Mobile QR Code

1. (School of Computer and Communication Engineering, Changsha University of Science and Technology, Changsha 410114, China)
2. (Department of Information Technology, Hunan Police Academy, Changsha 410138, China)

Scan design, noninvasive attack, crypto chips, low overhead

## I. INTRODUCTION

Some emerging technologies, such as wireless sensor networks and internet of things (1-5), have been developed quickly in recent years and their security has been seriously concerned. Simultaneously, the security issue of the underlying hardware has also received more and more attentions (6-9). Scan-based design is one of the commonly used Design-for-Testability (DFT), which has significantly simplified the process of manufacturing test. However, due to its high controllability and observability, secret information inside chips may be stolen through this structure. Recently, the scan-based side-channel attacks have shown that attackers can analyze intermediate data to get important information inside chips through the scan design (10,11). Studies in (12-15) have shown that keys stored in chips with Advanced Encryption Standard (AES), RSA, Elliptic Curve Crypto systems (ECC) and Data Encryption Standard (DES) have been cracked successfully. To eliminate this potential crisis, many methods have been proposed.

A thorough way to defend against scan-based attacks is to cut off the polysilicon fuses after the test of the chip has been finished, which makes further access unavailable (16). However, this significantly compromises the testability because the scan chain is also used to connect to an external five-pin joint test action group (JTAG) interface which makes it capable to debug infield (17). BIST proposed in (18,19) does not need users’ test data and thus prevents attackers from accessing the secret key, but the fault coverage got compromised compared with the levels of scan test and ATPG.

Mirror Key Registers proposed in (14) is to isolate the key to an additional register to prevent it from entering the scan chain under test mode. Although simple and effective, the scheme considerably influences the test procedure. The method needs a separate test procedure in which the large part related to the key is tested in secure mode while another small part independent of the key is tested in insecure mode. The large test cost in secure mode adversely affects the test time and coverage. Advanced industrial DFT structures, like decompressors and X-masking in (21) which are considered firmly secure against scan-based attacks (22), still have been attacked shown in (23).

Instead of directly preventing from accessing the key information, Virtually Impervious Scan (VIm-Scan) (20) uses an additional test key to realize the authentication before the data can be scanned out. It introduces a “pattern matching block” which stores a set of M N-bit test keys. Users must firstly input correct keys, otherwise the output will be all zeros. The main overhead of the scheme is dependent on the length and number of random test keys. The security of the scan design provided by this scheme relies on the probability of matching M N-bit test keys with input patterns loaded into the scan chain. The scheme can provide high security when M*N is enough large, but the scan-out data being all zeros when all test keys have not been matched may give attackers an obvious signal and there is no input restriction that allows attackers to wildly input. This may increase the possibility to crack the test keys.

In (25), the authors propose a solution of obfuscating scan data to prevent attackers from analyzing the output data. The unauthenticated users should also firstly input an N-bit additional test key. After the N-bit test key has been loaded into SR (an additional chain designed to store the test key), the input of SR will be locked. When the test key is not correct, N scan flip-flops (SFFs) of scan chain randomly selected will dynamically change their mode between normal and test, which may fail attackers to analyze from the output data. The overhead of the scheme will increase with the increase of the length of the test key. When the length of test key is short, the time used to crack the test key will also be short. The similar schemes based on data obfuscation are also presented in (24,25,32).

In this paper, we will propose a new solution for obfuscating scan data with higher security and lower overhead. The rest of the paper is organized as follows. In Section II, we present the proposed technique. In Section III, experimental results are presented to analyze the proposed scheme. In Section IV, we will discuss an improved scheme against certain attacks. We conclude in Section V.

## II. PROPOSED LOW-OVERHEAD SOLUTION AGAINST SCAN ATTACKS

The proposed secure scan design uses test authorization mechanism to protect the chip. It makes full use of the scan chain itself to store the test authorization key, i.e, some scan cells in the scan chain are chosen to serve as test authorization key storage units. If the users can not load the correct test authorization key at the beginning of testing, then the test input data can no longer enter the scan chain while the test output data will also be confused. The proposed secure scan design requires very low overhead, which is the most significant advantage compared with the existing similar schemes.

The proposed secure scan design is shown in Fig. 1. It separates the scan chain into three parts. The first part is used to store test authorization key, the third part is used to obfuscate scan data and the second part is used to generate the end flag while completely inputting the test authorization key. The secure scan design introduces N NAND gates which are hard-wired with the $Q$ or $\overline{Q}$ output of N randomly chosen scan flip-flops (marked as test key cells key[i]) among the first part of the scan chain. All the output of the N NAND gates are connected to a multiple-input AND gate G1, and the output of G1 is used as the clock signal of D1 which can lock the control signal EN to high level with a rising edge. The inverse of EN (i.e. $\overline{EN}$ ) is also wired to an input of each NAND gate. The value of key[i] (1≤i≤N) is decided by the connection style, i.e, key[i]=0/1 if the $Q$ /$\overline{Q}$ output is connected to the NAND gate. When the circuit is reset, $EN$=0 and $\overline{EN}$=1. After the right test key is loaded, $EN$ should become ‘1’. Otherwise, $EN$ keeps zero. The output of N NAND gates are also connected to some AND gates randomly inserted among the third part of the chain to obfuscate scan data when the inputted test key is incorrect.

The End_Flag signal, which is the $\overline{Q}$ output of an SFF (named flag scan flip-flop) randomly selected among the second part of the chain, is used to judge whether the test key has been delivered completely. When the circuit is reset, End_Flag=1. Once the scan test starts, a transition from low level (‘0’) to high level must be sent via SI as Start Signal. As SI transitions from ‘0’ to ‘1’, the $Q$ output of rising-edge flip-flop D2 becomes ‘1’. At this situation, input_lock signal (the output of AND gate G3) becomes ‘1’ since the output of D3 is 1 at the beginning. The tri-state buffer G4 is enabled, so the test key can be delivered. The test key should pass through the first part of the scan chain in which the authentication is performed.

Fig. 1. Proposed scan design with low overhead for obfuscating scan data.

When the Start Signal arrives in the flag scan flip-flop, End_Flag changes to low level (‘0’) which means the loading of the test key has been finished. Then the low-level value of End_Flag will be transmitted to the input restriction circuit between SI and the first SFF of the scan chain. If the loaded key is right, $EN$ should be changed from ‘0’ to ‘1’ before the Start Signal has been transmitted to the flag scan flip-flop. In this case, the output of NOR gate G2 will remain low level (‘0’) although the value of End_Flag changes later. So, the clock of D3 will never be activated, and input_lock will keep ‘1’. Then the scan chain will always work normally. If the loaded test key is wrong, $EN$ is still in low level (‘0’) when End_Flag changes to low level (‘0’). In this case, the output of NOR gate G2 will generate a transition from ‘0’ to ‘1’. So, the clock of D3 is activated, ‘1’ will be locked into D3, and input_lock will become ‘0’. The test data cannot be delivered from SI. The data of the first part of the chain will be shifted circularly to dynamically obfuscate the scan out data in the third part of the chain. Because the big AND gate G1 is also driven by input_lock, the test authorization key can be no longer checked for match after input_lock changes to ‘0’.

The timing diagrams of the signals during authentication process are shown in Fig. 2. M and P are the length of the first part of the scan chain and the location of flag SFF, respectively. In the figure we can see that End_Flag, input_lock and $EN$ are initialized to ‘1’, ‘0’, and ‘0’, respectively. The first “0®1” transition inputted from SI causes input_lock signal becoming high level to enable the input from SI. After M clocks, if the inputted test key is right, the $EN$ signal will change to high level and the input_lock will remain in high level. When the inputted test key is incorrect, the $EN$ signal will remain in low level and the input_lock signal will change to low level to switch the input of the scan chain from SI to End_Flag.

Users who want to correctly input the test key should firstly send a high level to enable the tri-state gate G4 connected with SI, which will also finally become the end flag signal outputted from the flag scan flip-flop mentioned above. Before End_Flag changes to low level, the right test key should be inputted. Otherwise, the SI of the chain will be locked and the data in the first part of the scan chain will be shifted circularly clock by clock. One input of the AND gate inserted in the third part of the chain is fed by a test key cell via a NAND gate. If the input is 0, the adjacent SFF can only receive zero. The scan-out obfuscation arises if the real value is ‘1’.

Fig. 2. Timing diagram of the signals in authentication operation.

The proposed scheme just introduces the input restraint circuitry, a multiple-input AND gate and some NAND gates which brings slight impact on the chip implementation flow. Details will be discussed as follows. Because we just use some outputs of scan cells among the first part of the scan chain as signals to realize authentication, and insert some AND gates on scan path in the third part, there will be no impact to the design and layout of the original design. After the secure scan design insertion and placement, the tests will be performed by fab, assembly and other testers in supply chain. These authorized testers just need to input test patterns generated before and analyze the responses.

In addition, the proposed scheme can also be used to strengthen the security of the scan-tree in (33). We can randomly choose a scan path in the tree to serve as the scan chain in Fig. 1. Once the test key is wrong, the input of the root node will be disabled and the data obfascation will occur at leaf nodes of the tree.

## III. ANALYSIS AND RESULTS

In this section, We will analyze the testability, security and overhead of the proposed design. Then we will compare our design with some other countermeasures.

### 1. Analysis of Testability

Once the test key has been input correctly, the $EN$ signal will be locked to “1” forever. The output of NAND gates of the first part of the scan chain will be all high levels and the obfuscation function of the third part of the chain will be no longer in force. The input of the scan chain will be stuck at SI forever. The scan chain will finally work normally which means test vectors and test responses will finally be inputted and outputted normally.

The circuitry introduced by the proposed design can not be tested and should not be testable. But it is easy to judge the correctness of this part of the circuitry by just loading the correct test key to see if the scan chain is working normally. If the output of the scan chain is incorrect when the correct test key has been inputted, the circuitry is wrong, otherwise the circuitry is correct.

### 2. Analysis of Security

Supposing that the length of the first part of the scan chain is M and the length of the test key is N(N <= M),adversaries who know the exact number and position of the N-bit test keys should have 1/2$^{N}$ probability to input the correct test key. However, if they don’t know the details of the test key, the probability should be less than 1/2$^{N}$ because the test key is randomly distributed in a longer scan chain. When N = 100 and M = 200, the probability will be less than 7.89e-31 and should be closer to 6.22e-61 depending on the randomness of the distribution of the test key. For the data in the scan chain having been shifted circularly in the first part and obfuscated in the third part, it should not be able to analyze the positions of certain SFFs through the output of the scan chain. As the input is blocked in the middle and the output will be changed in an unknown way before the correct test key has been inputted, any malicious data will finally be obfuscated into an unpredicted state and adversaries should not be able to build association between the input and output. Based on the advantages mentioned above, the scheme can excellently resist such attacks like differential attack (23), reset attack and test mode only differential attack (31), etc.

### 3. Analysis of Overhead

The proposed scheme, called LOOS (Low-Overhead Obfuscating Scan) for convenience, costs a very low overhead. The experiment is conducted on scan designs for pipelined (26) and iterative AES circuits with Key scheduling(KS) (27) and the result is shown in Table 1. The suffix 64 and 128 in column two are the length of the test key implemented. In column three, there are four sub-columns which respectively show the area cost of the original design, scan design, proposed security scan design and the increment of the proposed scheme compared to the scan design. We implemented the netlists of the original designs with Synopsys Design Compiler and added the scan chain by using Synopsys DFT Compiler. After that, we inserted the proposed part of the circuit into the netlists and then synthesized them with Synopsys Design Compiler. The costs of the area are represented by square micrometers (µm2).

The additional part of the circuit is inserted in the scan path, rather than the functional path. Consequently, no timing overhead will be caused in the functional mode.

What’s more, the proposed scheme is also compared with some other countermeasures which include MKR (14), mode-reset (28), SOSD (29), DOSD (25), DOS (32), PUF (24) and SDSFF (30) and the results are shown in Table 2. The test key of the proposed scheme can be placed in the first set of the test stimuli used in the normal test so there will be no extra time overhead used to realize authentication. While other countermeasures like SOSD (29) and DOSD (25) shown in the last column of Table 2 need extra time to input the test key before the normal test. In addition, the online test of MKR (14) scheme is not available though it is secure. In this case, the proposed scheme should be better. The area overhead is calculated by the standard as same as what is used in Table 1, typified by the pipelined AES core. We can see that the proposed scheme cost relatively low compared to other countermeasures in Table 2. The mode reset (28) countermeasure costs a lot but still being incapable to resist test-mode-only attacks. Although secure, SDSFF (30) is not practical for its inevitable defects. The scheme can’t maintain the original fault coverage when any fault occurs in the circuit under test.

Table 1. Area overhead of the proposed scheme

 AES Scheme Area(µm2) ∆A (%) original scan secure ∆A Pipelined LOOS-64 112332.9 116022.3 116116.0 93.7 0.08 LOOS-128 116202.2 179.9 0.15 Iterative LOOS-64 15856.3 16596.0 16689.8 93.8 0.56 LOOS-128 16775.9 179.9 1.07

What’s more, there are also some other ways to realize the protection, such as the secure JTAG proposed in (34). However, the protection circuit in the proposed scheme is inside the chip, and it can achieve higher security because attackers can never bypass the protection circuit.

As mentioned above, the proposed scheme is better not only because it incurs low time and area overhead but also because it should be more secure than many existing countermeasures.

## IV. AN IMPROVED SCHEME AGAINST CERTAIN ATTACK

In some situations, adversaries may know the exact positions of critical registers in the scan chain. With the information of these positions, they can construct a specific set of sequences and analyze from the primary output response to steal secret information. As such attack is based on the knowledge of the positions of critical registers in the scan chain, with our design, such attack will take effect only when these critical registers are all distributed among the first part of the scan chain. To eliminate such potential crisis, we can use the structure shown in Fig. 3 in some critical registers to resist such attack. We use an OR gate with input of the inverse of $EN$ and TC to lock some critical registers’ mode to normal mode. When $EN$ is in low level, the output of the OR gate should always be in high level. The inputs of these registers are bypassed by additional registers which can also be used as test key registers. When $EN$ changes to high level, the output of these 2-to-1 multiplexers controlled by $EN$ will change to the original SFFs’ output and the scan chain will work normally.

Table 2. Comparison with some other countermeasures

 design area overhead (%) Security testability influence test time influence vulnerability key cracking probability LOOS-128 0.15 NONE ≤1/2128, related to the key distribution range NONE NONE MKR [14] 0.19 NONE inapplicable can not test secret key registers in test mode Online test is not available Mode reset [28] ~10 Test-mode-only attack negligible NONE NA SOSD-128 [29] 0.34 TMOSA 1/2128 Nil needing N clocks to input test key before normal test DOSD-128 [25] 0.47 NONE 1/2128 Nil PUF-128 [24] 3.80 NONE 1/2128 Nil DOS [32] 2.01 memory attack 1/2m*n Nil NA SDSFF-100 [30] 0.25 NONE 1/25 Influenced by existing faults in the circuit under test NA

Notes: m and n denotes the number of and the length of scan chains in [32].

Fig. 3. Improved secure scan design against certain attack.

These 2-to-1 multiplexers are located in the scan path. When the circuit is working normally, the additional logic will keep inactive because the signal will no longer go through these 2-to-1 multiplexers. Thus, no extra timing overhead is increased in the normal mode

## V. CONCLUSIONS

In this paper, we have illustrated a simple and effective scheme with very low overhead and enough security for obfuscating scan data against scan-based side-channel attacks in cypher chips. The method provides security by restricting the input and dynamically obfuscating scan-out data to prevent attackers from wildly inputting data and analyzing secret information from the output data. The proposed solution costs significantly low overhead compared to existing schemes and can easily improve the security by adding test key length with just some NAND gates.

### ACKNOWLEDGMENTS

This work was supported in part by the Open Research Fund of Hunan Provincial Key Laboratory of Network Investigational Technology under Grant No. 2018WLZC002, the Natural Science Foundation of Hunan Province under Grant No. 2020JJ5604 and 2020JJ4622, the National Natural Science Foundation of China under grant No. 61702052, adn the Scientific Research Fund of Hunan Provincial Education Department under grant No.18A137.

### REFERENCES

1
Yin B., Wei X., April 2019, Communication-Efficient Data Aggregation Tree Construction for Complex Queries in IoT Applications, IEEE Internet of Things Journal, Vol. 6, No. 2, pp. 3352-3363
2
Wang J., Gao Y., Liu W., 2019, An intelligent data gathering schema with data fusion supported for mobile sink in wireless sensor networks, International Journal of Distributed Sensor Networks, Vol. 15, No. 3, pp. 1-9
3
Wang J., Gao Y., Yin X., 2018, An Enhanced PEGASIS Algorithm with Mobile Sink Support for Wireless Sensor Networks", Wirel. Commun. Mob. Comput., vol. 2018, Article ID 9472075, 2018., Wirel. Commun. Mob. Comput., Vol. 2018, No. Article ID 9472075
4
Li W., Chen Z., Gao X., 2019, Multi-Model Framework for Indoor Localization under Mobile Edge Computing Environment, IEEE Internet Things J., Vol. 6, pp. 4844-4853
5
Wang J., Gao Y., Liu W., Wu W., 2019, An Asynchronous Clustering and Mobile Data Gathering Schema based on Timer Mechanism in Wireless Sensor Networks, CMC Comput. Mater. Contin. 2019, Vol. 58, pp. 711-725
6
Zhang J. L., Shen C., Su H., Arafin M. T., Qu G., 2021, Voltage Over-scaling-based Lightweight Authentication for IoT Security", IEEE Transactions on Computers, 2021, IEEE Transactions on Computers
7
Wang W., Wang X., Wang J., Xiong N. N., Cai S., Liu P., 2020, Ensuring Cryptography Chips Security by Preventing Scan-Based Side Channel Attacks With Improved DFT Architecture, IEEE Transactions on Systems Man Cybernetics-Systems
8
Zhang J. L., Wang W. Z., Wang X. W., Xia Z. H., Mar. 2017, Enhancing security of FPGA-based embedded systems with combinational logic binding", J. Comput. Sci. Technol., Vol. 32, No. 2, pp. 329-339
9
Zhang J., Qu G., Aug 2020, Physical Unclonable Function-based Key-Sharing via Machine Learning for IoT Security, IEEE Transactions on Industrial Electronics, Vol. 67, No. 8, pp. 7025-7033
10
Ali S. S., Sinanoglu O., Karri R., 2014, Test-mode-only scan attack using the boundary scan chain, in Proc. 19th IEEE Eur. Test Symp. (ETS), Vol. paderborn, No. germany, pp. 1-6
11
Tehranipoor M., Wang C., 2011, Introduction to Hardware Security and Trust, New York, Vol. ny, No. USA: Springer
12
Yang B., Wu K., Karri R., 2004, Scan-based side-channel attack on dedicated hardware implemen-tations of data encryption standard, in Proc. Int. Test Conf. (ITC), Washington, DC, USA, pp. 339-344
13
Nara R., Togawa N., Yanagisawa M., Ohtsuki T., jan. 2010, Scan-based attack against elliptic curve cryptosystems, in Proc. Asia South Pacific Design. Autom. Conf. (ASPDAC), Vol. taipei, No. taiwan, pp. 407-412
14
Yang B., Wu K., Karri R., Oct 2006, Secure scan: A design-for-test archi tecture for Crypto chips, IEEE Trans. Comput.-Aided Design Integr., Vol. 25, No. 10, pp. 2287-2293
15
Nara R., Satoh K., Yanagisawa M., Togawa N., Commun Comput Sci, Scan-based side channel attack against RSA cryptosystems using scan signatures, IEICE Trans. Fundam. Electron., Vol. E93-A, No. 12, pp. 2481-2489
16
Kömmerling O., Kuhn M. G., may 1999, Design principles for tamper-resistant smartcard processors, in Proc. USENIX Workshop Smartcard Technology, Vol. chicago, No. il, pp. 9-20
17
Josephson D., Poehhnan S., 2001, Debug methodology for the McKinley processor, in Proc. Int. Test Conf., Vol. baltimore, No. md, pp. 451-460
18
Hafner , 1991, Design and test of an integrated cryptochip, IEEE Design and Test of Computers, pp. 6-17
19
Zimmermann , Mar 1994, A 177 Mbit/s VLSI Implementation of the International data Encryption System, IEEE Journal of Solid-State Circuits, Vol. 29, No. 3
20
Paul S., Chakraborty R. S., Bhunia S., May 2007, Vim-Scan: A low overhead scan design approach for protection of secret key in scan-based secure chips, in Proc. 25th IEEE VLSI Test Symp., Vol. Berkeley, No. CA, USA, pp. 455-460
21
Yu T., Cui A., Li M., Ivanov A., may 2015, A new decompressor with ordered parallel scan design for reduction of test data and test time, in Proc. IEEE Int. Symp. Circuits Syst. (ISCAS), Vol. lisbon, No. portugal, pp. 641-644
22
Liu C., Huang Y., May 2007, Effects of embedded decompression and compaction architectures on side-channel attack resistance, in Proc. 25th IEEE VLSI Test Symp. (VTS), Vol. Berkeley, No. CA, USA, pp. 461-468
23
Da Rolt J., Di Natale G., Flottes M.-L., Rouzeyre B., oct. 2013, A novel differential scan attack on advanced DFT structures, ACM Trans. Design. Autom. Electron. Syst., Vol. 18, No. 4
24
Cui A., Chang C. H., Zhou W., Zheng Y., A New PUF Based Lock and Key Solution for Secure In-field Testing of Cryptographic Chips, IEEE Transactions on Emerging Topics in Computing.
25
Cui A., Luo Y., Chang C., Feb 2017, Static and Dynamic Obfuscations of Scan Data Against Scan-Based Side-Channel Attacks, IEEE Transactions on Information Forensics and Security, Vol. 12, No. 2, pp. 363-376
26
Oct. 2014, AES: Overview. [Online]. Available: http://opencores.org/project,tiny_aes
27
Verbauwhede I., Schaumont P., Kuo H., Mar 2003, Design and performance testing of a 2.29-GB/s Rijndael processor, IEEE J. Solid-State Circuits, Vol. 38, No. 3, pp. 569-572
28
Hely D., Bancel F., Flottes M.-L., Rouzeyre B., may 2005, Test control for secure scan designs, in Proc. Eur. Test Symp. (ETS), Vol. tallinn, No. estonia, pp. 190-195
29
Luo Y., Cui A., Qu G., Li H., may 2016, A new countermeasure against scan based side-channel attacks, in Proc. 2016 IEEE Int. Symp. Cir. Syst., Vol. montreal, No. canada, pp. 1722-1725
30
Atobe Y., Shi Y., Yanagisawa M., Togawa N., dec. 2012, State dependent scan flip-flop with key-based configuration against scan-based side channel attack on RSA circuit, in Proc. IEEE Asia Pacific Conf. Circuit. Syst. (APCCAS), Vol. kaohsiung, No. taiwan, pp. 607-610
31
Ali S. S., Sinanoglu O., Saeed S. M., Karri R., 2013, New scan-based attack using only the test mode, in Proc. IFIP/IEEE 21st Int. Conf. Very Large Scale Integr. (VLSI SoC), pp. 234-239
32
Wang X., Zhang D., He M., Su D., Tehranipoor M., Sept 2018, Secure Scan and Test Using Obfuscation Throughout Supply Chain, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, Vol. 37, No. 9, pp. 1867-1880
33
Xiang D., Li K., Sun J., Fujiwara H., 2007, Reconfigured Scan Forest for Test Application Cost, Test Data Volume, and Test Power Reduction, IEEE Transactions on Computers, Vol. 56, No. 4, pp. 557-562
34
Park K., Yoo S.G., 2010, JTAG Security System Based on Credentials, Journal of Electronic Testing, Vol. 26, No. 5, pp. 549-557

## Author

##### Xiong Zheng

Xiong Zheng is a student at College of Computer and Communication Engineering, Changsha University of Science and Technology.

His research interests include design for testability, hardware security.

##### Zuoting Ning

Zuoting Ning received the Ph.D. degree of computer science from Hunan University in 2017, He is a lecturer in Hunan Police Academy.

His research inerests include machine learning, network security and hardware security.

##### Weizheng Wang

Weizheng Wang received the Ph.D. degree in computer application technology from Hunan University in 2011.

He is currently an associate professor in Changsha University of Science and Technology, Changsha.

His research interests include hardware security, design for testability, and artificial intelligence security.

##### Yang Peng

Yang Peng is a graduate student at College of Computer and Communi-cation Engineering, Changsha Uni-versity of Science and Technology.

His research interests include design for testability, hardware security.