Reversing stealthy dopant-level circuits

A successful detection of the stealthy dopant-level circuit (trojan), proposed by Becker et al. at CHES 2013 (LNCS 8086:197–214, 2013 ), is reported. Contrary to an assumption made by Becker et al. dopant types in active region are visible with either scanning electron microscopy (SEM) or focused ion beam (FIB) imaging. The successful measurement is explained by a technique called the passive voltage contrast (Rosenkranz J Mater Sci Mater Electron 22(10):1523–1535, 2011 ) which is used to analyze failures in large-scale integration (LSI). The experiments are conducted by measuring a dedicated chip. The chip uses the diffusion programmable device (Shiozaki et al. Diffusion programmable device: a device to prevent reverse engineering, IACR Cryptology ePrint Archive 2014/109 2014 ): an anti-reverse engineering technique by the same principle as the stealthy dopant-level trojan. The chip is delayered down to the contact layer, and images are taken with (1) an optical microscope, (2) SEM, and (3) FIB. As a result, the four possible dopant–well combinations, namely (i) p+/n-well, (ii) p+/p-well, (iii) n+/n-well and (iv) n+/p-well are distinguishable in the SEM images. Partial but sufficient detection is also achieved with FIB. Although the stealthy dopant-level circuits are visible, they potentially make a detection harder. That is because the contact layer should be measured. We show that imaging the contact layer is at most 16 times more expensive than that of a metal layer in terms of the number of images.