Secured Flipped Scan-Chain Model for Crypto-Architecture

Gaurav Sengar, Debdeep Mukhopadhyay, and Dipanwita Roy Chowdhury

Abstract—Scan chains are exploited to develop attacks on cryptographic hardware and steal intellectual properties from the chip. This paper proposes a secured strategy to test designs by inserting a certain number of inverters between randomly selected scan cells. The security of the scheme has been analyzed. Two detailed case studies of RC4 stream cipher and AES block cipher have been presented to show that the proposed strategy prevents existing scan-based attacks in the literature. The elegance of the scheme lies in its low hardware overhead.

Index Terms—Block ciphers, design_for_testability, hardware overhead, scan_based_test, scan-chain-based attacks, security margin, stream ciphers.

Manuscript received June 27, 2006; revised October 30, 2006, January 23, 2007, and April 9, 2007. This paper was recommended by Associate Editor S. Hellebrand.
G. Sengar and D. R. Chowdhury are with the Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur 721302, India (e-mail: gaurav@cse.iitkgp.ernet.in; drc@cse.iitkgp.ernet.in).
D. Mukhopadhyay is with the Department of Computer Science and Engineering, Indian Institute of Technology, Madras 600036, India (e-mail: debdeep@cse.iitm.ernet.in).
Digital Object Identifier 10.1109/TCAD.2007.906483

I. INTRODUCTION

With the increase in the applications and complexity of crypto-devices, reliability of such devices has raised concern. Scan chains are the most popular testing technique due to their high fault coverage and least hardware overhead. However, scan chains open side channels for cryptanalysis [1], [2]. Scan chains are used to access intermediate values stored in the flip-flops, thereby ascertaining the secret information, often known as the key. Conventional scan chains fail to solve the conflicting requirements of effective testing and security [2]. In order to solve this challenging problem of efficiently testing cryptographic chips, some research works have been proposed.

In [3], a scan-chain design based on scrambling was proposed which dynamically reorders the flip-flops in a scan chain. However, statistical analysis of the information scanned out from chips can still determine the scan-chain structure and the secret information [4]. Furthermore, the area overhead and wiring complexity are high. The scrambler uses a control circuit, which requires flip-flops for its implementation. The control circuit uses a separate test key in order to program the interconnections. Thus, if one uses scan chains to test the scrambler circuit, the attack proposed in the study in [1] can be used to decode the test key and, hence, break the scheme of reordering.

An interesting alternative and one of the best methods was proposed in [4] and [5], where a secure scan-chain architecture with mirror key register was provided. The scheme had an insecure and a secured mode. When a crypto chip is in the insecure mode, it can be switched between the test mode and the normal mode similar to the general scan-based design for testability (DFT). However, when a crypto chip is in the secure mode, it can only stay in the normal mode. While a crypto chip can be switched from insecure mode to secure mode at any time, switching back from secure mode to insecure mode is only done through a power OFF reset. But the method has the following shortcomings: Security is derived from the fact that switching off power destroys the data in registers. In addition, at-speed or online testing is not possible with this scheme. The cryptographic device can be a part of a critical system that remains continuously ON (like a satellite-monitoring system). The method cannot be used to test Cipher Block Chained encryptors, as after the device is switched off due to testing, all the previous blocks need to be encrypted again.

In [6], a lock-and-key technique was proposed, which uses a test security controller (TSC). When a key is successfully entered, the finite-state machine (FSM) of the TSC switches the chip to a secured mode, allowing normal scan-based testing. Otherwise, the device goes to an insecure mode and remains stuck until an additional test-control pin is reset. The design suffers from the problem of large overhead due to the design of the TSC. The TSC itself uses a large number of flip-flops (for linear feedback shift registers (LFSRs) and FSMs), which require built-in self test for testing, leading to an inefficient design. Furthermore, the design uses an additional key (known as test key) for security. If the cipher uses an n-bit key for its operation, a brute-force attack would require $2^n$ operations. If the design uses additional t key bits for security, then, with a total of n + t bits of key, the design provides security equivalent to that of min(n, t) bits, which is not desirable.

In [7], a scan-tree-based architecture with aliasing-free compactor was proposed for testing of cryptographic devices. However, the design has the weakness of a large-area overhead due to the design of compactors and its testing circuit. Normal computer-aided design (CAD) flow also does not support the design of scan-tree structures.

Contribution of this paper: In this paper, we propose an elegant solution to the problem of testing cryptographic devices at the expense of very low-area overhead using inverters in the scan path. The design works exactly like conventional scan chains and does not use any additional test key bits or clock cycles. Any conventional CAD flow can also synthesize the scan design and generate its test patterns without any extra steps in the design flow. Testing of the additional NOT gates is very simple. The flipped scan-chain architecture is also amenable to online testing.

This paper is organized as follows. Section II introduces the flipped scan-chain architecture and analyzes its security. In Section III, the flipped scan chain is analyzed with respect to standard stream and block ciphers, like RC4 and AES. In Section IV, the overhead and the security achieved is compared with the best reported solutions in this field. Section V discusses a few additional points on flipped scan chains. This paper is concluded in Section VI.

II. FLIPPED SCAN-CHAIN ARCHITECTURE AND ITS SECURITY ANALYSIS

In this section, we first propose the new scan-chain architecture used to test cryptographic implementations. In this model, we introduce inverters or NOT gates (Fig. 1) at the input of the scan_in pin of the scan D-flip flop (SDFF). We call the modified flip-flops flipped SDFF (FSDFF). The flipped scan-chain model consists of both SDFFs and FSDFFs.

The modified scan-chain architecture is, thus, very similar to the conventional scan chains except for the fact that there are inverters at certain locations known to the designer only. The presence of NOT gates in the scan-data path does not hamper the normal functionality of the device. However, it prevents analysis of the scan data in order to ascertain the intermediate values stored in the flip-flops. Proper placement of inverters can help in preventing existing scan-chain-based attacks. Still, the testing of the circuit can be performed with the same efficiency as conventional scan chains, oblivious of the presence of inverters.
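The following behavioural model is an added example, not code from the paper: it shows how a designer who knows the inverter positions pre-compensates a test pattern and corrects the scanned-out response, while the raw scan-out stream no longer equals the flip-flop contents. The class and function names, the 16-cell chain length, and the inverter positions are assumptions constructed for illustration.

```python
class FlippedScanChain:
    """Behavioural model: cell i has a NOT gate on its scan_in pin iff i is in `inverters`."""
    def __init__(self, length, inverters):
        self.inv = [int(i in inverters) for i in range(length)]
        self.cells = [0] * length

    def shift(self, scan_in):
        """One scan clock; returns the bit that leaves the last cell."""
        out = self.cells[-1]
        incoming = [scan_in] + self.cells[:-1]
        self.cells = [b ^ f for b, f in zip(incoming, self.inv)]
        return out

    def scan_out(self):
        """Shift the whole chain out (zeros in); the last cell's bit comes first."""
        return [self.shift(0) for _ in range(len(self.cells))]

def prefix_parity(length, inverters):
    """p[i] = parity of the inverters at positions 0..i."""
    p, acc = [], 0
    for i in range(length):
        acc ^= int(i in inverters)
        p.append(acc)
    return p

def encode_pattern(desired, inverters):
    """Designer side: scan-in stream that leaves `desired` in the cells."""
    p = prefix_parity(len(desired), inverters)
    # The bit for cell i crosses inverters 0..i and is shifted in at clock n-1-i.
    return [d ^ q for d, q in zip(desired, p)][::-1]

def decode_response(raw, inverters):
    """Designer side: recover the cell values from the raw scan-out stream."""
    p = prefix_parity(len(raw), inverters)
    # Cell i's bit crosses inverters i+1..n-1 on the way out (total parity ^ prefix).
    return [o ^ p[-1] ^ p[i] for i, o in enumerate(raw[::-1])]

# Constructed demo values (assumptions, not from the paper): 16 cells, 3 inverters.
SECRET_INVERTERS = {2, 5, 11}
PATTERN = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]

def demo():
    chain = FlippedScanChain(len(PATTERN), SECRET_INVERTERS)
    for bit in encode_pattern(PATTERN, SECRET_INVERTERS):
        chain.shift(bit)
    loaded = list(chain.cells)          # what the cells hold after scan-in
    raw = chain.scan_out()              # what appears on the scan_out pin
    return loaded, raw[::-1], decode_response(raw, SECRET_INVERTERS)
```

`demo()` returns the loaded cell values, the raw scan-out reordered by cell index, and the designer's corrected read-back; only the first and third equal `PATTERN`.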
Fig. 4. Round operation of AES encryption.

overhead. The final structure is able to prevent the attack proposed in [4]. Fig. 4 shows the general structure of the AES algorithm [12].

How Flipped Scan Chain Prevents the Attack Proposed in [4]: We show that the attack on AES by [4] fails to crack the key for our AES circuit. In the attack, the first step is to guess the position of the registers to obtain intermediate values of each step. The main motive is to find the position of the register R (Fig. 4) by exploiting the property of Avalanche effect in good ciphers, where a change in 1 bit of input changes several bits in the output. In order to ascertain the positions of the register R in the scan structure, the difference in the scan-out pattern was observed.

Once the position of register R was ascertained, the second step comes into play. In this step, two values of input plaintext were chosen, which differ in 1 byte. In addition, from the number of ones in the difference of the scanned-out values of the register R, the values of register b were computed using the differential property of the AES algorithm. Finally, with the values of a and the register b, the key value was calculated using the following: $RK0 = B \oplus A$; $RK0_{1,1} = b_{1,1} \oplus a_{1,1}$.

The scan-chain-based attack on AES is prevented when the conventional scan chain is replaced with the flipped scan chain, along with the nonlinear layer, as shown in Fig. 3. We emphasize the point that a stand-alone application of the nonlinear layer cannot prevent scan-chain-based attacks. This is because, in order to maintain high observability, the nonlinear layer has to be invertible. Thus, without the flipped scan chain, the attacker may control the input to the nonlinear layer and observe the output and, hence, easily determine the nonlinear mapping. However, it is because of the flipped scan chain that the attacker loses controllability and observability of the internal states of the design.

The modified scan chain can successfully prevent scan-chain attacks on the AES hardware proposed in [4] because of the following reasons.

1) The exploitation of differential values is now not possible due to the unknown nonlinear structure. This prevents the attacker from ascertaining the position of the register R.
2) The presence of NOT gates in the scan path does not allow the attacker to ascertain the mapping function of the nonlinear layer. This is because the attacker has no control over the input to the internal structures of the design until he knows the structure of the flipped scan chain.
3) Since step 1 fails, step 2 of the attack cannot be performed. In addition, it may be noted that step 2 is also not possible. This is because the attacker is required to compute differences in the scanned-out values of register R, which is now obscured by the nonlinear layer.

TABLE I. OVERHEAD ANALYSIS OF FLIPPED SCAN CHAIN IN AES

Next, we show a case study for overhead analysis of the flipped scan structure.

IV. OVERHEAD OF FLIPPED SCAN CHAIN FOR AES

In this section, we analyze the overhead of the flipped scan chain in an AES hardware implemented using 0.18-µm CMOS technology [10]. We analyze the overhead under two conditions: without key scheduling (KS) (number of flip-flops 4048) and with KS (number of flip-flops 6336). The flip-flops were divided into eight scan chains of equal length. The output of the scan chains was transformed by an 8 × 8 nonlinear mapping of good cryptographic properties [11]. The gate count of the design of the nonlinear function was 159 gates.

The first row of Table I mentions that, in the AES design without KS, the number of flip-flops per scan path is 506. We place ten NOT gates per scan chain. Hence, the overhead is due to 80 inverters and 159 gates for the nonlinear mapping. The probability of the attacker to break the system is computed, as proved in Theorem 1 of Section III. If we assume that the attacker knows that there are ten flip-flops in the scan chain, then according to Theorem 1, the probability of success of the attacker is $1/\left({}^{507}C_{10}\right) = 2^{-70}$. Similarly, for the remaining seven scan chains, the probability of the attacker to be successful is also negligible. Likewise, we compute the overhead and security margin for the implementation of AES with KS. The area overhead of the proposed method was found to be less than 0.1%, as compared to an overhead of 1% required for secured scan [4] and 17% required for crypto scan [7].

V. FURTHER DISCUSSIONS ON FLIPPED SCAN CHAIN

There is a growing recognition in the industry that the conventional scan chains that make ICs testable can potentially be used to break encryption algorithms and steal intellectual properties of chips. Although the works reported in [1], [4], and [7] focus on methodologies for breaking encryption algorithms, scan chains also pose a threat to all kinds of intellectual property inside the chip. However, the flipped scan chain is suitable to protect IP cores because it provides minimum controllability and observability to an unintended user without reducing the fault coverage. The elegance of the method is due to the fact that the area overhead is minimal.

The security of the flipped scan chain against scan-based attacks depends on the fact that the attacker is unable to ascertain the structure of the scan chain due to the presence of inverters in the chain. Since scan-chain data are streamed in and out synchronously with a clock, timing measurements do not reveal information about the number of inverters in a scan chain. Similarly, power measurements might reveal information about the number of inverters but not their positions in the scan chain. However, with the development of probing attacks, the flipped scan chain needs to be implemented carefully, with one possibility being to use a secret value to activate the inverters, so as not to leak its structures to such attackers.
2084 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 26, NO. 11, NOVEMBER 2007