, the challenge is a choice of m' sensors among the m. The authentication module 5 is thus configured to calculate the unclonable physical function response from the measurements provided by a subset of said plurality of sensors. This response may include the concatenation of values derived from the measurements provided by the sensors of each of the $\binom{m'}{2}$ pairs of sensors among the subset of m' sensors of said plurality of m sensors. In particular, the value derived for a pair of sensors p, q among the subset of said plurality of sensors may consist of $\Delta F_{pq} = F_{p,v_j,t_k} + F_{q,v_j,t_k}$, where m' is the number of sensors of the subset and $F_{i,v_j,t_k}$ corresponds to the measurement provided by a sensor i of the subset for a given operating condition $v_j, t_k$ of the circuit.

This operating condition is measured by a global voltage or temperature detector, or by several local detectors. In the latter case, the responses of these detectors are concatenated so as to be representative of the overall operating condition of the circuit.
Post-processing modules (e.g., error-correcting codes) acting on the response of the authentication system may be integrated (or located externally) to increase the reliability of the system.

The system may further include a database listing, for each of a plurality of circuit operating conditions, the expected response for a given challenge, and a comparator configured to verify that the response produced by the authentication module 5 corresponds to the expected response stored in the database for the operating condition (typically the voltage/temperature pair) of the circuit corresponding to the measurement provided by the at least one detector accompanying the response produced by the authentication module.

[0013] The authentication procedure is as follows. A one-time phase is performed to create the database containing the different responses of the system to the various challenges, for all conditions V, T of the system. A challenge is sent to the system, which returns the voltage and temperature values as well as a digital word that is challenge-dependent and unique to each circuit. The database is consulted for the returned voltage and temperature values, and it is verified that the received response matches the response stored in the database for the challenge and the given voltage and temperature conditions. If there is a match, the circuit is authenticated. Otherwise, the circuit is not authentic or has undergone modifications.

[0014] With this technique the number of possible challenges is $\binom{m}{m'}$, that is 2035800 challenges per condition V, T for m = 30 and m' = 7. The size of the response is $\binom{m'}{2}$ multiplied by the number of informative bits per sensor. In the case of a prototype according to the invention, the size of the response is $\binom{7}{2} \times 4 = 84$ bits when the bit identification module has reduced the number of informative bits per sensor to 4. But of course, the size and number of challenges can be reduced if needed.
Calculations have shown, for this challenge-response technique, an inter-distance variation (between different circuits) of 48.8% and an intra-distance variation (between different executions for the same circuit) of 6.3%. These measurements, obtained in an uncontrolled environment and without tagging with the voltage and temperature, are particularly satisfactory.

[0015] Key Generation

Physically Obfuscated Key (POK) generation makes it possible to return a key stored permanently in the physical characteristics of a circuit. It is thus more difficult for an attacker to recover the key by measuring external signals (probing). In addition, an invasive attack on the circuit will cause physical alterations and thus the destruction of the key.

A difficulty encountered when generating such keys is their variability as a function of the operating conditions (typically temperature and voltage). The invention proposes to circumvent this difficulty by tagging the generated key with the operating condition information. Changes in the key due to variations in operating conditions can thus be taken into account. The problem of voltage and temperature variability is thereby bypassed by using it to increase security.

The processing unit 3 of the system according to the invention can thus comprise, in one embodiment, a key generation module 6 configured to generate a key by means of the measurements provided by the sensors and to supply said key accompanied by the measurement provided by the at least one detector. The key may notably consist of the concatenation of the measurements $F_{i,v_j,t_k}$ provided by each of the sensors, possibly using only the bits identified as informative. Thus, the system provides as a key the operating condition information and a digital word which is a function of the variations in the manufacturing process.
For the prototype of the invention, there are m = 30 sensors for which 4 informative bits are kept, which gives a key of 120 bits (at most), supplemented by the temperature and voltage information. These 120 bits can serve as a seed for the generation of longer keys, for example by means of a pseudo-random number generator.

The various modules of the processing unit can of course be implemented alone or in combination, in hardware and/or software.

The invention is not limited to the system as previously described, but also extends to a method of securing an electronic circuit implemented by one and/or another of the modules of the processing unit, and in particular to a method which comprises the following steps:
- determining, from the measurements provided by a plurality of sensors integrated in the electronic circuit, each sensor being sensitive to variations in the manufacturing process and able to provide a measurement representative of a local activity of the electronic circuit, and for each of the functionalities, a partition of the sensors between sensors affected and sensors unaffected by the execution of the functionality;
- comparing said partition to a model partition to detect the possible presence of a hardware Trojan that may infect the electronic circuit.

The invention also extends to a software implementation of such a security method, and thus in particular to a computer program product comprising code instructions for executing the steps of the method when said program is run on a computer.

It should be noted that the invention can be applied to ASIC-type circuits as well as to reconfigurable circuits (for example FPGAs), both in their design and in their programming after fabrication.
Claims:
Claims (14)

1. System (1) for securing an electronic circuit (2) comprising a plurality of regions (Z1-Z2, Z4-Z6, R1-R3) whose activation can be controlled, comprising a plurality of sensors (S1-Sm) integrated in the electronic circuit, each sensor being sensitive to manufacturing process variations and able to provide a measurement representative of a local activity of the electronic circuit, characterized in that it comprises a processing unit (3) comprising an integrity verification module (4) configured to:
- determine, from the measurements provided by the sensors, and for each of the regions, a partition of the sensors between sensors affected and sensors unaffected by activation of the region;
- compare each of the partitions to a model partition to detect the possible presence of a hardware Trojan that could infect the electronic circuit.

2. System according to claim 1, wherein the integrity verification module (4) is configured to:
- deactivate all the regions of the electronic circuit and perform an acquisition of the measurements provided by the sensors;
- activate in turn only one of the regions of the electronic circuit, and perform an acquisition of the measurements provided by the sensors;
- compare, for each of the regions and for each of the sensors, the measurement made by the sensor while only that region is activated with the measurement made by the sensor while all the regions are deactivated;
- determine said sensor partitions from said compared measurements.

3. System according to one of claims 1 and 2, wherein at least one of the regions is dedicated to the execution of a functionality, the activation of the at least one corresponding region being performed by commanding the execution of said functionality.

4. System according to one of claims 1 to 3, further comprising at least one detector (Vj, Tk) integrated in the electronic circuit and able to provide a measurement representative of an operating condition of the circuit, and wherein the processing unit further comprises a challenge-response authentication module (5) for the electronic circuit, configured to calculate, in response to a challenge, a response of the unclonable physical function type using measurements provided by the sensors, and to provide said response accompanied by the measurement provided by the at least one detector.

5. System according to claim 4, wherein the authentication module (5) is configured to calculate the unclonable physical function response from the measurements provided by a subset of said plurality of sensors.

6. System according to claim 5, wherein the unclonable physical function response comprises the concatenation of values derived from the measurements provided by the sensors of each of the sensor pairs from the subset of said plurality of sensors.

7. System according to claim 6, wherein the value derived for a pair of sensors p, q among the subset of said plurality of sensors is $\Delta F_{pq} = F_{p,v_j,t_k} + F_{q,v_j,t_k}$, where m' is the number of sensors of the subset and $F_{i,v_j,t_k}$ corresponds to the measurement provided by a sensor i of the subset for a given operating condition $v_j, t_k$ of the circuit.

8. System according to one of claims 4 to 7, further comprising a database listing, for each of a plurality of circuit operating conditions, the expected response for a given challenge, and a comparator configured to check that the response produced by the authentication module corresponds to the expected response stored in the database for a circuit operating condition corresponding to the measurement provided by the at least one detector accompanying the response produced by the authentication module.

9. System according to one of claims 1 to 3, further comprising at least one detector (Vj, Tk) integrated in the electronic circuit and able to provide a measurement representative of a circuit operating condition, and wherein the processing unit further comprises a key generation module (6) configured to generate a key by means of the measurements provided by the sensors and to provide said key together with the measurement provided by the at least one detector.

10. System according to claim 9, wherein the key is the concatenation of the measurements provided by each of the sensors.

11. System according to one of claims 1 to 10, wherein the sensors provide measurements in the form of digital words consisting of a series of bits, and wherein the processing unit comprises an informative bit identification module configured to eliminate, from a series of bits provided by a sensor, the bits that are invariant in the digital words provided by the different sensors and the bits that vary randomly in the different digital words provided by the sensor.

12. System according to one of claims 1 to 11, wherein the processing unit is integrated in the electronic circuit.

13. A method of securing an electronic circuit comprising a plurality of regions, the activity of each of which can be controlled, characterized in that it comprises the following steps:
- determining, from measurements provided by a plurality of sensors integrated in the electronic circuit, each sensor being sensitive to manufacturing process variations and able to provide a measurement representative of a local activity of the electronic circuit, and for each of the regions, a partition of the sensors between sensors affected and sensors unaffected by an activation of the region;
- comparing said partition to a model partition to detect the possible presence of a hardware Trojan that may infect the electronic circuit.
[0014] A computer program product comprising code instructions for executing the steps of the method of claim 13 when said program is run on a computer.
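The informative-bit selection of claim 11 and the key concatenation of claim 10 can be illustrated as follows (the prototype described earlier keeps 4 bits for each of 30 sensors, hence 120 bits). This is an added example, not code from the patent: the function names and the 8-bit sample words are constructed, and it assumes that a bit position is discarded for all sensors as soon as it is unstable in one of them.

```python
# Added illustration of informative-bit identification and key concatenation.
# Sample words are constructed; dropping a position for every sensor once it
# is noisy in any sensor is an assumption of this sketch.

def informative_positions(readings, width):
    """readings[s] is a list of repeated digital words from sensor s.

    A bit position is kept only if it is stable across the repeated words of
    every sensor (not random noise) and takes different values on at least
    two sensors (not invariant across sensors). Positions are returned from
    most significant to least significant.
    """
    keep = []
    for pos in range(width - 1, -1, -1):
        per_sensor = [{(w >> pos) & 1 for w in words} for words in readings]
        if any(len(values) > 1 for values in per_sensor):
            continue                      # varies randomly within a sensor
        across = {next(iter(values)) for values in per_sensor}
        if len(across) > 1:               # differs between sensors
            keep.append(pos)
    return keep

def derive_key(readings, width):
    """Concatenate the informative bits of each sensor into a bit string."""
    positions = informative_positions(readings, width)
    bits = ""
    for words in readings:
        # Kept positions are stable, so any reading yields the same bits.
        bits += "".join(str((words[0] >> p) & 1) for p in positions)
    return positions, bits

# Constructed sample: 4 sensors, 3 readings each, 8-bit words.
# Bits 7-6 are identical on all sensors, bits 1-0 are noisy.
SAMPLE = [
    [0b10101100, 0b10101101, 0b10101110],
    [0b10011001, 0b10011011, 0b10011000],
    [0b10110110, 0b10110101, 0b10110111],
    [0b10001100, 0b10001110, 0b10001101],
]

if __name__ == "__main__":
    print(derive_key(SAMPLE, 8))
```

With m sensors and k kept positions the key is m × k bits long, which is how the 30-sensor prototype arrives at 120 bits.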
Patent family:

| Publication number | Publication date |
|---|---|
| EP3195296A1 | 2017-07-26 |
| EP3195296B1 | 2019-11-20 |
| US10397251B2 | 2019-08-27 |
| FR3026253B1 | 2016-12-09 |
| WO2016042144A1 | 2016-03-24 |
| US20170310688A1 | 2017-10-26 |
Legal status:

| Date | Code | Event | Details |
|---|---|---|---|
| 2015-09-30 | PLFP | Fee payment | Year of fee payment: 2 |
| 2016-03-25 | PLSC | Search report ready | Effective date: 20160325 |
| 2016-09-28 | PLFP | Fee payment | Year of fee payment: 3 |
| 2017-09-29 | PLFP | Fee payment | Year of fee payment: 4 |
| 2018-09-28 | PLFP | Fee payment | Year of fee payment: 5 |
| 2019-09-30 | PLFP | Fee payment | Year of fee payment: 6 |
| 2020-09-30 | PLFP | Fee payment | Year of fee payment: 7 |
| 2021-09-30 | PLFP | Fee payment | Year of fee payment: 8 |
Priority:

| Application number | Publication number | Priority date | Filing date | Title |
|---|---|---|---|---|
| FR1458863A | FR3026253B1 | 2014-09-19 | 2014-09-19 | SYSTEM AND METHOD FOR SECURING AN ELECTRONIC CIRCUIT |
| EP15771067.4A | EP3195296B1 | 2014-09-19 | 2015-09-18 | System and method for securing an electronic circuit |
| US15/510,425 | US10397251B2 | 2014-09-19 | 2015-09-18 | System and method for securing an electronic circuit |
| PCT/EP2015/071479 | WO2016042144A1 | 2014-09-19 | 2015-09-18 | System and method for securing an electronic circuit |