DesignTag: A Thermally Sensed Security Tag to Protect Chip Designs
Edinburgh, United Kingdom
Abstract :
 This paper introduces a novel "security tag" technology for detecting misuse of semiconductor intellectual property, in the form of a small circuit which is added to the chip design. This technology can benefit semiconductor companies, FPGA users, IP Core vendors and CAD tool providers. The tag can combat falsely marked ‘ghost’ chips, provide design and version labelling for FPGA users, detect misused intellectual property and aid in maintenance and diagnosis of electronic systems in the field.
 
 INTRODUCTION
 
 In recent times there has been considerable interest in means of protecting electronic design information from misuse and piracy. Cryptographic schemes have been proposed to prevent unauthorized access to design source code [1], FPGA bitstreams [2][3][4] and solutions integrated with chip test have been developed to prevent overbuilding [5].
 
 The patented DesignTag™ technology proposed here is complementary to ‘lock on the door’ encryption technologies which seek to prevent IP theft. Rather than trying to prevent misuse of intellectual property, our ‘active tag’ aims to make it easy to detect when misuse has occurred by identifying the ‘stolen goods’. Unlike previous approaches to tagging design information, DesignTag is an active circuit present in the finished chip, not an optical identification code on special mask layers or a watermark in the design source code[6]. 
 
 For semiconductor companies DesignTag complements the product information which is traditionally marked on chip packages and written on the top metal layers of the die itself. Unlike ink markings on the chip package the information from the active tag is only available to authorised users and is very difficult to tamper with. Unlike metal markings on the die the active tag can be read through the chip package without damaging the chip or the system containing it – there is no need to remove the chip and send it to a specialist laboratory for de-packaging and microscopic analysis.
 
 FPGA users, IP core vendors and CAD software vendors face a particular problem in that they cannot directly mark the packages of the chips which contain, or were designed using, their products. This can be solved by adding a DesignTag to the design.
 
 There are severe limits as to the amount of information that can be provided using ink on a chip package. DesignTag, on the other hand, can access a web-based database to deliver a rich set of information about the tagged chip, such as datasheets or marketing literature.
 
 Usage scenarios for DesignTag include:
 
 
-  DesignTag can detect misuse by parties who have legally acquired the design information. Examples of such misuse are ‘overbuilding’ chips and underpaying royalties, and using IP acquired under a single project licence on multiple projects. 
-  DesignTag can be used to detect fake or ‘ghost’ grey market chips which are marked as though they came from a reputable manufacturer but are in fact copies, test failures or recycled from scrapped equipment. 
-  DesignTag can be used to detect chips which have had speed or temperature grade information falsely marked to increase product value. 
-  DesignTag can be programmed to return additional information such as version numbers or error codes from the circuit it protects. 
-  DesignTag can be used by IP core vendors to provide product version information. Thus, in the event of a product failing in the field an IP vendor can obtain independent confirmation of the version of their IP that was used – and potentially additional status information from the IP. 
-  CAD companies can configure design tools to add active tags to the synthesized circuit. For example, tools provided for evaluation or donated under an educational licence might add an active tag so that use to create commercial products could be detected. 
-  DesignTag can be used to mark chips which contain sensitive technologies in a tamper resistant manner – for example military technologies subject to export licensing. 
OVERVIEW AND DESIGN REQUIREMENTS
 The DesignTag technology consists of four components: a small ‘tag’ circuit incorporated within the IP core or chip to be protected, a sensor for collection of data from the tagged chip, software which processes the collected data, and a web-based database of tag codes and design information. To check whether a chip contains any tags, an agent (for example an employee of the company providing the tag or a police or customs officer) places the sensor over the suspect chip in the operating equipment. Within a short period of time the software will detect whether any active tags are present and decode any additional information (for example version numbering or status information) provided by the tags.
 
 The goal of the ‘active tag’ is to create a covert ‘side channel’ between the ‘tag’ circuit on the chip and an external sensor. ‘Side Channels’ have been studied in the context of cryptographic hardware where operation of the cryptographic circuit can cause unintentional signals, for example fluctuations in power supply voltages or electromagnetic radiation which can be detected off-chip and provide information about the cryptographic key. Unlike the ‘side channel attacks’ in cryptography, the signal from the tag is an intentional transmission and the modulation scheme is within the control of the tag designer making the detection task considerably easier.
 
 Several desirable properties for the DesignTag circuit are immediately clear:
 
 
-  The tag circuit must be very small. Large circuits will create an unacceptable area overhead and will be easy to visually identify. For this reason typical structures found in radio frequency circuits such as antennas and inductors are undesirable. 
-  The tag should have very low power consumption so that it does not significantly affect the overall power requirement of the larger circuit it protects. 
-  Ideally the tag should be created using only digital circuit components so that it can be embedded in IP cores supplied as netlists and it can be used to protect FPGA designs where no analogue components are available. 
 The sensor used to collect data should be simple and low cost. A low-cost data-logging unit can be used to collect sensor data and connect directly with the software. Ideally, for evaluation and where tags are used infrequently, common test equipment such as a high precision digital multimeter with data logging capability could be used to collect the data.
 
 There are several requirements for the software which performs the required signal processing on the collected data to determine whether tags are present:
 
 
-  It should be possible to detect multiple tags in a single set of data. There may be more than one tagged IP core within a chip, and all of these should be detectable. 
-  The time required to detect tags should be as short as possible. 
-  The tags should be detectable in the presence of interference. There may be several sources of interference including external noise, signals from other tags within a chip, and activity of other chip functions during normal operation. 
 The web-based database should be closely integrated with the reader software and contain up-to-date information on known tags as well as links to associated information such as datasheets.
 
 TAG DESIGN
 
 Communications Channel
 
 Several potential side channels are available: in the cryptographic field timing (changes in the delay between observable events), power supply voltage variations and electromagnetic emanations have all been extensively studied [7][8][9]. We have also studied and developed intellectual property on using these channels in security tags. However, for the initial DesignTag product it was decided to take the novel approach of signalling via a thermal channel i.e. changes in the chip package temperature.
 
 Signalling with heat, while clearly possible in theory, has the important practical drawback that the data rate is low because there are physical limitations on how fast a chip package can heat up and how quickly a temperature measurement can be made. This makes it unsuitable for most applications. However in the context of a security tag only a very small amount of information needs to be transferred and it would be quite acceptable to take a few minutes to do so. Compared with the alternative of extracting the chip from the system and sending it to a laboratory for analysis a few minutes is a very short period.
 
 In the context of the DesignTag, signalling with heat has two important advantages:
 
 
-  Switching an appropriate digital circuit on and off can create heat changes which can be detected as temperature changes on the chip package. Thus it is possible to create an active tag using only digital logic. 
-  It would be difficult to ‘jam’ the thermal channel between the on-chip tag and an external sensor using circuitry on the chip without creating an unacceptable increase in power consumption. 
Tag Circuit
 Each tag is a small digital circuit which generates a sequence of chip temperature changes corresponding to a binary code assigned to that particular tag. In the prototype tag circuit design, a number of parallel ring oscillators are used as the mechanism for heat generation. A binary ‘1’ corresponds to turning the heat generation circuit on, i.e. enabling the ring oscillators which operate at a high frequency and generate heat. The heat generation circuit remains on for a length of time corresponding to the bit period. A binary ‘0’ corresponds to turning the heat generation circuit off for one bit period. The temperature differences generated are small (less than 0.1°C), and therefore the power consumed by the heat generation circuit is low. Normally, the tag circuit will only be enabled for a 15 minute period after the chip is powered up and then switched off to save power.
 
 Tag Codes
 
 Because there may be a large number of tagged designs, and several may be present on a single chip, the coding system used is vital to ensure any tags can be detected. The problem of assigning codes is similar to that faced by designers of Code Division Multiple Access (CDMA) spread spectrum systems for wireless communications. In such systems, each user is assigned a code sequence which is used to modulate (‘spread’) data transmitted by that user. A number of users can then transmit data simultaneously if the codes are chosen such that mutual interference between codes is minimized. Code sets such as Walsh-Hadamard and Gold codes [10] with low cross-correlations are used to achieve this. At the receiver end, the signal is de-spread using one of the assigned codes, resulting in only the signal transmitted using that code being retrieved.
 
 The active tag technology, as in CDMA systems, consists of multiple signal sources (the tags associated with various IP blocks) transmitting simultaneously over a single channel (through temperature variations in the chip package). A set of codes selected to have low cross-correlations would allow multiple tags to be detected in a single signal. A problem exists due to the potentially large number of possible tags. A CDMA system provides for a comparatively small number of users per cell and is therefore able to provide codes with low cross-correlations to minimize interference.
 
 Unlike CDMA, where data bits from a message are spread by the (short) spreading code and it is necessary to recover each data bit at the receiver, the aim in this application is to simply detect the presence of a tag signal and which spreading code has been used. It is therefore not necessary to use short codes with very low cross-correlations – long codes can be used and codes for two different tags may have quite high cross-correlations over particular code sections. If these codes are pseudo-random then over a long enough period the cross-correlations between codes will approach zero. These long codes allow the processing software to detect the tags.
 
 Each tag is uniquely identified by the processing software by its pseudo-noise spreading code. The tag circuit uses an LFSR to generate the spreading code based on a unique and secret ‘tag code’ which is stored within the tag. The temperature changes caused by the tag are below the thermal noise level from the circuit – this makes determining whether a tag is present within a particular chip is very difficult for anyone who does not know the tag code (and hence the spreading code).
 
 Tag Detection Software
 
 The signal processing performed by the software correlates data derived from the signal sampled by the sensor with each of the tag codes stored in a secure web-based database. As more samples are acquired, the correlation between the signal and a code matching a tag code in the chip being checked will increase. Because of interference from chip activity, environmental temperature changes and other tags, the magnitude of the correlation is likely to be small – but detectably higher than the correlation for non-matching codes which should tend to zero as the number of samples increases. The software can then display which tags have been detected and provide access to further information such as datasheets through the web-based database. Fig. 1 shows data used and generated by the signal processing – Fig. 1A shows temperature data sampled by the sensor; Fig. 1B gives the data derived from the temperature data, which is then correlated, for a range of code offsets, with each code in the database – one such code is given in Fig. 1C. Figs. 1D and 1E show the resulting correlation values for a non-matching code and matching code, respectively. A peak can clearly be seen in Fig. 1E, indicating a matching tag code.
 
 
 
 
 
 
 
 
 
 
 
 
 Fig. 1. A) Temperature data sampled by sensor. B) Data derived from temperature data. C) Example tag code. D) Correlation data for non-matching code. E) Correlation data for matching code.
 
 Tag Area and Power Requirements
 
 Implementation details for the initial implementation of the active security tag on a Spartan 3A FPGA from Xilinx are presented in Table 1. As can be seen the area of the circuit is very small, power consumption is low and including this tag would be a marginal cost when incorporated in a large IP core or complete chip design.
 
 Table 1. Tag Implementation Details
 
 
| Chip | Slices | RAM Blocks | Average Power Consumption | 
| Spartan 3A | 152 | 0 | 5 mW | 
EXPERIMENTAL RESULTS
 The experimental setup used for initial evaluation of the active tag is shown in Fig. 2. A design to be tagged is implemented on a Xilinx Spartan XC3S700A chip on a Xilinx Spartan 3A evaluation board. The design used for this experiment is a Xilinx demonstration design provided with the evaluation board. It can be viewed as a typical SoC design and makes use of several large IP blocks including a PicoBlaze soft core processor, VGA driver and audio driver to display various advertising messages on a VGA screen and via audio under the control of switches on the evaluation board. DesignTags were added to each of the main functional blocks of the design – a total of five tags were used. 
 
 The sensor used is simply a thermocouple, attached to the top of the FPGA chip package, and temperature data is transferred to the tag detection software through a data logging unit. The software runs on a laptop computer which connects to the data logging unit through a USB port. The software is then run for a specified period of time and any detected tags are displayed. Initially, the software searches through a database of 1000 different tag codes (including the five codes used by the on-chip tags).
 
 The time taken to detect the five tags varies depending on which tag codes are used and temperature changes in the chip’s environment, however the average time to successfully detect all five tags was found to be less than ten minutes. Tag detection takes place while the main circuit operates normally.
 
 For the same design with a single tag, the time for detection was significantly reduced, at less than five minutes. We are continuing to optimise the DesignTag implementation and expect that we will be able to further improve the performance characteristics reported here.
 
 
 
 Fig. 2 - Experimental Setup
 
 SUMMARY
 
 A novel ‘active tag’ technology has been proposed and developed. Unlike previous schemes, the DesignTag seeks to detect rather than prevent the misuse of integrated circuit intellectual property. DesignTags can address misuse scenarios such as overbuilding by licensed customers, misuse of CAD tool licences and identifying falsely marked ‘grey market’ chips which cannot be controlled using previous techniques.
 
 The proposed active tag is a very small and low power circuit which can be added to chip or IP core designs and detected using an external sensor. Tag detection is achieved using a thermal scheme allowing the tag to be built using only digital components and making it suitable for use with FPGAs.
 
 Future implementations of this scheme will allow for signalling of status or version information and will thus help in the diagnosis and maintenance of systems including tagged components as well as providing security.
 
 REFERENCES
 
 
[1] A. Dauman, “An open IP encryption flow permits industry-wide interoperability”, Synplicity Inc, White Paper, June 2006.
[2] Algotronix Ltd, “Method and apparatus for secure configuration of a Field Programmable Gate Array”, US Patent Application US2001/0015919
[3] Algotronix Ltd, “Method of using a mask programmed key to securely configure a Field Programmable Gate Array”, US Patent Application US2001/0037458
[4] Algotronix Ltd, “Method of protecting Intellectual Property cores on Field Programmable Gate Array”, US Patent US2002/0199110
[5] Certicom Corp. “Certicom Security for fabless semiconductor design companies.” Application Note, Certicom http:www.certicom.com/download/aid-603/AppNotes-fabless.pdf
[6] A.B. Kahng et al, “Watermarking techniques for Intellectual Property protection”, 1998 ACM/IEEE Design Automation Conference Proceedings, pp. 776-781, June 1998.
[7] Kocher Paul, “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems”, Proceedings of Crypto’96, Springer-Verlag, August 1996, pp. 104–113.
[8] Kocher, Jaffe and Jun, “Differential power analysis”, Proceedings of Crypto’99, Springer-Verlag, 1999, pp. 388-397
[9] Gandolfi, Mourtel and Olivier, “Electromagnetic analysis: concrete results”, Proceedings of CHES’01 Springer-Verlag, 2001, pp, 251-261
[10] G.J. Proakis, “Digital Communications”, Third Edition. McGraw Hill 1995.
Related Semiconductor IP
- Post-Quantum Digital Signature IP Core
- Compact Embedded RISC-V Processor
- Power-OK Monitor
- RISC-V-Based, Open Source AI Accelerator for the Edge
- Securyzr™ neo Core Platform
Related White Papers
- Using non-volatile memory IP in system on chip designs
- Protecting multicore designs without compromising performance
- Security dons chip, card mantles
- 2002 will bring more chip consolidation after worst year ever, says Dataquest
Latest White Papers
- DRsam: Detection of Fault-Based Microarchitectural Side-Channel Attacks in RISC-V Using Statistical Preprocessing and Association Rule Mining
- ShuffleV: A Microarchitectural Defense Strategy against Electromagnetic Side-Channel Attacks in Microprocessors
- Practical Considerations of LDPC Decoder Design in Communications Systems
- A Direct Memory Access Controller (DMAC) for Irregular Data Transfers on RISC-V Linux Systems
- A logically correct SoC design isn’t an optimized design