OTP for DCP Key Storage

Update: Synopsys Expands DesignWare IP Portfolio with Acquisition of Sidense Corporation (Oct. 17, 2017)

By Wlodek Kurjanowicz, Founder and CTO, Sidense

Abstract

High-definition digital content is driving advanced security requirements for SoCs. Millions of people will buy products with Digital Content Protection (DCP) to view, listen and communicate, thus creating a huge need to protect consumer data and intellectual property (IP) from theft. Non-volatile storage of encryption keys is an ideal way to securely implement DCP in a variety of electronic devices. However, not all non-volatile memory (NVM) technologies are suited for these applications. This paper will review some available NVM alternatives for DCP-enabled products and describe an innovative logic NVM IP technology that meets the diverse requirements for encryption key storage.

Digital Content is Everywhere

The number and types of consumer devices that store and play back audio and video content are skyrocketing. It seems that every handheld device - iPods, MP3 players, cell phones and even cameras - is an entertainment source for movies and music. Add in your car and the various types of equipment found in a home entertainment center, such as HDTVs, DVRs and set-top boxes, and you have dozens of devices at your disposal that record, transfer or playback copyrighted digital content - thus the need for secure protection of that content to protect the IP of the owner.

Briefly stated, digital content protection, or DCP, is a way of permitting the use of copyrighted content such as music and movies by authorized persons (licensees or customers of licensees) while blocking the use of that material by unauthorized persons. There are many ways of implementing digital content, but the concept is best described with an example. Consider High-bandwidth Digital Content Protection (HDCP), a form of Digital Rights Management (DRM) developed by Intel to control high-definition video (and audio) as it travels from a source to a display device.

HDCP in Brief

The HDCP protocol for transferring high-definition video from a source to a display device employs three processes for DCP:

• An authentication process that allows authorized devices to receive high-definition content and exclude devices that have been compromised or hacked (revocation).
• Encrypting the content sent over a High Definition Media Interface (HDMI) interface to prevent eavesdropping or "man in the middle" attacks on content.
• Procedures to revoke keys for equipment that is no longer licensed to receive HDCP content, blocking that equipment from receiving the content.

HDCP-compliant and HDMI-enabled equipment use NVM technology for storing the forty 56-bit keys and the Key Selection Vector (KSV) that HDCP requires. A compromised device has its KSV placed on a revocation list, signed with a digital signature to prevent unauthorized users from revoking legitimate devices. The KSV values are unique to each key set and to each device. An HDCP-compliant system compares these values to a revocation list and if either the transmitter or receiver appears on that list, authentication fails. Updates to the revocation list arrive with new media and are automatically integrated.

The total encryption key storage requirements for HDCP-enabled DCP is just a few thousand bits. However, as is the case for keys for DCP applications in general, the storage technology has to be extremely secure, field- updatable/reconfigurable to allow key value updates, non-volatile (not dependent on a power source), and highly reliable. Let's review some traditional NVM memory alternatives and see how they stack up for DCP encryption key storage.

Traditional NVM alternatives

The most prevalent embedded NVM technologies are electrical fuses, masked ROM, EEPROM and Flash. Each of these has its drawbacks for use in DCP applications.

Electrical fuses are not truly field-programmable, as they require special programming equipment. They also have some long-term reliability issues if they are programmed by blowing an electrical link, since the sputtered material has a tendency to recombine. You can read the contents of a fuse array using either an SEM or FESEM (Field-Emission Scanning Electron Microscope) or by accessing the pins the array uses for programming and testing. In addition, electrical fuses can be reversed with FIB (Focused Ion Beam) techniques. Finally, electrical fuse implementation on a chip consumes large silicon area, which together with subsequent programming on a wafer adds cost to the chip processing and can severely impact profit margins on chips for consumer applications.

Like an electrical fuse, a masked ROM is not field-programmable, i.e., it is programmed during wafer processing. Security can also be breached by reading the ROM's content with SEM or FESEM equipment, but first of all the individual chips can not be customized with unique key values.

Traditional embedded EEPROM and Flash add about 30% to 50% to the wafer cost and are not available for the leading process technology nodes (which are important for price reduction and increased device feature sets.) An alternative, charge storage based logic NVM solutions are limited to 3.3V process nodes and consume large silicon area. In all these charge storage based memories the information is stored as charge trapped either in the gate oxide or on the floating gate. This charge can be exposed using voltage contrast techniques or, worst, it can be removed through exposure to high temperature, light or electron and ion beams. Once the security lock has been erased, the contents can be read using built-in programming and test pins or functions.

An ideal embedded NVM solution for encryption key storage is one that is low cost, adding little or no cost to the wafer processing, and is highly secure. Such a solution is available now with Sidense's 1T-Fuse™ technology.

1T-Fuse Storage

Sidense's 1T-Fuse Logic NVM IP is based on a patented split channel antifuse technology utilizing a gate oxide breakdown mechanism to produce highly reliable one-time programmable storage devices that are the smallest and fastest in the industry (Figure 1). The technology requires no additional mask layers or process steps and is portable across all leading technology nodes and foundries. Using only a fraction of a single transistor to create a bit cell results in a memory that is much more robust, reliable and hacker-proof compared to the conventional two-transistor (2T) per cell designs of other logic NVM vendors.

Figure 1. The 1T-Fuse™ bit cell is a two-terminal , high-density, split-channel device that looks like an MOS capacitor in the un-programmed state and a diode-connected MOS transistor in the programmed state. All programming occurs in the transistor's channel region for high reliability and repeatability.

1. The state of the antifuse can not be reversed. The antifuse programming involves a permanent structural change. The amorphous gate oxide melts locally and recrystalizes into silicon monocrystal forming a nano-scale MOS device. Once programmed, it cannot be undone, no matter what temperature or beam exposure. This means that, unlike the case with storage based devices, the security bits can not be reversed.
2. Voltage contrast techniques cannot reveal the contents of the memory.
   1. There is no charge stored in the memory, so unlike the charge storage based devices direct observation can not reveal the information.
   2. A leakage observation technique cannot be used either. Unlike the traditional 2T antifuse cell, the 1T-Fuse does not have a junction between the storage and access transistors and therefore there is no localized area that could be scanned using voltage contrast techniques.
   3. The single polysilicon word line (WL) in 1T-Fuse precludes the use of voltage contrast scanning that depends on two independent polysilicon gates in a 2T NVM cell.
   4. The increased density of 1T-Fuse vs. 2T or larger NVM structures makes it more difficult, if not impossible, to isolate individual memory cells.
   5. The possibility of resistive programming of the memory bits is completely eliminated with 1T-Fuse. The resistively programmed bits in a 2T cell provide a strong link between the gate and the diffusion and are much easier to detect.
   6. Fast access time and very low voltage swing during read operation eliminates the use of voltage contrast during dynamic chip operation.
3. No power signature
   1. The simplest and easiest to implement a security attack is through observation of the power signature during read operation. The real danger of this non-intrusive method can be fully understood once one take into account the wide availability of the basic lab equipment and computing power in almost every school and university worldwide, not to mention professional hacker basements. Unlike other antifuse providers, Sidense IP utilizes a fully complementary read technique to leave no power signature for the attacker to explore.
   2. In addition to fully a complementary read technique, the resistively programmed bits are completely eliminated, minimizing the noise signature.
4. It is impossible to visually differentiate a programmed from a non-programmed bit in 1T-Fuse (Figure 2). Unlike the electrical fuse, the antifuse structural change is within a 10 atom radius and is not detectable using etching and FESEM techniques used in the industry.

Figure 2. Unlike an electrical Fuse, the state of a 1T-Fuse bit is undetectable by optical or SEM microscopy means [photographs by Chipworks Inc.]

Sidense's SiFuse and SiPROM products with the 1T-Fuse architecture target highly secure applications, including encryption key storage and secure boot code, offering bit counts up to several megabits. Read access times are very fast, under 10 ns, and retention rates exceed 20 years. A built-in charge pump lets a customer program the macrocell in the field without the need for a separate programming power supply. An security lock is available to disable the programming voltage to segments and/or the entire macrocell, providing additional key storage security.

About the Author

With over 25 years of IC design and manufacturing experience, Wlodek Kurjanowicz has lead numerous design, design automation and design analysis groups. In 2003 he founded Sidense Corp. with a vision to build a reliable NVM solution for sub 100nm CMOS technologies. In 1998 he co-founded ATMOS Corp., the embedded memory IP company, which he lead as its Chief Technology Officer to become the world's leading provider of embedded DRAM compilers. Wlodek became a Mosys Fellow following the ATMOS acquisition by Mosys Inc (Nasdaq: MOSY) in 2002. Prior to that, he managed the Design Analysis Group and held a Senior Technical Advisor position at Chipworks Inc., and a Member of Technical Staff position at Semiconductor Insights Inc., both in Canada. He also held various IC Design Manager and IC Technology Manager positions in semiconductor plants in Poland. He holds six patents granted in addition to several pending applications in the memory IP space, with new applications in the works.