Secure Scan Design using Shift Register Equivalents against Differential Behavior Attack

Hideo Fujiwara\*\*, Katsuya Fujiwara\*, and Hideo Tamamoto\*



# Outline

- 1. Background and Motivation
- 2. Previous Works
- 3. Objective of the Study
- 4. Proposed Secure Scan Design
  - 4.1 SR-Equivalent Circuits
  - 4.2 How to Design/Control/Observe SR-Equivalent Circuits
  - 4.4 Application to Scan Design
- 5. Differential Behavior Attack
  - 5.1 Differential Behavior Equivalent
  - 5.2 Identification of Scan Structure
  - 5.3 Cardinality of Differential Behavior Equivalents
- 6. Conclusion

# Background and Motivation



Contradiction between Testability and Security  $\rightarrow$  Solution?

## Previous Works

- Recent works focus on secure scan design:
  - > D. Hely, et al. 2004, 2007 scrambling
  - > B. Yang, et al. 2004, 2006 MKR
  - > J. Lee, et al. 2006, 2007 lock & key
  - > S. Paul, et al. 2007 Vlm-scan
  - → G. Sengar, et al. 2007 flipped-scan-chain
  - U. Chandran, et al. 2009 –
- All approaches (*except Sengar*) add extra hardware outside of scan registers.

#### Which means:

- high area overhead
- timing overhead or performance degradation
- increased complexity of testing
- Imited security for the registers part

# Objective of the Study

- Propose a secure scan design approach
  - Satisfies both testability and security
  - Replaces original scan registers with modified scan registers only

#### Which leads to:

- Little area overhead
- No performance overhead
- Introduce SR-equivalent scan circuits
  - How to design/control/observe SR-equivalents
  - How to apply it to scan design
- Consider scan-based differential-behavior attack
  - Propose SR-equivalent scan circuits with dummy FFs to protect differential-behavior attack
- Consider security level
  - Cardinality of d-behavior equivalents



k-stage SR-equivalent circuit, C

A circuit C with a single input x, a single output z, and k flip-flops is called *functionally equivalent* to a k-stage shift register (or *SR-equivalent*)

if the input value applied to x at any time t appears at z after k clock cycles, i.e., z(t+k) = x(t) for any time t.

Example: SR-equivalent circuit  $R_1$ 



| x            | <i>y</i> 1                | <i>y</i> <sub>2</sub>            | <i>Y</i> <sub>3</sub>     | z                             |
|--------------|---------------------------|----------------------------------|---------------------------|-------------------------------|
| (x(0))       | <i>y</i> <sub>1</sub> (0) | <i>y</i> <sub>2</sub> (0)        | <i>y</i> <sub>3</sub> (0) | $z(0) = y_2(0) \oplus y_3(0)$ |
| <i>x</i> (1) | <i>x</i> (0)              | <i>y</i> <sub><i>l</i></sub> (0) | $y_1(0) \oplus y_2(0)$    | $z(1) = y_2(0)$               |
| <i>x</i> (2) | <i>x</i> (1)              | <i>x</i> (0)                     | $x(0) \oplus y_I(0)$      | $z(2) = y_I(0)$               |
|              | <i>x</i> (2)              | <i>x</i> (1)                     | $x(1) \oplus x(0)$        | z(3) = (x(0))                 |



#### How to Design SR-Equivalent Circuits 1/2



Given  $I^2 L F^2 S R$ 

| x            | <i>Y</i> <sub>1</sub> | <i>Y</i> <sub>2</sub>     | <i>Y</i> <sub>3</sub>         | Z.                               |
|--------------|-----------------------|---------------------------|-------------------------------|----------------------------------|
| (x(0))       | y <sub>1</sub> (0)    | <i>y</i> <sub>2</sub> (0) | <i>y</i> <sub>3</sub> (0)     | $z(0)=y_3(0)$                    |
| <i>x</i> (1) | <i>x</i> (0)          | $1 \oplus y_I(0)$         | $x(0) \oplus y_2(0)$          | $z(1)=x(0)\oplus y_2(0)$         |
| <i>x</i> (2) | <i>x</i> (1)          | 1⊕ <i>x</i> (0)           | $x(1) \oplus 1 \oplus y_I(0)$ | $z(2)=x(1)\oplus 1\oplus y_I(0)$ |
|              | <i>x</i> (2)          | 1⊕ <i>x</i> (1)           | $x(2) \oplus 1 \oplus x(0)$   | $z(3) = x(2) \oplus 1 = x(0)$    |

Symbolic simulation



Symbolic simulation

# How to Control/Observe SR-Equivalents



k-stage shift register, SR



k-stage SR-equivalent circuit, C

To utilize the SR-equivalent circuit C as a shift register SR, we need to consider the following two problems.

State-Justification: (Scan-in)

To generate an input sequence to transfer the circuit C into a given desired state, independently of the initial state.

State-Observation: (Scan-out)

To identify the initial state by observing the output sequence from the state, independently of the input sequence.

#### How to Control SR-Equivalent Circuits, R<sub>2</sub>



#### How to Observe SR-Equivalent Circuits, R<sub>2</sub>

|                                                                                                         | x            |                          | <b>y</b> <sub>2</sub>     | $y_3 \rightarrow z$           | SR-equivalent I <sup>2</sup> LF            | <sup>-2</sup> SR, R <sub>2</sub> |
|---------------------------------------------------------------------------------------------------------|--------------|--------------------------|---------------------------|-------------------------------|--------------------------------------------|----------------------------------|
|                                                                                                         | x            | <i>Y</i> <sub>1</sub>    | <i>Y</i> <sub>2</sub>     | <i>Y</i> <sub>3</sub>         | Z.                                         |                                  |
| -                                                                                                       | <i>x</i> (0) | <i>y<sub>I</sub></i> (0) | <i>y</i> <sub>2</sub> (0) | <i>y</i> <sub>3</sub> (0)     | $\boxed{z(0)=1\oplus y_1(0)\oplus y_3(0)}$ |                                  |
|                                                                                                         | <i>x</i> (1) | <i>x</i> (0)             | $1 \oplus y_I(0)$         | $x(0)^{\oplus}y_2(0)$         | $z(1)=1\oplus y_2(0)$                      |                                  |
|                                                                                                         | <i>x</i> (2) | <i>x</i> (1)             | 1⊕ <i>x</i> (0)           | $x(1) \oplus 1 \oplus y_l(0)$ | $z(2)=y_{1}(0)$                            |                                  |
|                                                                                                         |              | <i>x</i> (2)             | 1⊕ <i>x</i> (1)           | $x(2) \oplus 1 \oplus x(0)$   | z(3) = x(0)                                |                                  |
|                                                                                                         |              | l                        |                           |                               | $v_{1}(0) = z(2)$                          |                                  |
| Initial state $(y_1(0), y_2(0), y_3(0))$ is identified<br>from output sequence $z(0), z(1), z(2)$ only, |              |                          |                           | $y_2(0) = 1 \oplus z(1)$      |                                            |                                  |
| INC                                                                                                     | iepend       | ienuy or                 | me input                  | sequence.                     | $y_3(0) = 1 \oplus z(0) \oplus z(2)$       | 13                               |

## Application to Scan Design 1/3







Replacement of scan chain by modified scan chain

# Application to Scan Design 3/3



Scan design with SR-equivalent scan circuit

# Differential Behavior (d-behavior)



- First, the circuit under test is reset and then run in normal mode.
- Next, it is switched to scan mode to scan out the contents of scan registers.
- These steps are repeated using another input sequence that is slightly different from the first input sequence.

Single-bit-change d-behavior for S<sub>1</sub>





- d: differential value
- -: constant value



### Differential-behavior Attack

The attack that inserts differential values into extended scan registers in normal mode and observes the differential behaviors in scan mode is called a *differential-behavior attack*.



#### Differential-behavior set





Extended scan circuit, S<sub>1</sub>

Differential-behavior set (*d-behavior set*, for short) : The set of all d-behaviors for S<sub>1</sub>



Fundamental differential-behavior set (*fundamental d-behavior set*, for short) : The set of all *single-bit-change* d-behaviors for S<sub>1</sub>

### Differential-behavior equivalent relation

Let  $S_1$  and  $S_2$  be extended scan circuits.

 $S_1$  and  $S_2$  are said to be *differential-behavior equivalent* (or *d-behavior equivalent*, for short) if the d-behavior sets of  $S_1$  and  $S_2$  are the same. Example of d-behavior equivalence

 $S_1$  and  $S_2$  are *d-behavior equivalent*.



- *d* : differential value
- : constant value

- 22 -

XOR-superposition of fundamental d-behaviors



Any differential behavior can be uniquely expressed by XOR-superposition of fundamental d-behaviors only.

23

## Theorems

#### Theorem 1:

Any differential behavior can be uniquely expressed by XOR-superposition of fundamental d-behaviors only.

#### Theorem 2:

Let  $S_1$  and  $S_2$  be extended scan circuits.  $S_1$  and  $S_2$  are d-behavior equivalent if and only if fundamental d-behavior sets of  $S_1$  and  $S_2$  are the same.

### Example of d-behavior equivalent relation



Fundamental d-behavior set of  $S_1$  Fundamental d-behavior set of  $S_2^-$ 



This circuit  $R_1$  is an 3-stage SR-equivalent LF<sup>2</sup>SR.

$$\mathbf{x} \longrightarrow y_1 \longrightarrow y_2 \longrightarrow y_3 \longrightarrow \mathbf{z}$$

# of 3-stage SR-equivalents =  $2^{k!}/k! - 1 = 6,719$ # of 3-stage SR-equivalent LF<sup>2</sup>SR =  $2^{k(k1-)/2} - 1 = 7$ 

$$\mathbf{x} \longrightarrow y_1 \longrightarrow y_2 \longrightarrow y_3 \longrightarrow \mathbf{z}$$

# of 3-stage SR-equivalents =  $2^{k!}/k! - 1 = 6,719$ # of 3-stage SR-equivalent LF<sup>2</sup>SR =  $2^{k(k1-)/2} - 1 = 7$ 

Probability to identify the configuration = Reciprocal of the cardinality of SR-equivalents

For 3-stage SR-equivalents:1/6719For 3-stage SR-equivalent LF2SR:1/7



Extended shift register R<sub>1</sub>



Extended scan circuit S<sub>1</sub>



# of 3-stage d-behavior equivalent  $LF^2SR = 1$ 

- 30 -



# of 3-stage d-behavior equivalent  $LF^2SR = 1$ 

Probability to identify the configuration = Reciprocal of the cardinality of d-behavior equivalents

The probability that an attacker can identify the configuration of an extended scan circuit S approximates to the reciprocal of the cardinality of the class of extended scan circuits that are d-behavior equivalent to S.

To evaluate the security level against d-behavior attacks, we clarify the cardinality of each equivalent class.

## Cardinality of d-behavior equivalent classes

(without dummy FF)

| # of SR-Equivalent<br>Scan Circuits        | # of Equivalent<br>Classes                                                                                  | Guaranteed<br>Cardinality                                                                                                                                                           |
|--------------------------------------------|-------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $2^{\kappa} - 1$                           | 1                                                                                                           | $2^{\kappa} - 1$                                                                                                                                                                    |
| $2^{k(k-1)/2} - 1$                         | $2^{k(k-1)/2} - 1$                                                                                          | 1                                                                                                                                                                                   |
| r(r 1)/2 $r(r r)$                          | $- \frac{1}{2}(\frac{1}{2})/2$                                                                              |                                                                                                                                                                                     |
| $(2^{\kappa(\kappa-1)/2}-1)(2^{\kappa}-1)$ | $2^{\kappa(\kappa-1)/2} - 1$                                                                                | $2^{\kappa} - 1$                                                                                                                                                                    |
|                                            | # of SR-Equivalent<br>Scan Circuits<br>$2^{k} - 1$<br>$2^{k(k-1)/2} - 1$<br>$(2^{k(k-1)/2} - 1)(2^{k} - 1)$ | # of SR-Equivalent       # of Equivalent         Scan Circuits       Classes $2^{k} - 1$ 1 $2^{k(k-1)/2} - 1$ $2^{k(k-1)/2} - 1$ $(2^{k(k-1)/2} - 1)(2^{k} - 1)$ $2^{k(k-1)/2} - 1$ |

Two classes of LF<sup>2</sup>SR and LFSR are not secure because their guaranteed cardinality is 1.

However, all other classes are secure.

## SR-equivalent scan circuits with dummy FF





SR-equivalent scan circuits with dummy FF

|                                    | J                                     | (with dummy F               | F) $O(k^2)$             |
|------------------------------------|---------------------------------------|-----------------------------|-------------------------|
|                                    | # of SR-Equivalent<br>Scan Circuits   | # of Equivalent<br>Classes  | Guarantee<br>Cardinalit |
| $I^2SR$                            | $(3k^2+k)(2^k-1)/2$                   | k(k+1)/2                    | $3(2^{k}-1)$            |
| LF <sup>2</sup> SR<br>(LFSR)       | $(3k^2+k)(2^{k(k-1)/2}-1)/2$          | $(2^{(k-1)(k-2)/2})(2^k-1)$ | $O(k^2)$                |
| $I^{2}LF^{2}SR$<br>( $I^{2}LFSR$ ) | $(3k^2+k)(2^{k(k-1)/2}-1)(2^k - 1)/2$ | $(2^{(k-1)(k-2)/2})(2^k-1)$ | $O(k^2 2^k)$            |

Cardinality of d-behavior equivalent classes

All classes with dummy FF are secure.



Especially the classes of I<sup>2</sup>LF<sup>2</sup>SR and I<sup>2</sup>LFSR with dummy FF are the most secure thanks to high cardinality.

## Enumeration Results by SREEP-2

To examine the actual cardinalities of d-equivalent classes for each type of extended scan circuits, we made a program called *SREEP-2* (*Shift Register Equivalents Enumeration and Synthesis Program -2*).

The enumeration results for extended scan circuits without and with dummy FF are shown in the following slides.

## Cardinality of d-behavior equivalent classes

(without dummy FF) by SREEP-2

|                                   | #   | # of     | # of       | Guaranteed  | Range of    |
|-----------------------------------|-----|----------|------------|-------------|-------------|
|                                   | FFs | Scan     | Equivalent | Cardinality | Cardinality |
|                                   |     | Circuits | Classes    |             |             |
| $I^2SR$                           | k=3 | 7        | 1          | 7           | 7~7         |
|                                   | k=4 | 15       | 1          | 15          | 15~15       |
|                                   | k=5 | 31       | 1          | 31          | 31~31       |
| $LF^2SR$                          | k=3 | 7        | 7          | 1           | 1~1         |
| (LFSR)                            | k=4 | 63       | 63         | 1           | 1~1         |
|                                   | k=5 | 1023     | 1023       | 1           | 1~1         |
| I <sup>2</sup> LF <sup>2</sup> SR | k=3 | 49       | 7          | 7 ,         | 7~7         |
| $(I^2 LFSR)$                      | k=4 | 945      | 63         | 15 /        | 15~15       |
|                                   | k=5 | 31713    | 1023       | 31          | 31~31       |
|                                   |     |          |            | 1           |             |

/ Not Secure

## Cardinality of d-behavior equivalent classes

(with dummy FF) by SREEP-2

|                                                | #   | # of Scan | # of       | Guaranteed  | Range of    |
|------------------------------------------------|-----|-----------|------------|-------------|-------------|
|                                                | FFs | Circuits  | Equivalent | Cardinality | Cardinality |
|                                                |     |           | Classes    |             |             |
| I <sup>2</sup> SR                              | k=3 | 105       | 6          | 17          | 14~21       |
|                                                | k=4 | 390       | 10         | 39          | 30~45       |
|                                                | k=5 | 1240      | 15         | 82          | 62~93       |
| LF <sup>2</sup> SR                             | k=3 | 105       | 14         | 7           | 5~10        |
| (LFSR)                                         | k=4 | 1638      | 120        | 13          | 8~20        |
|                                                | k=5 | 40920     | 1984       | 20          | 11~40       |
| I <sup>2</sup> LF <sup>2</sup> SR              | k=3 | 735       | 14         | 52          | 35~70       |
| $(I^2 LFSR)$                                   | k=4 | 24570     | 120        | 204         | 120~300     |
|                                                | k=5 | 1268520   | 1984       | 639         | 341~1240    |
|                                                |     |           |            |             |             |
| Increased thanks to<br>dummy FF Most secure 38 |     |           |            |             | 38          |

## Conclusions

- Considered a scan-based differential-behavior attack and proposed several classes of SR-equivalent scan circuits using dummy flip-flops in order to protect the scan-based differential-behavior attack.
- Introduced differential-behavior equivalent relation, and clarified the cardinality of differential-behavior equivalent classes.
- The proposed extended scan design is very secure as well as easily testable, the normal delay or performance overhead is zero, and the area overhead can be very low.

# Thank you

