Abstract-Lasers have become one of the most efficient means to attack secure integrated systems. Actual faults or errors induced in the system depend on many parameters, including the circuit technology and the laser characteristics. Understanding the physical effects is mandatory to correctly evaluate during the design flow the potential consequences of a laser-based attack and implement efficient counter-measures. This paper presents results obtained within the LIESSE project, aiming at defining a comprehensive approach for designers. Outcomes include the definition of fault/error models at several levels of abstraction, specific CAD tools using these models and new counter-measures well-suited to thwart laser-based attacks. Actual measures on components manufactured in the new 28 nm FDSOI technology are also presented.
I. INTRODUCTION
Hardware attacks on secure integrated systems can be done by several means, including side-channel observation (measuring e.g., computation time, power consumption or electromagnetic emissions) and faulty behavior exploitation. We will focus here on fault-based attacks aiming at retrieving some confidential information such as a private cryptographic key stored in the circuit. One of the most efficient techniques to induce faults in a circuit is to use a laser. The main advantages are a very good control of both the injection location and the injection time, making the attack more efficient and more difficult to avoid from the designer point of view.
Since the pioneer work by Skorobogatov and Anderson [1] , many experimental works have been done on laser-based attacks on various types of circuits, including smartcards but also FPGAs. However, a clear view of laser effects is still lacking. This is due to a strong dependence with (1) the circuit technology, (2) the laser characteristics (wavelength, focus, energy, impulsion duration …), and (3) the type of set-up (front-side or back-side). From a designer point-of-view, it is therefore difficult to understand the exact protections (or "counter-measures") to implement in a circuit, and also to identify the most critical parts in a given design.
The work presented in this paper aims at providing a more comprehensive framework to a designer, in order to perform a robustness analysis throughout the design flow. One part of the proposal concerns the definition of models representing the effects of laser attacks with several levels of abstraction. The second part concerns specific counter-measures that can be selected to increase the robustness. The designer work is also supported by specific design tools.
Section II gives an overview of the global design flow from a laser-based attack perspective. Section III summarizes some results obtained by actual laser attacks, especially on components in the new 28 nm FDSOI technology. Sections IV and V discuss the fault and error models. Section VI is dedicated to the CAD tools and section VII shows new counter-measures adapted to the effects of laser-based attacks.
II. GLOBAL FLOW: OVERVIEW
The global flow is illustrated in Figure 1 . Steps on the left concern the modeling process while steps on the right are the design phases. Modeling has to be made once for a given technology and a given spectrum of laser sources and parameters. In fact, some models may be re-used from one technology to the other but measures are required to calibrate the probability of a given type of fault/error for a given source and a given technology. Low-level physical models (or TCAD models) are derived from the analysis of the interaction between the laser beam and the circuit material. Such models are very long to simulate, so more abstract models based on current curves can then be derived, in order to perform simulations at the electrical level. Abstraction can then be raised again at the logical level for gate-level netlist simulation. Finally, behavioral error models corresponding to data 978-1-4799-6016-3/14/$31.00 ©2014 IEEE perturbations can be proposed for early design analysis. This bottom-up process, validated by the experiments performed on real circuits, lead to a set of models adapted to several design steps.
Once the models are available, a designer can perform various analyses at several design steps. Early analyses can be made after the Register-Transfer level description, using either behavioral simulation or emulation, and injecting errors corresponding to the behavioral models. This first analysis may allow him to quantify the probability of a successful attack from a functional point of view and identify some weak points in the design (including or not some functional countermeasures). On this basis, countermeasures may be added to the design at several levels, from functional checks down to e.g., placement and routing constraints or sensor insertions. Further analyses can then be performed once the gate-level netlist is available, and then when the placement and routing has been done, with potentially electrical-level simulations using the previously developed fault models. All these steps must maximize the probability that the final qualifications made on the first product prototypes confirm a satisfying level of resilience against attacks.
CAD tools used at the different steps will be discussed in section VI. 
III. MEASURES ON CMOS AND FDSOI COMPONENTS
Previous work was done in order to derive models of laser shots on CMOS ICs, and especially SRAM cells [2] . The model validity was assessed by a very good correlation with an experimental laser sensitivity map.
Current work is focused on the emerging 28 nm Fully Depleted Silicon On Insulator (FDSOI) technology that is mainly dedicated to low-power applications and provides thanks to well biasing techniques the ability to optimize dynamically the circuit's speed versus its power consumption [3] . FDSOI is also expected to bring reduced sensitivity to laser attacks due to the thin oxide box that isolates the channel of transistors from their wells [4] . Indeed, the laser-induced charge generation volume of FDSOI transistors is smaller than that of CMOS bulk transistors. As a result, the induced photocurrent should be reduced both in time and magnitude.
Measurements of the laser effects have been performed on FDSOI elementary test elements with the following laser settings: 1064nm wavelength, 20 μs pulse duration, 5 μm spot diameter and backside illumination. As an example, one of the experiments aimed at analyzing the photocurrent induced in the drain of FDSOI NMOS transistors in OFF state and comparing it to the current induced in a similar transistor in bulk CMOS. The transistors were biased in OFF state: Vdrain = 1.8 V, Vsource = Vgate = VPwell = 0 V. We used a laser pulse with 855 mW power. Photocurrent peaks magnitude were in the μA range while in a bulk 90 nm NMOS transistor they are in the mA range. Although more experiments are required in the near future, these first results tend to confirm the expectations about the lower sensitivity of FDSOI technology.
IV. MODELS: FROM PHYSICAL TO GATE LEVEL
Laser effects on electronics are very similar to effects induced by radiations in the sense that both laser and radiations generate electron-hole pairs in the semi-conductor; the charges are transported into the media and are collected at the electrodes of the device. In order to model these phenomena, a tool called "MUSCA SEP3" (MUlti-SCAles Single Event Phenomena Predicted Platform) has been developed and is described in [5] . It is based on a Monte Carlo approach, and consists in sequentially modeling all the physical and electrical mechanisms.
Required information is directly extracted from layout files in GDS format and mainly includes areas and positions of the active layer. The representative 3D structure for Monte-Carlo simulation only contains N and P active junctions (drains and sources) of the design. The global collection volume takes into account the depletion capacitance of Drain-Substrate junction.
Transient currents issued from physical model can be injected on each illuminated collection node (transistor drains or sources). Doing so, the electrical model of the transient pulses can be associated with the circuit netlist. The link between the layout and the netlist is performed in our flow thanks to the "Calibre" tool from Mentor Graphics. According to this physical-level model, the laser effect is modeled at electrical level as a plug-in current source for each illuminated junction. The model is depicted in Figure 2 . In order to link the physical-level models and the electricallevel models for simulation purpose, a database was developed; each file corresponds to a standard cell in a given library and to a laser configuration data (energy, spot size). In each file, the transient current pulses I(t) are enumerated for each collection zone according to the position of the laser for each logic state of the standard cell.
The eventual effect of a current injection at electrical level in a digital circuit is a modified logic signal. The propagation of the fault and the final consequences on the circuit behavior can then be analyzed using logic-level simulations. A multilevel fault simulator has therefore been implemented and will be described in section VI.
V. ERROR MODELS: BEHAVIORAL LEVEL
Finding design flaws late in the design flow is costly and strongly impairs the global development time. Evaluating the resilience of a given architecture at early design steps is therefore suitable. In most cases, such evaluations start at Register-Transfer Level (RTL) in order to benefit from a precise view of the registers in the design; higher-level descriptions are too abstract to clearly identify the real hardware that will be implemented in the circuit.
Identifying some design flaws early in the design can be achieved by using fault injection techniques [6] . At that level, the final design structure is not known so only errors in registers can be injected. The evaluation is meaningful only if errors injected at design time are actually representative of errors induced during a real attack. Also, evaluation time is limited so it is mandatory to trigger fault injection campaigns on reduced but significant sets of errors. Many papers in the literature report either single-bit or multiple-bit errors so both cases have to be taken into account.
A. Single-bit Errors
A very usual assumption consists in modeling the effect of laser shots as bit-flips. However, some previous work reported that bit-flips are not necessarily an adequate model.
Previous work [7] has shown that, at least in some experimental conditions, errors are unidirectional. Bits are in that case always modified in the same manner, setting them to either zero or one. Such effects lead to the error models called bit-reset or bit-set. It means that more or less bits will be sensitive to the perturbation, depending on the current state during the attack. The choice of the model may therefore have an impact on the resilience evaluation. Part of our work therefore aimed at identifying the impact of a given error model on the accuracy of early security evaluations for e.g., differential fault attacks.
Fault injection experiments were defined on the basis of a simple circuit example, implementing a 16-bit sequential integer multiplier. This circuit is part of those currently manufactured in 28 nm technologies within the project LIESSE, and will be used in further work to compare in details early analyses with the consequences of real laser attacks. No error detection or tolerance mechanism is implemented in this circuit. Errors can therefore either be silent, or lead to computation errors (or crashes). The external communication protocol is based on handshake so the differences in computation time are not taken into account for the classification; only the result value is checked. Crashes were very few so will not be explicitly discussed.
Exhaustive single-bit error injections have been performed (in all flip-flops, at each clock cycle, so a total of 11,410 injections) using first the functional validation testbench of the circuit, then several similar testbenches with random multiplication operands.
The first outcome is clearly the impact of the circuit state on the difference in the percentage of computation errors for the 3 models (bit-flip, bit-set, bit-reset). For this particular example with the validation testbench, bits are more often at zero than one so the bit-reset model leads to noticeably more "non-injected" errors, i.e. injections that do not modify the flipflop contents. About 3500 single-bit error injections have no impact for the bit-set model, while near 8000 injections have no impact for the bit-reset model.
The second outcome is related to the use of the fault injection results. Considering the total number of injected errors, bit-flips are the most critical errors with 40.1% computation errors, while the bit-reset model only leads to 5.9% computation errors and the bit-set model leads to 34.3% computation errors. However considering only the actual bit modifications obtained during the campaign, the most critical injections correspond to bits forced at one, with 49.5% computation errors in that case (while the percentage is 19.6% for bits forced at zero).
When using random multiplication operands, the percentages are different, but the qualitative comparison of the three models is the same. Table I illustrates a more detailed view, analyzing each register independently. The register criticality level is obtained with respect to the percentage of computation errors recorded after an exhaustive fault injection campaign with each of the error models. The percentage of computation errors noticeably differs from one model to the other. However, the classification in terms of criticality only slightly differs for the functional testbench. In all cases the state register (storing the current state of the Finite State Machine) is the most critical. After that, two groups of registers can be identified (Acc/MQ and Counter/B) with some inversions between bit-set or bit-reset. With random operands, results are similar for bit-flip and bit-reset, but slightly different for bit-set since the counter becomes the most critical register when "non-injected" errors are not considered. The choice of the right model to select for early fault injections therefore depends a lot on the designer intents. The bit-flip model creates more actual errors in the circuit but is more independent of the application characteristics. If those characteristics have to be taken into account, and if experiments have shown the feasibility of bit-set or bit-reset errors for a given technology, those models may lead to more accurate results, with in some cases significant differences in the error percentages. If the goal is to identify the most critical registers, the three models may lead to very similar results, at least for our case study, and in that case the bit-flip model may lead to more efficient fault injection campaigns.
B. Multiple-bit Errors
One of the key benefits of a laser source, as a tool to perform fault-based attacks, is its high precision locality, although a single laser shot may generate either single or multiple faults inside an integrated circuit. These characteristics must be taken into account by an RTL laser fault model assuming multiple-bit errors. Usual methods based only on fault injections for a given maximum error multiplicity are quite time-consuming and do not take into account the locality characteristics. Although at RT-Level it is not possible to precisely know the final placement of the element, it is possible to evaluate proximity on the basis of functional relationships.
There are two different categories of faults that can finally affect the circuit and potentially create an error. A fault may originate either from the combinational part or it can be directly injected inside a flip-flop (FF). Our proposed approach is attempting to unify these two different ways of introducing faults and model them with faults injected to the FFs of the design.
Our approach, as described in [8] , makes use of a logic cone partitioning methodology, capable of introducing the notion of locality to an early RTL analysis including the ability to model multiple faults. The developed tool uses the elaborated RTL netlist of a behavioral (VHDL) description. The elaborated netlist and its analysis are obtained thanks to the Verific front-end API [9] . The circuit under analysis is partitioned into intersecting functional blocks of combinational logic, called logic cones. Each cone starts from FFs of the circuit and/or primary inputs, and ends to another FF and/or a primary output. Given a subset of the circuit, assumed as the area under attack, we are then able to determine the sequential elements that may potentially contain an error.
Initially each attack is assumed to impact an entire logic cone and the application generates for each cone under attack a set of FFs that may potentially capture a fault. In a second step, depending on the results, this assumption can be modified to better focus laser attacks in suppressing some logic dependencies. Since we are able to know the functional relationship between the FFs of the design, we can also deduce information about the FFs that are likely to be attacked concurrently by a single laser shot, because of their potentially adjacent placement later in the design flow.
The method leads to the creation of a fault space with varying multiplicities for each attack depending on the functional relationship of the cone under attack with all the remaining cones of the circuit [10] . Then, multiple-bit errors are injected into each FF set (called cone-attack set). Our results show that the approach achieves a noticeable reduction of the size of the fault space, compared to random exhaustive multi-bit fault approaches, without even considering a maximum multiplicity for each attack. This way we can at the same time save computational resources for a fault injection campaign and take into account faults that are more realistic when we model a localized laser attack. Errors are injected to the FFs of the design so the approach is compatible with fast emulation techniques that can be very useful for an RTL evaluation.
As an example, Figure 3 shows the sets obtained for the 128-bit datapath of an AES cryptoprocessor. The largest coneattack sets include 62 FFs so errors with a maximum multiplicity of 62 may be injected for those sets. On the opposite, for all sets with only one FF, single-bit error injections are sufficient. In the classical approach, the maximum multiplicity would be defined more arbitrarily and errors would be injected randomly in the global set of 512 FFs. 
VI. CAD TOOLS
The proposed design flow is supported by several tools. In order to generate the databases of induced currents, MUSCA SEP3 has already been mentioned in section IV.
The multi-level simulation at electrical and logical level is supported by an open-source tool called "tLIFTING" [11] . This simulator is able to perform transistor-level simulations based on the laser-induced fault model (current curves) and then further logic-level simulation for the whole circuit in order to analyze propagations. In addition, an integrated layout parser can locate the affected transistors within a given illuminated zone. As an open-source tool, it was expanded to read the database that is generated by "MUSCA SEP3". Figure 4 sketches the whole architecture of the two different level simulators.
The simulation process is illustrated in Figure 5 . Starting from the laser's parameters, it is possible to extract the affected p-n junctions and look up the corresponding I(t) curves from the database. The faults are injected into the transistor-level circuit element description. After the transistor-level fault simulation for the affected gates, if the perturbation changes the state(s), the difference(s) will be translated to logic-level and returned to the whole circuit to finish the fault simulation at logic-level. At higher level, prototyping platforms are used in order to evaluate early in the design flow the functional consequences of errors. These platforms are based on commercial FPGA development boards, but specific tools have been developed in order to manage the injection process. Platform examples are cited in [12] .
VII. COUNTER-MEASURES
Several types of counter-measures are being developed in order to improve the circuit resilience to laser-based attacks. Some of them are based on functional detection, and can be applied at RT-Level. Others are related to the placement and routing phase. In this paper, we will detail a detection mechanism using a light sensor.
A. Structure of the Detector based on a Customised Cell
When a standard logic cell is entirely illuminated, all the laser-induced effects on the p-n junctions may cancel each other. Let's take the inverter in Figure 6 (a) as example. When both NMOS and PMOS are affected, the amplitude of the transient current pulse Iph_out is the difference between the generated photocurrent in all the affected transistors. Figure 6(b) shows the layout of the inverter INV2 in AMS C35 technology. For this cell (and for most of the cells in the library), the area of P+/N-well junction is larger than the N+/P-sub junction. Therefore, if the input value is set to 1, a positive current pulse Iph_out can be observed at the cell's output when a laser beam attacks the whole cell, and the cell output switches temporary from 0 to 1.
The principle of the proposed light sensor is to modify such an inverter for increasing Iph_dp and decreasing Iph_dn. Doing so, the current Iph_out will increase. Therefore it can easily force the next gate to switch. In other words, such a modified gate will be more sensitive to laser illumination than other standard cells. For that, we combined a large p-MOS transistor with a small n-MOS one. The resulting cell is called S_INVP3. The ratio of the P+/N-well area and N+/P-is 48:5, instead of 8:5 as in all standard inverter cells in this technology. S_INVP3 must be fed by the logic value 1. Thus, a laser illumination switches the detector output to 1 (instead of 0 in normal operation).
Similarly, we elaborated another sensor named S_INVN3. For S_INVN3, the ratio of the P+/N-well area and N+/P-sub is 8:30. Its input has to be set to 0 (i.e., its p-MOS transistor is on) in order to let the illuminated n-MOS provoke a negative pulse on the detector output that switches temporary to 0.
Since detector cells have the same height as other standard cells, they can be easily integrated into the design. Figure 7 shows the minimum current density to provoke the fault detection by our detector and to induce a transmissible transient in a standard cell. Clearly, the two proposed detectors are more sensitive to laser illumination than other standard cells. On average, the S_INVP3 is 6.5 times more sensitive than NAND2 whose input values are "10" and 18.9 times when its input values are "11". For S_INVN3, these ratios are 5.1:1 and 15.1:1.
B. Detector Sensitivity

C. Detection Architecture
The principle is to spread such cells in the layout. For gathering all detector signals to a single detection flag, the detectors are combined into a chain-based structure as shown in Figure 8 . For spreading the detectors into the layout, we grouped 80 detectors into 4 chains because the maximum input number of standard NAND/NOR cell is 4 for the used technology. All the detectors that are in the same chain are scattered as far as possible from each other. In the design, any adjacent four detectors do not belong to the same chain ( Figure 4) . The area cost for the detection structure is 4.17% of the total logic area that is protected.
We performed 2000 laser-induced fault simulations. In each experiment, the location of injected laser spot and the circuit input patterns are randomly chosen. The laser spot diameter is assumed to be 40 m, so it covers 20 standard cells. Table II shows the output error rate, the attack detection rate and the non-detected error rate. VIII. CONCLUSIONS This paper summarizes the main results obtained so far in the LIESSE project. Work is on-going to refine the tools and compare their outcomes with actual attacks on bulk and FDSOI prototypes.
