DOCSLIB.ORG

Design of 32-Bit Differential Paired Efuse OTP Memory in a Form of Two-Dimensional Array

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Design of 32-Bit Differential Paired Efuse OTP Memory in a Form of Two-Dimensional Array J. Cent. South Univ. (2012) 19: 3484–3491 DOI: 10.1007/s11771-012-1433-3 Design of 32-bit differential paired eFuse OTP memory in a form of two-dimensional array KIM Yoon-kyu, JANG Ji-hye, YOON Geon-soo, LEE Dong-hoon, HA Man-yeong, HA Pan-bong, KIM Young-hee Department of Electronic Engineering, Changwon National University, 9 Sarim-Dong, Changwon 641-773, Korea © Central South University Press and Springer-Verlag Berlin Heidelberg 2012 Abstract: A differential paired eFuse OTP (one-time programmable) memory cell which can be configured into a 2D (two-dimensional) eFuse cell array was proposed. The sensible resistance of a programmed eFuse link is a half smaller than that of the single-ended counterpart and BL datum can be sensed without a reference voltage. With this 2D array of differential paired eFuse OTP memory cells, we design a 32-bit eFuse OTP memory IP. We use a sense amplifier based D F/F circuit as the BL (bit-line) SA (sense amplifier) and design a sensing margin test circuit with a variable pull-up load. It is confirmed by the function test that the designed 32-bit OTP memory IP functions normally on 30 sample dies. Key words: eFuse; one-time programmable memory; 2-dimensional array NMOS transistor with big channel width that can flow a 1 Introduction big programming current, and a read NMOS transistor with small channel width that can reduce a read current In general, small-density program memories used in the read mode [2]. In addition, the differential paired for the analog trimming of PMICs (power management eFuse cell has a form that dual-port eFuse cells are ICs) are OTP (one-time programmable) memories of connected in pair, and can make the peripheral circuit eFuse type rather than EEPROMs or flash memories simpler without any reference voltage generator and the since they can be designed based on a logic process sensing resistance of the programmed eFuse link a half which does not require any additional processes [12]. smaller. The OTP memory of eFuse type is programmed by There is, however, a problem that the previously flowing an over-current through poly-silicon fuses, or proposed differential paired eFuse cells can have just eFuses [3]. The pre-program resistance of the eFuse cell one-dimensional cell array since they have BL[7:0] and is about 50–200 Ω and the post-program resistance is BLb[7:0], PD[7:0] and PDb[7:0] in the column direction. more than several kilos ohms. Thus, the eFuse is Memory failures can also occur since there is a programmed into either a conductive state or highly possibility that the eFuse link can be shortened to the resistive state [3]. VSS-biased p-substrate by the thermally ruptured eFuse. An eFuse OTP cell is classified into a single-port In addition, an additional layout area is required since an eFuse cell [34], a dual-port eFuse cell [5], and a external pad is required to supply a program voltage in differential paired eFuse cell [6]. The single-port eFuse the program mode. cell shares its read and write port, has the program In this work, we propose a differential paired eFuse resistance of several kilo ohms, and adopts an analog OTP (one-time programmable) memory cell which can sensing scheme. In contrast, the dual-port eFuse cell has be configured into a 2D (two-dimensional) eFuse cell its separate read and write port and has the program array. The sensible resistance of a programmed eFuse resistance of several tens kilos ohms since it uses a link is a half smaller than that of the single-ended NMOS transistor with big channel width to flow a big counterpart and BL datum can be sensed without a programming current. The peripheral circuit is simple reference voltage. Also, we remove an external pad to since a digital sensing scheme can be adopted. A supply a program voltage since we use VIO (I/O voltage) dual-port eFuse cell consists of an eFuse link, a program for programming in the PMIC chip. Foundation item: Project supported by the Second Stage of Brain Korea 21 Projects Received date: 2012–02–09; Accepted date: 2012–04–20 Corresponding author: KIM Young-hee, Professor, PhD; Tel: +82−55−285−1023; E-mail: [email protected] J. Cent. South Univ. (2012) 19: 3484–3491 3485 Furthermore, we use a sense amplifier based D F/F is ‘0’ and the eFuse1 connected to BL is blown in case circuit as the BL (bit-line) SA (sense amplifier) and that DIN is ‘1’. The anodes of eFuse1 and eFuse2 are design a sensing margin test circuit with a variable connected to FSOURCE commonly and they are selected pull-up load in consideration of the variation of the column decoded PD[7:0] and PDb[7:0] in the differential programmed eFuse resistance. Also, we solve a problem paire eFuse cell of Fig. 1. Thus, the differential paired of an electrical shortage between an eFuse link and the eFuse cell do not have the row decoding function and VSS-biased p-substrate by placing a floated n-well under can be used only in a one-dimensional eFuse cell array. the eFuse link. We design the 32-bit eFuse OTP IP with Also, it requires an additional layout area since an MagnaChip’s 0.18 µm CMOS process. external pad is required to supply the programming voltage in the program mode. 2 Circuit design As shown in Fig. 2, differential paired eFuse OTP memory cells require the row decoded and column As shown in the simplified circuit of the eFuse OTP decoded signal to be configured in the two-dimensional memory using differential paired eFuse cells which can array. The proposed differential paired eFuse OTP be configured in one-dimensional array, it consists of memory cell consists of two program transistors (MN1 differential paired eFuse memory cell circuit, a and MN3), two read transistors (MN2 and MN4), and high-impedance pull-up loads, and differential amplifier two eFuses (eFuse1 and eFuse2). The used devices in Fig. [6]. The proposed differential paired eFuse cell is made 2 and the functions of RWL and BL/BLb are the same as by connecting conventional dual-port eFuse cells in pair. those in Fig. 1 while WWL and PD/PDb are used instead The left circuit (eFuse1, MN1 and MN2) of the proposed of FSOURCE. eFuse cell stores its program datum and the right one (eFuse2, MN3 and MN4) stores its complementary program datum. MN1 and MN3 are program transistors. MN2 and MN4 are read transistors. FSOURCE receives an external supply voltage directly and flows an over-current in the program mode. In the program mode, program voltage of FSOURCE should be applied with 5.5 V instead of 4.2 V in designing with MV transistors of 5 V rather than 3.3 V. Table 1 shows bias voltage conditions for various operation modes of each conventional one-dimensional configurable differential paired OTP memory cell node. The read NMOS transistors turn off since RWL keeps at 0 V in the program mode. Also, PD (program data) and PDb (program data bar) of the non-selected cell by A[2:0] keep at 0 V while PD (program data) and PDb (program data bar) of the selected cell keep at 0 V and 5.5 V in the case of DIN= ‘0’; 5.5 V and 0 V in the case of DIN= ‘1’. In the program mode, the eFuse2 connected Fig. 1 Simplified circuit of conventional differential paired to BLb of the selected cell is blown in the case that DIN eFuse OTP memory cell Table 1 Bias voltage conditions for various operation modes of each conventional differential paired OTP cell node Program mode Cell Read mode Unselected Cell Selected Cell DIN 0 1 0 1 X X RWL 0 0 0 0 VDD VDD PD 0 V 0 V 0 V 5.5 V 0 V 0 V PDb 0 V 0 V 5.5 V 0 0 V 0 V FSOURSE 5.5 V 5.5 V 5.5 V 5.5 V Floating Floating BL Floating Floating Floating Floating 0 V VDD BLb Floating Floating Floating Floating VDD 0 V eFuse1 Unblown Unblown Unblown Blowing Unblown Blown eFuse2 Unblown Unblown Blowing Unblown Blown Unblown 3486 J. Cent. South Univ. (2012) 19: 3484–3491 be 4.2 V in the program mode. On the other hand, the program transistor turns off since PD and PDb keep at 0 V. Figure 3 shows the layout image of the proposed differential paired eFuse OTP memory cell. The proposed eFuse cell size is 34.46 µm×6.94 µm (=239.15 µm 2). We use a p+ doped poly-silicon fuse as an eFuse, and the width and length of the eFuse link are 0.35 µm and 2.1 µm, respectively. There is, however, a possibility that the eFuse link can be shortened to the VSS-biased p-substrate by a thermal rupture and memory failures can occur. Thus, we solve a problem of an electrical shortage Fig. 2 Newly proposed differential paired eFuse OTP memory cell configured in a form of two-dimensional array between an eFuse link and the VSS-biased p-substrate by placing a floated n-well under the eFuse link, as shown Table 2 gives bias voltage conditions for various in Fig. 3 [7]. operation modes of each proposed two-dimensional Table 3 gives the major specifications of the 32-bit configurable differential paired OTP memory cell node.
Load more

Recommended publications
  • Design of a Rad-Hard Efuse Trimming Circuit For
    Master Thesis 2018 DESIGN OF A RAD-HARD EFUSE TRIMMING CIRCUIT FOR BANDGAP VOLTAGE REFERENCE FOR LHC EXPERIMENTS UPGRADES Supervisors: Student: Prof. Maher Kayal1 Mustafa Beşirli Dr. Adil Koukab1 Dr. Stefano Michelis2 CERN-THESIS-2018-084 28/06/2018 1School of Engineering (STI), Electronics Laboratory (ELAB), EPFL. 2Experimental Physics Department, Microelectronics Section (EP-ESE-ME), CERN. Electronics Laboratory, STI/ELAB Electrical and Electronic Engineering Section 22 June 2018 2 ACKNOWLEDGEMENTS At the end of the two years of my master’s studies, I would like to thank all the people who supported me during this significant period of my life. First, I would like to thank Prof. Maher Kayal for having given me the chance to work in ELAB and I would like to express my gratitude to Prof. Adil Koukab for having given me the opportunity to work in collaboration with CERN and for supervising my thesis. I would like to express my appreciation to Stefano Michelis for his constant help and precious advices during the development of this project and for providing me vast amount of knowledge on rad-hard analog design. I would also like to thank Federico Faccio for his valuable advices and I would like to express my gratitude to Giacomo Ripamonti for his consistent support during the design and test of my chip. These years were very important for my professional career and personal development. I would like to thank all my friends at EPFL and at CERN; it was nice to meet them. I would also like to express my gratitude to my friends in Turkey for their consistent supports.
    [Show full text]
  • 5V/12V Efuse with Over Voltage Protection and Blocking FET Control Check for Samples: TPS2592AA, TPS2592AL, TPS2592BA, TPS2592BL, TPS2592ZA
    TPS2592AA, TPS2592AL TPS2592BA, TPS2592BL TPS2592ZA www.ti.com SLVSC11B –JUNE 2013–REVISED NOVEMBER 2013 5V/12V eFuse with Over Voltage Protection and Blocking FET Control Check for Samples: TPS2592AA, TPS2592AL, TPS2592BA, TPS2592BL, TPS2592ZA 1FEATURES APPLICATIONS 2• 12 V eFuse – TPS2592Ax • HDD and SSD Drives • 5 V eFuse – TPS2592Bx • Set Top Boxes • 4.5 V – 18 V Protection – TPS2592Zx • Servers / AUX Supplies • Integrated 28mΩ Pass MOSFET • Fan Control • Fixed Over-Voltage Clamp (TPS2592Ax/Bx) • PCI/PCIe Cards • Absolute Maximum Voltage of 20V • Switches/Routers • 2 A to 5 A Adjustable I (±15% Accuracy) LIMIT PRODUCT INFORMATION(1) • Reverse Current Blocking Support FAULT PART NO UV OV CLAMP Status • Programmable OUT Slew Rate, UVLO RESPONSE • Built-in Thermal Shutdown TPS2592AA 4.3 V 15 V Auto Retry Active • UL Recognition Pending TPS2592BA 4.3 V 6.1 V Auto Retry Active TPS2592AL 4.3 V 15 V Latched Active • Safe during Single Point Failure Test TPS2592BL 4.3 V 6.1 V Latched Active (UL60950) TPS2592ZA 4.3 V — Auto-retry Active • Small Foot Print – 10L (3mm x 3mm) VSON TPS2592ZL 4.3 V — Latched Preview (1) For the most current package and ordering information, see the Package Option Addendum at the end of this document, or see the TI web site at www.ti.com DESCRIPTION The TPS2592xx family of eFuses is a highly integrated circuit protection and power management solution in a tiny package. The devices use few external components and provide multiple protection modes. They are a robust defense against overloads, shorts circuits, voltage surges, excessive inrush current, and reverse current.
    [Show full text]
  • Design of Variation-Tolerant Circuits for Nanometer CMOS Technology: Circuits and Architecture Co-Design
    Design of Variation-Tolerant Circuits for Nanometer CMOS Technology: Circuits and Architecture Co-Design by Mohamed Hassan Abu-Rahma A thesis presented to the University of Waterloo in ful¯llment of the thesis requirement for the degree of Doctor of Philosophy in Electrical and Computer Engineering Waterloo, Ontario, Canada, 2008 °c Mohamed Hassan Abu-Rahma 2008 I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required ¯nal revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. ii Abstract Aggressive scaling of CMOS technology in sub-90nm nodes has created huge challenges. Variations due to fundamental physical limits, such as random dopants fluctuation (RDF) and line edge roughness (LER) are increasing signi¯cantly with technology scaling. In addition, manufacturing tolerances in process technology are not scaling at the same pace as transistor's channel length due to process control limitations (e.g., sub-wavelength lithography). Therefore, within-die process varia- tions worsen with successive technology generations. These variations have a strong impact on the maximum clock frequency and leakage power for any digital circuit, and can also result in functional yield losses in variation-sensitive digital circuits (such as SRAM). Moreover, in nanometer technologies, digital circuits show an in- creased sensitivity to process variations due to low-voltage operation requirements, which are aggravated by the strong demand for lower power consumption and cost while achieving higher performance and density. It is therefore not surprising that the International Technology Roadmap for Semiconductors (ITRS) lists variability as one of the most challenging obstacles for IC design in nanometer regime.
    [Show full text]
  • RESEARCH INSIGHTS – Hardware Design: FPGA Security Risks
    RESEARCH INSIGHTS Hardware Design: FPGA Security Risks www.nccgroup.trust CONTENTS Author 3 Introduction 4 FPGA History 6 FPGA Development 10 FPGA Security Assessment 12 Conclusion 17 Glossary 18 References & Further Reading 19 NCC Group Research Insights 2 All Rights Reserved. © NCC Group 2015 AUTHOR DUNCAN HURWOOD Duncan is a senior consultant at NCC Group, specialising in telecom, embedded systems and application review. He has over 18 years’ experience within the telecom and security industry performing almost every role within the software development cycle from design and development to integration and product release testing. A dedicated security assessor since 2010, his consultancy experience includes multiple technologies, languages and platforms from web and mobile applications, to consumer devices and high-end telecom hardware. NCC Group Research Insights 3 All Rights Reserved. © NCC Group 2015 GLOSSARY AES Advanced encryption standard, a cryptography OTP One time programmable, allowing write once cipher only ASIC Application-specific integrated circuit, non- PCB Printed circuit board programmable hardware logic chip PLA Programmable logic array, forerunner of FPGA Bitfile Binary instruction file used to program FPGAs technology CLB Configurable logic block, an internal part of an PUF Physically unclonable function FPGA POWF Physical one-way function CPLD Complex programmable logic device PSoC Programmable system on chip, an FPGA and EEPROM Electronically erasable programmable read- other hardware on a single chip only memory
    [Show full text]
  • 14Nm Finfet Technology
    14LPP 14nm FinFET Technology Highlights Enabling Connected Intelligence • 14nm FinFET technology GLOBALFOUNDRIES 14LPP 14nm FinFET process technology platform is + Manufactured in state-of-the-art ideal for high-performance, power-efficient SoCs in demanding, high-volume facilities in Saratoga County, New York applications. + Volume production in Computing, 3D FinFET transistor technology provides best-in-class performance and Networking, Mobile and Server power with significant cost advantages from 14nm area scaling. 14LPP applications technology can provide up to 55% higher device performance and 60% • Ideal for high-performance, lower total power compared to 28nm technologies. power-efficient SoC applications + Cloud / Data Center servers Lg Gate length shrink enables + CPU and GPU performance scaling + High-end mobile processors + Automotive ADAS FET is turned on its edge + Wired and wireless networking + IoT edge computing • Lower supply voltage • Comprehensive design ecosystem • Reduced off-state leakage + Full foundation and complex • Faster switching speed IP libraries – high drive current + PDK and reference flows supported by major EDA and IP partners + Robust DFM solutions Target Applications and Solutions • Complete services and Mobile Apps Processor High Performance Compute & Networking supply chain support 60% power reduction 60% power reduction 2x # cores + Regularly scheduled MPWs 80% higher performance, >2.2GHz >3GHz maximum performance + Advanced packaging and test solutions, including 2.5/3D products 45% area reduction
    [Show full text]
  • Achieve 20-A Circuit Protection and Space Efficiency Using Paralleled Efuses
    Application Report SLVA836–November 2016 Achieve 20-A Circuit Protection and Space Efficiency Using Paralleled eFuses Rakesh Panguloori, Venkat Nandam ABSTRACT Today Texas Instrument’s eFuse devices are sought-after to replace discrete frontend protection circuits in many applications. These eFuses are available in the current range from 0.1 A to 12 A. However, certain applications like servers and communication equipment demand currents in the range of several tens of amperes. In general, device paralleling is seen as the first option by the system designers to scale the system for higher current requirements and better thermal management. While these devices are operated in parallel, it is essential that individual e-fuse share equal or near to equal load current for proper system operation and dynamic response. This application note describes the design considerations and performance characteristics of using eFuses in parallel configuration. An example of paralleling four eFuse devices to support 20-A load current is considered here to demonstrate load current sharing performance and to illustrate device behavior during transient overload, short-circuit events. Contents 1 Introduction ................................................................................................................... 2 2 Parallel Operation of eFuse ................................................................................................ 3 3 Application Circuit Schematic for 20-A Load Support..................................................................
    [Show full text]
  • Chip Morphing by Efuse
    ISSN (Online) 2278-1021 ISSN (Print) 2319-5940 IJARCCE International Journal of Advanced Research in Computer and Communication Engineering NCRICT-2017 Ahalia School of Engineering and Technology Vol. 6, Special Issue 4, March 2017 Chip Morphing by Efuse Harikrishnan A I1, Lashmi K2 Assistant Professor, Department of ECE, NSS College of Engineering, Palakkad, India1 Student, Department of ECE, NSS College of Engineering, Palakkad, India2 Abstract: Chip morphing enables a new class of semiconductor products that can monitor and adjust their functions to improve their quality, performance and power consumption without human intervention. Chip Morphing Technology deals with eFUSE. eFUSE is part of a built-in self-repair system that constantly monitors a chip‟s functionality.It combines unique software algorithms and microscopic electrical fuses to produce chips that can regulate and adapt their own actions in response to changing conditions and system demands. Keywords: Chip morphing, EFuse, Programming, Sensing. I. INTRODUCTION Chip morphingis a technology invented byIBMwhich to improve the programming window. This fuse link allows for the dynamic real-time reprogramming introduced programming via electromigration, with no of computer chips. Computer logic is generally "etched" or collateral damage. A programming Current (I=12mA) and "hard-coded" onto a chip and cannot be changed after the anode voltage (Fsource-5V.) range were established to chip has finished being manufactured. By utilizing a set of produce the desired electromigration phenomena. The fuse eFUSEs, a chip manufacturer can allow for the circuits on achieved typical programmed resistance in excess of a chip to change while it is in operation. The primary 100KΩ with all fuses over 10KΩ.
    [Show full text]
  • Opensparc™ Internals
    ISBN 978-0-557-01974-8 90000 > 9 780557 019748 OpenSPARC™ Internals OpenSPARC T1/T2 CMT Throughput Computing David L. Weaver, Editor Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. 650-960-1300 Copyright 2002-2008 Sun Microsystems, Inc., 4150 Network Circle • Santa Clara, CA 950540 USA. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. For Netscape Communicator, the following notice applies: Copyright 1995 Netscape Communications Corporation. All rights reserved. Sun, Sun Microsystems, the Sun logo, Solaris, OpenSolaris, OpenSPARC, Java, MAJC, Sun Fire, UltraSPARC, and VIS are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. or its subsidiaries in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry.
    [Show full text]
  • Safety Manual for Tms570ls31x and Tms570ls21x Hercules™ ARM®-Based Safety Critical Microcontrollers
    Safety Manual for TMS570LS31x and TMS570LS21x Hercules™ ARM®-Based Safety Critical Microcontrollers User's Guide Literature Number: SPNU511D November 2014–Revised December 2015 Contents 1 Introduction ........................................................................................................................ 8 2 Hercules TMS570LS31x and TMS570LS21x Product Overview ................................................. 11 2.1 Targeted Applications .................................................................................................. 12 2.2 Product Safety Constraints ............................................................................................ 12 3 Hercules Development Process for Management of Systematic Faults ..................................... 13 3.1 TI Standard MCU Automotive Development Process ............................................................. 14 3.2 TI MCU Automotive Legacy IEC 61508 Development Process .................................................. 15 3.3 Yogitech fRMethodology Development Process ................................................................... 15 3.4 Hercules Enhanced Safety Development Process................................................................. 15 4 Hercules Product Architecture for Management of Random Faults........................................... 17 4.1 Safe Island Philosophy and Architecture Partition to Support Safety Analysis (FMEA/FMEDA) ............ 17 4.2 Identification of Parts/Elements ......................................................................................
    [Show full text]
  • Safety Manual for Tms570lc4x Hercules ARM Safety Mcus
    Safety Manual for TMS570LC4x Hercules ARM Safety MCUs User's Guide Literature Number: SPNU540A May 2014–Revised September 2016 Contents 1 Introduction ........................................................................................................................ 8 2 Hercules TMS570LC4x Product Overview.............................................................................. 10 2.1 Targeted Applications .................................................................................................. 11 2.2 Product Safety Constraints ............................................................................................ 12 3 Hercules Development Process for Management of Systematic Faults ..................................... 13 3.1 TI Standard MCU Automotive Development Process ............................................................. 14 3.2 TI MCU Automotive Legacy IEC 61508 Development Process .................................................. 15 3.3 Yogitech fRMethodology Development Process ................................................................... 15 3.4 Hercules Enhanced Safety Development Process................................................................. 15 4 Hercules Product Architecture for Management of Random Faults........................................... 18 4.1 Safe Island Philosophy and Architecture Partition to Support Safety Analysis (FMEA/FMEDA) ............ 18 4.2 Identification of Parts/Elements ......................................................................................
    [Show full text]
  • Basics of Efuses
    Application Report SLVA862A–December 2016–Revised April 2018 Basics of eFuses Rakesh Panguloori....................................................................................................... Power Switches ABSTRACT eFuses are integrated power path protection devices that are used to limit circuit currents, voltages to safe levels during fault conditions. eFuses offer many benefits to the system and can include protection features that are often difficult to implement with discrete components. This application note highlights the challenges and limitations of discrete circuit-protection solutions and discusses how they can be improved with an eFuse. This report also provides an example comparison between eFuse solution and discrete circuit-protection solution for a typical hard disk drive (HDD) application. Contents 1 Need for Protection and Ways to Achieve................................................................................ 2 2 Discrete Circuit-Protection Solutions ...................................................................................... 2 3 What is an eFuse?........................................................................................................... 4 4 Typical Application Example for Comparison........................................................................... 11 5 Conclusion .................................................................................................................. 12 6 References .................................................................................................................
    [Show full text]
  • Key Extraction Using Thermal Laser Stimulation a Case Study on Xilinx Ultrascale Fpgas
    Key Extraction Using Thermal Laser Stimulation A Case Study on Xilinx Ultrascale FPGAs Heiko Lohrke∗,1, Shahin Tajik∗,3,†, Thilo Krachenfels2, Christian Boit1, and Jean-Pierre Seifert2 1Semiconductor Devices Group, 2Security in Telecommunications Group Technische Universität Berlin, Germany 3Florida Institute for Cybersecurity Research University of Florida, USA [email protected], [email protected] [email protected], {tkrachenfels,jpseifert}@sect.tu-berlin.de Abstract. Thermal laser stimulation (TLS) is a failure analysis technique, which can be deployed by an adversary to localize and read out stored secrets in the SRAM of a chip. To this date, a few proof-of-concept experiments based on TLS or similar approaches have been reported in the literature, which do not reflect a real attack scenario. Therefore, it is still questionable whether this attack technique is applicable to modern ICs equipped with side-channel countermeasures. The primary aim of this work is to assess the feasibility of launching a TLS attack against a device with robust security features. To this end, we select a modern FPGA, and more specifically, its key memory, the so-called battery-backed SRAM (BBRAM), as a target. We demonstrate that an attacker is able to extract the stored 256-bit AES key used for the decryption of the FPGA’s bitstream, by conducting just a single non-invasive measurement. Moreover, it becomes evident that conventional countermeasures are incapable of preventing our attack since the FPGA is turned off during key recovery. Based on our time measurements, the required effort to develop the attack is shown to be less than 7 hours.
    [Show full text]