I. INTRODUCTION

Several new technologies, such as wireless sensor networks and internet of things ^(1,2,38-40), have been rapidly developing recently and their security issue receives significant attentions ⁽¹⁰⁾. Meanwhile, the security of the underlying hardware has also been concerned widely ^(3,4,41). With the increase of the integration level and the decrease of feature size, testing for integrated circuit (IC) has become a challenging issue. By embedding aided logic into IC in the design stage, design-for-testability (DfT) methodology makes the manufacture testing and online debugging easier and cheaper. Consequently, it has been widely applied in the semiconductor industry. Scan design is the most common DfT, which can provide full testability including controllability and observability for sequential circuits ⁽⁵⁾. Unfortunately, scan design can also be exploited as a side channel, through which an adversary controls and observes illegally the states of circuit-under-test (CUT) to attack. The scan-based attack is one kind of non-invasive attacks that doesn’t need to remove the circuit packaging and probe the internal nodes. Such attack method does not rely on expensive equipment, resulting in very small cost. The target of scan-based attacks typically include as follows.

Stealing the secret information which is stored, generated or processed in the chip. The most common situation is cracking the key of a crypto chip ^(6,7). Typically, the attacker firstly makes the circuit work in the functional mode, and delivers pre-calculated plaintext at the input pins. After a clock cycle (or one round of encryption operation) the intermediate state of encryption will be temporarily stored in the state register. Then, he switches the chip into test mode and shifts out the intermediate state using scan chains. The process is repeated until enough pairs of plaintext and intermediate state are obtained. Finally, the secret key is deduced by means of mathematical methods.

2) Reverse analyzing the chip and extracting the organizational structure and functional characteristics of the chip. The full scan design unfolds the sequential circuit into the combinational circuit. Thus, it is possible to reveal the design information of the circuit by using the input-output relation of the scan vision. The full scan design facilitates significantly the reverse engineering attack because attackers only need to access data from scan chains with the help of a common test equipment and use Boolean function learning method to complete this attack ⁽⁸⁾. This kind of attack is often used to crack special algorithms containing trade secrets.

3) Illegally manipulating or destroying the chips. The attacker can shift the illegal data into the state register, and thus illegally manipulate the chip or destroy the chip ⁽⁹⁾.

Scan attacks targeting on crypto chips have been widely studied. Existing scan attack models can be mainly divided into two categories, namely mode-switching attacks ^(6,7,11,12) and test-mode-only attacks ^(13-16). They are both based on differential analysis in mathematics. In the mode-switching attacks, the intermediate states are generated and observed under different modes, thus depending on the switching from functional mode to testing mode. In the test-mode-only attacks, ·both delivering the input data and obtaining the sensitive information are performed uniquely under testing mode.

To overcome scan-based attacks, many secure schemes have been proposed in the past few decades. They mainly include schemes based on protecting test mode ^(6,17,18), schemes based on partial scan design ^(19-21), schemes based on encrypting scan input/output ^(22-24), and schemes based on obfuscating scan input/output ^(25-35).

Countermeasures based on protecting test mode are generally used to safeguard crypto chips. They usually introduce a small secure control circuit, which can restrain the switching between functional mode and testing mode. For example, the switching from functional mode to testing mode is prohibited in ⁽⁶⁾, while all the switching is limited in ⁽¹⁷⁾. In addition, the access of cipher key is blocked in testing mode with three-state buffers ⁽⁶⁾ or OR gates ⁽¹⁷⁾. Unfortunately, this category of countermeasures changes the normal operating process of IC, and even disables the online testing.

The partial scan design excludes the flip-flops storing secret information when constructing the scan chain, effectively preventing the leakage of intermediate sensitive data ^(19-21). However, it reduces the controllability and observability of the chip, and hence sacrifices the test quality of the chip.

Secure schemes based on encrypting scan data insert various cipher modules between the scan input and the scan chain, or/and between the scan chain and the scan output . For the attackers without encryption key, neither the predetermined values can be loaded into the scan chain, nor the real circuit responses can be obtained from the scan output. On the downside, these schemes incur high hardware overhead.

A high proportion of secure schemes use the obfuscation of scan data to protect the chip against scan-based attacks. Such countermeasures ^(25-35) attempt disturbing the input vector or the output response to disable the deducing of secret information. The authors of ^(25,26) achieve the purpose of obfuscating scan data by dynamically changing the connection order of scan chains. However, the scan-based attacks have been proved to be feasible even without the knowledge of scan chain order ⁽²⁷⁾ . Several techniques obfuscate the scan data by inserting extra NOT gates ⁽²⁸⁾ or XOR gates ⁽²⁹⁾ into scan chain. However, it has been found that the sophisticated attack can defeat these secure schemes by identifying the locations of the extra logic gates ⁽³⁰⁾. Cui et al ⁽³¹⁾ insert a shift register to control the test mode of some scan flip-flops. If the correct test key is not delivered into the shift register, the selected scan flip-flops will cast away the data from predecessor and obtain the data from the CUT. Hence, either the test vectors or the test responses cannot be conveyed correctly in scan chains. To avoid the risk of leaking test key, the authors in ⁽³²⁾ improve this technique, which uses a PUF extraction scheme to generate test key. The technique in ⁽³³⁾ locks the scan design with an inserted shadow register whose state is controlled by a LFSR and updated regularly.

To address the drawbacks of the countermeasures discussed above, in this paper we propose a new scan design based on scan input and output scrambling (SDSIOS). Notably, it can provide very high security. Even if the adversary from a malicious foundry has reverse-engineered the gate-level netlist and obtained the information about secure scan design, he still can not implement scan-based attacks to steal the cipher key or control the chip illegally.The rest of this paper is organized as follows. In Section II, we describe the proposed secure scan design methodology. In Section III, we give the flow of IC design and test based on the proposed scheme. Section IV presents experimental results to verify the proposed scheme. We conclude this paper in Section V.

II. Proposed Secure Scan Design Methodology

The overall diagram of the proposed SDSIOS architecture is given in Fig. 1. The logic components marked in red are increased to secure the scan design. In the architecture, the XOR gates are inserted at each scan input (SI) port and each scan output (SO) port. In addition, a pseudorandom pattern generator (PRPG) is used to feed the XOR gates at scan input ports. Test stimuli from SI ports are scanned into scan chains after they are XORed with the outputs of PRPG, marked as ($K_{1}$ , … ,$K_{n}$) in Fig. 1. We suppose that N is the number of scan chains. Before test responses are shifted out from SO ports, each bit is XORed with the state of an internal node, which is selected through a MUX from two alternative nodes, marked as $Node_{i0}$ and $Node_{i1}$ (1${\leq}$ i ${\leq}$ N). These internal nodes are opted randomly from the combinational circuit part of CUT. The outputs of PRPG, marked as ($S_{1}$, $S_{2}$, …, $S_{N}$), are used to control the MUXes and determine which node is chosen for every pair of alternative nodes.

The PRPG is driven by system clock (System_Clock) and scan enable input (Scan_Enable) via an AND gate. In functional mode (Scan_Enable=0), System_Clock is locked and the PRPG remains its state. In this case, it can reduce the power dissipation on the PRPG. Every scan flip-flop grabs the value from the data input (DI) in functional mode, so the PRPG won’t affect the functional operation of the circuit. When the circuit enters the test mode (Scan_Enable=1), System_Clock} is activated. In each test clock cycle, the PRPG generates an N-bit scrambling vector via output ports {$K_{1}$, $K_{2}$, … , $K_{N}$}to obfuscate the scan input data, and an N-bit selection vector via output ports{$S_{1}$ ,$S_{2}$ , … ,$S_{N}$} to select the scrambling values from internal nodes for scan output data.

The PRPG can be implemented with a ring generator, as shown in Fig. 2. The output of PRPG can be provided by either the output of internal D flip-flop or the XOR of the outputs of some D flip-flops. When the circuit is powered-on or initialized by the reset signal (System_Reset), D flip-flops in the PRPG are initialized to specific values (called the PRPG seed), which can be stored in an embedded nonvolatile memory. The initialization logic is shown in Fig. 3. We suppose that the set and reset signals are active high. If the $i^{th}$ bit of the seed ($Seed_{i}$) is 0, the set terminal of the $i^{th}$ D flip-flop ($DFF_{i}$) in the PRPG keep inactive regardless of System_Reset. At this case, $DFF_{i}$ can be initialized to zero by resetting when System_Reset is asserted. If Seed$_{i}$ is 1, the reset terminal of $DFF_{i}$ remains zero regardless of System Reset. At this case, $DFF_{i}$ can be initialized to one by setting when System_Reset is high.

To guarantee the confidentiality of PRPG seed, a one-time programmable ROM can be used to store the seed. So, any two IC products with the same design can have different PRPG seeds. The seed needs to be programmed into ROM after IC is manufactured by foundry. Alternatively, the seed of PRPG can be stored in a nonvolatile memory and can be configured optionally by IP owners. It is inaccessible for users and attackers.

The scrambling procedure of the SDSIOS can be described below. Firstly, during system initialization, the seed is loaded into the PRPG. Secondly, during scan operation, the PRPG keeps running starting from the seed, and the test pattern is shifted in via SI ports slice by slice. The slice represents a set of values that are shifted into/out of the scan chains at the same clock cycle. Each test pattern slice is scrambled based on a scrambling vector slice generated at the outputs {$K_{1}$, $K_{2}$,…, $K_{i}$,…, $K_{N}$} of PRPG. Thirdly, during capture operation, the PRPG remains static, and the test response is captured into the scan chains. Fourthly, the circuit is switched to the scan mode again. The PRPG continues running, and the test response is shifted out via SOs slice by slice. At the $j^{th}$ (1${\leq}$ j${\leq}$ L) clock cycle, a selection vector slice {$S_{1j}$, $S_{2j}$,…, $S_{ij}$,…, $S_{Nj}$ is generated at the output ports{ $S_{1}$, $S_{2}$,…, $S_{i}$,…, $S_{N}$} of PRPG. Before shifting out, each test response slice is scrambled based on a scrambling vector slice that represents the current values of {$Node^{{1S}_{1j}}$ $Node^{{2S}_{2j}}$,… ,$Node^{{iS}_{ij}}$ ,… ,$Node^{{NS}_{Nj}}$. The values of {$Node_{10}$, $Node_{11}$, … , $Node_{i0}$, $Node_{i1}$, … , $Node_{N0}$, $Node_{N1}$} depend on the current states of all the scan chains and thus should be updated clock by clock. Meanwhile, a new test pattern is loaded into scan chains and also scrambled in the same way as described above.

Fig. 1. Proposed secure scan architecture.

Fig. 2. An example of Ring generator.

Fig. 3. Initialization logic of a PRPG cell.

Fig. 4 gives an example of scrambling procedure. It’s assumed that there are two scan chains with the length of scan cells. A test pattern {00110;10001}is shifted in from $SI_{1}$ and $SI_{2}$ ports. Meanwhile, the PRPG generates a scrambling vector {11011;10100} in five clock cycles through $K_{1}$ and $K_{2}$. The scrambled test pattern {00110$\oplus $ 11011;1001$\oplus $10100}, i.e.{11101;00101}, will be shifted into the scan chains. The rightmost bit is first shifted in or generated in the example. The Hamming distance between the loaded test pattern and the scrambled one is six. After capture operation, the test response is stored in the scan chains. Assuming the test response is {00011;11110}. The PRPG generates a selection vector {11010;01101} through $S_{1}$ and $S_{2}$ during scanning out the test response. Meanwhile, $Node_{10}$ and $Node_{11}$ generates a set of values {11001} and {10110}, respectively. $Node_{20}$ and $Node_{21}$ generates a set of values {00011} and {11011}, respectively. Under the action of selection vector, a scrambling vector {10011;01011} for test response is generated by MUXes. At SO ports, the scrambled test response {10000;10101}, instead of the factual test response, can be observed.

Fig. 4. An example of scrambling procedure (a) Generating scrambled test pattern, (b) Generating scrambled test response.

Fig. 5. Implementation flow of SDSIOS.

III. IC Design and Test based on SDSIOS

The proposed SDSIOS should be integrated into IC design to protect chips. The main design flow of the circuit based on SDSIOS is shown in Fig. 5. The steps can be described as below.

1) In the stage of front-end design, IC designer writes RTL code, does simulation, and performs logic synthesis to obtain gate-level netlist. After the function verification and timing analysis have passed, the standard scan design will be inserted. These steps can be implemented with EDA tools, for example Synopsys Design Compiler and DFT Compiler. They are not influenced by the proposed SDSIOS.

2) After standard scan insertion, test patterns targeted on any specified fault model can be generated by Automatic Test Pattern Generation (ATPG) tool. Meanwhile, the standard scan design should be modified into the SDSIOS architecture. This includes inserting XOR gates/MUXes at scan input and output ports, selecting scrambling nodes and connecting them to MUXes, and integrating PRPG into circuit netlist and connecting PRPG to XOR gates and MUXes.

3) After SDSIOS insertion, placement, routing, and timing optimization can be completed by EDA tools. Then, the circuit will be fabricated according to design drawings by foundry. The original test patterns and corresponding fault-free responses should be modified after SDSIOS insertion. The adjusted test patterns and responses can be obtained by scrambling the original ones with the outputs of PRPG and the scrambling nodes. The algorithm to generate adjusted test patterns and responses is described in Algorithm. 1.

4) Finally, the IC is tested with the adjusted test patterns.

Algorithm. 1. Adjusted Test Patterns/Responses Generation.

IV. Performance Analysis and Experimental Results

The proposed SDSIOS is assessed in terms of the testability,security and overhead.

V. CONCLUSIONS

In this paper, we propose a novel scan design scheme, which scrambles the inputs and outputs of scan chains with PRPG and circuit self. The proposed secure technique can prevent noninvasive attacks by restricting unauthorized users to access the scan chain. The proposed strategy provides high security for IC design while incurring low area overhead, test power overhead, and no impact on testability, which has been validated on several big benchmarks.