ABSTRACT Scan design is a widely used design-for-test methodology since it enhances the controllability and observability of integrated circuits significantly. However, it may become a channel to leak secret information and, hence, threatens the hardware security seriously. In this paper, a secure scan test scheme is presented to thwart all the existing scan-based noninvasive attacks. On one hand, the proposed scheme keeps isolating the cipher key when the crypto chip runs in the test mode. In this period, the data shifted out from scan chains are not related to the cipher key. On the other hand, if the crypto chip first enters the functional mode after power-ON or reset, the switching from the functional mode to the test mode is prohibited. Consequently, the intermediate sensitive data stored in scan chains are protected. The presented scheme allows performing all sorts of tests, such as stuck-at test and delay test with a simple modification, and it maintains the advantages of scan design. Furthermore, it incurs minimal area overhead while protecting powerfully a crypto chip.
I. INTRODUCTION
Cryptographic algorithms are widely utilized to satisfy various requirements such as integrity and confidentiality. In many scenarios they are implemented in hardware because software implementation of cryptographic algorithms has obvious disadvantages in terms of performance such as low data throughput [1] . Although they are open to public, the encrypted information is hard to decrypt without the valid cipher key. In hardware implementation of cryptographic algorithms, the cipher key is usually stored inside the chip and cannot be accessed casually. To detect the faults in crypto module, the scan-based test is imperative. Unfortunately, scan design causes it to face security threats while facilitating the testing of crypto module.
In a crypto chip with scan chain insertion, the intermediate values during encryption process can be scanned out through the output ports of scan chains. Attackers can first apply precomputed plaintexts to input ports and perform encryption for one round in functional mode. Then, they switch the chip The associate editor coordinating the review of this manuscript and approving it for publication was Shuangqing Wei.
into test mode to scan out the corresponding intermediate states. Finally, attackers can decipher the cipher key by analyzing these intermediate results of just one round encryption with 1 or 2 round keys. It has been reported that crypto chips implementing Data Encryption Standard (DES) [2] and Advanced Encryption Standard (AES) [3] can be cracked by scan-based noninvasive attacks. Recently, researchers have found that scan-based attacks can be also applied in hardware implementation of elliptic curve cryptography (ECC) [4] and Rivest-Shamir-Adlemanvc (RSA) [5] . Consequently, developing practical design-for-test (DFT) solutions is essentially necessary to protect cryptographic chips against scan-based noninvasive attacks [6] . In the last decades, researchers have proposed various countermeasures against scan-based attacks, including the followings: 1) Mode Switching Protection: By modifying the test controller, the chip will be reset and non-volatile memory will be wrapped once test mode is requested [7] . It ensures that the confidential information in scan chains is protected during mode switching. This technique can thwart mode-switching attacks but it is not resistant to test-mode-only attacks [8] , [9] . The secure scheme proposed in [29] overcomes test-mode-only attacks by obfuscating the key input in capture phase of test mode. However, it can only be applied in boundary scan design. 2) Advanced DFT architectures: On-chip decompressor, response compactor, X-tolerance, and X-masking were once regarded as natural barriers to scan-based attacks [10] . These advanced DFT architectures make scan-based attacks extremely difficult, resulting in higher security level. However, recently it has been proven that noninvasive attacks can also be conducted on chips with embedded compression [9] , response compactor [11] , and X-tolerance/X-masking [12] , [13] . 3) Partial Scan Design: In partial scan design, flipflops storing the secret information are excluded from scan chains. Therefore, the intermediate encryption data can be prevented from leaking [14] , [15] . However, it decreases the controllability and observability of crypto chips and hence compromises the fault coverage. 4) Scan-out data Obfuscation: This countermeasure introduces obfuscation logic such as lock & key logic and shadow chain to randomize scan-out data [16] - [19] .
The obfuscated scan-out data may misguide attackers to deduce the incorrect key or make attackers unable to infer the cipher key. The scan-out encryption data is obfuscated by dynamically changing connection order of the sub-chains in [16] and [17] . However, it has been found that even if the scan architecture or scan cell order is unknown, the sophisticated scan-based attack can also be carried out [20] . In [18] [25] uses an onchip lightweight block cipher to encrypt test vector to prevent attackers from delivering desired inputs. In this paper, we present a low-area-overhead secure scan test scheme to protect crypto chips against scan-based noninvasive attacks. The proposed scheme can be well applied in regular scan design. The rest of the manuscript is organized as follows: Section II introduces some background knowledge related to research topic. Section III gives a detail description of the presented secure scan test scheme. In Section IV, the performances including testability, security and hardware overhead are analyzed. Finally, the conclusion is given in Section V.
II. PRELIMINARIES A. SCAN DESIGN
Scan design technology is widely adopted in the semiconductor industry because it makes flip-flops controlled and observed directly through shift operation and transforms the testing of a sequential circuit into that of a combinational circuit.
By adding a two-to-one multiplexer at the input, a standard flip-flop is converted into a scan flip-flop (SFF), as depicted in Figure 1 (a). Each SFF has two alternative input sources: data input (Di) driven by the combinational logic of the circuit, and scan input (Si) driven by the output of another SFF. The Di is actually the input of the original standard flip-flop. A test control (TC) input is used to select Di or Si. By serially connecting the output of a SFF to Si of the succeeding SFF, a shift register refereed to as scan chain is formed. By tying Si of the first SFF to a scan input pin (SIP) and the output of the last SFF to a scan output pin (SOP), one can scan the desired values into a scan chain from SIP while scanning out the states of a scan chain through SOP.
All the SFFs have a common test control signal (referred to as System_TC) which switches the chip under test (CUT) between the functional and test mode. When System_TC is logic '0', the CUT is running in the functional mode. When System_TC is kept high for several clock cycles, a test vector can be shifted serially into scan chains while the content of scan chains can be shifted out. Once the whole test vector is delivered into scan chains, System_TC gets to '0' to switch the CUT to the functional mode for one (stuck-at test) or two clock cycles (LOC-based delay test). The value at the data input Di will be captured into the scan flip-flop with the arrival of a rising clock edge. The working mode at this time is called capture mode. When System_TC returns logic '1', the captured test response is scanned out via SOP while a new test vector is delivered into the scan chains via SIP. The process is repeated until the test is completed.
B. AES AND ITS HARDWARE IMPLEMENTATION
AES encryption algorithm has been known as the symmetrickey block cipher standard and is widely used in the information security. It is based on 128-bit input block and may use 3 types of keys with length of 128 bits, 192 bits, or 256 bits. The encryption process comprises several operation rounds, the number of which relies on the key length, i.e. 10, 12, and 14 rounds correspond to 128-bit, 192-bit and 256-bit key respectively. The preround (a 128-bit exclusive-or operation) is implemented prior to round operations, as shown in Figure 2 . The 128-bit input block is defined as plaintext while the output block of the final round is defined as ciphertext. The output block of an intermediate round is defined as state. The round, except for the final round, is comprised of 4 transformations: Sub-Bytes, Shift-Rows, Mix-Columns and Add-RoundKey.
• In Sub-Bytes, a non-linear substitution operation is performed by using a substitution function known as S-Box.
• In Shift-Rows, each row of the state is rotated to the left by a certain number of bytes.
• In Mix-Columns, a linear transformation is performed to mix four bytes per column.
• In Add-RoundKeys, the exclusive-or operation of a 128-bit state and a round key is performed. AES hardware can be divided into 2 categories: iterative and pipelined architecture. In either architecture, one-round operation usually consumes a clock cycle [1] . The result of each round is stored in a state register. In the iterative AES hardware, the output of the state register is fed back into the input of encryption module through a multiplexer to supply the input for next round operation. By using different round keys, the round operation is repeated ten (twelve, or fourteen) times to obtain the ciphertext. In the pipelined AES hardware, the one-round architecture is reproduced ten (twelve, or fourteen) times. The output of a round architecture is connected to the input of the next round architecture. The output state of the last round architecture is the ciphertext. Typically, the round keys are generated by a key unit, in which key expansion is implemented on-the-fly. The key unit can store the current round key and generate the next round key.
III. PROPOSED SECURE SCAN TEST SCHEME A. BASIC IDEA OF PROPOSED SECURE TEST SCHEME
We present a new DFT scheme for IC testing to overcome scan-based noninvasive attacks. The main idea of the proposed secure scheme is as follows. A secure test controller is added to control the switching between the functional and test mode. When a crypto chip firstly enters the functional mode after power-on or reset, it cannot be switched into the test mode. Shift operation is disabled under the circumstance. It ensures that the secret information in scan chains cannot be shifted out. If a crypto chip firstly enters the test mode after power-on or reset, both shift operation and capture operation are enabled. But it is prohibited to load the cipher key into crypto core, even if System_TC becomes '0'. In this case, secret information is isolated from scan chains. The switching between the functional and test mode won't happen unless the system is reset or restarted.
Based on the basic idea described above, the working principle of the secure scheme can be depicted visually in Figure 3 . At power-on, the circuit is firstly initialized. If System_TC=0 after initialization, the circuit enters the functional mode. During this period, the cipher key can be loaded in crypto chip normally and the shift operation is disabled. Even if System_TC turns to '1', the crypto chip remains in the functional mode. If System_TC =1 after initialization, the circuit enters the test mode. During this period, the cipher key is shielded from crypto chip and the shift operation is enabled. If System_TC becomes '0', the capture operation is enabled. However, the crypto chip cannot be switched into the functional mode. The working mode will be reshuffled when the system is restarted or reset again.
B. HARDWARE IMPLEMENTATION OF PROPOSED SECURE TEST SCHEME
The proposed secure DFT architecture is illustrated in Figure 4 . In the schematic diagram, the round key generator and round operation unit are the main parts of AES hardware architecture [1] . Based on the cipher key (i.e. Roundkey 0 shown in Figure 2 ) and key expansion function, the round key generator generates and stores all the round keys. The round operation unit performs basic transformations: Sub-Bytes, Shift-Rows, Mix-Columns and Add-RoundKey. The key register and round register are configured as part of scan chain. In the proposed architecture, the key shielding mechanism is used to shield the cipher key in test mode. In addition, the shift disable mechanism is used to disable the shift operation when the chip enters the functional mode firstly. A secure test controller is utilized to generate the shielding signal, which controls the key shielding mechanism and the shift disable mechanism. The test control logic is described in detail as follows.
1) Secure scan test controller: The architecture of secure scan test controller is shown in Figure 5 . As can be seen from the figure, the controller consists of a flip-flop (F1), a 2-bit counter, an inverter (G1), a 2-input AND gate (G2) and a 2-input OR gate (G3). In addition to clock input signal (CLK), the controller has two input signals: system reset signal (System_RST ) and test control signal (System_TC), and an output signal (Sig_Shielding). Assume that the circuit is always reset by asserting System_RST low at power-on. All the flip-flops in the controller are cleared to '0' during resetting. Assume that the flipflops in the circuit are rising-edge triggered. After resetting, if System_TC = 0 before the first rising edge of CLK, then Sig_Shielding will be '0'. Otherwise, Sig_Shielding will be '1'. Sig_Shielding keeps unchanged even if System_TC changes after the first rising edge of CLK. The detailed analysis of the controller is given in the following paragraphs.
After resetting, the output Q of the flip-flop F1 and the output bits (i.e. MSB and LSB) of the 2-bit counter are all logic '0'. If System_TC is logic '0' at this time, the output of AND gate G2 will be '0'. As both two inputs of OR gate G3 are logic '0', its output will be '0'. The output signal Sig_Shielding and the input D of flip-flop F1, which are both fed by the output of G3, are also logic '0'. The enable input EN connected to LSB is asserted low, so the counter can count up. On arrival of the first rising edge of CLK, the state of the counter goes from ''00'' to ''01'' (i.e. MSB=0, LSB=1). As the input D is equal to '0', the state of F1 remains logic '0'. The enable input EN turns to logic '1' and hence the counter will keep unchanged in the following clock cycles. LSB will always be logic '1' until the counter is reset and the output VOLUME 7, 2019 of the inverter G1 will invariably be logic '0'. Because zero is a controlling value for an AND gate, the output of G2 will always be '0' regardless of the other input System_TC. Zero is a non-controlling value for an OR gate, so the output of G3 is determined by the output of F1. Thus, the next state of F1 is determined by its current state. The state of F1 and the output signal Sig_Shielding remain '0' in the process even if System_TC changes. The timing waveform is illustrated in Figure 6 (a) . Before resetting, the values of Systme_TC, LSB, EN , and Sig_Shielding are considered as unspecified bits (X bits).
As LSB is '0' after resetting, the output of G1 is '1'. If System_TC is logic '1' at this time, then the output of G2 will be '1'. Thus, the output of G3, the input D of flip-flop F1, and the output signal Sig_Shielding are also '1'. On arrival of the first rising edge of CLK, the value of F1 is still '1'. In the meantime, the state of the 2-bit counter reaches ''01'' (i.e., MSB = 0, LSB=1), and then the enable input EN driven by LSB is asserted high. The counter will halt and LSB will always be 1 in the following clock cycles. Thus, the output of G1 will always be '0'. Because zero is a controlling value for the AND gate G2, its output will always be '0' regardless of the other input System_TC. The output of G3 will be equal to the state of F1. Thus, the next state of F1 is equal to its current state. The state of F1 and the output signal Sig_Shielding will remain '1' in the process even if System_TC changes. The timing waveform is illustrated in Figure 6 (b). From the analysis above, Sig_Shielding is determined uniquely by the value of System_TC before the rising edge of the first clock cycle. It will keep unchanged until the system is reset or restarted again.
2) Key Shielding mechanism: The key shielding logic, which is used to shield the cipher key, is illustrated in Figure 7 . It includes several inverters, 2-input NOR gates and OR gates. There are two ways of shielding the cipher key bits. Some bits of the cipher key are propagated through an inverter and then connected to one input of a NOR gate. The other bits of the cipher key are propagated through an OR gate. The other input of the NOR gate or OR gate is feed by Sig_Shielding, which is generated by the secure test controller. If Sig_Shielding is '1', the output of each NOR gate will be '0' and the output of each OR gate will be '1'. Mendacious key will propagate to the round key generator of crypto core while the real cipher key is shielded. The mendacious key can be set arbitrarily by combining shielding way of each cipher key bit. If Sig_Shielding is '0', the output of the additional NOR gates and OR gates will be dominated by the cipher key bits. The additional shielding logic is transparent and the cipher key can be loaded normally.
3) Shift disable mechanism: As shown in Figure 8 , the shift disable mechanism is only comprised of an AND gate. The test control signal System_TC is connected to the TC port of each scan flip-flop via an AND gate. The other input of the AND gate is driven by Sig_Shielding. When Sig_Shielding = 0, the TC port of each scan flip-flop can only receive 0. All the scan flip-flops will be fed by the data input Di while the shift operation is disabled even if System_TC = 1. Otherwise, if Sig_Shielding = 1, the TC port of each the scan flip-flop will be determined by System_TC. The shift operation and capture operation can be launched by assigning System_TC logic '1' and logic '0' respectively. The encryption process cannot be done as the cipher key is isolated.
IV. PERFORMANCE ANALYSIS A. TESTABILITY ANALYSIS
The secure test scheme proposed in [18] can apply stuckat test and LOS (launch-off-shift) based delay test, but it is FIGURE 8. Shift disable mechanism.
not adaptable for LOC delay test. The smart test controller in [26] allows to apply one-capture-cycle LOC delay test, however, the multi-capture-cycle test cannot be executed. These techniques bring inconvenience to chip test. In the proposed technique, the crypto chip can normally enter the test mode when the system test control signal System_TC is set to '1' at power-on or reset. The shift and capture operation can also be switched arbitrarily in the test mode. It allows to apply all sorts of test sets including stuck-at fault test set and LOS/LOC delay fault test set just as conventional scan design.
It should be noted that, the test vectors need to be modified. During test generation for conventional scan design, the values of the cipher key need to be provided. For the proposed secure scan scheme, the test vectors are generated based on the mendacious key. The fault coverage may vary when providing different key bits. To avoid the loss in the fault coverage, we can select an appropriate mendacious key (as discussed in Section III.B).
Besides, the faults on the lines which transfer the cipher key from non-volatile memory to round key generator, cannot be tested by scan test. But it just needs to apply the functional test for some clock cycles to test such faults.
As stated previously, the testability of the crypto chip is not decreased significantly. In addition, the additional logic in the proposed secure scan design won't work when the crypto circuit runs in functional mode. Consequently, the regular function of the crypto circuit is not affected.
B. SECURITY ANALYSIS
Almost without exception, the existing scan-based sidechannel attacks first bring the chip into an expected state and then scan out the sensitive data in scan chains.
In the proposed technique, the cipher key can be loaded into encryption module when the chip runs in the functional mode. The switching from the functional mode to the test mode is forbidden, and then the intermediate encryption results in scan chains cannot be observed by using shift operation. Therefore, the mode-switching attacks can be thwarted. If the chip runs in the test mode, the secret key is isolated from encryption module. Although the attackers can perform shift operation in the test mode, the data stored in scan chains is not related to the cipher key. Thus, the test-modeonly attacks can be thwarted. Compared with the mode reset countermeasure [7] , which is vulnerable to test-mode-only attack, the proposed secure technique has higher security.
C. OVERHEAD ANALYSIS
For evaluating the hardware penalty, the proposed technique is conducted on pipelined [27] and iterative AES circuits [28] with 128-bit cipher key. The netlists of the original design are obtained by synthesizing with Synopsys Design Compiler. Then the scan design is inserted into netlists with Synopsys Test Compiler. Finally, the proposed technique is added into the netlists and synthesized with Synopsys Test Compiler. The experimental results are illustrated in Table 1 . The areas are computed in terms of the number of equivalent two-input NAND gates. The columns labeled ''Original'', ''Scan design'' and ''Proposed'' give the areas of the original AES circuit, the conventional scan design and the proposed secure scan design, respectively. The fifth column gives the area overhead incurred by the proposed technique in the form of equivalent gates. The last column gives the area overhead in percentage compared with conventional scan design. The proposed technique is also compared with other countermeasures against scan-based attacks, such as MKR [3] , SOSD [18] and DOS [19] in Table 2 . SOSD-64 and SOSD-128 refer to the SOSD design in [18] with 64-bit and 128-bit shift register, respectively. DOS-10% and DOS-30% refer to the DOS design in [19] with 10% and 30% permutation rate, respectively. Compared with other secure technique, the area overhead of the proposed secure scan design is lower and more acceptable. Table 3 also gives comparison on several important attributes beyond hardware overhead with other secure scan schemes.
The MKR scheme in [3] , which is similar to the proposed scheme, is also based on secure controller. However, there are great differences between the two schemes. The proposed secure scan architecture does not introduce extra control signals (System_TC is an inherent signal of IP core). Hence, there is no need to modify the IEEE 1149.1 JTAG Controller or to re-synthesize IP design by adding more inputs. It also not necessary to reform scan chains. Only a small test controller and a few logic gates are inserted, which incur very low impact on IP design.
Compared with secure schemes based on test key such as [17] - [19] , the proposed scheme does not require set-up time before test, i.e., extra clock cycles for input test key. Consequently, it has no impact on test time. Furthermore, brute force attack based on exhaustive search is inapplicable on the proposed secure architecture. Its security strength against non-invasive attack is eminently powerful.
In the process of testing, sometimes the test sets need to be adjusted,e.g., deleting useless test vectors, augmenting new test vectors, or reordering test vectors. The proposed technique provides full freedom and flexibility for test set adjustment.
The proposed technique can nicely support offline testing, but it limits the application of online testing. In online testing, a test engineer usually runs the CUT in functional mode for several clock cycles, and then observes the circuit states or responses from scan output pins. It requires the switching between the functional and test mode. This is where the proposed technique needs to be further improved.
As described in the analysis above, the proposed technique has the following merits: strong security for protecting the crypto chip, high testability for chip debug, and low area overhead. The proposed scheme outperforms the existing methods to protect crypto chips in at least some critical attributes.
V. CONCLUSION
In this paper, an effective secure scan test scheme is proposed to defeat the scan-based noninvasive attacks. The proposed scheme isolates the encryption key when the encryption chip runs in test mode. It also does not support the mode switching request when the chip runs in functional mode and thus protects the sensitive data in scan chains. It overcomes all potential scan-based attacks while allowing to perform all types of tests. Compared with other secure schemes, the proposed secure scan design has the obvious advantages in security, testability and area overhead.
