


176 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 20, NO. 1, JANUARY 2012


Robust Secure Scan Design Against Scan-Based Differential Cryptanalysis

Youhua Shi, Nozomu Togawa, Masao Yanagisawa, and Tatsuo Ohtsuki

Abstract—Scan technology carries the potential risk of being misused as a “side channel” to leak out the secrets of crypto cores. The existing scan-based attacks could be viewed as one kind of differential cryptanalysis, which takes advantage of scan chains to observe the bit changes between pairs of chosen plaintexts so as to identify the secret keys. To address such a design/test challenge, this paper proposes a robust secure scan structure design for crypto cores as a countermeasure against scan-based attacks to maintain high security without compromising the testability.

Index Terms—Crypto hardware, differential cryptanalysis, scan-based discrete Fourier transform (DFT), security, side channel attack, testability.

I. INTRODUCTION

Scan test has been widely adopted as a default testing technique among most VLSI designs, including crypto cores. Unfortunately, these scan chains might be used as a “side channel” to recover the secret keys from the hardware implementations of cryptographic algorithms; for example, scan-based attacks on the Data Encryption Standard (DES), the Advanced Encryption Standard (AES), and Elliptic Curve Cryptography (ECC) have been illustrated in [1]–[3], respectively.

In general, the existing scan-based side channel attacks (SSCA) could be viewed as one kind of differential cryptanalysis using the scan chains of crypto cores. Unlike other known side channel attacks, SSCA is much easier, because in SSCA, in addition to the primary outputs of the crypto cores, a hacker could use the scan chain to shift out the intermediate contents during a cryptographic operation. It was illustrated in [2] that on average only 544 ���� � �� � ����� plaintexts are required to discover the AES key by using SSCA, which clearly shows the great potential threat of scan-based side channel attack.

Thus, how to develop secure test techniques for these crypto cores becomes an urgent task, so as to guarantee the security as well as the test quality. In the literature, some interesting secure test methods have been proposed to protect crypto cores against SSCA. A function/test mode control method was proposed in [2], in which the basic idea is to limit the switching of the crypto cores between normal function mode and scan test mode. However, it is not applicable in the case that the secret key is hard-wired or stored in secure memory and the reset operation cannot clear and should not clear it. Moreover, it does not support at-speed online testing, and incurs large area overhead (around 10% as indicated in [2]). In [4], a flipped-scan was introduced by adding inverters along the scan path so as to make it difficult for hackers to discover the internal scan structure at the cost of small hardware overhead; however, it cannot protect the circuit under test (CUT) from the scan-based attacks presented in [2] and [3]. In [5], Agrawal et al. discussed the security threat of flipped-scan [4] by introducing a simple reset-based SSCA, and then developed an XOR-chain structure

Manuscript received May 03, 2010; revised October 09, 2010, December 19, 2010, and February 08, 2011; accepted February 13, 2011. Date of publication March 17, 2011; date of current version December 14, 2011.

The authors are with the Faculty of Science and Engineering, Waseda University, Tokyo 169-8555, Japan (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TVLSI.2011.2120635

1063-8210/$26.00 © 2011 IEEE

for secure testing. Unfortunately, due to the back loop in the XOR-chain, if an SFF captures an unknown response, it might corrupt all the other responses passing through that SFF; as a result more test and debug cost is required. In [6], [7], secure scan flip-flop designs were proposed by adding launch and logic into traditional scan flip-flops to maintain the high test quality without compromising the security; however, they both incur large hardware overhead.

Fig. 1. Proposed RSSF versus traditional SFF. (a) Traditional SFF. (b) Proposed RSSF.

To address this issue, a robust secure scan (RSS) is proposed in this paper, in which a new kind of scan flip-flop, called the robust secure scan flip-flop (RSSF), is introduced from a security aspect. By including such RSSFs into crypto cores, all the advantages and simplicity of traditional scan test are preserved, and the security is significantly improved with negligible design and test overhead.

The rest of this paper is organized as follows. Section II presents the proposed robust secure scan design. In Section III, detailed analysis of implementation overhead and security performance is given. Section IV concludes this paper.

II. ROBUST SECURE SCAN

Due to the security and testability requirements mentioned above, a novel robust secure scan-based test approach is proposed as a countermeasure against scan-based differential cryptanalysis.

A. RSS Design

The basic idea of the proposed RSS design is to encrypt the contents in scan chains during scan operation, so as to reduce the controllability and observability available to unintended users. By doing this, it becomes more complicated for hackers to identify the bit differences between pairs of related plaintexts when they are encrypted under the same key.

One kind of the proposed RSS design is shown in Fig. 1, in which the contents of two neighboring SFFs are encoded during scan operation from a security aspect. When compared with the traditional SFF, an extra inverter and an XOR gate are introduced in the RSS design. This simple logic could be used for encryption during scan operations. Observe that the proposed robust secure scan flip-flop (RSSF) has identical pinouts when compared with the traditional scan flip-flop as shown in Fig. 1, and is therefore fully compatible with industry standard design tools from a design perspective; when integrated into current design flows it only requires the RSSF to be added to the cell library.

When in normal function mode (SE = 0), the SFF loads data from the logic through DI, and the output to the logic is DO. Because the additional inverter and the XOR gate are inserted along the scan path, they do not affect the timing of the design. Thus in function mode, the RSSF works like a traditional scan flip-flop.

When in scan test mode, we can observe from Fig. 1 that during scan shift operation the content of the FF is XORed with SI to be shifted out to the next SFF, and the inverted scan-in data (SI) is loaded into the FF. An example to illustrate the operations of the RSSF is shown in Fig. 2, where the original SFF (SFF3) is replaced by an RSSF and the scan chain contains eight scan flip-flops. As a result, during scan in/out, the data that passes the RSSF is encoded. Thus for hackers, it becomes extremely complicated to identify the relationship between the captured response and the scan-out.

Fig. 2. Example to illustrate the operations of RSSF.

On the other hand, for the test engineer it is rather easy to prepare the scan-in vector for a specified test vector generated by state-of-the-art ATPG tools. Simply assume that we want to apply a test vector � � ������ ����� � � � � ��� ��� ��� and the corresponding response is � � ����������� � � � � ��� ��� ���. The scan-in is �� � ������� ������ � � � � ���� ���� ����, the scan-out �� � ������� ������ � � � � ���� ���� ����, and the th SFF is replaced by an RSSF as in the scan structure shown in Fig. 2. Thus � and �� could be expressed as functions of �� and �, respectively, where

�� �

��� � ������ if �� �

���� if �� � �

���� if �� � �

(1)

and

��� �

��� if �� �

�� ������ if �� � �

�� ������ if �� � ���� �� �

�� � ���� if �� � �� �

(2)

According to the above equations, it can be observed that for pairs of (V, R) the scan-in (SI) and scan-out (SO) can be uniquely identified, which is called input- and output-equivalence and makes it easy for test engineers to prepare the corresponding scan-in and scan-out vectors for specific test patterns generated by automatic test pattern generation (ATPG) tools. Furthermore, when more RSSFs are inserted along the scan path, the input- and output-equivalence are still preserved.

B. Implementation Discussion

In the following, the implementation issues of the proposed RSSF design will be discussed.

One of the reasons to replace the original SFF with the proposed RSSF is that scan data should be encrypted to prevent secret leakage, so that: 1) the test vector applied from outside should not be the same as the real test vector and 2) the real captured response must be different from the data that is scanned out and can be observed externally.

TABLE I
OBSERVABLE HAMMING DISTANCES BETWEEN PAIRS OF RESPONSES USING TRADITIONAL SCAN STRUCTURE

The second reason is that, for pairs of responses, the Hamming distances between the scan-outs should not always be the same as those between the original responses. Consider the case that there is a scan chain which contains two scan flip-flops (SFF1 and SFF0). Assume that the captured responses in these two SFFs are R1 and R0. Thus in the traditional scan structure, R1 and R0 will be shifted out, and the Hamming distances between two responses can be observed and compared. In traditional scan, the Hamming distances for responses and scan-outs are always the same, which might be used by the hacker to guess the secret key, because due to the avalanche effect of cryptographic algorithms, by observing the scan-outs of some specific pairs of plaintexts it becomes possible to guess the secret key. The proposed RSSF design can deal with such an issue to make it more complicated for the hackers to guess the key. Tables I and II show the observable Hamming distances between pairs of responses using the traditional scan and the proposed RSS structure, respectively, where we assume there is a scan chain that contains four SFFs and in RSS the last SFF (SFF0) is replaced by the proposed RSSF. In the two tables, �� indicates the response and the scan out for each SFF. In Table II, ��� represents the scan out and �� is the first scan-in as shown in Fig. 2. From the two tables, it can be observed that the Hamming distances of 80 out of 136 pairs are changed, and for the unchanged 56 pairs the positions of the differing bits are changed in 29 pairs. In other words, there are only 27 pairs in which the Hamming distances and the differing bit positions are the same as those using the traditional scan structure.

In order to carry out scan-based attacks on crypto hardware implementations, one needs to ascertain the internal scan structure. Using the proposed RSSF design, the task of determining the scan structure becomes computationally infeasible. Simply consider that a scan chain has � SFFs and one SFF is replaced by an RSSF; according to (1) and (2), the probability for an attacker to guess the correct structure is ������, because the final observable scan-outs depend not only on the contents of the � SFFs but also on the first scan-in. Therefore, for a CUT in which the length of the scan chain is �, we can select � SFFs and replace them with the proposed RSSFs. By doing this, the long scan chain could be viewed as being divided into � blocks, the lengths of which are ��� ��� �� , respectively. Then the probability for an attacker to guess the whole scan structure would be � � ����� � � � �� � ���� ��� ����� ���� � � ���� ��� � �������, where � � �� � �� � � � � � �� . Because the number of internal SFFs ��� is usually much larger than the key length in a crypto hardware implementation, guessing the correct scan structure is computationally infeasible, i.e., much more difficult than brute force on the crypto algorithm itself. Moreover, from the above it is observed that by cascading more RSSFs into the scan chain, i.e., increasing � , there is less possibility for hackers to discover the internal scan structure.

It should be mentioned that in this work the basic idea of RSS is to encrypt the scan data by considering the relationship between two neighboring scan data bits. Thus there are many possible implementations of RSS other than the form shown in Fig. 1. In general, two factors should be considered when designing such an RSSF: 1) it is desired that the resulting Hamming distances should be unpredictable when compared with those in normal scan and 2) the implementation of the RSSF should not induce any test problems.

C. Scan Control Unit

It should be noted that unlike the existing static scan structures such as [4] and [5], the proposed RSSF design could be viewed as a dynamic scan structure in which the scan out depends not only on the scan data but also on the dependencies among them. But, even with the integration of RSSFs, the proposed scan structure still has the security threat of reset-based attack or flush test, because the proposed test method works like a static scan structure when the CUT is reset; therefore it might be possible for hackers to discover the scan structure, so as to infer the RSSF positions, by iterating the operations reset, apply plaintext/scan-in, and scan out.

To deal with such an issue, we develop a scan enable control unit to limit the scan operation after the CUT is reset. In general, at the beginning of scan test the CUT is reset and a scan vector is shifted into the scan chain, but it should be noted that the data scanned out while the first test vector is scanned in is useless. Based on this fact, we can mask the scan-out while the first test vector is scanned in.

The proposed scan control unit (SCU) design is shown in Fig. 3, which is inserted at the end of a scan chain. The output of the SCU (i.e., the MASK signal) is ORed with the scan out of a scan chain. The SCU only consists of a register, an inverter and a NAND gate. We can observe from Fig. 3 that when reset is applied, DFR is reset to 0 (i.e., MASK is high). If SE is enabled, the output of the SCU (the MASK signal) is kept high and all the scan outs are masked as one. The MASK signal is kept high until the CUT enters function mode once after reset. By doing this, because the hacker does not know what data is actually loaded into the SFFs, the proposed scheme will be an effective countermeasure against reset-based attack and/or flush test.
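A behavioural model of the scan control unit, added here as an illustration and not taken from the paper: it encodes only what the text above says (DFR cleared by reset, MASK being NOT DFR ORed onto the scan-out, and MASK released once the CUT has run in function mode after reset) and walks through a legitimate test session beside the reset-then-shift pattern of a flush test. The clocking convention (MASK sampled before each clock edge, a cycle with SE = 0 counting as function mode), the chain bits and the cycle counts are constructed assumptions; the gate-level timing of Fig. 3 is not modelled.

```python
# Added example, not from the paper: a behavioural model of the scan control
# unit (SCU) of Section II.C, built only from the text's description.  Register
# DFR is cleared by reset; MASK = NOT DFR is ORed onto the scan-out; DFR is set
# (MASK released) the first time the CUT runs a function-mode cycle (SE = 0)
# after reset.  Chain bits, SE sequences and cycle counts are constructed, and
# the assumed timing is that SO is sampled before each clock edge.
from typing import List, Tuple


class ScanControlUnit:
    """Assumed SCU behaviour: after reset MASK stays high until one function-mode clock."""

    def __init__(self) -> None:
        self.dfr = 0                       # power-up/reset state: MASK asserted

    def reset(self) -> None:
        self.dfr = 0                       # MASK goes high again

    def clock(self, se: int) -> None:
        if se == 0:                        # a function-mode cycle releases MASK
            self.dfr = 1

    @property
    def mask(self) -> int:
        return 1 - self.dfr                # inverter on DFR

    def gate(self, so_bit: int) -> int:
        return so_bit | self.mask          # MASK ORed onto the chain output


def observe(scu: ScanControlUnit, se_sequence: List[int], raw_so: List[int]) -> List[int]:
    """What an observer sees on SO over a run of cycles: raw_so are the bits the
    chain itself drives (constructed), se_sequence the SE value in each cycle."""
    seen = []
    for se, bit in zip(se_sequence, raw_so):
        seen.append(scu.gate(bit))         # SO sampled before the clock edge
        scu.clock(se)
    return seen


def legitimate_test_session() -> Tuple[List[int], List[int]]:
    """Reset, shift in the first vector (its scan-out is useless and masked),
    one capture cycle in function mode, then shift out the real response."""
    scu = ScanControlUnit()
    scu.reset()
    first_shift = observe(scu, [1] * 4, [0, 1, 0, 1])   # masked: all ones
    observe(scu, [0], [0])                               # capture cycle, SE = 0
    response = observe(scu, [1] * 4, [1, 0, 0, 1])      # now visible unchanged
    return first_shift, response


def reset_then_flush() -> List[int]:
    """Reset followed only by shifting (the flush-test pattern): no function-mode
    cycle ever occurs, so nothing but ones reaches the scan-out pin."""
    scu = ScanControlUnit()
    scu.reset()
    return observe(scu, [1] * 8, [0, 1, 1, 0, 0, 1, 0, 1])


if __name__ == "__main__":
    print("first shift / response:", legitimate_test_session())
    print("reset then flush      :", reset_then_flush())
```

The point the two scenarios make is the one in the text: the same chain bits are visible to the tester after a capture cycle and invisible to anyone who only resets and shifts, so the static structure the chain presents right after reset can no longer be read out.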

III. SECURITY AND IMPLEMENTATION ANALYSIS

In this section, security analysis and implementation overhead are discussed to show the advantages of the proposed secure test technique over existing methods.

A. Security Analysis

Due to the avalanche effect of cryptographic algorithms, there exist two kinds of scan-based differential cryptanalysis, called constant-based attack (CBA) and fixed-Hamming-distance-based attack (FHDA). Here let us use AES as an example cryptographic algorithm to explain these two kinds of attacks.

CBA takes advantage of the fact that in the encryption process, the contents of some special registers are independent of the input plaintext. For example, the round registers in AES, without special protection, would be 0001 in the first cycle for every normal input, and then 0010, ..., 1010. By using several different plaintext inputs and scanning out the contents at different times of the cryptographic operation, these registers could be easily identified. Then by setting the registers to 1010 (i.e., to indicate that the round cycle is 10, the last round for 128-bit AES), because in AES the mix-column operation is bypassed in the last round, it becomes much easier to discover the secret keys. Such a kind of attack is called a constant-based attack.

TABLE II
OBSERVABLE HAMMING DISTANCES BETWEEN PAIRS OF RESPONSES USING THE PROPOSED RSS STRUCTURE

Fig. 3. Proposed scan control unit design.

FHDA is another kind of scan-based attack that counts the number of bit changes for relevant plaintexts so as to discover the secret key; refer to [2] for more details on FHDA.

In the following, the security robustness of our method will be analyzed to show how the proposed design can protect crypto cores from the known scan-based side channel attacks: CBA and FHDA.

Against Constant-Based Attack: A constant-based attack takes advantage of the fact that in the encryption process, the contents of some flip-flops are always the same in some specified cycles for different plaintext inputs. In traditional scan, by using several different plaintext inputs and scanning out the contents at different times of the cryptographic operation, these registers, called constant flip-flops (CFFs) in our work, could be easily identified. Then by setting these CFFs to a specific state through scan operation, the complexity of secret key identification might be reduced to a low level.

When using the proposed RSS, it can be easily configured that once the intermediate data of the CFFs pass the replaced RSSFs, they are encrypted, and this makes it extremely difficult to identify the positions of the CFFs in the scan chain from outside. In addition, because the proposed RSSFs deal with the scan-in as well as the scan-out, it is also difficult for hackers to set the CFFs to desired states without detailed knowledge of the scan structure implementation. Therefore, it is obvious that the proposed RSS could be an effective countermeasure against such constant-based attacks.

Against Fixed-Hamming-Distance-Based Attack: In FHDA, usually several pairs of relevant plaintexts are applied and then for each pair the number of differing bits in the round output is counted. Here let us use the FHDA procedure introduced in [2] to illustrate the robustness of our RSS structure in AES.

In our work, first we rerun the FHDA on an AES implementation, and confirmed that when the Hamming distance between the round results is 9, 12, 23, or 24, the corresponding occurrence frequency is one, which could be used to uniquely determine the round key. Next we simply group the registers together in the scan chain for each block, replace the last SFF in the scan chain with an RSSF, and then conduct FHDA. In the third step, we replace two SFFs with RSSFs, and run the attack again. The observable Hamming distances between pairs of plaintexts ���� ���� � are shown in Fig. 4, in which 128 pairs of plaintexts are applied in the three ways mentioned above. Furthermore, the occurrence frequency for each Hamming distance in the above-mentioned three cases is calculated and plotted in Fig. 5. By observing the results shown in Figs. 4 and 5, it can be seen that the number of combinations that might be used to uniquely determine the pair of plaintexts is reduced from 4 to 1 and 0 for the two RSS implementations, respectively. When analyzing in detail the point in the one-RSSF implementation where the occurrence frequency for the Hamming distance (24) is one, we found that the two pairs of plaintexts do not belong to any of the original four pairs, which might mislead the hackers to wrong keys.

Fig. 4. Observable Hamming distances between pairs of responses using the proposed RSS structure in AES.

Fig. 5. Occurrence frequencies of the observable Hamming distances between relevant pairs.

In addition, as shown in Fig. 5, when the proposed RSS design is introduced into the scan chain, the distribution of the occurrence frequencies for the possible Hamming distances is very interesting and quite unlike that in the traditional scan structure. This is due to the intrinsic properties of crypto algorithms, and it would become more obvious when more RSSFs are inserted into the scan chain.

TABLE III
COMPARISONS WITH PREVIOUS WORKS

It should be noted here that in the above we simply group the registers that belong to the same block together and concatenate them to form a scan chain, which means that we used the DFT insertion tool to stitch the scan chain based on the alphanumeric order of scan flip-flop names in each module, independent of physical synthesis. Thus it might still be possible to identify the relations between the registers and the blocks, but even so, discovering the key using scan-based differential cryptanalysis becomes much more complicated than in traditional scan. Furthermore, due to the fact that in general the order of the internal scan flip-flops is usually optimized during the physical synthesis step for routing overhead, test power consumption and/or test data compression, it would be much more difficult for hackers to identify the relationship between the internal registers and the blocks, and then impossible to retrieve the secret keys.

B. Comparisons With Previous Works

Table III compares the proposed RSS design with the existing works[2], [4], which are the representatives of the recent works as illustratedabove, from security, test and design aspects.

As for security, secure scan requires the redesign of the function/testmode control unit, thus it could limit the CUT to be switched fromfunctional mode to test mode. To run in scan test mode, all the internalregisters should be reset and instead of the secret key a mirror key isloaded for scan test. However, it is not applicable in case that the se-cret key is hardware wired or stored in the secure memory and the resetoperation cannot clear and should not clear them. For flipped-scan, itstill has the security threat on FHDA because the Hamming distancebetween the observable scan-outs and the real response is fixed. Forthe proposed RSS design, both the scan-in and the scan-out are en-crypted, thus the security margin, i.e. the probability to guess the wholescan structure, would be ������ , where � and � are the total numberof scan flip-flops and the number of RSSFs, respectively. For a �-bitcrypto hardware implementation where � is the length of the key, thelength of the internal scan chain � is obviously times larger than �;thus the possibility of the success key extraction is reduced from ����

to ������, which makes the proposed RSS design a robust countermeasure against scan-based differential cryptanalysis.
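As an added illustration (not code from the paper), the following Python model checks the property the text attributes to flipped-scan: a fixed inverter mask cancels in the XOR of two scan-outs, so the Hamming distance between the observable responses equals that between the real responses. The chain length, the inverter mask and the contrasting `toy_mixing` transform are constructed assumptions for the harness and are not the paper's RSSF design.

```python
import random

CHAIN_LEN = 16                          # constructed toy chain length
INVERTER_MASK = 0b1010_0110_1100_0011   # constructed inverter positions


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def flipped_scan(response: int, mask: int) -> int:
    """Flipped-scan model from the page: bits at inverter positions
    (mask bit = 1) are complemented, all other bits are shifted out as-is."""
    return response ^ mask


def toy_mixing(response: int, mask: int) -> int:
    """Constructed contrast (not the paper's RSSF circuit): at masked
    positions each output bit is additionally XORed with its neighbour,
    so one response difference no longer maps to one observable difference."""
    full = (1 << CHAIN_LEN) - 1
    rotated = ((response << 1) | (response >> (CHAIN_LEN - 1))) & full
    return response ^ (rotated & mask)


def difference_visible(transform, r1: int, r2: int,
                       mask: int = INVERTER_MASK) -> bool:
    """True when the Hamming distance of two scan-outs equals that of the
    real responses, i.e. the scan structure passes the differential through."""
    return hamming(transform(r1, mask), transform(r2, mask)) == hamming(r1, r2)


def fraction_visible(transform, trials: int = 2000, seed: int = 7) -> float:
    """Share of random response pairs whose differential survives unchanged
    through the transform; 1.0 means the structure hides nothing of it."""
    rng = random.Random(seed)
    kept = sum(
        difference_visible(transform, rng.getrandbits(CHAIN_LEN),
                           rng.getrandbits(CHAIN_LEN))
        for _ in range(trials)
    )
    return kept / trials


if __name__ == "__main__":
    # Flipped-scan always reports 1.0: this is the fixed-distance weakness
    # the text refers to as the FHDA threat.
    print("flipped-scan:", fraction_visible(flipped_scan))
    print("toy mixing  :", fraction_visible(toy_mixing))
```

Any candidate scan-chain obfuscation can be plugged in as `transform`; a result of 1.0 means the structure preserves the pairwise Hamming distance and so offers no protection against the differential analysis described above.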

As for design and test issues, secure scan does not support at-speed online testing due to the reset and key-reload operations, and it incurs a large area overhead (around 10% as indicated in [2]) because additional registers, called mirror key registers (MKR), are inserted to isolate any critical data from entering the scan chain in test mode. Both the proposed RSS design and flipped-scan can support at-speed testing. In our work, no negative effect on fault coverage, test patterns or ATPG time is observed. Table IV compares the required hardware overhead among flipped-scan, XOR-chain and the proposed method. Because the total number of insertions is quite flexible depending on the required security margin, and in our experience the required number of insertions (�) is typically less than half of the total number of SFFs (�), Table IV clearly shows that the proposed RSS


TABLE IV HARDWARE OVERHEAD COMPARISONS

Note: � is the total number of scan flip-flops in the crypto implementation, � is the number of RSSFs, and � is less than �, i.e., � � �.

design provides a low-cost but flexible secure test solution for crypto cores, and also removes the back-loop problem of XOR-chain for better testability.

IV. CONCLUSION

In this paper, a new robust secure scan technique is introduced as an effective countermeasure against scan-based differential cryptanalysis. It could be fully compatible with the state-of-the-art design flow, and all the advantages and simplicity of traditional scan test are preserved; therefore it is a desirable secure test solution for modern crypto designs with negligible design/test overhead.

REFERENCES

[1] B. Yang, K. Wu, and R. Karri, “Scan based side channel attack on dedicated hardware implementation of data encryption standard,” in Proc. Int. Test Conf., 2004, pp. 339–344.

[2] B. Yang, K. Wu, and R. Karri, “Secure scan: A design-for-test architecture for crypto chips,” IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst., vol. 25, no. 10, pp. 2287–2293, Oct. 2006.

[3] R. Nara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, “Scan-based attack against elliptic curve cryptosystems,” in Proc. IEEE ASP-DAC, 2010, pp. 407–412.

[4] G. Sengar, D. Mukhopadhyay, and D. R. Chowdhury, “Secured flipped scan-chain model for crypto-architecture,” IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst., vol. 26, no. 11, pp. 2080–2084, Nov. 2007.

[5] M. Agrawal, S. Karmakar, D. Saha, and D. Mukhopadhyay, “Scan based side channel attacks on stream ciphers and their counter-measures,” in Proc. Int. Conf. Cryptology India (INDOCRYPT), 2008, pp. 226–238.

[6] H. Atobe, R. Nara, Y. Shi, N. Togawa, M. Yanagisawa, and T. Ohtsuki, “Dynamically variable secure scan architecture against scan-based side channel attack on cryptography LSIs,” IEICE Tech. Rep., vol. 108, pp. 55–59, Nov. 2008.

[7] Y. Shi, N. Togawa, M. Yanagisawa, and T. Ohtsuki, “Design-for-secure-test for crypto cores,” in Proc. IEEE Int. Test Conf., 2009, pp. 1–1, Poster-11.

[8] D. Hely, M. Flottes, F. Bancel, B. Rouzeyre, and N. Bérard, “Scan design and secure chip,” in Proc. Int. On-Line Test. Symp., 2004, pp. 219–224.

A Novel Sensing Circuit for Deep Submicron Spin Transfer Torque MRAM (STT-MRAM)

Jisu Kim, Kyungho Ryu, Seung H. Kang, and Seong-Ook Jung

Abstract—STT-MRAM has emerged as a compelling candidate for universal memory, but demands an advanced sensing circuit to achieve the proper sensing margin. In addition, STT-MRAM requires low-current sensing to avoid read disturbance. We report a novel sensing circuit that utilizes a source degeneration scheme and a balanced reference scheme. Monte Carlo HSPICE simulation results using 65 nm technology model parameters show that the proposed sensing circuit achieves a read access yield of 96.3% with a sensing current of 43.1 uA at a supply voltage of 1.1 V for 32 M bit, whereas the conventional sensing circuit achieves a read access yield of only 0% (81.5%) with a sensing current of 48.0 uA (64.2 uA) at a supply voltage of 1.1 V (1.6 V).

Index Terms—Balancing, read disturbance, sensing circuit, sensing margin, source degeneration, STT-MRAM.

I. INTRODUCTION

The conventional MRAM has long been considered an emerging technology and is thus poised as a leading candidate for universal memory. However, there are critical technology scaling problems for the conventional MRAM, in which the magnitude of the magnetic field required for memory switching increases rapidly as the technology shrinks [1]. Thus, the write current needed to generate the magnetic field becomes too large to build a competitive memory circuit in deep sub-micron technologies. This problem can be solved by emerging STT-MRAM, in which each memory cell is programmed by a spin-polarized current that directly flows through the MTJ. This write current is dependent on the size of the MTJ so that it can be reduced as the MTJ scales down [2].

On the other hand, STT-MRAM faces a circuit design challenge in maintaining the sensing margin due to the decrease in supply voltage and increase in process variation as the process technology shrinks, and the relatively smaller resistance difference between the two states in STT-MRAM than in other 1T-1R memories such as PRAM, where the sensing margin is defined as the voltage difference between the output and reference nodes in the sensing circuit minus the offset voltage of the 2nd sense amplifier. The design of a sensing circuit with a low supply voltage has thus become critical to the realization of STT-MRAM at deeply scaled technologies. Since the read operation of STT-MRAM uses the same current path as the write operation, STT-MRAM has a design problem known as a “read disturbance”, which is an unintended write occurring during a read operation [3]. Read disturbance occurs when the read current is larger than the critical current ����. Thus, STT-MRAM requires low-current sensing to prevent potential read disturbance.

In this work, we report a novel sensing circuit that achieves an adequate read access yield along with low-current sensing. The proposed sensing circuit utilizes source degeneration and balanced reference schemes. The design method for this sensing circuit is also proposed.

Manuscript received March 12, 2010; revised July 05, 2010; accepted October 09, 2010. Date of publication November 18, 2010; date of current version December 14, 2011.

J. S. Kim, K. H. Ryu, and S. O. Jung are with the School of Electrical and Electronic Engineering, Yonsei University, Seoul 120-749, Korea (e-mail: [email protected]; [email protected]; [email protected]).

S. H. Kang is with Qualcomm Incorporated, San Diego, CA 92121 USA (e-mail: [email protected]).

Digital Object Identifier 10.1109/TVLSI.2010.2088143

1063-8210/$26.00 © 2010 IEEE