Abstract A successful detection of the stealthy dopant-level circuit (trojan), proposed by Becker et al. at CHES 2013 (LNCS 8086:197-214, 2013), is reported. The chip is delayered down to the contact layer, and images are taken with (1) an optical microscope, (2) SEM, and (3) FIB. As a result, the four possible dopant-well combinations, namely (i) p+/n-well, (ii) p+/p-well, (iii) n+/n-well and (iv) n+/p-well, are distinguishable in the SEM images. Partial but sufficient detection is also achieved with FIB. Although the stealthy dopant-level circuits are visible, they potentially make detection harder, because the contact layer must be measured. We show that imaging the contact layer is at most 16 times more expensive than imaging a metal layer in terms of the number of images. This is an extended version of the paper that appeared at CHES 2014, submitted to the JCEN special edition for CHES 2014.
Introduction
Chips are widely used as "roots of trust" in modern security systems. The trust originates from the properties that chip internals are difficult to inspect and/or modify. Limitations and improvements of such properties have been studied over the last decades in the chip security community. Recently, two related threats to these properties have been drawing attention: (i) hardware trojans and (ii) chip reverse engineering.
Hardware trojans are malicious modifications or implantations in circuit systems. An attacker uses a trojan as a backdoor to compromise the security of a chip. Threats of hardware trojans are emerging because of globalization [1]. Nowadays, many parties, e.g., IP vendors, design houses, foundries, assembly and testing companies, etc., are commonly involved in chip development. It might be that one party does not act according to the rules of the chip manufacturer under certain circumstances.
In chip reverse engineering, on the other hand, an attacker tries to recover a netlist (or ultimately the logical functionality) of a target chip. The attempt is made by investigating depackaged and delayered chips. The attacker is motivated, for example, (i) to make fakes, (ii) to obtain trade secrets, or (iii) to get an embedded secret key. For example, Nohl et al. successfully reconstructed the structure of a hidden cipher algorithm by reverse engineering an RFID chip [4]. Analysis techniques are catching up with shrinking CMOS processes. Torrance and James [5] mention that even a 45-nm chip can be reverse engineered.
The two problems are related. They can be modeled as a game between two players:
- Hider, who tries to hide something in a chip,
- Seeker, who tries to find the hidden something.
Note that the players Hider and Seeker appear throughout this paper. The labels are used because roles of an attacker and a defender are interchanged between the contexts of the hardware trojan and reverse engineering.
Seemingly, Hider is now at an advantage because of the stealthy dopant-level trojans proposed by Becker et al. at CHES 2013 [1]. In the stealthy dopant-level trojan, dopant types in the active region are modified. Becker et al. assume that measuring dopant types should be difficult even with scanning electron microscopy (SEM). If the assumption is true, then Seeker cannot find the trojan. Becker et al. showed a proof-of-concept modification and some realistic attack scenarios, which attracted much attention [6]. Such a modification in the active region is realistic especially when the trojan is implanted by a malicious foundry.
Soon after the proposal by Becker et al., an anti-reverse engineering technique called the diffusion programmable device (DPD) was proposed by Shiozaki et al. [3] . The stealthy dopant-level trojan and DPD have different purposes, but they use the same technique to camouflage themselves. Therefore, they are referred to as "stealthy dopant-level circuits" in this paper.
As a first contribution, the assumption behind the stealthy dopant-level circuits is examined with concrete experiments. Specifically, a dedicated chip containing DPD is measured with (a) an optical microscope, (b) SEM and (c) focused ion beam (FIB). As a result, we show that the stealthy dopant-level circuit is detectable, contrary to the assumption made by Becker et al. All four possible dopant-well configurations, namely (i) p+/n-well, (ii) p+/p-well, (iii) n+/n-well and (iv) n+/p-well, are distinguishable with SEM imaging. In addition, partial success is achieved with FIB imaging. The reason is explained by a technique called passive voltage contrast (PVC) [2] studied in the LSI failure analysis community [5, 7, 8].
Although the stealthy dopant-level circuits are visible, they potentially make detection harder, because the contact layer must be measured for detection. As a second contribution, the cost is estimated in terms of the number of images. We show that imaging the contact layer can be 16 times more expensive than imaging the first metal (M1) layer in our setup.
Stealthy dopant-level circuits

CMOS circuit fabrication
We first recall chip internals focusing on dopants. Figure 1 shows a cross-sectional view of a common CMOS circuit. It has a layered structure. The layers are created through a series of processes summarized in [9] :
1. create n- and p-wells,
2. deposit and pattern the polysilicon layer,
3. implant source and drain regions,
4. deposit and pattern metal layers.
Photomasks are used to determine the shapes of circuits in these processes. A goal of circuit designers is to design layouts that are then converted to the photomasks. In the stealthy dopant-level circuits, wells and dopants play important roles. In process 1, wells are formed by implanting a moderate concentration of dopant into the substrate. The implanted region is referred to as a p- or n-well depending on the type of dopant. Then, in process 3, the source and drain junctions are formed by doping a high concentration of dopant (shown as n+ and p+) into the wells. Here, the p+/n+ regions are called active regions. Finally, contact plugs are formed. They connect the p+/n+ regions to the upper metal layers.
Notation
There are four possible dopant-well combinations. They are denoted as (i) p+/p-well, (ii) p+/n-well, (iii) n+/p-well and (iv) n+/n-well in this paper. The corresponding dopant types are summarized in Table 1. Two different kinds of junction are formed: Ohmic and PN junctions. An Ohmic junction forms a resistor and a PN junction forms a diode.
Stealthy dopant-level trojans
Becker et al. proposed a new hardware trojan at CHES 2013 [1]. Their idea is to make a trojan just by modifying dopant types in the active region. They showed a proof-of-concept circuit modification to a CMOS inverter. If the modification is made, the output of the inverter is stuck at a constant. The mechanism behind the modification is explained below. Figure 2 (1) shows an original CMOS inverter. Figure 2 (2), (3) are modified ones. When the modification shown in Fig. 2 (2) is made, the output port Y is tied to VDD through a resistor formed by the n+/n-well. The connection between the port Y and GND is opened because of a diode formed by the n+/p-well. Therefore, VDD and GND are safely insulated. As a result, the output of the inverter is always high, i.e., it is stuck at 1. A stuck-at-0 fault is achieved by the alternative modification shown in Fig. 2 (3).
Such a simple principle leads to a variety of applications. Becker et al. showed example attack cases targeting (i) Intel Ivy Bridge RNG and (ii) iMDPL: a gate-level side-channel attack countermeasure.
An attempt to detect the trojan is made as follows [1, 10]. First, a target chip is depackaged and the bare chip is exposed. Then, the bare chip is delayered layer by layer through polishing or etching [4, 5]. The exposed layers are measured with an imager, e.g., SEM. Finally, the images are compared with golden images for possible differences [1]. Therefore, finding the trojan is as difficult as distinguishing dopant types in such images.
DPD: diffusion programmable device
DPD is an anti-reverse engineering technique inspired by the stealthy dopant-level trojan [3]. The idea is to make a programmable look-up table (LUT), similar to that of an FPGA, but programmed by dopant (cf. SRAM in an FPGA). There was a conventional dopant-based anti-reverse engineering technique [10, 11] on which the work by Becker et al. is based. However, DPD is the first academic publication on the topic to the best of our knowledge. Figure 3 depicts a schematic diagram of a design unit called the DPD logic element (DPD-LE). DPD-LE implements a 2-input LUT. The two inputs A and B are used to select one out of four terminals. The terminals S1, ..., S4 are connected to the dopant-programmed ROM. The ROM is made with the stuck-at-0 and stuck-at-1 modifications shown in Fig. 2. Note that for the sake of performance, the ROM in DPD-LE is simplified from the ones shown in Fig. 2. DPD-LE can be configured to any 2-input gate. Table 2 shows a truth table of example configurations.
Layout of the DPD-LE is shown in Fig. 4 where programmable regions are indicated with rectangles. Similar to the stealthy dopant-level trojan, logic functions using DPD-LE are identical except for dopant types in the programmable regions. 
Fig. 4 Layout of DPD-LE configured to XOR
An attempt at reverse engineering is conducted as follows. Chip images are taken in the same manner as for trojan detection. Then, the images are analyzed with an image processing tool to extract standard cells and interconnections [12]. To reverse engineer a circuit with DPD, Seeker needs to reveal the ROM contents S1, ..., S4. However, that is as difficult as finding the stealthy dopant trojan. Therefore, Seeker cannot recover a netlist from the images.
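The DPD-LE described above, modeled as an added example (not code from the paper or the DPD project). It assumes that inputs (A, B) select terminal S(1 + 2A + B), i.e. S1 for (0, 0) through S4 for (1, 1); this ordering reproduces the XOR configuration (S1, S2, S3, S4) = (0, 1, 1, 0) reported in the experiment section, and it shows why Seeker must recover the four ROM bits to name the gate.

```python
"""Model of a DPD logic element: a 2-input LUT whose entries S1..S4 are fixed
by dopant type. Added example; the (A, B) -> S index mapping is an assumption."""

from itertools import product

# All (A, B) input pairs in the order that indexes S1, S2, S3, S4.
INPUTS = tuple(product((0, 1), repeat=2))  # (0,0), (0,1), (1,0), (1,1)


def dpd_le(rom, a, b):
    """Output of a DPD-LE whose ROM contents are rom = (S1, S2, S3, S4)."""
    assert len(rom) == 4 and a in (0, 1) and b in (0, 1)
    return rom[2 * a + b]  # assumed terminal selection order


# Reference functions for the ten gates in the paper's 10x10 DPD array.
GATES = {
    "XOR":   lambda a, b: a ^ b,
    "XNOR":  lambda a, b: 1 - (a ^ b),
    "BUF_B": lambda a, b: b,
    "INV_B": lambda a, b: 1 - b,
    "BUF_A": lambda a, b: a,
    "INV_A": lambda a, b: 1 - a,
    "OR":    lambda a, b: a | b,
    "NOR":   lambda a, b: 1 - (a | b),
    "AND":   lambda a, b: a & b,
    "NAND":  lambda a, b: 1 - (a & b),
}


def rom_for(gate):
    """ROM contents (S1..S4) that configure the DPD-LE as `gate`."""
    f = GATES[gate]
    return tuple(f(a, b) for a, b in INPUTS)


def identify_gate(rom):
    """Seeker's last step: name the gate from recovered ROM bits.
    Returns None when the bits encode one of the six other 2-input functions."""
    rom = tuple(rom)
    for name in GATES:
        if rom_for(name) == rom:
            return name
    return None


def unnamed_rom_count():
    """How many of the 16 possible ROM contents are not one of the ten named gates.
    Every 2-input function is reachable, which is the 'any 2-input gate' claim."""
    return sum(1 for rom in product((0, 1), repeat=4) if identify_gate(rom) is None)


if __name__ == "__main__":
    xor = rom_for("XOR")
    print("XOR ROM:", xor, "->", identify_gate(xor))
    print("unnamed ROM contents:", unnamed_rom_count())
```

Two DPD-LEs with different ROM contents have identical layouts apart from the programmable regions, so without the bits every cell in the array looks the same to the image-processing step.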
Measurement principle
In this section, we first recall a measurement principle of SEM and FIB. Then, we explain a measurement technique called PVC [2] which potentially detects dopant types.
Measurement using SEM/FIB
SEM and FIB are common instruments for LSI failure analysis. Both can be used for imaging. Their advantage over optical microscopy is spatial resolution. The resolution of optical microscopy is restricted by the wavelength of light, around 200 nm, which corresponds to around 250-180 nm CMOS processes [4]. Therefore, SEM or FIB is indispensable for imaging chips fabricated with modern CMOS processes.
Although SEM and FIB are common in semiconductor industries and universities, they are much more difficult to obtain compared to other instruments like oscilloscopes. The Joint Interpretation Library of Common Criteria categorizes the equipment as "bespoke devices" [14]. The bespoke

The primary beam is different between SEM and FIB: electrons and ions are used, respectively.
PVC: passive voltage contrast
SEM/FIB can also be used to measure the surface voltage of a sample. That is because a static field formed by the surface voltage interferes with secondary electrons. As a result, the number of secondary electrons caught at the detector changes. A measurement based on this principle is called PVC. The method was developed in the 1990s and is now widely used. We refer to a paper by Rosenkranz as a good survey on the topic [2]. Voltage contrast images of DRAM and SRAM are found in the paper by Rosenkranz [2] and in one by Chen et al. [13], respectively.
The dopant configurations in Table 1 can be distinguished with PVC even when a chip is measured in the power-off state. In the following description, we consider a case wherein the contact plugs in Fig. 6 are measured with SEM. Figure 7 illustrates the mechanism. When the primary beam is accelerated by a voltage around 0.7 kV, the total number of secondary electrons emitted from the plug exceeds that of the injected primary electrons. As a result, the plug charges positively owing to the lack of electrons. At the same time, external electrons are supplied to the plug because of the voltage difference. In other words, the positive charge is shared by the whole conductive region reachable from the plug. The resulting surface voltage, in the stationary state, is determined by the mass of the region electrically connected to the contact plug.
The mass depends on the dopant-well configuration. That is attributable to the diodes formed by PN junctions as shown in Fig. 6. The conductive regions are illustrated in Fig. 8. The four figures correspond to the four dopant-well combinations. The conductive region is shaded. For example, the contact B has the smallest conductive region (i.e., the n+ region only) because of a reverse-biased PN junction illustrated as a diode. On the other hand, the contact A has the largest conductive region involving the p-well, n-well, and p-substrate. As a result, the masses of the conductive regions are ordered as the contacts A > C ≈ D > B. When the resulting surface voltages are compared, they are ordered as the contacts A < D < C < B. Note that the difference between the contacts C and D is caused by the diffusion potential at the p+/n-well.
When the plug charges positively, secondary electrons are attracted back to the plug, and thus fewer are measured at the detector. Therefore, the corresponding pixel in a SEM image becomes darker as the plug voltage gets higher (conversely, it becomes brighter as the voltage gets lower). As a result, the brightnesses of the plugs are ordered as A > D > C > B, or equivalently (i) p+/p-well > (iv) n+/n-well > (ii) p+/n-well > (iii) n+/p-well. Therefore, the dopant configurations in Table 1 can be distinguished by looking at contacts in SEM images.
Experiment
Setup
Experiments are conducted using a chip implementing DPD. The chip is fabricated using the Rohm 180-nm CMOS process. All metal layers are removed by mechanical polishing. As a result, the chip exposes its contact layer (see Fig. 6). The process is destructive and thus the chip is inoperative after the preparation. Figure 9 shows an optical microscopy image of the prepared chip. The figure shows a DPD array containing 10×10 DPD-LEs configured to different 2-input logic gates. These are the XOR, XNOR, BUF_B, INV_B, BUF_A, INV_A, OR, NOR, AND, and NAND gates as shown in Fig. 9.
A Hitachi High-Technologies S-5200 SEM and an FB-2100 FIB are used for the experiments.
Experiment 1: distinguishing dopant types
The contact layer of a DPD-LE configured to 2-input XOR is measured. Results are shown in Fig. 10. Figure 10 (1) is a drawing of the layout. The programmable regions for S1, ..., S4 are indicated by rectangles. In the XOR configuration, (S1, S2, S3, S4) = (0, 1, 1, 0). Figure 10 (2), (3), (4) are images taken with (2) an optical microscope, (3) SEM, and (4) FIB. The many dots found in the images are contact plugs. The rectangles indicate the programmable regions (see Fig. 4). Dopant types are undetectable by optical microscopy, as shown in Fig. 10 (2). Meanwhile, the contacts show different brightnesses in the SEM/FIB images in Fig. 10 (3) and (4). In the SEM image shown in Fig. 10 (3), the brightnesses of the contacts are (p+/p-well, p+/n-well, n+/p-well, n+/n-well) = (white, dark grey, black, light grey), as expected from Sect. 3.2. Therefore, the four possible configurations are distinguishable. In the FIB image shown in Fig. 10 (4), on the other hand, (p+/p-well, p+/n-well, n+/p-well, n+/n-well) = (white, white, black, white). Only the n+/p-well is distinguishable from the others with FIB.
Only a partial differentiation is achieved with FIB. However, that is sufficient for recovering the stored values in S1, ..., S4, as shown in Fig. 10 (4). Similarly, the dopant-level trojan is detectable if n+/p-well is distinguishable from the others. That is because n+/p-well is replaced with the others after the modifications, as shown in Fig. 2. Note that FIB has several parameters to explore. Therefore, the result can be improved with other acceleration voltages, ions, and gases.
The same experiment is repeated for other DPD-LEs configured to other logic gates. Results are shown in Fig. 11. We can observe different brightnesses depending on the S1-S4 configurations, which correspond to the ROM contents in Table 2. The results also indicate that the measurements are well reproducible.
Experiment 2: distinguishing dopant types under various measurement conditions
In the presented method, the M1 layer must be removed to electrically isolate the contacts. For this purpose, Seeker needs to measure the contact layer in addition to the metal layers. Therefore, Seeker must pay an extra cost to analyze the stealthy dopant-level circuits. One metric to evaluate the cost of detection is the number of images. That is because (i) usage of an instrument (e.g., SEM) is sometimes charged per hour [15], and (ii) the computational cost to process the acquired images should depend on the data size. The relationship between (i) the number of images and (ii) the gate count is estimated in the "Appendix".
To estimate the cost, the chip is measured under different configurations: (i) acceleration voltage, (ii) scan speed, and (iii) magnification. Table 3 summarizes the examined configurations and the corresponding brightnesses of contacts. The acquired images are shown in Fig. 12.
First, the difficulty of detecting non-dopant patterns is discussed. It is common practice to use patterns in the M1 layer to identify types of standard cells [12, 16]. Therefore, this layer is a suitable counterpart for comparison. Images Fig. 12 (2) and (3) are SEM images acquired at magnifications of 400× and 1.5k×, respectively. The contacts are not visible in Fig. 12 (2). Therefore, the magnification of 1.5k× is needed to image contacts. Patterns in the M1 layer that lead to standard-cell identification are of similar dimension to contacts [16]. Therefore, we assume that the magnification required to measure the M1 layer is 1.5k× in the following discussion.
If we want to distinguish all four dopant-well configurations, case (5) in Table 3 is the only option. In that case, the magnification should be at least 6.0k×. Therefore, the number of images is 16 (= (6.0k/1.5k)^2) times larger than that of the M1 layer. In summary, the additional cost for Seeker to find the stealthy dopant-level circuits is the cost of imaging one additional layer (i.e., the contact layer). This layer is 16 times more costly to image than the M1 layer.
As also described in Sect. 4.2, partial differentiation is sufficient for recovering S1, ..., S4. More specifically, distinguishing one of the four dopant-well configurations from the other three is sufficient. Such a detection succeeds in the cases (1), (3), (5), (6), (7), and (9). Therefore, the 1.5k× magnification is sufficient. That is the same as the one required for the M1 layer. As a result, the additional cost for detecting these circuits is very limited, i.e., the cost of imaging the contact layer at the same magnification as the M1 layer.
Finally, we discuss how to determine the dopant-well configurations given images only. That is not trivial because the relationship between brightnesses and dopant-well configurations is not consistent across measurement conditions, as shown in Table 3. One possible solution is to conduct profiling using an open sample fabricated with the same CMOS process. Even without open samples, we can make an educated guess, because references are found everywhere in the chip. Important landmarks are the lines of contacts marked in Fig. 11. They are used to tie the p/n-well voltages to VDD/GND, thus they should be p+/p-well and n+/n-well. Since wells are regularly placed, contacts near the line of p+/p-well contacts should be either p+/p-well or n+/p-well. In that way, Seeker can efficiently find reference contacts for the four dopant-well configurations. Such a guess is easier if standard cells are found in the chip.
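Seeker's classification step, written as an added example that is not code or data from the paper. It encodes the SEM brightness ordering from Sect. 3.2 (p+/p-well > n+/n-well > p+/n-well > n+/p-well), the landmark heuristic above (well-tap contact lines are known p+/p-well and n+/n-well references, and a contact in a given well can only carry one of two dopants), and the FIB case where only n+/p-well is dark. The `Contact` records, gray values and tolerance are constructed for illustration, not measurements.

```python
"""Classify contact plugs by PVC brightness relative to well-tap references.
Added example; all intensities are constructed 8-bit gray values."""

from dataclasses import dataclass
from statistics import mean

# Bright-to-dark order of the four configurations in SEM images (contacts A > D > C > B).
SEM_ORDER = ("p+/p-well", "n+/n-well", "p+/n-well", "n+/p-well")


@dataclass
class Contact:
    name: str
    well: str            # "p" or "n": known from the regular placement of wells
    gray: int            # plug brightness, 0 (black) .. 255 (white); constructed
    is_tap: bool = False  # lies on a well-tap contact line (reference landmark)


def reference_levels(contacts):
    """Mean brightness of the tap lines: p-well taps are p+/p-well, n-well taps n+/n-well."""
    refs = {}
    for w in ("p", "n"):
        taps = [c.gray for c in contacts if c.is_tap and c.well == w]
        if not taps:
            raise ValueError(f"no {w}-well tap contacts available as reference")
        refs[w] = mean(taps)
    return refs


def classify(contacts, imager="SEM", tol=20):
    """Label each contact. A plug as bright as its well's tap shares the tap's dopant;
    a clearly darker one carries the opposite dopant (n+/p-well in a p-well,
    p+/n-well in an n-well). With FIB both n-well configurations look white, so
    n-well contacts are reported as None (undetermined)."""
    refs = reference_levels(contacts)
    same = {"p": "p+/p-well", "n": "n+/n-well"}
    other = {"p": "n+/p-well", "n": "p+/n-well"}
    labels = {}
    for c in contacts:
        if c.is_tap:
            labels[c.name] = same[c.well]
        elif imager == "FIB" and c.well == "n":
            labels[c.name] = None
        elif abs(refs[c.well] - c.gray) <= tol:
            labels[c.name] = same[c.well]
        elif refs[c.well] - c.gray > tol:
            labels[c.name] = other[c.well]
        else:
            # Brighter than its own tap contradicts the PVC ordering for this well:
            # the measurement condition needs profiling on an open sample first.
            raise ValueError(f"{c.name} is brighter than its well tap; re-profile")
    return labels


def observed_order(contacts, labels):
    """Dopant-well labels sorted bright to dark by mean plug brightness."""
    groups = {}
    for c in contacts:
        if labels[c.name] is not None:
            groups.setdefault(labels[c.name], []).append(c.gray)
    return tuple(sorted(groups, key=lambda k: -mean(groups[k])))


# Constructed SEM sample: two tap lines plus four programmable-region contacts.
SAMPLE_SEM = [
    Contact("ptap1", "p", 242, True), Contact("ptap2", "p", 238, True),
    Contact("ntap1", "n", 168, True), Contact("ntap2", "n", 172, True),
    Contact("S1", "p", 30), Contact("S2", "n", 100),
    Contact("S3", "p", 238), Contact("S4", "n", 172),
]
# Constructed FIB sample: everything white except the n+/p-well contact.
SAMPLE_FIB = [
    Contact("ptap1", "p", 250, True), Contact("ntap1", "n", 250, True),
    Contact("S1", "p", 20), Contact("S2", "n", 250), Contact("S3", "p", 248),
]
```

Mapping the resulting labels of the programmable regions to the stored bits still requires the region-to-bit encoding from Fig. 2 or a profiled open sample, which this example deliberately leaves as an input.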
Conclusion
The assumption behind the stealthy dopant-level circuits (i.e., the stealthy dopant-level trojan and the diffusion programmable device) is examined with concrete experiments. As a result, it is shown that all four possible dopant-well combinations are distinguishable with SEM. It is also shown that the stealthy dopant-level circuits are resistant to optical microscopy; however, that brings only limited practical benefit because modern CMOS circuits are already smaller than the limit of optical microscopy. To detect the stealthy dopant-level circuits, the contact layer must be measured. Additional experiments revealed that this layer can be 16 times more costly than the M1 layer in terms of the number of images. The results show that the assumption used in the previous works, that dopant types are difficult to measure, was too optimistic.
The feasibility of the presented method in advanced CMOS processes smaller than 180 nm is worth discussing. The spatial resolution of SEM, which is around 1 nm, is sufficient for state-of-the-art processes. In addition, the mechanism behind the measurement described in Sect. 3.2 is not restricted by physical dimension. However, additional experiments are needed to verify whether the resulting voltage difference is detectable with an electron detector. Therefore, the limitation of the presented technique, in terms of target process, remains open. To the best of our knowledge, there is successful PVC imaging of a 65-nm SRAM [17]. An image processing technique to automatically recognize dopant types will be needed to discuss the limitation quantitatively.
Making a PVC-invisible circuit can be an interesting research topic. Since the measurement principle is known, we can possibly make a circuit that is invisible to the measurement. For example, the high contrast at p+/p-well could be reduced if the p-well is isolated from the substrate by a deep n-well, which is available in a triple-well process. Meanwhile, the principle hints that a dopant modification is undetectable by PVC if the modifications are limited to regions not connected to contact plugs. Making a meaningful circuit under this restriction is an interesting challenge. However, we stress that PVC is just one of many measurement techniques. Other options involve the active voltage contrast method and PVC combined with FIB circuit modifications [2]. Therefore, it is more important to make a reasonable assumption that considers these techniques before rushing into studies of improved circuits/trojans. Knowledge in the LSI failure analysis community will help, because we need to know the state-of-the-art measurement techniques to make a reasonable assumption.
From the viewpoint of trojan detection, cost matters, because detection becomes more expensive as chip size increases. It is estimated that we need 5.16 shots/kGE (see "Appendix"), but mega-gate chips are common now. One possible direction for settling the problem is to use a built-in testing instrument. The problem of finding a trojan in a chip may then be reduced to the smaller problem of finding one in the testing instrument. However, Becker et al. already showed an example of bypassing a built-in self test (BIST) without modifying the BIST itself. Building a sophisticated testing instrument will be an interesting research direction.
Another important viewpoint is the dilemma between the goals of trojan detection and anti-reverse engineering. We want Hider to win the game in reverse engineering and Seeker to win in trojan detection at the same time. The problem of finding a new technique that satisfies both requirements remains open. An important observation is that there are asymmetric capabilities between trojan attackers and circuit engineers. For example, circuit engineers are allowed to modify metal layers while the (dopant-level) trojan attackers are not.
