Scan-based Attacks against Cryptography LSIs and their Countermeasure by 奈良 竜太
February 2011
Ryuta Nara
Contents
1 Introduction
2 Scan-based Attack against AES
2.1 AES encryption algorithm
2.1.1 SubBytes: c = SubBytes(b)
2.1.2 ShiftRows: d = ShiftRows(c)
2.1.3 MixColumns: e = MixColumns(d)
2.1.4 AddRoundKey: f = AddRoundKey(e, $RK_\ell$)
2.2 Scan-based attack
2.2.1 Scan path test
2.2.2 Problems to retrieve the round keys
2.2.3 Eliminating the round key $RK_1$ from the round function output $f_1$
2.2.4 Obtaining the data dependent on the single element in $RK_0$
2.2.5 Correspondence between the round function output and the scanned data
2.2.6 Yang's method
2.3 Proposed method
2.3.1 Discriminator of $RK^0_{0,0}$
2.3.2 Retrieving $RK^0_{0,0}$ using our discriminator
2.3.3 Retrieving $RK_0$ using our method
2.3.4 Reduction of plaintexts to retrieve $RK_0$
2.4 Performance analysis
2.5 Concluding remarks
3 Scan-based Attack against RSA
3.1 RSA algorithm
3.1.1 Encryption and decryption
3.1.2 Binary method
3.2 Scan-based attack against RSA
3.2.1 Retrieving a secret exponent using intermediate values [1]
3.2.2 Problems to retrieve a secret key using a scan path
3.3 Analysis of scanned data
3.3.1 Calculating a scan signature for SF(i)
3.3.2 Scanned data analysis method
3.3.3 Possibility of successfully retrieving a secret key
3.4 Experiments and analysis
3.5 Discussions
3.6 Concluding remarks
4 Scan-based Attack against ECC
4.1 Elliptic curve cryptography
4.1.1 Elliptic curve arithmetic
4.1.2 Point multiplication
4.2 Attack against elliptic curve cryptography
4.2.1 Retrieving a secret key using intermediate values during the point multiplication
4.2.2 Problems to retrieve a secret key using a scan path
4.3 Analysis of scanned data obtained from an ECC circuit
4.3.1 Calculating a discriminator for V(i)P
4.3.2 Scanned data analysis method
4.3.3 Possibility of successfully retrieving a secret key
4.4 Experiments and performance analysis
4.4.1 Architecture of an elliptic curve cryptography circuit
4.4.2 Target scan path architecture
4.4.3 Results
4.4.4 Discussions
4.5 Concluding remarks
5 State-dependent secure scan architecture
5.1 Scan-based attacks
5.2 Secure scan architecture
5.3 Proposed method
5.4 Implementation and results
5.5 Concluding remarks
6 Conclusion
6.1 Future works
Acknowledgment
List of Publications
List of Figures
1.1 Architecture of a security LSI.
2.1 AES algorithm.
2.2 Key expansion process.
2.3 Scan path model.
2.4 System mode (Control = 0).
2.5 Test mode (Control = 1).
2.6 Data dependent on $a^1_{0,0}$, $a^2_{0,0}$, and $RK^0_{0,0}$.
2.7 Scan chain model.
2.8 A discriminator for retrieving $RK^0_{0,0}$.
2.9 n-bit data based on $sd_0 \oplus sd_q$ ($q = 1, \dots, n$).
2.10 Discriminators $D^0_k, D^1_k, \dots, D^7_k$ for retrieving $RK^0_{0,0}$.
2.11 Number of plaintexts required to retrieve $RK_0$ or $RK^0_{0,0}$ on average.
2.12 The experimental results for Experiment 2.
2.13 The experimental results for Experiment 3.
3.1 Binary method example ($d = 1011_2$).
3.2 Scan signature $SS_i$.
3.3 Scanned data.
3.4 Scanned data example.
3.5 Example of scan signatures.
3.6 Number of required messages to retrieve secret exponents.
4.1 Point addition $P_1 + P_2 = Q$.
4.2 Point doubling $2P = Q$.
4.3 Discriminator $D_i$.
4.4 Scanned data.
4.5 Scanned data example.
4.6 Discriminator $D_2$.
4.7 Discriminator $D_1$.
4.8 Block diagram of the elliptic curve cryptography (data path).
4.9 Block diagram of the elliptic curve cryptography (controller).
4.10 Number of required points to retrieve secret keys.
4.11 Scanned data modified by [2].
4.12 Scanned data modified by [3].
5.1 State-dependent scan FF (SDSFF).
5.2 Timing chart.
5.3 Model of proposed scan architecture.
List of Tables
2.1 Relation of the Hamming weight of the first column of $f^1_1 \oplus f^2_1$ and $(b^1_{0,0}, b^2_{0,0})$.
3.1 Example parameters in Algorithm 1.
3.2 Intermediate values at the end of the i-th loop of Algorithm 1 (message $c = 10011100_2$).
3.3 Secret exponent example.
3.4 Experimental results.
4.1 Intermediate values at the end of the i-th loop of Algorithm 2 with input P and k = 1010.
4.2 The experimental results.
5.1 Values in Example 1.
5.2 Implementation results for an AES cryptography circuit.
5.3 Security comparison.
Chapter 1
Introduction
Individual authentication increases in importance as network technology advances. IC passports, SIM cards, and ID cards used in entry and exit management systems depend on their embedded LSI chips to keep them secure. These LSI chips achieve secure communication and reject counterfeit cards. The LSI chip usually includes cryptography circuits that encrypt and decrypt important data such as ID numbers and electronic money information.
Cryptography circuits inside LSI chips implement either symmetric-key cryptography or public-key cryptography. Symmetric-key algorithms such as DES [4] and AES [5] are very popular and widely used. They use the same secret key for encryption and decryption. However, it may be difficult to share the same secret key securely, for example when communicating over the Internet. Public-key cryptography, on the other hand, uses different keys to encrypt and decrypt data, which solves the key sharing problem of symmetric-key cryptography. One of the most popular public-key algorithms is RSA [6], which is used by many secure technologies such as secure key agreement and digital signatures. Elliptic curve cryptography (ECC) [7, 8] is well known as a public-key cryptography with low cost and high throughput. Public-key cryptography is used by many security applications to achieve secure communication. However, there is a threat that a secret key may be retrieved from cryptography LSI circuits.
A scan path is one of the most important testing techniques. In a scan path, the registers inside an LSI are connected serially so that they can be controlled and observed directly from outside the LSI, which increases test efficiency significantly. On the other hand, register data can easily be obtained through a scan path, which implies that a secret key in a cryptography LSI can be retrieved. This is called a "scan-based attack": a method to retrieve a secret key from the scanned data obtained from the scan path of a cryptography LSI. The scan-based attack has attracted attention over the years as a new side-channel attack.
One of the difficulties in a scan-based attack is how to retrieve a secret key from the scanned data obtained from a cryptography LSI. In a scan path, the registers inside a circuit have to be connected so that the interconnection length is short enough to satisfy timing constraints. This means that no one but the scan-path designer knows the correspondence between the registers and the scanned data. To succeed in a scan-based attack against a cryptography LSI, an attacker needs to retrieve a secret key from scanned data that is connected almost "randomly". Yang et al. first showed a scan-based attack against DES in 2004 and retrieved a DES secret key [9]. They also presented a scan-based attack against AES in 2006 [10]. Yang et al. propose a method that makes use of the Hamming weight of the scanned data storing intermediate values during encryption/decryption. This method only needs the correspondence between the scanned data and the intermediate values, not the bit-to-bit correspondence between them. To calculate the Hamming weight of the scanned data for analysis, Yang's method needs to identify the positions of the registers storing the intermediate values, so Yang et al. need to observe the change of the intermediate values.
However, Yang's method assumes the following two points for this observation.
Figure 1.1: Architecture of a security LSI. (Block diagram: RAM, random generator, MPU, I/O, controller, and crypto-circuit connected over an internal bus.)
Assumption 1: A scan path does not include random elements caused by memories, processors, I/Os, and control circuits other than the registers of the cryptography circuit storing the intermediate values.
Assumption 2: An attacker knows when the registers store the intermediate values necessary for analysis.
A cryptography circuit is not implemented on an LSI by itself. It is implemented on an LSI together with memories, processors, I/Os, and control circuits (Figure 1.1). It is quite possible that a scan path includes random elements caused by these memories, processors, I/Os, and control circuits in addition to the registers of the cryptography circuit storing the intermediate values. In that case, an attacker cannot know when the registers store the intermediate values necessary for analysis. If Assumption 1 and Assumption 2 do not hold, it is very hard to retrieve a secret key using Yang's method.
In this dissertation, we propose new scan-based attacks against AES, RSA, and ECC. Our proposed scan-based attack against AES has the advantage that we do not need the correspondence between the scanned data and the registers of the cryptography circuit storing the intermediate values, and further, we do not have to know when the registers store the intermediate values necessary for analysis. In addition to these advantages, we considerably reduce the number of inputs needed to retrieve a secret key. Therefore, our proposed scan-based attack against AES is more practical and powerful than Yang's method. The algorithm of our scan-based attack can retrieve the secret key of RSA and ECC circuits as well as AES. Scan-based attacks against public-key cryptography had not been presented before. We propose the world's first scan-based attacks against public-key cryptography circuits. An RSA circuit is more complicated than an AES circuit, and an ECC algorithm is much more complicated than RSA. However, our scan-based attacks are almost independent of the scan-path structure, so that we successfully retrieve the secret keys inside them using only 30 to 40 inputs.
The purpose of our proposed attack method is not to make secure scan architectures ineffective but to retrieve a secret key from the scanned data of a cryptography circuit under as few limitations as possible. In fact, our scan-based attack method without any modification might not work against cryptography LSIs that use some secure scan architectures. However, some secure scan architectures cannot prevent our proposed scan-based attacks. Sengar's secure scan architecture [2] inserts inverters between registers at random positions in order to modify the scanned data. Testers can perform a scan path test because they know the positions of the inserted inverters, but attackers do not know them and cannot turn the modified scanned data back to normal. However, an inserted inverter either inverts the scanned data or does not, so the modified pattern of a particular register takes only two forms. Because our proposed attack method checks whether the value corresponding to the secret key exists or not in the columns of the scanned data, Sengar's method is not effective against our proposed scan-based attacks. In order to prevent our proposed scan-based attacks from retrieving a secret key, we propose a new secure scan architecture named the state-dependent configurable secure scan path. We insert state-dependent scan flip-flops (SDSFFs) between registers. An SDSFF dynamically changes the inverted positions, so that our secure scan architecture effectively protects a secret key from scan-based attacks.
This dissertation is organized as follows:
Chapter 2 [Scan-based Attack against AES] describes our proposed scan-based attack against AES. We first explain the algorithm and the architecture of AES. AES is one of the most popular symmetric-key cryptography algorithms and is used by many security applications. We introduce Yang's scan-based attack against AES as the conventional method. We then propose a new algorithm for a scan-based attack against AES. We experiment with scanned data obtained from an AES C simulator. Chapter 3 [Scan-based Attack against RSA] describes our proposed scan-based attack against RSA. We explain the algorithm and the architecture of RSA. RSA is the first public-key algorithm in practical use, and it is used by many secure technologies such as secure key agreement and digital signatures. Second, we explain the correspondence between a secret key and the intermediate values during decryption, and then we propose the world's first scan-based attack against RSA. We experiment with scanned data obtained from an RSA C simulator. Chapter 4 [Scan-based Attack against ECC] describes our proposed scan-based attack against elliptic curve cryptography (ECC). We first explain the algorithm and the architecture of ECC. ECC is a public-key algorithm whose merit is superior cryptographic strength: a 160-bit ECC key offers the same security level as a 1,024-bit RSA key. Second, we explain the algorithm to retrieve a secret key from the intermediate values during a scalar multiplication in ECC, and then we propose the world's first scan-based attack against ECC. We experiment with scanned data obtained from an ECC gate-level simulator. Chapter 5 [State-dependent Secure Scan Architecture] describes our proposed secure scan architecture. Secure scan architecture is an important technique for preventing scan-based attacks. We explain our proposed state-dependent scan flip-flops (SDSFFs) and the architecture of a secure scan path using them. We experiment with the state-dependent secure scan path in order to validate its effectiveness and area overhead. Chapter 6 [Conclusion] summarizes our research and indicates future work.
Chapter 2
Scan-based Attack against AES
In this chapter, we propose a scan-based attack method against AES which retrieves a secret key even if its scan path includes random elements other than the 128-bit register storing the round function output of AES. Our proposed method checks whether data specific to the secret key exists or not in the scanned data. Unlike Yang's method, our method is not influenced by other registers, since we only focus on 1-bit register values. Hence our method can attack an AES cryptography LSI even if its scan path contains registers other than those of the AES circuit.
If a secret key on an AES cryptography LSI is retrieved using our proposed method, attackers may make a counterfeit smart card and steal money with it. They may also gain unauthorized access to the Internet and make expensive purchases. It is worth pointing out that there is a vulnerability in the scan path of an AES-based cryptography LSI.
2.1 AES encryption algorithm
The Advanced Encryption Standard (AES) is a symmetric-key encryption standard announced in 2001 as FIPS PUB 197 [5] by the National Institute of Standards and Technology (NIST). AES is expected to completely replace the Data Encryption Standard (DES) [4], and it is already used by many cryptography applications.
The AES algorithm encrypts and decrypts 128-bit data using a 128-bit, 192-bit, or 256-bit secret key. The AES algorithm is shown in Figure 2.1; see [5] for the detailed algorithm. After the input data is XORed with the initial round key (which is called the pre-round function), the AES algorithm encrypts it by applying the round function 10, 12, or 14 times, depending on the key bit length. The round function uses the round keys generated by the key expansion process shown in Figure 2.2.
Assume that the secret key has a length of 128 bits. Hereafter, all the variables and round keys in the AES algorithm have a length of 128 bits. Each variable and round key is represented by a $4 \times 4$ matrix, each of whose elements is 8-bit data. For example, let $a$ be a 128-bit plaintext. Then it is composed of $a_{0,0}, a_{0,1}, \dots, a_{3,3}$, each of which is an element of $a$ and is 8-bit data (a byte), as in Figure 2.1. In this chapter, similar notation is applied to the other variables and round keys.
By applying the key expansion process to the 128-bit secret key, we obtain the 11 round keys $RK_0, \dots, RK_{10}$, where the first one is the initial round key and each of the others is used for one of the 10 round functions. Each round function other than the final one is composed of SubBytes, ShiftRows, MixColumns, and AddRoundKey, and the final one is composed of SubBytes, ShiftRows, and AddRoundKey.
Figure 2.1: AES algorithm. (Diagram: the plaintext $a$ passes through the pre-round function (AddRoundKey) to give $b$, then through the round function SubBytes ($c$), ShiftRows ($d$), MixColumns ($e$), and AddRoundKey ($f$); each value is drawn as a $4 \times 4$ matrix of byte elements.)
Figure 2.2: Key expansion process. (Diagram: the secret key is passed through repeated Key Expand steps to produce $RK_0, RK_1, RK_2, \dots, RK_9, RK_{10}$.)
2.1.1 SubBytes: c = SubBytes(b)
The SubBytes function is a non-linear byte-wise substitution using the S-box, which is expressed as follows:
1. Compute the multiplicative inverse in the finite field $GF(2^8)$, whose irreducible polynomial is $m(x) = x^8 + x^4 + x^3 + x + 1$.
2. Apply the affine transformation over $GF(2)$.
2.1.2 ShiftRows: d = ShiftRows(c)
In the ShiftRows function, each row of the input is cyclically shifted as follows:
1. The first row is not shifted,
2. The second row is shifted to the left by one byte,
3. The third row is shifted to the left by two bytes, and
4. The fourth row is shifted to the left by three bytes.
2.1.3 MixColumns: e = MixColumns(d)
The MixColumns function is a column-by-column linear function whereby we consider each column of the input as a four-term polynomial over $GF(2^8)$. It can be written as the matrix multiplication in Eqn. (2.1):
$$
\begin{bmatrix} e_{0,k} \\ e_{1,k} \\ e_{2,k} \\ e_{3,k} \end{bmatrix}
=
\begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix}
\begin{bmatrix} d_{0,k} \\ d_{1,k} \\ d_{2,k} \\ d_{3,k} \end{bmatrix}
\qquad (2.1)
$$
where $0 \le k \le 3$.
2.1.4 AddRoundKey: f = AddRoundKey(e, $RK_\ell$)
In the AddRoundKey function, the input is XORed with the round key bit by bit.
2.2 Scan-based attack
The purpose of a scan-based attack is to retrieve the secret key from the scanned data of a cryptography circuit. Throughout this chapter, we focus on AES as the cryptography algorithm. AES encryption repeats the round function 10 times when the secret key is 128 bits. The round function uses the 11 round keys $RK_0, RK_1, \dots, RK_{10}$, which are generated from the secret key by the key expansion process as in Figure 2.2. If one of the 11 round keys is known, the secret key can easily be computed. A scan-based attack against AES retrieves one of the 11 round keys from the scanned data and then computes the secret key from it.
As the AES cryptography circuit, an architecture such as [11] can be used. Assume that a 128-bit plaintext $a$ is given. As in Figure 2.1, the result $b$ is obtained by XORing $a$ with the round key $RK_0$ (pre-round function). The result goes into the 1st round function. The output of the 1st round function is stored in the 128-bit register R and goes into the 2nd round function. When the secret key length is 128 bits, the loop count is 10.
For the AES cryptography LSI [11], the following three points are assumed:
1. Attackers can input any plaintext to the AES cryptography LSI.
2. Attackers can obtain scanned data from the scan path.
3. The connection sequence in the scan path is random and unknown.
In [12], two more points are assumed in addition to the points above, as described in Section 2.3. The main contribution of this chapter is to propose a new scan-based attack which assumes only the above three points.
2.2.1 Scan path test
A scan path connects the registers in a circuit serially so that a tester can easily observe the register values inside the circuit. The scan path is widely used in recent circuit implementations because of its testability and ease of use.
A scan path test requires replacing standard flip-flops (FFs) with scan flip-flops (SFFs). An SFF usually consists of an FF and a multiplexer. The multiplexer output pin is connected to the FF input pin. The multiplexer selects one of its two inputs: when its select line is 0, it outputs the combinational circuit's output; when its select line is 1, it outputs the scan input, i.e. the output of the preceding SFF. A scan path model is shown in Figure 2.3. The Control pin is used to choose between the system mode and the test mode. While the Control pin is 0, normal operation is performed in the system mode as shown in Figure 2.4. While the Control pin is 1, the SFFs are connected serially and we obtain the scanned data stored in each FF from the scan-out pin as shown in Figure 2.5.
We call the three operations in test mode "Scan In", "Capture", and "Scan Out"; through them we can control and observe the internal states of cryptography circuits via the scan path.
Scan In: Input test patterns to the scan FFs inside the circuit in test mode.
Capture: Operate the circuit normally in system mode.
Scan Out: Observe the values of the FFs inside the circuit in test mode.
Testers prepare test patterns for input and the anticipated output patterns corresponding to them. They input the test patterns by "Scan In" in test mode, operate the circuit for one or several cycles by "Capture" in system mode, and obtain the scanned data by "Scan Out" in test mode. If the scanned data matches the anticipated output patterns, they find that the circuit operates correctly.
Figure 2.3: Scan path model. (Diagram: a chain of FFs, each fed by a 0/1 multiplexer driven by the Control pin, connected from Scan in to Scan out, with combinational circuits between them and connections from and to other circuits.)
Figure 2.4: System mode (Control = 0). (Same diagram; the multiplexers select the combinational circuit outputs.)
Figure 2.5: Test mode (Control = 1). (Same diagram; the multiplexers select the serial scan connection.)
2.2.2 Problems to retrieve the round keys
Let $a$ be a plaintext, $RK_\ell$ be the round keys, $\mathrm{Round}$ be the round function for the 1st through 10th loops, and $\mathrm{Round\_final}$ be the last round function, where $\ell$ in $RK_\ell$ is the loop count in Figure 2.1. Then the round function output $f_\ell$ at Round $\ell$ is expressed as in Eqn. (2.2).
$$
\begin{aligned}
f_1 &= \mathrm{Round}(RK_1,\; a \oplus RK_0) \\
f_\ell &= \mathrm{Round}(RK_\ell,\; f_{\ell-1}) \quad (2 \le \ell \le 9) \\
f_{10} &= \mathrm{Round\_final}(RK_{10},\; f_9)
\end{aligned}
\qquad (2.2)
$$
In Round 1, $a \oplus RK_0$ is the pre-round function. At Round 1, the round function output $f_1$ is a function of the plaintext $a$, the round key $RK_0$, and the round key $RK_1$. At Round 2 or later ($2 \le \ell \le 10$), the round function output $f_\ell$ is a function of $f_{\ell-1}$ and the round key $RK_\ell$.
As indicated above, $f_\ell$ is influenced by $RK_0, RK_1, \dots, RK_\ell$. This means that it is best for us to analyze the round function output $f_1$ at Round 1, because $f_1$ is given by $\mathrm{Round}(RK_1, a \oplus RK_0)$, which only involves $a$, $RK_0$, and $RK_1$. Since the round function output $f_1$ is stored in the register R several clock cycles after the plaintext is input, it may be obtained from the scanned data.
However, the following three problems must be solved in order to retrieve the round key $RK_0$ from the scanned data:
Problem 1: The round function output $f_1$ includes the two round keys $RK_0$ and $RK_1$.
Problem 2: The round key $RK_0$ is 128-bit data. The number of possible values of $RK_0$ is $2^{128}$, so an exhaustive search over all of them is impractical.
Problem 3: The bit-to-bit correspondence between the scanned data and the register R is unknown.
2.2.3 Eliminating the round key $RK_1$ from the round function output $f_1$
In order to solve Problem 1 of Section 2.2.2, the round key $RK_1$ has to be eliminated from the round function output $f_1$. AddRoundKey is the last sub-function of the 1st round function. In AddRoundKey, its input $e$ is XORed with the round key $RK_1$, giving the round function output. Recall that XORing two identical values gives zero.
Let $a^1$ and $a^2$ be two plaintexts, $e^1$ and $e^2$ be their MixColumns outputs, and $f^1_1$ and $f^2_1$ be their round function outputs, respectively. As shown in Eqn. (2.3), $f^1_1 \oplus f^2_1$ is independent of the round key $RK_1$. $e^1 \oplus e^2$ can be computed from only the two plaintexts $a^1$ and $a^2$ and the round key $RK_0$, without using $RK_1$.
$$
\begin{aligned}
f^1_1 \oplus f^2_1 &= (e^1 \oplus RK_1) \oplus (e^2 \oplus RK_1) \\
&= e^1 \oplus RK_1 \oplus e^2 \oplus RK_1 \\
&= e^1 \oplus e^2 \oplus RK_1 \oplus RK_1 \\
&= e^1 \oplus e^2
\end{aligned}
\qquad (2.3)
$$
By using $e^1 \oplus e^2$, we can eliminate $RK_1$ from the round function output.
2.2.4 Obtaining the data dependent on the single element in $RK_0$
Problem 2 can be solved as follows. Let us consider retrieving the round key $RK_0$ from two plaintexts $a^1$ and $a^2$ and the XOR of their MixColumns outputs, $e^1 \oplus e^2$.
First assume that it is somehow possible to find the round function outputs $f^1_1$ and $f^2_1$ for the plaintexts $a^1$ and $a^2$, respectively, in the scanned data. Then the simplest retrieval method is an exhaustive search over all possible values of $RK_0$. However, the number of possible values of $RK_0$ is $2^{128}$, and an exhaustive search over all of them is impractical.
This problem is solved by generating data which depends only on a single element of $RK_0$. Let $a^1$ and $a^2$ be two plaintexts which have the same values except for their first elements $a^1_{0,0}$ and $a^2_{0,0}$, as in Eqn. (2.4):
$$
a^1 = \begin{bmatrix} a^1_{0,0} & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{bmatrix},
\qquad
a^2 = \begin{bmatrix} a^2_{0,0} & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{bmatrix}
\qquad (2.4)
$$
If $a^1$ and $a^2$ defined above are given to the round function, we obtain the two round function outputs $f^1_1$ and $f^2_1$ at Round 1. As in Figure 2.6, only the first column of $f^1_1 \oplus f^2_1$ depends on $a^1_{0,0}$, $a^2_{0,0}$, and $RK^0_{0,0}$; the other columns of $f^1_1 \oplus f^2_1$ become zero. The number of possible values of $RK^0_{0,0}$ is at most $2^8 = 256$, so an exhaustive search over all possible values of $RK^0_{0,0}$ is very practical. All other elements of the round key $RK_0$ can be retrieved in the same way.
Figure 2.6: Data dependent on $a^1_{0,0}$, $a^2_{0,0}$, and $RK^0_{0,0}$. (Diagram: the plaintexts $a^1$ and $a^2$ pass through the pre-round function with $RK_0$ and the round function with $RK_1$; only the first column of $e^1 \oplus e^2$ and of $f^1_1 \oplus f^2_1$ is non-zero.)
2.2.5 Correspondence between the round function output
and the scanned data
In fact, Problem 3 is the essential one in a scan-based attack. In a scan chain, the registers inside a circuit are connected so that the interconnection length is short enough to satisfy the design constraints. This means that nobody but the scan-chain designer knows the correspondence between registers and scanned data. Attackers cannot compare the expected data with the scanned data and thus cannot retrieve the round key RK0. Yang et al. proposed a solution to this problem, described in Section 2.2.6.
2.2.6 Yang's method
In order to solve Problem 3, Yang et al. proposed a method that makes use of the Hamming weight of the first column of $f^1_1 \oplus f^2_1$ to retrieve the round key RK0 [12]. This method needs only the correspondence between the first column of $f^1_1$ or $f^2_1$ and the scanned data, not the bit-to-bit correspondence between them.
Retrieving $b_{0,0}$ with the Hamming weight
The output b of the pre-round function is obtained by XORing a plaintext a with the round key RK0. Conversely, RK0 is calculated as $a \oplus b$. For the first element $(0,0)$, the following equation is obtained:
\[
a_{0,0} \oplus b_{0,0} = a_{0,0} \oplus (a_{0,0} \oplus RK0_{0,0}) = (a_{0,0} \oplus a_{0,0}) \oplus RK0_{0,0} = RK0_{0,0} \tag{2.5}
\]
This means that retrieving $RK0_{0,0}$ is equivalent to retrieving $b_{0,0}$. Now consider retrieving $b_{0,0}$ from the round function output $f_1$ at Round 1.
First, consider the relation between b and the round function output $f_1$ at Round 1. Assume that $b^1$ and $b^2$, which have the same values except for their first elements $b^1_{0,0}$ and $b^2_{0,0}$, are obtained. Let us further assume that $b^1_{0,0}$ and $b^2_{0,0}$ satisfy Eqn. (2.6) below:
\[
\begin{pmatrix} b^1_{0,0} \\ b^2_{0,0} \end{pmatrix} = \begin{pmatrix} 2m \\ 2m+1 \end{pmatrix} \quad \text{or} \quad
\begin{pmatrix} b^1_{0,0} \\ b^2_{0,0} \end{pmatrix} = \begin{pmatrix} 2m+1 \\ 2m \end{pmatrix} \tag{2.6}
\]

Table 2.1: Relation between the Hamming weight of the first column of $f^1_1 \oplus f^2_1$ and $(b^1_{0,0}, b^2_{0,0})$.
Hamming weight    $(b^1_{0,0}, b^2_{0,0})$
9                 226, 227
12                242, 243
23                122, 123
24                130, 131
where $0 \le m \le 127$. The round function outputs $f^1_1$ for $b^1$ and $f^2_1$ for $b^2$ can be calculated, and then $f^1_1 \oplus f^2_1$ is obtained. As shown in Figure 2.6, the first column of $f^1_1 \oplus f^2_1$ depends on $b^1_{0,0}$ and $b^2_{0,0}$, and the other elements become zero.
Since the number of possible values of $(b^1_{0,0}, b^2_{0,0})$ satisfying Eqn. (2.6) is merely $2^7 = 128$, all possible values of $(b^1_{0,0}, b^2_{0,0})$ can be evaluated and the Hamming weight of the first column of $f^1_1 \oplus f^2_1$ calculated for each of them. If and only if $(b^1_{0,0}, b^2_{0,0})$ is $(226, 227)$ does the Hamming weight of the first column of $f^1_1 \oplus f^2_1$ become 9. Hence, if the Hamming weight of the first column of $f^1_1 \oplus f^2_1$ for two plaintexts $a^1$ and $a^2$ is 9, $(b^1_{0,0}, b^2_{0,0})$ can be identified as $(226, 227)$. There are four such cases, which are summarized in Table 2.1.
Hence, two problems still remain to be solved:
Problem (i): The correspondence between the first column of the round function output and the scanned data is unknown.
Problem (ii): Two plaintexts $a^1$ and $a^2$ are required such that, when the pre-round function is applied to them, $b^1_{0,0}$ and $b^2_{0,0}$ satisfy Eqn. (2.6).
Specifying the first column of the round function in the scanned data
In order to solve Problem (i), the 32 1-bit registers storing the first column of the round function output at Round 1 must be located in the scanned data.
By the method described in Section 2.2.4, the first column of the round function output depends on the plaintext element $a_{0,0}$. Several plaintexts which have the same values except for the element $a_{0,0}$ are input into the AES circuit and, after Round 1 is over, their scanned data sets are picked up and compared with one another. If one of the scanned data sets differs from another, $a_{0,0}$ caused the differences. The positions in which the bit data differ give the 32 1-bit registers storing the first column of the round function output at Round 1 in the scanned data, because these positions are the same even if the input is different.
Selection of the plaintext elements $a^1_{0,0}$ and $a^2_{0,0}$
Consider how to solve Problem (ii). Let $a^1$ and $a^2$ be two plaintexts which have the same values except for their first elements $a^1_{0,0}$ and $a^2_{0,0}$, defined as in Eqn. (2.7) below.
\[
\begin{pmatrix} a^1_{0,0} \\ a^2_{0,0} \end{pmatrix} = \begin{pmatrix} 2t \\ 2t+1 \end{pmatrix} \quad \text{or} \quad
\begin{pmatrix} a^1_{0,0} \\ a^2_{0,0} \end{pmatrix} = \begin{pmatrix} 2t+1 \\ 2t \end{pmatrix} \tag{2.7}
\]
where $0 \le t \le 127$. If $a^1_{0,0}$ is XORed with $RK0_{0,0}$ and $a^2_{0,0}$ is also XORed with $RK0_{0,0}$, we obtain Eqn. (2.8) below regardless of the value of RK0, because XORing both values with the same byte preserves the property that they differ only in their least significant bit:
\[
\begin{pmatrix} a^1_{0,0} \oplus RK0_{0,0} \\ a^2_{0,0} \oplus RK0_{0,0} \end{pmatrix} = \begin{pmatrix} 2m \\ 2m+1 \end{pmatrix} \ \text{or} \ \begin{pmatrix} 2m+1 \\ 2m \end{pmatrix}
= \begin{pmatrix} b^1_{0,0} \\ b^2_{0,0} \end{pmatrix} \tag{2.8}
\]
where $0 \le m \le 127$. Hence the two plaintexts $a^1$ and $a^2$ are prepared so that they have the same values except for their first elements, which satisfy Eqn. (2.7).
Number of plaintexts to retrieve RK0 with Yang's method
Yang et al. showed that six plaintexts on average and 15 plaintexts in the worst case are required to locate the 32 1-bit registers in the scanned data, as in Section 2.2.6. Since RK0 is composed of four columns, $4 \times 6 = 24$ plaintexts on average and $4 \times 15 = 60$ plaintexts in the worst case are required. Let us now consider how many plaintexts are required to retrieve RK0. The number of possible patterns for $a^1$ and $a^2$ satisfying the discussion in Section 2.2.6 is 128. There are four Hamming weight values, 9, 12, 23, and 24, which lead to retrieving RK0. Thus, the number of plaintexts required to retrieve one element of RK0 is $128/4 = 32$ on average and $128 - 4 = 124$ in the worst case. Since RK0 has 16 elements, the number of plaintexts required to retrieve all of them is $32 \times 16 = 512$ on average and $124 \times 16 = 1{,}984$ in the worst case. Overall, $24 + 512 = 536$ plaintexts on average and $60 + 1{,}984 = 2{,}044$ plaintexts in the worst case are required to retrieve RK0 by Yang's method.
2.3 Proposed method
In addition to the assumptions described in Section 2.2.1, Yang's method makes the following two further assumptions when locating the first column of the round function output in the scanned data.
Assumption 1: A scan path does not include random elements caused by memories, processors, I/Os, and control circuits other than the register R storing the round function output.
Assumption 2: We know when the round function output at Round 1 is stored in the register R.
An AES circuit is not implemented on an LSI by itself. It is implemented on an LSI together with memories, processors, I/Os, and control circuits (Figure 2.7). It is quite possible that a scan path includes random elements caused by memories, processors, I/Os, and control circuits other than the register R storing the round function output.
Further, we cannot know when the round function output at Round 1 is stored into the register R. After a plaintext is input, obtaining the round function output at Round 1 may take one clock cycle or several clock cycles, depending on the AES architecture. Without both Assumption 1 and Assumption 2 above, it is very hard to retrieve a secret key using Yang's method.
In this section, we propose a new scan-based attack method which needs neither the correspondence between the scanned data sd and the register R storing the round function output, nor knowledge of when the round function output at Round 1 is stored in the register R. In that sense, it is a more practical and powerful attack than Yang's method.
Our method focuses on the round key element $RK0_{0,0}$, which has only $2^8$ possible values. First, we assume one value k for $RK0_{0,0}$ and calculate information specific to k, which is called a discriminator for $RK0_{0,0}$. Second, we retrieve several scanned data $sd^0, \ldots, sd^n$ and check whether they include the discriminator or not. If $sd^0, \ldots, sd^n$ include the discriminator, k is equal to $RK0_{0,0}$. If they do not include the discriminator, k is not equal to $RK0_{0,0}$. We can ignore registers other than the register R storing the round function output, since the discriminator is unique to $RK0_{0,0}$.

Figure 2.7: Scan chain model (LSI architecture with RAM, random generator, MPU, I/O controller and AES core on an internal bus; traditional model versus proposed model; diagram not reproduced).
Even if we do not know when the round function output at Round 1 is stored into the register R, we can retrieve the scanned data several times and concatenate them into a single one. We can retrieve $RK0_{0,0}$ as long as the register R storing the round function output at Round 1 is included anywhere in the scanned data.
2.3.1 Discriminator of $RK0_{0,0}$
Assume that we have two plaintexts $a^1$ and $a^2$ whose first element $(0,0)$ has a different value but whose other elements have the same values. Let $f^1_1$ and $f^2_1$ be the round function outputs at Round 1 for $a^1$ and $a^2$, respectively. Calculating $f^1_1 \oplus f^2_1$ as in Figure 2.6, the four elements of the 32-bit data in the first column depend only on $a^1_{0,0}$, $a^2_{0,0}$, and $RK0_{0,0}$, and the other elements become zero. The four elements of the 32-bit data in the first column of $f^1_1 \oplus f^2_1$ can be written as in Eqns. (2.9)-(2.11) (the round key RK1 cancels in the XOR):
\[
\begin{bmatrix} f^1_{0,0} \oplus f^2_{0,0} \\ f^1_{1,0} \oplus f^2_{1,0} \\ f^1_{2,0} \oplus f^2_{2,0} \\ f^1_{3,0} \oplus f^2_{3,0} \end{bmatrix}
= \begin{bmatrix} e^1_{0,0} \oplus e^2_{0,0} \\ e^1_{1,0} \oplus e^2_{1,0} \\ e^1_{2,0} \oplus e^2_{2,0} \\ e^1_{3,0} \oplus e^2_{3,0} \end{bmatrix}
= \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix}
\begin{bmatrix} d^1_{0,0} \oplus d^2_{0,0} \\ d^1_{1,0} \oplus d^2_{1,0} \\ d^1_{2,0} \oplus d^2_{2,0} \\ d^1_{3,0} \oplus d^2_{3,0} \end{bmatrix} \tag{2.9}
\]
Since the two plaintexts $a^1$ and $a^2$ have the same values except for their first element, we have $d^1_{0,0} \ne d^2_{0,0}$, $d^1_{1,0} = d^2_{1,0}$, $d^1_{2,0} = d^2_{2,0}$, and $d^1_{3,0} = d^2_{3,0}$ as in Figure 2.6. Then we have:
\[
= \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix}
\begin{bmatrix} d^1_{0,0} \oplus d^2_{0,0} \\ 0 \\ 0 \\ 0 \end{bmatrix} \tag{2.10}
\]
At ShiftRows, we have $c_{0,0} = d_{0,0}$, $c_{1,0} = d_{1,0}$, $c_{2,0} = d_{2,0}$, and $c_{3,0} = d_{3,0}$. Then we have:
\[
= \begin{bmatrix} 02 \cdot (c^1_{0,0} \oplus c^2_{0,0}) \\ c^1_{0,0} \oplus c^2_{0,0} \\ c^1_{0,0} \oplus c^2_{0,0} \\ 03 \cdot (c^1_{0,0} \oplus c^2_{0,0}) \end{bmatrix} \tag{2.11}
\]
Eqns. (2.9)-(2.11) show that the four elements of the 32-bit data in $f^1_1 \oplus f^2_1$ can be calculated by XORing the SubBytes outputs $c^1_{0,0}$ and $c^2_{0,0}$, where $c^1_{0,0}$ is derived from $a^1_{0,0} \oplus RK0_{0,0}$ and $c^2_{0,0}$ is derived from $a^2_{0,0} \oplus RK0_{0,0}$. The 8-bit value $c^1_{0,0} \oplus c^2_{0,0}$ depends only on $a^1_{0,0}$, $a^2_{0,0}$ and $RK0_{0,0}$, and, if we can choose $a^1_{0,0}$ and $a^2_{0,0}$ systematically, $c^1_{0,0} \oplus c^2_{0,0}$ can be used as a candidate discriminator to retrieve $RK0_{0,0}$.
Now we propose our discriminator to retrieve $RK0_{0,0}$.
Figure 2.8: A discriminator for retrieving $RK0_{0,0}$ (the LSB of each 8-bit $c^0_{0,0} \oplus c^q_{0,0}$, read across the n values, forms the n-bit $D_k$; diagram not reproduced).
D1: First we assume one value k for $RK0_{0,0}$. Then let $a^0_{0,0}$ be zero and $a^q_{0,0}$ ($q = 1, \ldots, n$) be an arbitrary non-zero 8-bit value such that $a^p_{0,0} \ne a^q_{0,0}$ ($p \ne q$).
D2: We calculate $c^0_{0,0} \oplus c^q_{0,0}$ from $a^0_{0,0}$, $a^q_{0,0}$ ($q = 1, \ldots, n$), and the assumed value k for $RK0_{0,0}$, by applying the pre-round function and SubBytes to them.
D3: We focus on each bit of $c^0_{0,0} \oplus c^q_{0,0}$ ($q = 1, \ldots, n$). As shown in Figure 2.8, the LSBs of $c^0_{0,0} \oplus c^q_{0,0}$ ($q = 1, \ldots, n$) give us n-bit data which depends on $a^0_{0,0}, a^1_{0,0}, \ldots, a^n_{0,0}$, and k. We employ this n-bit data as the discriminator to retrieve $RK0_{0,0}$ and denote it by $D_k$.
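The derivation of Eqns. (2.9)-(2.11) and Steps D1-D3 above, checked in an added Python example (not code from the thesis): one AES round is run on two plaintexts of the form of Eqn. (2.4), the round outputs are XORed, and the first column is compared with $[02 \cdot x, x, x, 03 \cdot x]$ for $x = c^1_{0,0} \oplus c^2_{0,0}$; this is the key-dependent differential that a scan-chain countermeasure has to keep out of the observable scan data. The round keys RK0 and RK1 are constructed values (RK1 cancels in the XOR, and all RK0 bytes except $RK0_{0,0}$ cancel too), and all function names are my own.

```python
"""Added example (not code from the thesis): one AES round on two plaintexts
differing only in a_{0,0}, to check Eqns. (2.9)-(2.11) and to build the
discriminator D_k of Steps D1-D3. The S-box is generated from its definition
(GF(2^8) inverse followed by the affine map) instead of being typed in."""

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox() -> list:
    """S(x) = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63, b = x^-1."""
    inv = [0] * 256  # inv[0] = 0 by AES convention
    for x in range(1, 256):
        if inv[x] == 0:
            for y in range(1, 256):
                if gf_mul(x, y) == 1:
                    inv[x], inv[y] = y, x
                    break
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for r in range(1, 5):
            s ^= ((b << r) | (b >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # MixColumns matrix

def sub_bytes(b):
    return [[SBOX[v] for v in row] for row in b]

def shift_rows(c):
    # row r rotates left by r positions, so element (0,0) stays in place
    return [[c[r][(col + r) % 4] for col in range(4)] for r in range(4)]

def mix_columns(d):
    e = [[0] * 4 for _ in range(4)]
    for col in range(4):
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(MIX[r][k], d[k][col])
            e[r][col] = acc
    return e

def xor_state(x, y):
    return [[x[r][c] ^ y[r][c] for c in range(4)] for r in range(4)]

def round_function(a, rk0, rk1):
    """f_1 = AddRoundKey(MixColumns(ShiftRows(SubBytes(a xor RK0))), RK1)."""
    return xor_state(mix_columns(shift_rows(sub_bytes(xor_state(a, rk0)))), rk1)

def plaintext(a00: int):
    """State of the form of Eqns. (2.4)/(2.12): a_{0,0} set, every other byte zero."""
    a = [[0] * 4 for _ in range(4)]
    a[0][0] = a00
    return a

def first_column_difference(a1_00, a2_00, rk0, rk1):
    """(first column of f^1_1 xor f^2_1, True iff all other columns are zero)."""
    diff = xor_state(round_function(plaintext(a1_00), rk0, rk1),
                     round_function(plaintext(a2_00), rk0, rk1))
    col0 = [diff[r][0] for r in range(4)]
    return col0, all(diff[r][c] == 0 for r in range(4) for c in range(1, 4))

def predicted_first_column(a1_00, a2_00, k00):
    """Eqn. (2.11): [02*x, x, x, 03*x] with x = S(a1 ^ k) ^ S(a2 ^ k)."""
    x = SBOX[a1_00 ^ k00] ^ SBOX[a2_00 ^ k00]
    return [gf_mul(2, x), x, x, gf_mul(3, x)]

def discriminator(k: int, a_values) -> list:
    """D_k of Steps D1-D3: LSB of c^0_{0,0} ^ c^q_{0,0}, q = 1..n, where
    a^0_{0,0} = 0 and c = S(a ^ k) for the assumed key byte k."""
    c0 = SBOX[0 ^ k]
    return [(c0 ^ SBOX[aq ^ k]) & 1 for aq in a_values]

if __name__ == "__main__":
    rk0 = [[0xA5 ^ (4 * r + c) for c in range(4)] for r in range(4)]  # constructed RK0
    rk0[0][0] = 0x53                                                   # RK0_{0,0} = 0x53
    rk1 = [[(0x11 * (r + 1)) ^ c for c in range(4)] for r in range(4)]  # constructed, cancels
    col0, rest_zero = first_column_difference(0x00, 0x01, rk0, rk1)
    print(rest_zero, [hex(v) for v in col0])   # True ['0xc1', '0xed', '0xed', '0x2c']
    print(col0 == predicted_first_column(0x00, 0x01, 0x53))   # True
    print(discriminator(0x53, [0x01, 0x02, 0x03]))            # [1, 0, 0]
```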
2.3.2 Retrieving $RK0_{0,0}$ using our discriminator
Using the n-bit discriminator proposed in Section 2.3.1, we retrieve the round key element $RK0_{0,0}$ as follows. Let $a^q_{0,0}$ ($q = 1, \ldots, n$) be the 8-bit data determined at Step D1 in Section 2.3.1 to calculate the discriminator $D_k$. Then we have the $(n+1)$ plaintexts shown in Eqn. (2.12).
\[
a^0 = \begin{bmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{bmatrix}, \quad
a^q = \begin{bmatrix} a^q_{0,0} & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{bmatrix} \tag{2.12}
\]
where $q = 1, \ldots, n$. Assume that we have the scanned data $sd^0, sd^1, \ldots, sd^n$, which include the round function output at Round 1 somewhere, for $a^0, a^1, \ldots, a^n$, respectively. $sd^0, sd^1, \ldots, sd^n$ may include any register values, such as those in other circuits. Then we focus on each bit of $sd^0 \oplus sd^q$ ($q = 1, \ldots, n$). Since each bit position of $sd^0, sd^1, \ldots, sd^n$ always holds the value of one particular register, we obtain, for each register, an n-bit data word as in Figure 2.9.

Figure 2.9: n-bit data based on $sd^0 \oplus sd^q$ ($q = 1, \ldots, n$) (each bit position of the scan chain, read across the n XORed scanned data words, yields one n-bit word; diagram not reproduced).
At that time, if the discriminator $D_k$ exists in the set of n-bit data, the assumed value k for $RK0_{0,0}$ is correct, since $D_k$ appears in the n-bit data only when the calculation of $c^0_{0,0} \oplus c^q_{0,0}$ for $q = 1, \ldots, n$ is correct. This means that we have succeeded in retrieving $RK0_{0,0}$. Otherwise, the assumed value k for $RK0_{0,0}$ is incorrect and we try the next value for $RK0_{0,0}$.
2.3.3 Retrieving RK0 using our method
The overall process to retrieve RK0 with our method is as follows:
P1: Calculation of discriminators.
• Let $a^0_{0,0}$ be zero and $a^q_{0,0}$ ($q = 1, \ldots, n$) be an arbitrary non-zero 8-bit value such that $a^p_{0,0} \ne a^q_{0,0}$ ($p \ne q$).
• Calculate the discriminator $D_k$ for each k ($k = 0, \ldots, 255$) of all 256 patterns of $RK0_{0,0}$.
P2: Obtaining scanned data.
• Let $a^0$ and $a^q$ ($q = 1, \ldots, n$) be 128-bit plaintexts whose $(0,0)$ element is $a^0_{0,0}$ and $a^q_{0,0}$ ($q = 1, \ldots, n$) determined at Step P1, respectively, and whose other elements are all zero.
• Obtain scanned data $sd^0$ and $sd^q$ ($q = 1, \ldots, n$) including the round function output at Round 1 using $a^0_{0,0}$ and $a^q_{0,0}$ ($q = 1, \ldots, n$).
• Calculate $sd^0 \oplus sd^q$ ($q = 1, \ldots, n$) from the scanned data $sd^0$ and $sd^q$ ($q = 1, \ldots, n$).
P3: Retrieving $RK0_{0,0}$.
• Check whether the discriminator $D_k$ ($k = 0, \ldots, 255$) exists in the set of n-bit data obtained from $sd^0 \oplus sd^q$ ($q = 1, \ldots, n$). If $D_k$ exists, then $RK0_{0,0}$ is retrieved as k.
P4: Retrieving RK0.
• Retrieve the other elements in RK0 by repeating the above steps.
Our method retrieves RK0 by checking whether the discriminator $D_k$ exists in each bit position of $sd^0 \oplus sd^q$ ($q = 1, \ldots, n$) or not. When the number of plaintexts prepared in Steps P1 and P2 above is large enough, our method successfully retrieves the round key RK0 if the register R storing the round function output at Round 1 is included anywhere in the scanned data. The scanned data may include data from other circuits, the round function outputs at Round 2 and later, and/or the round function output before Round 1 (which will be zero or anything).
The number of plaintexts required for retrieval is calculated as follows. First, our method requires $(n+1)$ plaintexts to retrieve one element of RK0. However, since the plaintext $a^0$ consists only of zeros, as in Eqn. (2.12), this plaintext can be shared when retrieving the other elements in RK0. Then each element of RK0 other than the first one can be retrieved using n plaintexts. In summary, retrieving the round key RK0 requires $n + 1 + 15n = 16n + 1$ plaintexts in total with our proposed method.
As shown in Section 2.4, the number n of plaintexts required to correctly retrieve a single element of RK0 is 16 to 20.
Figure 2.10: Discriminators $D^0_k, D^1_k, \ldots, D^7_k$ for retrieving $RK0_{0,0}$.
2.3.4 Reduction of plaintexts to retrieve RK0
Now we consider reducing the number of plaintexts required by our proposed method to retrieve the round key RK0.
As described in Section 2.3.1, our discriminator $D_k$ is an n-bit data word composed of the LSBs of $c^0_{0,0} \oplus c^q_{0,0}$ ($q = 1, \ldots, n$). However, since each $c^0_{0,0} \oplus c^q_{0,0}$ is an 8-bit value, we can also form 8 n-bit data words, each composed of one bit position of $c^0_{0,0} \oplus c^q_{0,0}$ ($q = 1, \ldots, n$) (see Figure 2.10). These 8 n-bit data words can also be used as a set of discriminators $\{D^0_k, \ldots, D^7_k\}$ for the value k.
If they can all be found in the scanned data, we can conclude that $RK0_{0,0}$ is k. But if one of them cannot be found in the scanned data, $RK0_{0,0}$ is not k. Then we can reduce the number of required plaintexts below that of our original method proposed in Section 2.3.3.
As shown in Section 2.4, the number n of plaintexts required to correctly retrieve a single element of RK0 is reduced to 14 to 18.
2.4 Performance analysis
In this section, we simulate our proposed method and analyze the number of plaintexts required to retrieve the round key RK0. We have conducted three types of experiments:
1. The AES architecture model is the one in [11] and the size of the secret key is 128 bits, which is the same condition as Yang's method [12]. The scan path includes only the register R storing the round function output.
2. The scan path includes the register R storing the round function output at Round 1 and also registers other than R.
3. The scan path includes the round function output at Round 1 and those at Round 2 through Round 10.
In each experiment, we randomly generate 10,000 secret keys and retrieve each of them using our method (Section 2.3.3) and our improved method (Section 2.3.4). Then we calculate the number of plaintexts required to correctly retrieve each of them.
Experiment 1 In Experiment 1, our method can retrieve the round key element $RK0_{0,0}$ using 16 plaintexts on average and 20 plaintexts in the worst case. When retrieving all the elements in the round key RK0, we need $16 \times 16 + 1 = 257$ plaintexts on average and $20 \times 16 + 1 = 321$ plaintexts in the worst case. Our improved method described in Section 2.3.4 can retrieve the round key element $RK0_{0,0}$ using 14 plaintexts on average and 18 plaintexts in the worst case. When retrieving all the elements in the round key RK0, we need $14 \times 16 + 1 = 225$ plaintexts on average and $16 \times 16 + 1 = 257$ plaintexts in the worst case.
As described in Section 2.2.6, Yang's method requires 536 plaintexts on average. Our method achieves a 48% reduction in the number of required plaintexts experimentally.
Figure 2.11 summarizes the number of plaintexts required on average to retrieve RK0, comparing Yang's method and our methods.
Experiment 2 In Experiment 2, we first obtain the scanned data composed of the 128-bit register R only and then add random bits to it. The total bit length of the scanned data ranges from 128 (no extra data added) to 4,096 (3,968 bits of extra data added). We calculate the number of plaintexts required by our improved method in Section 2.3.4 to correctly retrieve the round key RK0. Figure 2.12 shows the experimental results.
Generally speaking, if several plaintexts which have the same values except for their first element are given to the AES cryptography LSI, they affect not only the register R storing the round function output but also the registers in other circuit elements such as memories and peripheral circuits. Since the scanned data will include such "extra" data, the extra data may change randomly as these plaintexts are input.
Yang's method assumes in Section 2.2.6 that several plaintexts which have the same values except for their first element affect only the round function output, which is not the case in a practical AES cryptography LSI.
On the other hand, the experimental results show that our method can successfully retrieve the round key even if the scanned data includes random data other than the register R storing the round function output. Even if the scanned data includes 3,968 bits of random data other than the round function output, our improved method is capable of retrieving the round key RK0 requiring only $20 \times 16 + 1 = 321$ plaintexts on average and $23 \times 16 + 1 = 369$ plaintexts in the worst case.
Experiment 3 Figure 2.13 shows the number of plaintexts required when the scanned data includes the round function output at Round 1 only, and the number required when the scanned data includes the round function outputs at Round 1 through Round 10.
As in Experiment 2, Yang's method assumes in Section 2.2.6 that several plaintexts which have the same values except for their first element affect only the round function output at Round 1. If the scanned data includes not only the round function output at Round 1 but also the round function outputs at Round 2 through 10, these input plaintexts affect all of these round function outputs. This means that we cannot find the positions storing the first column of the round function output at Round 1, unlike the discussion in Section 2.2.6.
On the other hand, even if the scanned data includes round function outputs other than that of Round 1, the experimental results show that our method can successfully retrieve the round key. Even if the scanned data includes all of the round function outputs, our improved method is capable of retrieving the round key RK0 requiring only $19 \times 16 + 1 = 305$ plaintexts on average and $22 \times 16 + 1 = 353$ plaintexts in the worst case.
2.5 Concluding remarks
The scan-based attack proposed by Yang et al. is an effective attack but has the disadvantage that it assumes an overly idealized AES cryptography LSI. In contrast, our proposed method can perform a scan-based attack without such assumptions. Our method does not need to know when the round function output is stored in the register R. Our method can retrieve the round key RK0 even if the scan path includes random elements caused by memories, processors, I/Os, and control circuits other than the register R storing the round function output. Furthermore, our method reduces the number of plaintexts by 48% compared with Yang's method. Our method is more practical and powerful than Yang's method.
Figure 2.11: Number of plaintexts required to retrieve RK0 or $RK0_{0,0}$ on average (plot not reproduced).

Figure 2.12: The experimental results for Experiment 2 (plot not reproduced).

Figure 2.13: The experimental results for Experiment 3 (plot not reproduced).
Chapter 3
Scan-based Attack against RSA
In this chapter, we propose a scan-based attack against an RSA circuit which is almost independent of the scan-path structure. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time sequence which is specific to some intermediate value. We call it a scan signature because its value reveals the existence of that intermediate value in the scanned data obtained from an RSA circuit. By checking whether a scan signature is included in the scanned data or not, we can retrieve a secret key from the target RSA circuit even if we do not know the scan path structure, as long as a scan path is implemented on the RSA circuit and it includes at least 1 bit of each intermediate value.
3.1 RSA Algorithm
RSA cryptography [6] was made public in 1978 by Ronald Linn Rivest, Adi Shamir, and Leonard Max Adleman. RSA is known as the first algorithm which made public-key cryptography practicable. It is commonly used to achieve not only encryption/decryption but also digital signatures and digital authentication, so that most cryptography LSIs on the market implement and compute RSA cryptography.
The security of RSA cryptography depends on the difficulty of factoring large numbers. Decrypting an RSA ciphertext will be almost impossible on the assumption that no efficient algorithm exists for solving this factoring problem.
3.1.1 Encryption and decryption
An RSA algorithm encrypts a plaintext with a public key $(n, e)$ and decrypts a ciphertext with a secret key $(n, d)$. Let us select two distinct prime numbers p and q. We calculate n by multiplying p by q; n is used as the modulus for both the public key and the secret key. To determine their exponents, we calculate $\varphi(pq)$¹ by multiplying $(p-1)$ by $(q-1)$.
Let us select an integer e satisfying the conditions that $1 < e < \varphi(pq)$ and that e and $\varphi(pq)$ are coprime, where e is the exponent of the public key. Let us determine an integer d satisfying the congruence relation $de \equiv 1 \pmod{\varphi(pq)}$. That is to say, the public key consists of the modulus n and the exponent e, and the private key consists of the modulus n and the exponent d.
Let us consider that Alice secretly sends a message m to Bob. First, Alice receives his public key $(n, e)$. Second, she calculates the ciphertext c with Eqn. (3.1).
\[
c = m^e \bmod n \tag{3.1}
\]
Then Alice transmits c to Bob. Bob decrypts c by using his private key and receives her message m. Eqn. (3.2) represents the decryption computation.
\[
m \equiv c^d \pmod{n} \tag{3.2}
\]
3.1.2 Binary method
The bit length of an RSA key must be more than 1,024 bits because its security depends on its key length. It is currently recommended that n be at least 2,048 bits long [13]. This means that the exponent d in Eqn. (3.2) is at least 1,024 bits long. When we decrypt a ciphertext, the amount of computation becomes quite large without modification. Since modular exponentiation dominates the execution time of decrypting a ciphertext, efficient algorithms have been proposed. The binary method [14], shown in Algorithm 1, is one of the most typical exponentiation algorithms. In Algorithm 1, the exponent d is represented by $d = d_{L-1}2^{L-1} + d_{L-2}2^{L-2} + \cdots + d_1 2 + d_0$, where L is the maximum key bit length. Figure 3.1 shows an example of the binary method for $d = 1011_2$.

¹ $\varphi(\cdot)$ is Euler's totient function.

Algorithm 1 Binary method (MSB to LSB).
Input: c, d, and n.
Output: $c^d \bmod n$.
  i = L − 1;
  m = 1;
  while i ≥ 0 do
    m = m² mod n;
    if d_i = 1 then
      m = m · c mod n;
    end if
    i = i − 1;
  end while
  return m.

Figure 3.1: Binary method example ($d = 1011_2$): m = 1, then m = 1 · c, m = c², m = (c²)² · c, m = ((c²)² · c)² · c, all mod n (diagram not reproduced).
3.2 Scan-based attack against RSA
A scan path connects the registers in a circuit serially and lets us access them directly, so that a tester can easily observe register values inside the circuit. We explain the scan path test in detail in Section 2.2.1.
The purpose of a scan-based attack against RSA is to retrieve the secret exponent d from scanned data of an RSA circuit. The scan-based attack here requires several assumptions, as in the previous research in [9, 10, 15, 16], which are summarized below:
1. Attackers can encrypt/decrypt arbitrary data using the secret key on a target RSA circuit.
2. Attackers can obtain scanned data from a target RSA circuit.
3. Scanned data is not modified by compactors aimed at test efficiency.
4. Attackers know that the binary method in Algorithm 1 is used in a target RSA circuit.
5. Attackers also know the modulus n used in a target RSA circuit.²
In addition to these, they need to be able to predict the intermediate values of the binary method using an off-line simulation.
In this section, we explain the scan-based attack against an RSA circuit (Section
3.2.1) and its problems in a practical case (Section 3.2.2).
3.2.1 Retrieving a secret exponent using intermediate values [1]
In order to retrieve a secret exponent d, we have to solve the integer factorization problem of RSA. If the bit length of a secret exponent d is 1,024 bits or more, or 2,048 bits or more, it is impossible to solve this problem within a realistic time. However, if we know all the "intermediate values" during the binary method shown in Algorithm 1, we can retrieve a secret exponent d in polynomial time [1].

² Note that, since the public key consists of the modulus n and the public exponent e, attackers can easily know the modulus n.
Let $d = d_{L-1}2^{L-1} + d_{L-2}2^{L-2} + \cdots + d_1 2 + d_0$, where L is the maximum key bit length of d. Assume that all the intermediate values in Algorithm 1 are obtained. Let $m(i)$ be the intermediate value of m at the end of loop i in Algorithm 1. Assume also that $d_{L-1}, d_{L-2}, \ldots, d_{i+1}$ are already retrieved. An attacker tries to reveal the next bit $d_i$. In this case, $m(i)$ is equal to Eqn. (3.3) below if and only if $d_i = 0$:
\[
c^{\sum_{j=i+1}^{L-1} d_j 2^{j-i}} \bmod n \tag{3.3}
\]
Similarly, $m(i)$ is equal to Eqn. (3.4) below if and only if $d_i = 1$:
\[
c^{\sum_{j=i+1}^{L-1} d_j 2^{j-i} + 1} \bmod n \tag{3.4}
\]
Based on the above discussion, we employ $SF(i)$ defined by Eqn. (3.5) as a selective function for RSA:
\[
SF(i) = c^{\sum_{j=i+1}^{\ell-1} d_j 2^{j-i} + 1} \bmod n \tag{3.5}
\]
$\ell$ represents the significant key length, or the key length in left-aligned representation, i.e., the secret exponent can be represented by
\[
d = d_{L-1}2^{L-1} + \cdots + d_1 2 + d_0 \Big|_{d_{L-1}=0,\ldots,d_{\ell}=0} = d_{\ell-1}2^{\ell-1} + \cdots + d_1 2 + d_0. \tag{3.6}
\]
When using the selective function for RSA above, we have to know $d_{\ell-1}, d_{\ell-2}, \ldots, d_{i+1}$ in advance.
$SF(i) \ne SF(j)$ always holds for $i \ne j$ with $0 \le i, j \le \ell-1$. Given a message c and the bit values $d_{\ell-1}, d_{\ell-2}, \ldots, d_{i+1}$ of the secret exponent, we assume that $d_i = 1$ and check whether $SF(i)$ appears somewhere among the intermediate values. If it appears, we determine $d_i$ as one. If not, we determine $d_i$ as zero.
Example 1 Let us consider the public key $(n, e) = (101111001, 1011)$ and the secret key $(n, d) = (101111001, 10111)$, all values written in binary. The maximum key length L is 8 bits and the secret exponent $d = 10111$, i.e., $d_7 = 0$, $d_6 = 0$, $d_5 = 0$, $d_4 = 1$, $d_3 = 0$, $d_2 = 1$, $d_1 = 1$, $d_0 = 1$. We assume that we know neither d nor the significant key length $\ell$. The intermediate values in Algorithm 1 are summarized in Table 3.2 when we use the message $c = 10011100$, whose parameters are shown in Table 3.1.
Now we try to retrieve the 8-bit secret exponent d using the intermediate values (exponents below are also written in binary).
First we try to retrieve the first bit $d_{\ell-1}$ ($i = \ell-1$). We find $d_{\ell-1} = 1$ by the definition of the significant key length $\ell$. Then $SF(\ell-1)$ is calculated as $SF(\ell-1) = c = 10011100$. Since 10011100 appears in Table 3.2, we confirm that $d_{\ell-1}$ is retrieved as one. Now we assume that the secret exponent $d = 1$. We compare $m(\ell-1) = (c^{1} \bmod n) = 10011100$ with the binary method result 10001111. Since they are not equal, $d \ne 1$.
Next, we try to retrieve the second bit $d_{\ell-2}$ ($i = \ell-2$). We already know that $d_{\ell-1} = 1$. We assume here that $d_{\ell-2} = 1$. In this case, $SF(\ell-2)$ is calculated as $SF(\ell-2) = 11010$. Since 11010 does not appear in Table 3.2, $d_{\ell-2}$ is retrieved not as one but as zero, i.e., $d_{\ell-2} = 0$. Now we assume that $d = 10$. We compare $m(\ell-2) = (c^{10} \bmod n) = (m(\ell-1)^2 \bmod n) = 11010000$ with the binary method result 10001111. Since they are not equal, $d \ne 10$.
Next, we try to retrieve the third bit $d_{\ell-3}$ ($i = \ell-3$). We already know that $d_{\ell-1} = 1$ and $d_{\ell-2} = 0$. We assume here that $d_{\ell-3} = 1$. In this case, $SF(\ell-3)$ is calculated as $SF(\ell-3) = 10000010$. Since 10000010 appears in Table 3.2, $d_{\ell-3}$ is retrieved as one, i.e., $d_{\ell-3} = 1$. Now we assume that $d = 101$. We compare $m(\ell-3) = (c^{101} \bmod n) = SF(\ell-3) = 10000010$ with the binary method result 10001111. Since they are not equal, $d \ne 101$.
Next, we try to retrieve the fourth bit $d_{\ell-4}$ ($i = \ell-4$). We already know that $d_{\ell-1} = 1$, $d_{\ell-2} = 0$ and $d_{\ell-3} = 1$. We assume here that $d_{\ell-4} = 1$. In this case, $SF(\ell-4)$ is calculated as $SF(\ell-4) = 100111$. Since 100111 appears in Table 3.2, $d_{\ell-4}$ is retrieved as one, i.e., $d_{\ell-4} = 1$. Now we assume that $d = 1011$. We compare $m(\ell-4) = (c^{1011} \bmod n) = SF(\ell-4) = 100111$ with the binary method result 10001111. Since they are not equal, $d \ne 1011$.
We already know that $d_{\ell-1} = 1$, $d_{\ell-2} = 0$, $d_{\ell-3} = 1$ and $d_{\ell-4} = 1$. We assume here that $d_{\ell-5} = 1$. $SF(\ell-5)$ is calculated as $SF(\ell-5) = 10001111$ ($i = \ell-5$). Since 10001111 appears in Table 3.2, $d_{\ell-5}$ is retrieved as one, i.e., $d_{\ell-5} = 1$. Now we assume that $d = 10111$. We compare $m(\ell-5) = (c^{10111} \bmod n) = SF(\ell-5) = 10001111$ with the binary method result 10001111. Since they are equal, we find that the secret exponent d is 10111 and the significant length $\ell$ is five.
3.2.2 Problems to retrieve a secret key using a scan path
If we retrieve an L-bit secret exponent d using an exhaustive search, we have to try
2^L possible values. On the other hand, the method explained in Section 3.2.1 retrieves
a secret exponent bit by bit from MSB to LSB. It tries at most 2L possible values to
retrieve an L-bit secret exponent. Further, the method just checks whether SF(i) exists
among the intermediate values m(i) of Algorithm 1.
In order to apply this method to a scan-based attack, we have to know which registers
store the intermediate values, i.e., we have to know the correspondence between the
scanned data and SF(i).
However, scan paths are usually designed automatically by EDA tools so that nearby
registers are connected together to shorten the scan path length. Only the designers
know the correspondence between scanned data and registers, and thus the retrieved
scanned data can be considered "random" by attackers. Therefore, it is very difficult
for attackers to find the values of SF(i) in the scanned data.
Messerges [1] only shows the correspondence between intermediate values and a bit of
a secret exponent. It does not indicate how to discover the intermediate values in
scanned data. For that reason, its analysis method cannot be applied directly to
scan-based attacks against an RSA LSI.
We have to find SF(i) somehow in the scanned data to retrieve a secret exponent d
using the method in Section 3.2.1.
Table 3.1: Example parameters in Algorithm 1.
  Maximum key length L    8 bits
  Modulus n               101111001
  Public exponent e       1011
  Secret exponent d       10111

Table 3.2: Intermediate values at the end of the i-th loop of Algorithm 1 (message
c = 10011100_2).
  i   d_i   m^2 (after squaring)   m (end of loop)
  7   0     1                      1
  6   0     1                      1
  5   0     1                      1
  4   1     1                      10011100
  3   0     11010000               11010000
  2   1     100011110              10000010
  1   1     100111000              100111
  0   1     1101                   10001111
3.3 Analysis of scanned data
In order to solve the problem that attackers do not know the correspondence between
the registers in the scanned data and the ones storing intermediate values during the
binary method, we focus on a general property of scan paths: the bit position of a
particular register r in the scanned data when giving one input is exactly the same as
when giving another input. This is clearly true, since a scan path is fixed in an LSI
chip and the order of the registers connected in its scan path is unchanged.
If we execute the binary method for each of N messages on an RSA circuit, the bit
pattern at a particular bit position in the scanned data for these N messages gives
N-bit data. Based on the above property, this N-bit data may give the bit pattern of a
particular bit of an intermediate value when we give each of these N messages to the
RSA circuit.
We can calculate SF(i) from the same N messages and d_{ℓ−1} down to d_0 of the secret
exponent d by an off-line simulation. By picking a particular bit (the LSB, for example)
of each of the SF(i) values for the N messages, we also obtain N-bit data (see Figure 3.2).
If N is large enough, this N-bit data is unique to SF(i). We can use this N-bit data as a
scan signature SS_i for SF(i) in the scanned data.
Our main idea in this section is to find a scan signature SS_i for SF(i) in the scanned
data (see Figure 3.3) to retrieve the secret exponent d from d_{ℓ−1} down to d_0. If an
N-bit scan signature SS_i appears in the scanned data for the N messages, d_i is
determined as one. If not, it is determined as zero.
In the rest of this section, we first propose a scan signature SS_i for SF(i). Secondly
we propose an overall method to retrieve a secret exponent d using scan signatures.
Thirdly we analyze the probability of successfully retrieving a secret exponent using
our method.
Figure 3.2: Scan signature SS_i. Input: SF(i)_r (1 ≤ r ≤ N), each L bits; output: the
N-bit scan signature SS_i formed from one bit (the LSB) of every SF(i)_r.
Figure 3.3: Scanned data. For each message, the scanned data sd_r consist of the contents
of the scan path (its full size) for all cycles during the binary method; the same
flip-flop occupies the same bit position in every sd_r, so a fixed position read across
the N messages yields an N-bit pattern.
3.3.1 Calculating a scan signature for SF(i)
Assume that N messages c_1, ..., c_N are given. Also assume that we already know
d_{ℓ−1}, ..., d_{i+1} of a secret exponent d. Let SF(i)_r be the selective function for RSA
when giving the message c_r, for 1 ≤ r ≤ N. Assuming that d_i = 1, we can calculate
SF(i)_r for 1 ≤ r ≤ N.
Let us focus on a particular bit of SF(i)_r. If N is large enough, the set of these bits
for SF(i)_r (1 ≤ r ≤ N) gives information unique to SF(i)_r. By using it, we can check
whether the SF(i)_r are calculated in the target or not. As Figure 3.2 shows, we define
a scan signature SS_i to be the set of LSBs of the SF(i)_r, for the sake of convenience.
If SS_i appears in the scanned data, d_i is determined as one. If not, d_i is determined
as zero. After d_i is correctly determined, we can continue to determine the next bit of
the secret exponent d in the same way.
Our proposed method has an advantage over conventional scan-based attacks [9, 10]:
it is effective even with a partial scan architecture. As long as the scan path includes
at least one bit of each intermediate value, we can check whether the scan signature
exists in the scanned data or not.
3.3.2 Scanned data analysis method
First we prepare N messages c_1, ..., c_N and give them to an RSA circuit. For each of
these messages, we obtain all the scanned data from the scan-out of the RSA circuit
until it outputs the binary method result. As Figure 3.3 shows, the size of the scanned
data for each message is (scan path length) × (number of binary method cycles).
Now we check whether a scan signature SS_i for SF(i) appears in the obtained scanned
data, under the assumption that we do not know the secret exponent d in the RSA
circuit, as follows:
Step 1: Prepare N messages c_1, c_2, ..., c_N, where c_r ≠ c_s for 1 ≤ r, s ≤ N and
r ≠ s.
Step 2: Input c_r (1 ≤ r ≤ N) into the target RSA circuit and obtain the scanned
data every cycle while the binary method runs, until the RSA circuit outputs the
result. Let sd_r denote the scanned data obtained for the message c_r (1 ≤ r ≤ N).
Step 3: By definition, d_{ℓ−1} = 1. Compare m(ℓ−1) = (c_1 mod n) with its binary
method result. If they are equal, then the secret exponent d is one and we stop.
If not, go to the next step.
Step 4: Calculate SF(ℓ−2)_r assuming d_{ℓ−2} = 1 for each c_r (1 ≤ r ≤ N) and
obtain the scan signature SS_{ℓ−2}.
Step 5: Check whether the scan signature SS_{ℓ−2} exists in the scanned data
sd_1, ..., sd_N, which include the scanned data of all cycles while the binary method
runs. If it exists, then d_{ℓ−2} is equal to 1, and if it does not exist, then d_{ℓ−2} is
equal to 0.
Step 6: Calculate m(ℓ−2) = ((c_1)^{2 d_{ℓ−1} + d_{ℓ−2}} mod n) and compare it with its
binary method result. If they are equal, then the secret exponent d is retrieved and
the analysis flow terminates.
Step 7: Determine d_{ℓ−3}, d_{ℓ−4}, ... in the same way as Steps 4 to 6 until the
analysis flow terminates at Step 6.
We show the example below to explain how the method above works.
Example 2 As in Example 1, let us consider the public key (n, e) = (101111001, 11)
and the secret key (n, d) = (101111001, 10111). The maximum key length L is 8 bits and
the secret exponent is d = 10111_2, i.e., d_7 = 0, d_6 = 0, d_5 = 0, d_4 = 1, d_3 = 0,
d_2 = 1, d_1 = 1, d_0 = 1. We assume that we do not know d or the significant key length ℓ.
The parameters are shown in Table 3.1. Assume that the binary method takes 16 cycles and
that the size of the scan path is 128 bits in the target RSA circuit.
(Step 1) First we prepare 8 messages c_1, c_2, ..., c_8, where c_r ≠ c_s for 1 ≤ r, s ≤ 8
and r ≠ s. The target RSA circuit executes the binary method as in Table 3.2.
(Step 2) We input c_r (1 ≤ r ≤ 8) into the target RSA circuit and obtain the scanned
data every cycle while the binary method runs, until the RSA circuit outputs the
result. Let sd_r denote the scanned data obtained for the message c_r (1 ≤ r ≤ 8). The
total size of the scanned data per message is 16 × 128 = 2,048 bits (see Figure 3.4).
(Step 3) Let us start by determining d_{ℓ−1}. We have d_{ℓ−1} = 1 by the definition of ℓ. It
is not necessary to check whether d_{ℓ−1} = 1, but we can check it as follows: we
calculate SF(ℓ−1)_r = c_r for each c_r (1 ≤ r ≤ 8) and obtain the scan signature SS_{ℓ−1}
(see Figure 3.5). As Figure 3.5 (a) shows, the scan signature SS_{ℓ−1} becomes "11101001".
Since we find that the scan signature SS_{ℓ−1} exists in the bit patterns of the scanned
data sd_r (1 ≤ r ≤ 8) in Figure 3.4, we confirm that d_{ℓ−1} is retrieved as one, i.e.,
d_{ℓ−1} = 1. Now we assume that d = 1. We compare m(ℓ−1) = ((c_1)^1 mod n) with its
binary method result. As they are not equal, d ≠ 1.
(Step 4, Step 5, Step 6, and Step 7) Next let us determine d_{ℓ−2}. We calculate
SF(ℓ−2)_r assuming d_{ℓ−2} = 1 for each c_r (1 ≤ r ≤ 8) and obtain the scan signature
SS_{ℓ−2} (see Figure 3.5 (b)). As Figure 3.5 (b) shows, the scan signature SS_{ℓ−2} becomes
"01111100". Since we find that the scan signature SS_{ℓ−2} does not exist in the bit
patterns of the scanned data sd_r (1 ≤ r ≤ 8) in Figure 3.4, we determine that d_{ℓ−2} is
equal to zero, i.e., d_{ℓ−2} = 0. Now we assume that d = 10. We compare
m(ℓ−2) = (m(ℓ−1)^2 mod n) with its binary method result. As they are not equal, d ≠ 10.
(Step 4, Step 5, Step 6, and Step 7) Next let us determine d_{ℓ−3}. We calculate
SF(ℓ−3)_r assuming d_{ℓ−3} = 1 for each c_r (1 ≤ r ≤ 8) and obtain the scan signature
SS_{ℓ−3} (see Figure 3.5 (c)). As Figure 3.5 (c) shows, the scan signature SS_{ℓ−3} becomes
"00010110". Since we find that the scan signature SS_{ℓ−3} exists in the bit patterns of
the scanned data sd_r (1 ≤ r ≤ 8) in Figure 3.4, we determine that d_{ℓ−3} is equal to one,
i.e., d_{ℓ−3} = 1. Now we assume that d = 101. We compare
m(ℓ−3) = (m(ℓ−2)^2 · c_1 mod n) = SF(ℓ−3)_1 with its binary method result. As they are
not equal, d ≠ 101.
(Step 4, Step 5, Step 6, and Step 7) Next let us determine d_{ℓ−4}. We calculate
SF(ℓ−4)_r assuming d_{ℓ−4} = 1 for each c_r (1 ≤ r ≤ 8) and obtain the scan signature
SS_{ℓ−4} (see Figure 3.5 (d)). As Figure 3.5 (d) shows, the scan signature SS_{ℓ−4} becomes
"01101110". Since we find that the scan signature SS_{ℓ−4} exists in the bit patterns of
the scanned data sd_r (1 ≤ r ≤ 8), we determine that d_{ℓ−4} is equal to one, i.e.,
d_{ℓ−4} = 1. Now we assume that d = 1011. We compare
m(ℓ−4) = (m(ℓ−3)^2 · c_1 mod n) = SF(ℓ−4)_1 with its binary method result. As they are
not equal, d ≠ 1011.
(Step 4, Step 5, Step 6, and Step 7) Finally let us determine d_{ℓ−5}. We calculate
SF(ℓ−5)_r assuming d_{ℓ−5} = 1 for each c_r (1 ≤ r ≤ 8) and obtain the scan signature
SS_{ℓ−5} (see Figure 3.5 (e)). As Figure 3.5 (e) shows, the scan signature SS_{ℓ−5} becomes
"11101101". Since we find that the scan signature SS_{ℓ−5} exists in the bit patterns of
the scanned data sd_r (1 ≤ r ≤ 8), we determine that d_{ℓ−5} is equal to one, i.e.,
d_{ℓ−5} = 1. Now we assume that d = 10111. We compare
m(ℓ−5) = (m(ℓ−4)^2 · c_1 mod n) = SF(ℓ−5)_1 with its binary method result. Since they
are equal, we find that the secret exponent d is 10111 and the significant bit length ℓ
is five.
Figure 3.4: Scanned data example. Each of the 8 messages yields 16 × 128 = 2,048 bits of
scanned data sd_r; reading one fixed bit position across the 8 messages gives an 8-bit
column, and the columns in which the scan signatures are found are marked.
Figure 3.5: Example of scan signatures. Each panel takes SF(ℓ−j)_r (1 ≤ r ≤ 8) as input
and outputs the scan signature SS_{ℓ−j} formed from their LSBs.
(a) SF(ℓ−1)_r = 10110011, 10011001, 00101101, 01010010, 10101101, 00010010, 11111000,
    00011001; SS_{ℓ−1} = 11101001.
(b) SF(ℓ−2)_r = 00001010, 11110101, 01100111, 11001101, 11001011, 00111011, 01100110,
    01110100; SS_{ℓ−2} = 01111100.
(c) SF(ℓ−3)_r = 01100110, 11111000, 01100100, 10010011, 00001100, 00010011, 01110001,
    00011000; SS_{ℓ−3} = 00010110.
(d) SF(ℓ−4)_r = 11001010, 01011101, 11100111, 01100100, 11011011, 10110011, 01100111,
    10110000; SS_{ℓ−4} = 01101110.
(e) SF(ℓ−5)_r = 00101111, 00011001, 00100101, 01110100, 01111011, 10100001, 01101110,
    10111011; SS_{ℓ−5} = 11101101.
3.3.3 Probability of successfully retrieving a secret key
Let the scan path size be σ bits and the number of cycles needed to obtain the binary
method result be T. Assume that the scanned data are completely random.
Even though SF(i)_r for 1 ≤ r ≤ N is not calculated in the target RSA circuit, its scan
signature may exist in the scanned data by chance. When σT < 2^N, the probability that
the scan signature SS_i for SF(i)_r exists somewhere in the bit patterns of the scanned
data sd_r (1 ≤ r ≤ N) is σT/2^N, even though the circuit does not calculate SF(i)_r.
A sufficiently large N decreases the probability that we mistakenly find the scan
signature SS_i in the scanned data. For instance, if σ is 3,072, T is 1,024, and N is 30³,
then the probability that we mistakenly find the scan signature SS_i in the scanned data
is 3,072 × 1,024 / 2^30 ≈ 2.93 × 10^−3. If σ is 6,144, T is 2,048, and N is 35, then the
probability that we mistakenly find the scan signature SS_i in the scanned data is
6,144 × 2,048 / 2^35 ≈ 3.66 × 10^−4.
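The analysis flow of Section 3.3.2 (Steps 1 to 7) and the false-match estimate of Section 3.3.3, as an added Python simulation that is not part of the thesis: it runs Algorithm 1 with the Table 3.1 parameters (n = 101111001, d = 10111, L = 8), models a target whose 128-bit scan path holds the 9-bit m register at a random, attacker-unknown position among random flip-flops (a constructed model), builds scan signatures from the LSB of SF(i)_r, and retrieves d from the MSB down. The scan-path size, the seed and the message set are assumptions of this example; with only the 8 messages of Example 2, σT/2^N = 128 × 8 / 2^8 = 4, so 32 messages are used.

```python
"""Added simulation of the scan-signature analysis (Section 3.3) against the
binary method (Algorithm 1) with the Table 3.1 parameters. The target model,
register placement and message set are constructed here, not from the thesis."""
import random

REG_BITS = 9   # the modulus n = 101111001 (377) fits in 9 bits


def binary_method(c, d, n, L):
    """Left-to-right binary method (Algorithm 1). Returns the result and the
    value of the m register at the end of each loop i = L-1, ..., 0."""
    m, trace = 1, []
    for i in range(L - 1, -1, -1):
        m = (m * m) % n                    # squaring
        if (d >> i) & 1:
            m = (m * c) % n                # multiplication when d_i = 1
        trace.append(m)
    return m, trace


def selective_function(c, d_prefix, n):
    """SF(i) for message c: the m register at the end of loop i if d_i = 1,
    given the retrieved bits d_{l-1} ... d_{i+1} as the integer d_prefix."""
    return pow(c, 2 * d_prefix + 1, n)


def scan_signature(msgs, d_prefix, n):
    """SS_i (Section 3.3.1): the LSB of SF(i)_r for each of the N messages."""
    return tuple(selective_function(c, d_prefix, n) & 1 for c in msgs)


def simulate_target(c, d, n, L, sigma, order, rng):
    """Constructed target model: one scan dump of sigma bits per binary-method
    cycle. `order` is the secret placement of the REG_BITS bits of the m
    register in the scan path; every other flip-flop holds random data."""
    result, trace = binary_method(c, d, n, L)
    dumps = []
    for m in trace:
        bits = [rng.randint(0, 1) for _ in range(sigma)]
        for j, pos in enumerate(order):
            bits[pos] = (m >> j) & 1
        dumps.append(bits)
    return result, dumps


def signature_found(sig, dumps):
    """The scan-path property of Section 3.3: a register keeps its position in
    every dump, so the N-bit column at a fixed (cycle, position) across the N
    messages' dumps is compared with the signature."""
    cycles, sigma = len(dumps[0]), len(dumps[0][0])
    for t in range(cycles):
        for p in range(sigma):
            if tuple(sd[t][p] for sd in dumps) == sig:
                return True
    return False


def retrieve_exponent(msgs, dumps, results, n, L):
    """Steps 3-7 of Section 3.3.2: decide each d_i from the MSB down by
    signature search and stop once the assumed d reproduces the outputs."""
    d = 1                                  # d_{l-1} = 1 by definition of l
    for _ in range(L):
        # The thesis compares c_1 only; with a toy modulus many residues have
        # small multiplicative order, so all N outputs are compared here.
        if all(pow(c, d, n) == r for c, r in zip(msgs, results)):
            return d
        found = signature_found(scan_signature(msgs, d, n), dumps)
        d = 2 * d + (1 if found else 0)
    return None                            # no consistent exponent of <= L bits


def false_match_probability(sigma, T, N):
    """Section 3.3.3: an N-bit signature appears by chance somewhere in
    sigma*T random bits with probability about sigma*T / 2^N."""
    return sigma * T / 2 ** N


def run_example(N=32, sigma=128, seed=1):
    """Attack the Table 3.1 circuit (n = 377, d = 23, L = 8) with N constructed
    messages on a sigma-bit scan path; returns the retrieved exponent."""
    n, d, L = 0b101111001, 0b10111, 8
    rng = random.Random(seed)
    order = rng.sample(range(sigma), REG_BITS)
    msgs = rng.sample(range(2, n), N)
    runs = [simulate_target(c, d, n, L, sigma, order, rng) for c in msgs]
    results, dumps = [r[0] for r in runs], [r[1] for r in runs]
    return retrieve_exponent(msgs, dumps, results, n, L)


if __name__ == "__main__":
    print("retrieved d =", bin(run_example()))                    # 0b10111
    print("false-match probability, 8 messages:", false_match_probability(128, 8, 8))
```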
3.4 Experiments and analysis
We have implemented the analysis method proposed in Section 3.3 in the C language on
Red Hat Enterprise Linux 5.5 with an AMD Opteron 2360SE 2.5 GHz and 16 GB of memory,
and performed the following experiments:
1. First, we generated secret exponents randomly: a thousand of them with a bit length
of 1,024, a thousand with a bit length of 2,048, and another hundred with a bit length
of 4,096.
2. Next, we gave each of the secret exponents to the target RSA circuit based on
Algorithm 1 and obtained the scanned data. The target RSA circuit obtains the binary
method result in 1,024 cycles for a 1,024-bit secret exponent, in 2,048 cycles for a
2,048-bit secret exponent, and in 4,096 cycles for a 4,096-bit secret exponent. The scan
path length for a 1,024-bit secret exponent is 3,072 bits, that for a 2,048-bit secret
exponent is 6,144 bits, and that for a 4,096-bit secret exponent is 12,192 bits. Then the
total size of the obtained scanned data for a 1,024-bit secret exponent is
3,072 × 1,024 = 3,145,728 bits, that for a 2,048-bit secret exponent is
6,144 × 2,048 = 12,582,912 bits, and that for a 4,096-bit secret exponent is
12,192 × 4,096 = 49,938,432 bits.
3. Finally, we retrieved each of the secret exponents by our proposed analysis method
using the obtained scanned data.
³ These values are derived from the experiments in Section 3.4.
Table 3.3: Secret exponent example.
4-th secret exponent d (1,024 bits):
0x3AD29CF2FC6CB6B0C010B17DF98C5081
4E4585225AC42E8ECB7BB1847498D62F
BA696CDD226EE9195F4E58A89321721F
021C4511E6C994301363706058FF3765
E29EEBA03E370A201BA5B60A356682A5
1D05EE10DF8CB75D7B4578B3D29A515E
2F86DEC487AB6BCD88C7351908D71851
6C11B2419BD8C05739214E6CF44D12F
Figure 3.6 and Table 3.4 show the results. Figure 3.6 shows the number N of messages
required to retrieve each secret exponent. For example, the 4th 1,024-bit secret exponent
is shown in Table 3.3. In order to retrieve this secret exponent, we need 29 messages,
i.e., N = 29. In this case, we successfully retrieve the 4th secret exponent using 29
messages but fail to retrieve it using 28 messages or fewer.
Throughout this experiment, the required number of messages is approximately 29.5 on
average for 1,024-bit secret exponents, approximately 32 for 2,048-bit secret exponents,
and approximately 37 for 4,096-bit secret exponents.
Table 3.4: Experimental results.
  Key bit length (bits)                 1,024   2,048   4,096
  # of retrieved secret exponents       1,000   1,000   100
  # of required messages (average)      29.5    32      37
Figure 3.6: Number of required messages to retrieve secret exponents (x-axis: number of
messages N, from 25 to 42; y-axis: ratio of retrieved keys, from 0 to 1; one curve each
for 1024-, 2048- and 4096-bit keys).
3.5 Discussions
We consider the secure scan architectures proposed so far against our proposed
scan-based attack.
Firstly, the secure scan architecture proposed in [2] cannot prevent our proposed
method from retrieving a secret key. The method in [2] inserts some inverters into a
scan path to invert the scanned data. However, since the inverted positions of the
scanned data are always fixed, the value of a 1-bit register sequence is only changed to
its inverted value. By checking whether SS_i or the inverted SS_i exists in the scanned
data, our proposed method can easily defeat it.
Inoue's secure scan architecture [3] adds unrelated data to the scanned data to confuse
attackers. The sequence of scanned data to which unrelated data are added is fixed, and,
in order to reduce the area overhead, not all the bits of the scanned data are
necessarily confused. If the register storing the scan signature SS_i is not confused,
our proposed method can easily defeat it, too.
Secondly, [10, 17, 18, 19, 20, 21, 22, 23, 24] require authentication to switch between
system mode and test mode, and their security depends on the authentication methods. If
the authentication were broken and attackers could obtain scanned data, a secret key in
an RSA circuit could be retrieved by using our proposed method. We consider
authentication strength to be a different issue from the purpose of this chapter.
Finally, [25, 26, 27] use a compactor so as not to output the scanned data corresponding
to registers directly. [28] proposes an AES-based BIST, whereby there is no need for a
scan path test. However, whether these methods can be applied effectively to an RSA
circuit is quite unclear, because they are implemented only on an AES circuit or on a
sample circuit not intended for cryptography.
3.6 Concluding remarks
Our proposed scan-based attack can effectively retrieve a secret key in an RSA circuit,
since we just focus on the variation of one bit of the intermediate values, named a scan
signature. By monitoring it in the scan path, we can find the register position specific
to the intermediate values. The experimental results demonstrate that a 1,024-bit secret
key can be retrieved by using 29.5 messages on average, a 2,048-bit secret key by using
32 messages, and a 4,096-bit secret key by using 37 messages.
Chapter 4
Scan-based Attack against ECC
In this chapter, we propose a scan-based attack against elliptic curve cryptography
(ECC) which is almost independent of the scan-path structure¹.
Elliptic curve cryptography (ECC) [7, 8] is well known as a public-key cryptography
with low cost and high throughput. Finite field arithmetic is used in ECC, where field
multiplication takes most of the time in decryption and encryption, and thus much
research has been done on field multiplication [29, 30, 31, 32, 33]. Many ECC circuit
implementations have also been reported, as in [31, 32, 33, 34, 35, 36, 37, 38, 39]. For
instance, architectures including memories storing all ECC parameters and field
multipliers which can execute arbitrary polynomial reduction are proposed in [31, 33]
for high-throughput ECC applications. On the contrary, architectures including minimal
memories storing a fixed polynomial reduction and a field-dedicated multiplier are
proposed in [32, 38] for low-area and low-cost ECC applications.
To retrieve a secret key in a security LSI chip by using a scan path, we have to find
the positions of the registers storing the secret key in the scan path. There are,
however, many architectures and implementations of ECC as above, and hence there can be
many scan-path structures as well. This means that it is very difficult to find the
positions of the registers storing a secret key in the scan path of an ECC circuit. In
other words, it is very difficult to retrieve a secret key from the scanned data. For
that reason, scan-based attacks against symmetric-key cryptography have succeeded as
reported in [9, 10, 15], but a scan-based attack against public-key cryptography such as
ECC has not been proposed yet.
The proposed method is based on detecting intermediate values calculated in an ECC
circuit. We focus on a 1-bit sequence which is specific to some intermediate values.
Then we check whether data dependent on this intermediate value are included in the
scanned data. As long as a scan path is implemented on the ECC circuit and it includes
at least one bit of each intermediate value, we can retrieve a secret key in the target
ECC circuit even if we do not know the scan path structure. The proposed method reveals
the vulnerability of a scan path in the ECC circuit.
¹ The preliminary version of this chapter appeared in [16].
4.1 Elliptic curve cryptography
Elliptic curve cryptography makes use of the difficulty of solving the discrete logarithm
problem defined in the elliptic curve additive group. This problem is called the
elliptic curve discrete logarithm problem (ECDLP). A 160-bit key in ECC provides the
same security level as a 1024-bit key in RSA [6]. An ECC circuit can have higher
throughput and smaller area than an RSA circuit. This section briefly explains ECC [7, 8].
4.1.1 Elliptic curve arithmetic
A non-supersingular elliptic curve E over a field F_{2^m} is defined by Eqn. (4.1):
$$E : y^2 + xy = x^3 + ax^2 + b. \qquad (4.1)$$
Let E(F_{2^m}) be the set of points on the elliptic curve E. E(F_{2^m}) has the four
properties shown below and forms a group.
Figure 4.1: Point addition P_1 + P_2 = Q.
Figure 4.2: Point doubling 2P = Q.
1. Identity. ∞ ∈ E(F_{2^m}) is called the identity and satisfies P + ∞ = ∞ + P = P
for all P ∈ E(F_{2^m}).
2. Negatives. If P = (x, y) ∈ E(F_{2^m}), then (x, y) + (x, x + y) = ∞. The point
(x, x + y) is denoted by −P and is called the negative of P.
3. Point addition. Let P_1 = (x_1, y_1) ∈ E(F_{2^m}) and P_2 = (x_2, y_2) ∈ E(F_{2^m}),
where P_1 ≠ P_2. Then P_1 + P_2 = (x_3, y_3) = Q ∈ E(F_{2^m}), where
$$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a, \qquad y_3 = \lambda (x_1 + x_3) + x_3 + y_1,$$
with λ = (y_1 + y_2)/(x_1 + x_2). Figure 4.1 shows the point addition.
4. Point doubling. Let P = (x_1, y_1) ∈ E(F_{2^m}), where P ≠ −P. Then
2P = (x_3, y_3) = Q ∈ E(F_{2^m}), where
$$x_3 = \lambda^2 + \lambda + a = x_1^2 + \frac{b}{x_1^2}, \qquad y_3 = x_1^2 + \lambda x_3 + x_3,$$
with λ = x_1 + y_1/x_1. Figure 4.2 shows the point doubling.
4.1.2 Point multiplication
Let k be an m-bit integer denoted as k = k_{m−1} 2^{m−1} + k_{m−2} 2^{m−2} + ... + k_1 2 + k_0.
A point multiplication is defined as computing kP from k and P ∈ E(F_{2^m}). The point
multiplication is calculated in polynomial time by using point addition and point
doubling. Given P and Q, where Q is the result of the point multiplication of P by k,
determining an integer k satisfying the equation [kP ≡ Q mod f(z)]² is the elliptic
curve discrete logarithm problem (ECDLP). Solving the elliptic curve discrete logarithm
problem requires exponential time. Even if the integer k is large, the point
multiplication Q = kP can be calculated easily. However, determining k from the points
P and Q ∈ E(F_{2^m}) requires a very long time. Q can be used as a public key and k can be
used as a secret key in ECC.
The point multiplication kP dominates the execution time of ECC, so several efficient
algorithms have been proposed. The Montgomery method [40] is one of the point
multiplication algorithms. This algorithm has two advantages. One is that it does not
require any extra storage while having a low calculation time. The other is that the
same operations are performed in every iteration of the main loop, and therefore it has
resistance against power analysis attacks [41].
The Montgomery method was first proposed in [40] and is shown in Algorithm 2. It
converts the affine coordinates (x, y) into projective coordinates (X, Y, Z) to reduce
the total amount of calculation. The algorithms in [42, 43, 44, 45] are also based on
the original Montgomery method. In this algorithm, the secret key k is written as
2^{m−1} + k_{m−2} 2^{m−2} + ... + k_1 2 + k_0; k_{m−1} is always one to achieve the same
number of iterations in the main loop.
² f(z) is an irreducible polynomial.
Algorithm 2 Montgomery method
Input: k = (1, k_{m−2}, ..., k_1, k_0)_2, P ∈ E(F_{2^m})
Output: Q_0 = kP
1: Q_0 ← P
2: Q_1 ← 2P
3: for i = m−2 downto 0 do
4:   Q_{1−k_i} ← Q_0 + Q_1
5:   Q_{k_i} ← 2Q_{k_i}
6: end for
7: return Q_0
4.2 Attack against elliptic curve cryptography
A scan path connects the registers in a circuit serially so that a tester can observe the
register values inside the circuit easily. The scan path is widely used in recent circuit
implementations due to its testability and ease of use. We explain the scan path test in
detail in Section 2.2.1.
The purpose of a scan-based attack is to retrieve a secret key from the scanned data of
an ECC circuit. The scan-based attack here requires several assumptions, as in the
previous research [9, 10, 15], which are summarized below:
1. Attackers can input an arbitrary point P = (x, y) ∈ E(F_{2^m}) into a target ECC
circuit.
2. Attackers can obtain scanned data from the target circuit.
In this section, we explain the scan-based attack against ECC.
4.2.1 Retrieving a secret key using intermediate values during the point
multiplication
In order to retrieve a secret key k, we have to solve the discrete logarithm problem in
the elliptic curve additive group. If the bit length of the secret key k is more than
160, it is impossible to solve this problem within a realistic time. However, if we know
all the "intermediate values" during the point multiplication in Algorithm 2, we can
retrieve a secret key k in polynomial time [46].
Let k = k_{m−1} 2^{m−1} + k_{m−2} 2^{m−2} + ... + k_1 2 + k_0. Assume that all the
intermediate values in Algorithm 2 are obtained. Let Q_0(i) and Q_1(i) be the
intermediate values of Q_0 and Q_1 at the end of loop i in Algorithm 2, respectively.
Assume also that k_{m−1}, k_{m−2}, ..., k_{i+1} are already retrieved. An attacker tries to
reveal the next bit k_i. In this case, if and only if k_i = 0, either Q_0(i−1) or Q_1(i−1)
is equal to Eqn. (4.2) below:
$$\left( \sum_{j=i}^{m-1} k_j 2^{j-i+1} + 1 \right) P. \qquad (4.2)$$
Similarly, if and only if k_i = 1, either Q_0(i−1) or Q_1(i−1) is equal to Eqn. (4.3)
below:
$$\left( \sum_{j=i}^{m-1} k_j 2^{j-i+1} + 3 \right) P. \qquad (4.3)$$
In [46], a differential power analysis attack is proposed based on the above ECC
properties. Notice that Q_0(i−1) ≠ Q_1(i−1) for any 1 ≤ i ≤ m−1, and that
Q_0(i−1) ≠ Q_0(j−1) and Q_1(i−1) ≠ Q_1(j−1) for 1 ≤ i, j ≤ m−1 and i ≠ j.
Based on the above discussion, we employ V(i) defined by Eqn. (4.4) as a selective
function:
$$V(i) = \sum_{j=i}^{m-1} k_j 2^{j-i+1} + 1. \qquad (4.4)$$
When using the selective function above, we have to know k_{m−1}, k_{m−2}, ..., k_{i+1}.
In addition to that, we assume that k_i = 0. V(i) ≠ V(j) always holds for i ≠ j with
1 ≤ i, j ≤ m−1. Given a point P on the elliptic curve E and k_{m−1}, k_{m−2}, ..., k_{i+1},
we assume that k_i = 0 and check whether V(i)P appears somewhere in the intermediate
values. If it appears in them, we determine k_i as zero. If not, we determine k_i as one.
Finally, the LSB of a secret key k is determined by using the final point multiplication
result. Since the point multiplication result Q = kP is the public key itself, it can be
obtained easily.
Table 4.1: Intermediate values at the end of the i-th loop of Algorithm 2 with input P
and k = 1010.
  i   Q_0      Q_1
  3   P        2P
  2   2P       3P
  1   5P       6P
  0   10P*1    11P
*1: The result of the point multiplication.
Example 3 Let us consider the 4-bit secret key k = 10_{10} = 1010_2, i.e., k_3 = 1,
k_2 = 0, k_1 = 1, k_0 = 0, and m = 4, but assume that we do not know k except for its bit
length. The intermediate values Q_0(i) and Q_1(i) in Algorithm 2 are summarized in
Table 4.1.
Now we try to retrieve the 4-bit secret key k using the intermediate values. Since we
know that k has four bits, k can be written as k = xxxx, where x denotes an unknown bit.
In Algorithm 2, the MSB of k is defined to be one. Then k = 1xxx.
Next we try to retrieve the second bit k_2 (i = 2) of k. The MSB of k is one by
definition (k_3 = 1). We assume here that k_2 = 0. Then V(1) is calculated as V(1) = 5.
Since 5P appears in Table 4.1, k_2 is retrieved as zero, i.e., k = 10xx.
After that we try to retrieve the third bit k_1 (i = 1) of k. We already know that
k_3 = 1 and k_2 = 0. We assume here that k_1 = 0. V(0) is calculated as V(0) = 9. Since
9P does not appear in Table 4.1, k_1 is retrieved as one, i.e., k = 101x.
Finally, we have the point multiplication result 10P as in Table 4.1. If k = 1010, then
kP = 10P. If k = 1011, then kP = 11P. Since the result is 10P, we have k = 1010.
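The retrieval of Section 4.2.1 and Example 3, as an added Python example that is not part of the thesis: it implements the F_{2^m} arithmetic and the affine point addition and doubling of Section 4.1.1, runs Algorithm 2 while recording Q_0(i) and Q_1(i), and recovers k by testing whether V(i)P occurs among those intermediate values. The field F_{2^6} with f(z) = z^6 + z + 1, the coefficient a = 1, and the search for b and a base point P of order at least 34 (so that no identity case arises for 4-bit keys) are assumptions of this example.

```python
"""Added example (not from the thesis): key retrieval from the intermediate
values of the Montgomery method (Algorithm 2), as in Section 4.2.1/Example 3,
worked in affine coordinates over the constructed field F_{2^6}. The curve
coefficient b and base point P are searched so that P has order >= 34, which
rules out every identity case for 4-bit keys."""
M = 6
POLY = 0b1000011   # f(z) = z^6 + z + 1, irreducible over GF(2) (assumption)
A = 1              # coefficient a of E: y^2 + xy = x^3 + a x^2 + b (assumption)

def fmul(a, b):
    """Multiplication in F_{2^M}: shift-and-add, reducing modulo f(z)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def finv(a):
    """a^(2^M - 2) = a^-1 by square-and-multiply in the field."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = fmul(r, a)
        a, e = fmul(a, a), e >> 1
    return r

def on_curve(P, b):
    x, y = P
    return fmul(y, y) ^ fmul(x, y) == fmul(fmul(x, x), x) ^ fmul(A, fmul(x, x)) ^ b

# Points are (x, y) tuples; None is the identity (the point at infinity).
def point_double(P):
    if P is None or P[0] == 0:             # x = 0 means P = -P, so 2P = O
        return None
    x1, y1 = P
    lam = x1 ^ fmul(y1, finv(x1))          # lambda = x1 + y1/x1
    x3 = fmul(lam, lam) ^ lam ^ A          # x3 = lambda^2 + lambda + a
    return x3, fmul(x1, x1) ^ fmul(lam ^ 1, x3)   # y3 = x1^2 + (lambda + 1) x3

def point_add(P1, P2):
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2:                           # P2 = P1 (double) or P2 = -P1 (O)
        return point_double(P1) if y1 == y2 else None
    lam = fmul(y1 ^ y2, finv(x1 ^ x2))     # lambda = (y1 + y2)/(x1 + x2)
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1   # y3 = lambda(x1 + x3) + x3 + y1

def scalar_mul(k, P):
    """Reference kP by repeated addition (small k only)."""
    R = None
    for _ in range(k):
        R = point_add(R, P)
    return R

def find_base_point(min_order=34):
    """Deterministically pick b and a point P on E whose order is >= min_order."""
    for b in range(1, 1 << M):
        for P in ((x, y) for x in range(1 << M) for y in range(1 << M)):
            if not on_curve(P, b):
                continue
            R, order = P, 1                # order: smallest o with oP = O
            while R is not None:
                R, order = point_add(R, P), order + 1
            if order >= min_order:
                return b, P

def montgomery(k, P, m):
    """Algorithm 2 (k_{m-1} = 1): returns kP and (i, Q0(i), Q1(i)) per loop."""
    Q, trace = [P, point_double(P)], []
    for i in range(m - 2, -1, -1):
        ki = (k >> i) & 1
        Q[1 - ki] = point_add(Q[0], Q[1])
        Q[ki] = point_double(Q[ki])
        trace.append((i, Q[0], Q[1]))
    return Q[0], trace

def retrieve_key(P, result, trace, m):
    """Section 4.2.1: for i = m-2 .. 1 assume k_i = 0, form V(i) of Eqn. (4.4)
    and test whether V(i)P is an intermediate value (present: k_i = 0, absent:
    k_i = 1); k_0 follows from comparing kP with the result (the public key)."""
    seen = {Q for _, Q0, Q1 in trace for Q in (Q0, Q1)}
    k = 1                                  # k_{m-1} = 1 by Algorithm 2
    for i in range(m - 2, 0, -1):
        V = 4 * k + 1                      # V(i) under the assumption k_i = 0
        k = 2 * k + (0 if scalar_mul(V, P) in seen else 1)
    return 2 * k if scalar_mul(2 * k, P) == result else 2 * k + 1

def example(k=0b1010, m=4):
    """Example 3: recover k = 1010 from a Table 4.1-style trace."""
    b, P = find_base_point()
    result, trace = montgomery(k, P, m)
    return retrieve_key(P, result, trace, m)
```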
4.2.2 Problems to retrieve a secret key using a scan path
If we retrieve an m-bit secret key using an exhaustive search, we have to try 2^m
possible values. On the other hand, the method explained in Section 4.2.1 retrieves a
secret key bit by bit from MSB to LSB. It tries at most 2m possible values to retrieve
an m-bit secret key. Further, the method just checks whether V(i)P is among the
intermediate values of Algorithm 2.
In order to apply this method to a scan-based attack, we have to know which registers
store the intermediate values, i.e., we have to know the correspondence between the
scanned data and (Q_0, Q_1).
However, a scan path is usually designed automatically by CAD tools so that nearby
registers are connected together to shorten the scan path length. Only the designers
know the correspondence between scanned data and registers, and thus the retrieved
scanned data can be considered "random" by attackers. Therefore, it is very difficult
for attackers to find the values of V(i)P in the scanned data. As indicated before, an
ECC circuit has a very complicated architecture, so its scan path can include many
registers other than those storing intermediate values.
We have to find V(i)P somehow in the scanned data to retrieve a secret key k using the
method in Section 4.2.1.
4.3 Analysis scanned data obtained from an ECC
circuit
In order to solve the problem that attackers do not know the correspondence between the registers in the scanned data and the ones storing intermediate values during point multiplication, we focus on the following general property of a scan path:
Property 1 The bit position of a particular register r in the scanned data when giving one input data is exactly the same as that when giving another input data.
This property is clearly true, since a scan path is fixed in an LSI chip and the order of the registers connected in its scan path is unchanged.
If we execute point multiplication for each of n points on an ECC circuit, the bit pattern at a particular bit position in the scanned data for these n points gives n-bit data. Based on the above property, this n-bit data may also give the bit pattern of a particular bit of some intermediate value when we give each of these n points to the ECC circuit.
By using the same n points we can calculate $V(i)P$ from $k_{m-2}$ down to $k_1$ of the secret key k. By picking a particular bit (the LSB, for example) of each of the $V(i)P$ values for the n points, we also obtain n-bit data. If n is large enough, this n-bit data is completely unique to $V(i)P$. We can use this n-bit data as a discriminator $D_i$ for $V(i)P$ in the scanned data.
Our main idea in this section is to find a discriminator $D_i$ for $V(i)P$ in the scanned data to retrieve the secret key k from $k_{m-2}$ down to $k_1$. If an n-bit discriminator $D_i$ appears in the scanned data for the n points, $k_i$ is determined as zero. If not, it is determined as one.
In the rest of this section, we first propose a discriminator $D_i$ for $V(i)P$. Second, we propose an overall method to retrieve a secret key k using discriminators. Third, we analyze the probability of successfully retrieving a secret key by using our method.
4.3.1 Calculating a discriminator for $V(i)P$
Assume that n points $P_1, \dots, P_n$ over the elliptic curve E are given. Also assume that we already know $k_{m-2}, \dots, k_{i+1}$ of a secret key k. Assuming that $k_i = 0$, we can calculate $V(i)P_r$ for $1 \le r \le n$. As Figure 4.3 shows, we define a discriminator $D_i$ to be the set of LSBs of $V(i)P_r$ (footnote 3). If n is large enough, the discriminator $D_i$ must give information unique to $V(i)P_r$ for $1 \le r \le n$. Consequently, if $D_i$ appears in the scanned data, $k_i$ is determined as zero. If not, $k_i$ is determined as one. After $k_i$ is determined, we can continue to determine the next bit of the secret key k in the same way.
Our proposed method has two advantages compared to conventional scan-based attacks [9, 10]. One is that our method is effective in the case of a partial scan architecture. As long as the scan path includes at least one bit of each intermediate value, we can check whether the discriminator exists in the scanned data or not.
The other is that our method can crack the secure scan technique of [2], which inserts inverters into the internal scan path to complicate the scan structure. It protects against Yang's method [9, 10] at low area cost. However, the value of a 1-bit register sequence is only changed to its inverted value. The variation of the scanned data obtained under [2] is not enough to prevent our proposed method from retrieving a secret key. The detailed discussion is given in Section 4.4.4.
Footnote 3: Since $V(i)P_r$ represents the point in the XZ-plane, it has an X-coordinate and a Z-coordinate. In our method, we just pick the LSB of its X-coordinate as in Figure 4.3.
[Figure 4.3: Discriminator $D_i$. Input: $P_r \in E(\mathbb{F}_{2^m})$ ($1 \le r \le n$) and $V(i)$; output: discriminator $D_i$. Each $V(i)P_r$ is a 2m-bit value (Z-coordinate, X-coordinate); the LSB of each X-coordinate is collected into the n-bit discriminator $D_i$.]
[Figure 4.4: Scanned data. For each point $P_r$ the scanned data $sd_r$ consists of (size of scan path) bits per cycle times (number of point multiplication cycles); the bits at one scan-path position (the same FF) over the n points form an n-bit pattern that is compared with $D_i$.]
4.3.2 Scanned data analysis method
First we prepare n points $P_1, \dots, P_n$ over the elliptic curve E and give them to an ECC circuit. For each of these points, we obtain all the scanned data from the scan out of the ECC circuit until the ECC circuit outputs the point multiplication result. As Figure 4.4 shows, the size of the scanned data for each of these points is (scan path length) × (number of point multiplication cycles).
Now we check whether a discriminator $D_i$ for $V(i)P$ appears in the obtained scanned data, under the assumption that we do not know the secret key k in the ECC circuit, as follows:
1. Prepare n points $P_1, P_2, \dots, P_n \in E(\mathbb{F}_{2^m})$, where $P_r \ne P_s$ for $1 \le r, s \le n$ and $r \ne s$.
2. Input $P_r$ ($1 \le r \le n$) into the target ECC circuit and obtain the scanned data every cycle during point multiplication until the ECC circuit outputs the result. Let $sd_r$ denote the obtained scanned data for the point $P_r$ ($1 \le r \le n$).
3. Calculate $V(m-2)P_r$ assuming $k_{m-2} = 0$ for each $P_r$ ($1 \le r \le n$) and obtain the discriminator $D_{m-2}$ for $V(m-2)P_r$.
4. Check whether the discriminator $D_{m-2}$ exists in the scanned data $sd_1, \dots, sd_n$. If it exists, then $k_{m-2}$ is equal to 0, and if it does not exist, then $k_{m-2}$ is equal to 1.
5. Determine $k_{m-3}, k_{m-4}, \dots, k_1$ in the same way as Step 4.
6. $k_0$ (the LSB of the secret key k) is determined by comparing the expected kP value with the point multiplication result output by the ECC circuit.
We show the example below to explain how the method above works.
Example 4 As in Example 1, let us consider the 4-bit secret key $k = 10_{10} = 1010_2$, i.e., $k_3 = 1$, $k_2 = 0$, $k_1 = 1$, $k_0 = 0$, and m = 4, but assume that we do not know k except for its bit length and $k_3 = 1$. k can be written as k = 1xxx, where x denotes an unknown bit. Assume that the cycle count of the point multiplication is 4 and the size of the scan path is 62 in the target ECC circuit.
First we prepare 8 points $P_1, P_2, \dots, P_8 \in E(\mathbb{F}_{2^4})$, where $P_r \ne P_s$ for $1 \le r, s \le 8$ and $r \ne s$. The target ECC circuit executes the point multiplication as in Table 4.1. We input $P_r$ ($1 \le r \le 8$) into the target ECC circuit and obtain the scanned data every cycle during point multiplication until the ECC circuit outputs the result. Let $sd_r$ denote the obtained scanned data for the point $P_r$ ($1 \le r \le 8$). The total size of the scanned data is $4 \times 62 = 248$ bits (see Figure 4.5).
The MSB of k is one by definition ($k_3 = 1$). Let us start by determining $k_2$. We calculate $V(2)P_r = 5P_r$ assuming $k_2 = 0$ for each $P_r$ ($1 \le r \le 8$) and obtain the discriminator $D_2$ for $5P_r$ (see Figure 4.6). As Figure 4.6 shows, the discriminator $D_2$ becomes "10011011". Since the discriminator $D_2$ exists in the bit patterns of the scanned data $sd_r$ ($1 \le r \le 8$) in Figure 4.5, we can determine that $k_2$ is equal to zero, i.e., k = 10xx.
Next let us determine $k_1$. We calculate $V(1)P_r = 9P_r$ assuming $k_1 = 0$ for each $P_r$ ($1 \le r \le 8$) and obtain the discriminator $D_1$ for $9P_r$ (see Figure 4.7). As Figure 4.7 shows, the discriminator $D_1$ becomes "01010100". Since the discriminator $D_1$ does not exist in the bit patterns of the scanned data $sd_r$ ($1 \le r \le 8$) in Figure 4.5, we can determine that $k_1$ is equal to one, i.e., k = 101x.
Finally let us determine $k_0$. If k = 1010, then kP = 10P. If k = 1011, then kP = 11P. We calculate $10P_1$ and $11P_1$ and compare each of them with the point multiplication result $kP_1$. The point multiplication result obtained by the ECC circuit is $10P_1$, so $k_0$ is equal to zero, i.e., k = 1010. Therefore we retrieve the secret key $k = 10_{10} = 1010_2$.
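As an added example (not code from the thesis), Steps 1 to 6 above together with the inverted-discriminator check of Section 4.4.4, in Python. It assumes a Montgomery ladder over secp256k1 (a GF(p) curve, which the concluding remarks of this chapter note behaves the same way as GF(2^163) for this attack), a scan path modelled as the coordinate bits of (Q0, Q1) plus a cycle counter in a fixed order unknown to the attacker, captured once per ladder step, a short 12-bit key so that the run is quick, and constructed sample points G, 2G, ..., nG.

```python
import random

# secp256k1 parameters, assumed here in place of the thesis' GF(2^163) curve
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
SCAN_LEN = 4 * 256 + 16          # x, y of Q0 and Q1 plus a 16-bit cycle counter

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P_MOD); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                                   # p + (-p)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)        # doubling, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def dbl(q):
    return ec_add(q, q)

def ladder(k, pt, m):
    """Montgomery ladder for an m-bit k with k_{m-1} = 1 (Algorithm 2 style).
    Returns kP and the register pair (Q0, Q1) after the step for each of k_{m-2} ... k_0."""
    q0, q1 = pt, dbl(pt)
    trace = []
    for i in range(m - 2, -1, -1):
        if (k >> i) & 1:
            q0, q1 = ec_add(q0, q1), dbl(q1)
        else:
            q0, q1 = dbl(q0), ec_add(q0, q1)
        trace.append((q0, q1))
    return q0, trace

def coord_bits(q):
    x, y = q if q is not None else (0, 0)
    return f"{x:0256b}{y:0256b}"

def make_chip(key, m, seed, inverters=False):
    """Chip model: the scan path order (and, as in [2], optional inverter
    positions) is fixed at design time and unknown to the attacker."""
    rng = random.Random(seed)
    order = list(range(SCAN_LEN))
    rng.shuffle(order)
    mask = [inverters and rng.random() < 0.5 for _ in order]
    return {"key": key, "m": m, "order": order, "mask": mask}

def run_chip(chip, pt):
    """Point multiplication with scan-out: returns kP and the scanned data sd_r,
    one SCAN_LEN-bit string per ladder cycle."""
    result, trace = ladder(chip["key"], pt, chip["m"])
    sd = []
    for c, (q0, q1) in enumerate(trace):
        raw = coord_bits(q0) + coord_bits(q1) + f"{c:016b}"
        sd.append("".join(str(int(raw[j] == "1") ^ int(chip["mask"][j]))
                          for j in chip["order"]))
    return result, sd

def retrieve_key(chip, points):
    """Steps 1 to 6 of Section 4.3.2 without knowing the scan path order.
    A discriminator also counts as found when its inverse appears (Section 4.4.4)."""
    n, m = len(points), chip["m"]
    runs = [run_chip(chip, pt) for pt in points]
    outputs, dumps = [r[0] for r in runs], [r[1] for r in runs]
    # Property 1: one bit position at one cycle, read across the n points, is an n-bit column
    columns = {"".join(dumps[r][c][j] for r in range(n))
               for c in range(m - 1) for j in range(SCAN_LEN)}
    prefix, prefix_pts = 1, list(points)         # k_{m-1} = 1; prefix_pts[r] = prefix * P_r
    for i in range(m - 2, 0, -1):
        # if k_i = 0 the ladder must pass through V(i)P_r = (4 * prefix + 1) P_r
        v_pts = [ec_add(dbl(dbl(q)), pt) for q, pt in zip(prefix_pts, points)]
        disc = "".join(str(v[0] & 1) for v in v_pts)      # LSBs of the X-coordinates
        disc_inv = disc.translate(str.maketrans("01", "10"))
        bit = 0 if (disc in columns or disc_inv in columns) else 1
        prefix = 2 * prefix + bit
        prefix_pts = [ec_add(dbl(q), pt) if bit else dbl(q)
                      for q, pt in zip(prefix_pts, points)]
    # Step 6: k_0 from the circuit output for the first point
    k0 = 0 if outputs[0] == dbl(prefix_pts[0]) else 1
    return 2 * prefix + k0

def sample_points(n):
    """Constructed inputs: the n distinct points G, 2G, ..., nG."""
    pts, q = [], G
    for _ in range(n):
        pts.append(q)
        q = ec_add(q, G)
    return pts

if __name__ == "__main__":
    chip = make_chip(key=0xACB, m=12, seed=1, inverters=True)
    print(hex(retrieve_key(chip, sample_points(32))))     # 0xacb
```

With n = 32 points the column set has about 11,000 entries, so an accidental match of a 32-bit discriminator is as unlikely as the estimate in Section 4.3.3 suggests.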
[Figure 4.5: Scanned data example. Eight scanned-data strings $sd_1, \dots, sd_8$ of $4 \times 62 = 248$ bits each; the 8 bits at one scan-path position form the pattern compared with the discriminator $D_2$.]
[Figure 4.6: Discriminator $D_2$. Input: $P_r \in E(\mathbb{F}_{2^4})$ ($1 \le r \le 8$), $V(2) = 5$; output: discriminator $D_2$, the LSBs of the X-coordinates of $5P_1, \dots, 5P_8$, i.e., 10011011.]
[Figure 4.7: Discriminator $D_1$. Input: $P_r \in E(\mathbb{F}_{2^4})$ ($1 \le r \le 8$), $V(1) = 9$; output: discriminator $D_1$, the LSBs of the X-coordinates of $9P_1, \dots, 9P_8$, i.e., 01010100.]
4.3.3 Possibility of successfully retrieving a secret key
Suppose that the scan size is a given number of bits and that the cycle count to obtain a point multiplication result is T. Assume that the scanned data are completely random.
Even though $V(i)P_r$ for $1 \le r \le n$ is not calculated in the target ECC architecture, its discriminator may exist in the scanned data. When $T < 2^n$, the probability that the discriminator $D_i$ for $V(i)P_r$ exists somewhere in the bit patterns of the scanned data $sd_r$ ($1 \le r \le n$) is $T/2^n$, even though $V(i)P_r$ is never calculated.
A sufficiently large n can decrease the probability that we mistakenly find the discriminator $D_i$ in the scanned data. For instance, if the scan size is 2,520, T is 15,137, and n is 32 (footnote 4), then the probability that we mistakenly find the discriminator $D_i$ in the scanned data is $2{,}520 \times 15{,}137 / 2^{32} \approx 8.88 \times 10^{-3}$, which is low enough. If the scan size is 25,200, T is 15,137, and n is 36, then the probability that we mistakenly find the discriminator $D_i$ in the scanned data is $25{,}200 \times 15{,}137 / 2^{36} \approx 5.55 \times 10^{-3}$, which is also low enough.
4.4 Experiments and performance analysis
Let us analyze the number of points n required to retrieve a secret key k by using our proposed method. n must be large enough for the discriminator to be unique to $V(i)P_r$ ($1 \le r \le n$), but small enough to keep the retrieving time as short as possible.
In this section, we retrieve secret keys in a practical ECC architecture to determine the appropriate number of points n by using our method. We randomly generate 1,000 secret keys and retrieve each of them. Then we calculate the number of points required to correctly retrieve the secret keys.
Footnote 4: These values are derived from the experiments in Section 4.3.
4.4.1 Architecture of an elliptic curve cryptography circuit
The block diagram of the target ECC architecture for our scan-based attack is shown in Figure 4.8 and Figure 4.9. Its architecture is based on [34, 47] and it executes point multiplication using López's method [43], an improved version of the Montgomery method. The method requires only one inversion and reduces the number of multiplications compared with other point multiplication algorithms.
The ECC architecture has an adder, a multiplier and a squaring unit over $\mathbb{F}_{2^m}$. These computing units can operate in parallel so that they improve throughput effectively. Registers are used for input data, temporary data, and the ECC parameters. The ECC architecture also has registers for the secret key k, and attackers cannot access these registers directly. In this ECC architecture, the secret key k can be set to an arbitrary value beforehand.
We have designed the ECC architecture in Verilog HDL and synthesized it using Synopsys Design Compiler A-2007.12-SP3 with the STARC 90nm process library. A scan path has been implemented automatically using Synopsys DFT Compiler. We have obtained the scanned data from the gate-level ECC circuit using the HDL simulator Synopsys VCS-MX B-2008.12 (footnote 5).
The implementation result indicates that the delay time is 1.66 ns, the area is 32.5k gates and the total number of registers is 2,520 bits. Using this ECC architecture, a point multiplication requires 15,137 cycles.
Footnote 5: This work is supported by the VLSI Design and Education Center (VDEC), the University of Tokyo, in collaboration with Synopsys Corporation and with STARC.
[Figure 4.8: Block diagram of the elliptic curve cryptography circuit (data path). 163-bit registers (parameters B and C, coordinates x, y, X1, Z1, X2, Z2, and temporary registers t1, t2, t3) with register enables, selectors to bus A and bus B, an adder, a squaring unit, an MSD multiplier (digit = 12) with shift register, and an operator output selector driven by the control signals.]
[Figure 4.9: Block diagram of the elliptic curve cryptography circuit (controller). A main controller state machine (138 states, 8-bit state register) with pipeline registers, a counter for the multiplier, a counter for the square root, a clock counter, a secret key shift register controller, and an I/O control signal generator driving the bus A/B selectors, the operator output selector and the register enables.]
4.4.2 Target scan path architecture
For simplicity, the scan path used in our experiment includes all the registers in the target ECC architecture. This means that it also includes the shift registers storing the secret key and the registers of the controller. However, we assume that attackers only analyze the scanned data of the data path in the ECC circuit, for the following reasons:
A controller architecture depends on the implementation approach and is essentially unrelated to the cryptographic algorithm. For example, our ECC circuit uses a state machine as its controller, but the ECC architecture in [31] uses a user-configurable circuit as its controller. Unlike the cryptographic algorithm, the controller architecture does not have to be open, and it is very hard for attackers to know what kind of controller is used in a cryptography circuit.
On the other hand, a modern cryptographic algorithm has to be open so that its security can be checked, and both parties need to know it to realize secure communication. Attackers can easily know the cryptographic algorithm used by a target cryptography LSI.
Our proposed attacking method is based on the ECC algorithm, and attackers can learn the algorithm used by a target ECC LSI much more easily than its controller architecture. We can say that scan-based attacks analyzing a data path are more practical than those analyzing a controller.
4.4.3 Results
We have implemented the analysis method proposed in Section 4.3 in C on SuSE Linux 9 with an Intel Xeon 3.4 GHz and 4 GB of memory, and performed the following experiments.
First, we generated 1,000 secret keys randomly. Each of the generated secret keys has a bit length of 163. Next, we gave each of the 1,000 secret keys to the target ECC circuit and obtained the scanned data. The total size of the obtained scanned data for each secret key is $2{,}520 \times 15{,}137 = 38{,}145{,}240$ bits.
Table 4.2: The experimental results
Key bit length [bit]                      163
Number of retrieved keys                1,000
Number of required points (average)        29
Number of required points (worst)          36
Retrieving time [second]                   40
[Figure 4.10: Number of required points to retrieve secret keys. Histogram: x-axis, number of required points to retrieve secret keys (25 to 37); y-axis, ratio of retrieved keys (0 to 1.2).]
Using these scanned data, we retrieved each of the secret keys by using our proposed analysis method. Figure 4.10 and Table 4.2 show the retrieving results. Figure 4.10 shows a histogram of the number n of required points to retrieve each secret key versus its frequency. For example, the 572nd secret key is 0x7e5f91be081095bf9eb1bc5d1e46f0001cb1d7b32. In order to retrieve this secret key, we need 28 points, i.e., n is 28. In this case, we can successfully retrieve the 572nd secret key using 28 points but fail to retrieve it using 27 points or fewer. Throughout this experiment, the required number of points is 29 on average and 36 in the worst case. The retrieving time is at most 40 seconds when analyzing one secret key.
4.4.4 Discussions
A secure scan architecture that does not take into account a 1-bit sequence specific to some intermediate values cannot protect against our method. Here, we consider the secure scan architectures proposed so far against our proposed scan-based attack.
Firstly, the most straightforward countermeasure against our proposed scan-based attack is to leave the scan path open after testing the chip. However, the scan path can be reconnected and accessed by cracking the package [48].
Secondly, the secure scan architecture proposed in [2] cannot prevent our proposed method from retrieving a secret key. [2] inserts some inverters into a scan path to invert the scanned data, as shown in Figure 4.11. However, since the value of a 1-bit register sequence is only changed to its inverted value, the variation of the scanned data is not enough to prevent attackers from checking whether the discriminator exists or not. For instance, assume that the discriminator $D_i$ is $10100\dots1$ and we check whether the discriminator $D_i$ exists or not in the scanned data $sd_1, sd_2, \dots, sd_n$ modified by [2], as shown in Figure 4.11. If the discriminator $D_i$ exists in the modified scanned data, we can successfully find out that $k_i$ is zero. If not, we check whether the inverted discriminator $D_{i\text{-}inv} = 01011\dots1$ exists or not. If the inverted discriminator $D_{i\text{-}inv}$ exists in the modified scanned data, we find out that $k_i$ is zero. If the inverted discriminator $D_{i\text{-}inv}$ does not exist, we find out that $k_i$ is one.
[3] adds unrelated data to the scanned data to confuse attackers, as shown in Figure 4.12. However, the sequence of scanned data to which unrelated data are added is fixed in each LSI chip, and it confuses only a part of the scanned data to achieve a lower area overhead. In other words, unmodified bits exist in the scanned data $sd_1, sd_2, \dots, sd_n$ modified by [3]. In this case, if the discriminator $D_i$ exists in the modified scanned data, we can successfully find out that $k_i$ is zero. If not, we check whether the discriminator $D^1_i$, calculated when $k_i$ is one, exists or not in the modified scanned data, because a discriminator is defined not only for the case where $k_i$ is zero but also for the case where $k_i$ is one. If the discriminator $D^1_i$ exists in the modified scanned data, we can successfully find out that $k_i$ is one. Even if these discriminators do not exist in the modified scanned data, we can use other discriminators like $D_{i1}, D_{i2}, \dots$ as shown in Figure 4.12, which are defined as sets of other bits of $V(i)P_r$ for $1 \le r \le n$. If one of these other discriminators exists in the modified scanned data, we find out that $k_i$ is zero. Consequently, [3] cannot completely protect against our method.
Thirdly, [17, 18, 19, 20, 21, 22, 23, 24] require authentication to switch between system mode and test mode, and their security depends on the authentication method. If the authentication were broken and attackers could obtain scanned data, a secret key in an ECC LSI could be retrieved by using our proposed method. We consider authentication strength to be an issue separate from the purpose of this chapter.
Yang's method [10] limits the transitions between test mode and system mode to prevent attackers from obtaining scanned data during encryption/decryption with the secret key in the cryptography circuit. However, it cannot support the in-field testing required for highly reliable LSIs.
Finally, [25, 26, 27] use a compactor so as not to output the scanned data corresponding to the registers directly. [28] proposes an AES-based BIST, whereby there is no need for a scan path test. However, whether these methods can be applied effectively to an ECC LSI is quite unclear, because they are implemented only for an AES circuit or for a sample circuit unrelated to cryptography.
[Figure 4.11: Scanned data modified by [2]. Inverters are placed after some of the scan FFs (SFF), so in each $sd_r$ some bit positions are inverted and others are not; the column of the discriminator $D_i$ appears either as $D_i$ or as its inverse $D_{i\text{-}inv}$.]
[Figure 4.12: Scanned data modified by [3]. A test enable signal (Te) selects, for some FFs only, confusing data (Cd) from combinational circuits instead of the FF value; the other bit positions are not confused, so discriminators $D_{i1}, D_{i2}, \dots$ built from other bits of $V(i)P_r$ can still be found.]
4.5 Concluding remarks
We have focused on a scan-based attack against an ECC circuit. Three scan-based attacks against symmetric-key cryptography have been reported [9, 10, 15], but none against public-key cryptography has been reported yet. Since public-key cryptography is more complex than symmetric-key cryptography, scan-based attacks against symmetric-key cryptography cannot be directly applied to retrieve a secret key in a public-key cryptography circuit.
Our proposed scan-based attack can effectively retrieve a secret key k in an ECC circuit, since we focus only on the variation of one bit of the intermediate values. By monitoring it in the scan path, we can find out the register position specific to the intermediate values. The experimental results demonstrate that a secret key in a practical ECC circuit architecture can be retrieved by using 29 points over the elliptic curve E within 40 seconds. We can say that the proposed method reveals the vulnerability of a scan path in an ECC circuit.
In this chapter, we have dealt with elliptic curve cryptography over $GF(2^m)$. But even for elliptic curve cryptography over $GF(p)$, where p is prime, the intermediate values during the point multiplication are determined by its inputs and the secret key, and consequently our proposed method can retrieve a secret key in a similar way.
Chapter 5
State-dependent secure scan architecture
In this chapter, we propose a new secure scan architecture that is tolerant against [15], by changing the structure of a scan path dynamically even after it is designed.
Testing manufactured chips individually is very important for offering high-quality LSI chips. Recently, circuit sizes have increased dramatically because process technology has made remarkable progress and CAD tools have become widespread. We have to consider testability when we design circuits, because it is more and more difficult to test a whole circuit completely.
Scan test is a powerful and popular test technique because it achieves high fault coverage and is implemented easily. A scan test architecture is designed by connecting the scan FFs (flip-flops) inside a circuit, which are the registers used for the scan test, in series; this chain is called a scan path. It has input and output pins outside the chip to control and observe the internal states of the circuit.
Since the FFs in a scan path are accessible from outside the circuit, there is a threat of obtaining confidential information such as a secret key used in cryptography circuits. In fact, scan-based attacks have already been proposed [9, 12, 15], which
retrieve the secret key by analyzing scanned data obtained from a cryptography circuit. The analysis is not straightforward, because the connection of the scan FFs is almost random for each layout. However, scan-based attacks solve this connection problem by using the characteristics of a scan path.
Secure scan architectures to defend against scan-based attacks are divided into two patterns. One is a restriction such that no one can obtain the original scanned data without permission. Only testers can obtain them for testing. This method requires a circuit and a controller for the restriction, but the security settings can be reasonably flexible [12, 19, 23]. However, it has three demerits: the circuit and the controller need to be re-designed for each cryptography circuit, the area overhead for the circuit and the controller is too large, and if attackers access the scan path with permission, it is easy to retrieve a secret key by using scan-based attacks.
The other method is making the secret information unretrievable for attackers even if they can access the scan path. [2] changes the inputs and outputs of a scan path inside the circuit. Even if attackers obtain scanned data, they cannot understand the internal states without the modification, and consequently they cannot use scan-based attacks. This method does not require a controller and only requires simple circuits to change the data. It also builds a secure scan path automatically by using CAD tools, and furthermore, it can be adapted to any intellectual property more easily. This method has more advantages than the first method. However, it has one demerit: [2] cannot defend against a certain scan-based attack. The scan-based attack proposed by [15] can retrieve a secret key even from scanned data changed by [2].
To defend against the scan-based attack [15], our proposed method uses a State-dependent Scan FF (SDSFF), which we propose; it changes the scan FF output using a latch that memorizes a past value of the scan FF. Our proposed method can change the security level flexibly according to the target circuits, and it does not need any controller, so the area overhead is small.
5.1 Scan-based attacks
A scan-based attack is one of the side-channel attacks based on information gained from the physical implementation of a cryptographic circuit. A scan path comprises scan FFs connected to one another in series. We explain the scan path test in detail in Section 2.2.1.
By using "Scan In", "Capture", and "Scan Out" through a scan path, which is the same procedure as testing, attackers obtain scanned data to learn the internal states of a cryptography circuit. [9, 12] proposed a method that makes use of the Hamming weight of the scanned data to find out the internal states. This method only needs the correspondence between the first column of AES and the scanned data, but does not need the bit-to-bit correspondence between them.
On the other hand, [15] proposes a scan-based attack which is almost independent of the scan path structure. This method checks whether a 1-bit sequence which is specific to some intermediate values is included in the scanned data or not. As long as a scan path is implemented on an AES circuit and it includes at least one bit of each intermediate value, [15] can retrieve a secret key even if the scan path structure is unknown.
5.2 Secure scan architecture
Secure scan architectures against scan-based attacks can be divided into two types.
Method 1: Make the scan path unusable for attackers by limiting it with a private controller.
Method 2: Make the scan path usable for anyone, but make the secret information undecodable.
Generally, the security level is threatened when a mode jump occurs, such as from "system mode" to "test mode" or from "test mode" to "system mode". For this reason,
method 1 protects circuits from scan-based attacks by restricting mode jumps using a test controller [12, 19, 23].
[12] proposes the mirror key register (MKR) architecture to protect secret information from attackers. A secret key, which is stored in ROM in a cryptography chip, is only loaded in system mode in secure mode. Testers make a cryptography chip jump from secure mode to insecure mode for testing, and that occurs only with a power-off reset. Therefore, attackers cannot obtain scanned data during operation. However, the same number of mirror key registers as the number of scan FFs which hold the target data is required, so this method has a large area overhead.
[19] can automatically detect whether or not a scan path enters test mode using a Spy Scan FF (SpySFF) inside the scan path. All mode jumps are restricted so that the secret information is safe, but this condition makes the primary required test unexecutable. For this reason, mode jumps by an enable signal tree are permitted. This exception is a technique in which a mode jump is permitted only when the outputs of some scan FFs inside the scan path are equal to designated patterns. However, re-designing the test controller is required for each circuit, and the area overhead is also large.
In [23], Scan Out is permitted only when M keys (each N bits long) are input to specific N FFs as test vectors at the start of the test. The N FFs used as keys are chosen randomly and decided at system design time. As long as the N-bit key is not input to the FFs in the specific order M times, no one can obtain the inside information. The probability that attackers find the N-bit key is $1/2^N$, and with M inputs the final probability becomes $1/2^{MN}$. Also, M and N can be chosen freely, so the security level can be chosen flexibly. On the other hand, the area overhead is larger because we need to design a controller for checking the input keys M times.
[2] protects secret information by making the change of the scanned data undecodable. This is done by inserting a number of inverters randomly into a scan path. There are two cases for each scan FF: an inverter is inserted or not. If the number of scan FFs is m, the number of structures that a scan path can take is $2^m$. Therefore, it is substantially safe because attackers only obtain
the structure of the scan path with probability $1/2^n$, and impractical time is required for decoding. It does not need a test controller, and consequently the area overhead is very small, and it is easy to implement automatically by using CAD tools. However, it has the problem that the output is fixed for each bit of the scanned data. Because the places of the inverters are fixed after the chip layout is designed, [2] cannot defend against the attacking method [15], which focuses only on one bit of a register inside a scan path.
5.3 Proposed method
We propose a new secure scan architecture whose path changes dynamically to be tolerant against the scan-based attack [15]. The attack exploits the characteristic that the structure of a scan path is fixed once implemented. To protect a secret key against the attack, we change the output value of a scan FF by XOR'ing it with its past output value. To store the past output value of the scan FF, we propose a State-dependent Scan FF (SDSFF). The SDSFF changes the output value of a scan FF with the internal states of the circuit.
As shown in Figure 5.1, the SDSFF stores the output value of the scan FF (SFF1) in a latch when the load signal is enabled. The output value S for the next scan FF (SFF2) is calculated by XOR'ing the output value A of the latch with the output value B of scan FF1. The value A changes dynamically, after the circuit is implemented, at the timing when the load signal is enabled, and the value S changes at the same time accordingly. The relation among A, B, and the output value S for scan FF2 is shown in Figure 5.1.
If testers use our proposed method, they replace some normal scan FFs with SDSFFs. The scanned data are changed by the SDSFFs, but testers can generate test patterns and the corresponding output patterns because they know which scan FFs are replaced with SDSFFs. Attackers, however, do not know which scan FFs are replaced in a cryptographic circuit, and thus they do not know how the scanned data they obtained are changed. For this reason, our proposed method can defend against the
[Figure 5.1: State-dependent Scan FF (SDSFF). A DFF whose D input is selected by Se between the scan input Si and the logic; its output B feeds a latch enabled by Load, whose output is A; S = A XOR B goes to the next scan FF. Truth table:]
A B S
0 0 0
0 1 1
1 0 1
1 1 0
scan-based attack [15] and other attack methods [9, 12], too.
We discuss a test algorithm using our proposed method. The output of a scan FF changes dynamically because the value A is updated by the Load signal at the timing when the circuit moves from test mode to system mode. The timing chart of the clock signal, the Se signal, and the Load signal is shown in Figure 5.2. We define that a cryptography LSI operates in system mode when the Se signal is 0 and in test mode when the Se signal is 1.
While the Se signal is 1, scan data shift one position every clock cycle, and we input test patterns to the scan FFs of the scan path. After inputting them, we change the Se signal to 0, which represents system mode. At the same time, the Load signal changes to 1, and the latch of each SDSFF stores the output value of its scan FF as A. The Load signal changes back to 0 before the next rising clock edge. After the clock rises in system mode and the execution results are stored in the scan FFs, we set the Se signal to 1 to observe the internal state of the cryptographic circuit. It is important that the output value A of the latch is updated at every transition from test mode to system mode. Thereby, the structure of the scan path is not fixed.
Testers can decode scanned data because they know which scan FFs are replaced with SDSFFs and the output value A of each latch. Attackers do not know where SDSFFs are inserted in the scan path, and therefore do not know which bits of the scanned data are inverted; they thus cannot decode and analyze the scanned data to retrieve a secret key. We show the example below to explain how scanned data are decoded.

Figure 5.2: Timing chart. [Figure: CLK, Se and Load waveforms over the sequence Scan in (test mode), Capture (system mode), Scan out (test mode); Load pulses at the transition from test mode to system mode.]

Figure 5.3: Model of proposed scan architecture. [Figure: Scan In feeds SDSFF0, whose output feeds SDSFF1, then SDSFF2, then SDSFF3, followed by a DFF driving Scan Out; SDSFF i holds the latch value Ai and the scan FF value Bi, and all stages share CLK.]
Example 5 Let us consider a scan path model which consists of four SDSFFs and one DFF for I/O, as shown in Figure 5.3. In the following, ~X denotes the inverse of X. We assume that the four scan FFs store D3D2D1D0 and that their four latches store 0101, which means that the data passing through SDSFF1 and SDSFF3 (A1 = A3 = 1) are inverted. We input 1001 as a test pattern to the scan path and show the change in the scanned data in Table 5.1.
At the rising of the 1st clock cycle, the four scan FFs store 1 D3 ~D2 D1. A1 inverts D2 to ~D2 when D2 passes through SDSFF1. We obtain ~D0, since A3 inverts D0 to ~D0 when D0 passes through SDSFF3. We input 0 to the scan path.
At the rising of the 2nd clock cycle, the four scan FFs store 0 1 ~D3 ~D2. A1 inverts D3 to ~D3 when D3 passes through SDSFF1. We obtain ~D1, since A3 inverts D1 to ~D1 when D1 passes through SDSFF3. We input 0 to the scan path.
At the rising of the 3rd clock cycle, the four scan FFs store 0 0 0 ~D3. A1 inverts 1 to 0 when it passes through SDSFF1. We obtain D2, since A3 inverts ~D2 to D2 when ~D2 passes through SDSFF3. We input 1 to the scan path.
At the rising of the 4th clock cycle, the four scan FFs store 1 0 1 0. A1 inverts 0 to 1 when it passes through SDSFF1. We obtain D3, since A3 inverts ~D3 to D3 when ~D3 passes through SDSFF3.
Before the 5th clock edge rises, we change the Se signal to 0 and move to system mode. At the same time, the four latches store 1010, and thereby the positions at which bits are inverted change. At the rising of the 5th clock cycle, the four scan FFs store the execution results D'3 D'2 D'1 D'0. We input 1001, the same test pattern as the first time.
At the rising of the 6th clock cycle, the four scan FFs store 1 ~D'3 D'2 ~D'1. A0 inverts D'3 to ~D'3 when D'3 passes through SDSFF0, and A2 inverts D'1 to ~D'1 when D'1 passes through SDSFF2. We obtain D'0 and input 0 to the scan path.
At the rising of the 7th clock cycle, the four scan FFs store 0 1 ~D'3 ~D'2. A0 inverts 0 to 1 when it passes through SDSFF0, and A2 inverts D'2 to ~D'2 when D'2 passes through SDSFF2. We obtain ~D'1 and input 0 to the scan path.
At the rising of the 8th clock cycle, the four scan FFs store 0 0 0 D'3. A0 inverts 0 to 1 when it passes through SDSFF0, and A2 inverts ~D'3 to D'3 when ~D'3 passes through SDSFF2. We obtain ~D'2 and input 1 to the scan path.
At the rising of the 9th clock cycle, the four scan FFs store 1 1 1 1. A0 inverts 0 to 1 when it passes through SDSFF0, and A2 inverts 0 to 1 when it passes through SDSFF2. We obtain D'3.
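The following Python model is an added example and is not code from the dissertation. It simulates the four-SDSFF chain of Figure 5.3 under the S = A XOR B rule of Figure 5.1 (SDSFF0 nearest Scan In, SDSFF3 feeding Scan Out), replays the scan-in, Load, capture and scan-out steps of Example 5, and shows how a tester who knows the latch values A decodes the scanned bits, while someone who assumes a plain scan chain (all A = 0) recovers wrong register values. The register contents D3..D0 and D'3..D'0 are constructed sample values, and the function names are my own.

```python
"""Bit-level model of a scan path built from State-dependent Scan FFs (SDSFFs).

Added example, not code from the dissertation. Chain layout follows Figure 5.3:
Scan In -> SDSFF0 -> SDSFF1 -> SDSFF2 -> SDSFF3 -> Scan Out. Each SDSFF i holds
a scan FF value B_i and a latch value A_i and forwards S_i = A_i XOR B_i
(truth table of Figure 5.1). Register contents below are constructed values.
"""
from typing import Dict, List, Tuple

Bits = List[int]


def sdsff_shift(chain: Bits, latches: Bits, scan_in: int) -> Tuple[Bits, int]:
    """One test-mode clock edge (Se = 1).

    Stage 0 takes scan_in; stage i+1 takes S_i = B_i XOR A_i; the S of the
    last stage is the bit the tester sees at Scan Out.
    """
    n = len(chain)
    scan_out = chain[-1] ^ latches[-1]
    new_chain = [scan_in] + [chain[i] ^ latches[i] for i in range(n - 1)]
    return new_chain, scan_out


def shift_pattern(chain: Bits, latches: Bits, pattern: Bits) -> Tuple[Bits, Bits]:
    """Shift a whole pattern in (first bit first), collecting the bits shifted out."""
    outs: Bits = []
    for bit in pattern:
        chain, out = sdsff_shift(chain, latches, bit)
        outs.append(out)
    return chain, outs


def load_latches(chain: Bits) -> Bits:
    """Load pulse on the test-to-system transition: latch i copies B_i into A_i."""
    return list(chain)


def decode_scanned(scanned: Bits, latches: Bits) -> Bits:
    """Tester-side decode of n scanned bits into register contents B_0..B_{n-1}.

    The k-th bit out (k = 1..n) left register j = n-k and then passed through
    SDSFF j, ..., SDSFF n-1, so it was XORed with A_j ^ ... ^ A_{n-1}.
    """
    n = len(latches)
    regs = [0] * n
    for k, bit in enumerate(scanned, start=1):
        j = n - k
        mask = 0
        for a in latches[j:]:
            mask ^= a
        regs[j] = bit ^ mask
    return regs


def run_example() -> Dict[str, Bits]:
    """Replay Example 5: scan in 1001, Load, capture, scan out with 1001 again."""
    latches = [0, 1, 0, 1]            # initial A0..A3 of Example 5
    chain = [1, 1, 0, 1]              # constructed D3 D2 D1 D0 held in B0..B3
    pattern = [1, 0, 0, 1]            # test pattern, first bit shifted in first

    chain, first_out = shift_pattern(chain, latches, pattern)   # cycles 1-4
    after_scan_in = list(chain)                                 # 1010 in Example 5
    latches = load_latches(chain)                               # Load pulse, Se -> 0

    captured = [0, 1, 1, 0]           # constructed D'3 D'2 D'1 D'0 after capture
    chain, scanned = shift_pattern(list(captured), latches, pattern)  # cycles 6-9
    return {
        "first_scan_out": first_out,
        "after_scan_in": after_scan_in,
        "latches_after_load": latches,
        "after_second_scan_in": chain,
        "scanned": scanned,
        "captured": captured,
        "tester_decode": decode_scanned(scanned, latches),
        "naive_decode": decode_scanned(scanned, [0] * len(latches)),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name:>22}: {value}")
```

The Load pulse copies whatever the scan FFs hold after scan-in (1010 here, not the 1001 that was shifted in), so the set of inverted positions differs between the first and the second scan-out; the tester's decode is right only because it uses the post-Load A values. The model applies the Figure 5.1 truth table at every stage, and its cycle-by-cycle register values agree with Table 5.1.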
5.4 Implementation and Results
We have implemented our proposed method in an AES cryptography circuit in Verilog-HDL and synthesized it using Synopsys Design Compiler Z-2007.03-SP4 with a 90nm process library (see footnote 1). The AES cryptography circuit has 716 registers in total, and the length of the scan path is 716 as well. We have replaced n normal scan FFs in the scan path with n proposed SDSFFs and show the area after synthesis, compared with other scan path methods.
Footnote 1: This work is supported by VLSI Design and Education Center (VDEC), the University of Tokyo in collaboration with Synopsys Corporation and with STARC.
Table 5.1: Values in Example 1. (~X denotes the inverse of X; D'i are the execution results captured at the 5th cycle, D''i those captured at the 10th.)

Clock cycle      Phase        A0 A1 A2 A3   Scan In   B0    B1    B2    B3      Scan Out
(initial)                     0  1  0  1    1         D3    D2    D1    D0      -
1st              Scan shift   0  1  0  1    0         1     D3    ~D2   D1      ~D0
2nd              Scan shift   0  1  0  1    0         0     1     ~D3   ~D2     ~D1
3rd              Scan shift   0  1  0  1    1         0     0     0     ~D3     D2
4th              Scan shift   0  1  0  1    -         1     0     1     0       D3
Load                          1  0  1  0    -         1     0     1     0       -
5th              Capture      1  0  1  0    -         D'3   D'2   D'1   D'0     -
(after capture)               1  0  1  0    1         D'3   D'2   D'1   D'0     -
6th              Scan shift   1  0  1  0    0         1     ~D'3  D'2   ~D'1    D'0
7th              Scan shift   1  0  1  0    0         0     0     ~D'3  ~D'2    ~D'1
8th              Scan shift   1  0  1  0    1         0     1     0     D'3     ~D'2
9th              Scan shift   1  0  1  0    -         1     1     1     1       D'3
Load                          1  1  1  1    -         1     1     1     1       -
10th             Capture      1  1  1  1    -         D''3  D''2  D''1  D''0    -
The circuit area is 19,030 gates when no scan path is implemented. Implementing a scan path, the area increases to 19,594 gates. Inserting 358 inverters in the scan path to implement [2], we have 19,863 gates. The increase compared with the normal scan path is 269 gates.
To implement our proposed method, we replace 45, 60, 90, 179, 358 and 716 normal scan FFs with SDSFFs; the increases compared with the normal scan path are 203, 270, 405, 806, 1,611 and 3,218 gates, respectively. An SDSFF uses a latch and an XOR gate, so it is larger than the inverter used by [2]. In our method, when we replace 60 scan FFs with SDSFFs, the area is about the same as [2]; replacing more than 60 scan FFs results in a larger area than [2].
Table 5.2: Implementation results for an AES cryptography circuit.

Method            Modified scan FFs   Area [gates]   Area overhead [gates]
No scan           -                   19030          -
Normal scan       -                   19594          0
[2]               358                 19863          269 (1.4%)
Proposed method   716                 22812          3218 (16%)
                  358                 21205          1611 (8.2%)
                  179                 20400          806 (4.1%)
                  90                  19999          405 (2.1%)
                  60                  19864          270 (1.4%)
                  45                  19797          203 (1.0%)

Table 5.3: Security comparison.

                                  [2]    Proposed method
Possible patterns against [12]    2^n    2^n
Possible patterns against [15]    2      2^n
If attackers obtain scanned data to retrieve a secret key using the scan-based attack, they have to find out the positions of the SDSFFs in the scan path of the cryptography circuit. The more SDSFFs there are, the more difficult it is to find out their positions. Suppose the number of replaced SDSFFs is n; then the number of possible scan path architectures is 2^n, which means the probability that an attacker identifies the structure of the scan path is 1/2^n. We can adjust the security level against attack methods by increasing the number of replaced SDSFFs.
5.5 Concluding Remarks
In this chapter, we have proposed a secure scan architecture using SDSFFs. We focused on the point that a scan-based attack cannot succeed when the scan path structure changes dynamically. Based on this point, we used a latch for saving the past state to change the scan path structure dynamically. We have evaluated the security level and validity by implementing it in an AES cryptography circuit.
Chapter 6
Conclusion
In this dissertation, I proposed new scan-based attacks against AES, RSA and
ECC and a new secure scan architecture.
In our scan-based attacks, we do not need the correspondence between the scanned data and the registers of cryptography circuits storing the intermediate values, and further, we do not have to know when the registers store the intermediate values necessary for analysis.
Conventional scan-based attacks such as Yang's method [12] have the following problems, so that it is very difficult to retrieve a secret key in practical security LSIs.
1. A security LSI consists of many circuits other than the cryptography circuit, such as a microprocessor, memory and a controller. The scan path in the security LSI generally includes not only the registers of the cryptography circuit but also many registers of other circuits.
2. Attackers cannot know the timing at which intermediate values corresponding to the secret key are stored in registers.
In order to solve these problems, we focus on the following general property of scan paths:
Property 2 The bit position of a particular register r in the scanned data when giving one input is exactly the same as that when giving another input.
This property is clearly true, since a scan path is fixed in an LSI chip and the order of the registers connected in its scan path is unchanged.
The bit pattern at a particular bit position in the scanned data for n intermediate values gives n-bit data. Based on the above property, this n-bit data may also give the bit pattern of a particular bit in these intermediate values when we give each of these n inputs to the cryptography circuit.
By using the same n inputs, we can calculate the intermediate values corresponding to the secret key. By picking a particular bit (the LSB, for example) of each of the intermediate values for the n inputs, we also obtain an n-bit value. If n is large enough, this n-bit value gives information completely unique to the intermediate values corresponding to the secret key. We can use this n-bit value as a discriminator Di for the intermediate values corresponding to the secret key in the scanned data. The methodology to retrieve the secret key consists of the following steps.
1. Prepare n inputs.
2. Compute the cryptography algorithm with one of the n inputs using the target cryptography circuit and obtain scanned data every cycle until the cryptography circuit outputs the result.
3. Calculate a discriminator from the intermediate values corresponding to the secret key.
4. Check whether the discriminator exists in the scanned data. Depending on whether it exists or not, we can determine the particular bit of the secret key.
5. We can determine the other bits of the secret key in the same way as Steps 3 and 4.
Our proposed scan-based attack against AES retrieves the secret key in the AES circuit by using only 225 inputs. We succeed in reducing the number of inputs by as much as half compared to Yang's AES scan-based attack. In addition, we experiment with scanned data to which random bits are added. The total bit length of the scanned data ranges from 128 (no extra data added) to 4096 (3968-bit extra data added). Even if the scanned data include 3,968 bits of random data other than the round function output, our improved method is capable of deciphering the secret key with 321 inputs on average and 369 inputs in the worst case.
Our proposed scan-based attack against RSA succeeds in retrieving the secret key in the RSA circuit. We experiment with three key bit lengths, 1,024 bits, 2,048 bits and 4,096 bits. The average numbers of inputs required are 29.5, 32 and 37, respectively.
Our proposed scan-based attack against ECC succeeds in retrieving the secret key in the ECC circuit. We experiment with 1,000 randomly generated secret keys and retrieve all of them. The key size is 163 bits, the scan path length is 2,520 bits and the point multiplication requires 15,137 cycles. The number of inputs required is 29 on average and 36 in the worst case.
The state-dependent configurable secure scan architecture achieves an effective countermeasure against scan-based attacks. By substituting State-dependent scan flip-flops (SDSFFs) for some scan flip-flops, the scanned data are changed depending on the circuit state. The increased area from using SDSFFs to prevent scan-based attacks is only 5 through 10% of the cryptography circuit. If attackers obtain scanned data to retrieve a secret key using the scan-based attack, they have to find out the positions of the SDSFFs in the scan path of the cryptography circuit. Suppose the number of replaced SDSFFs is n; then the number of possible scan path architectures is 2^n, which means the probability that an attacker identifies the structure of the scan path is 1/2^n.
6.1 Future works
My future works are summarized as follows:
1. Proposing a theory about the number of inputs required for retrieving a secret key.
2. A new scan-based attack against compressed scanned data.
3. Experimental evaluation of our proposed method against scanned data modified by countermeasures.
4. New scan-based attacks against other cryptography algorithms.
We have revealed the number of inputs required for retrieving secret keys from some cryptography circuits. However, these numbers are obtained from experimental results, so we do not yet understand why our scan-based attack against ECC requires 29 inputs on average and 36 in the worst case to retrieve the secret key in the ECC circuit. By developing a theory about the number of inputs required for retrieving a secret key, our proposed scan-based attacks can be made more effective.
All scan-based attacks are based on the assumption that scanned data are output directly from registers. In practice, compression of scanned data is sometimes used in order to reduce scan test time. If a scan-based attack using compressed scanned data is possible, it will be a more practical attack method.
Some countermeasures against scan-based attacks have been reported, but none of them have been tested experimentally on practical circuits. Experiments with scan-based attacks using scanned data modified by countermeasures are important.
Scan-based attacks are powerful threats against cryptography circuits. However, effective attack methods against some cryptography algorithms have not been found. Camellia [49], for instance, which is a symmetric-key cryptography algorithm, has not been attacked because no side-channel attacks against it have been reported yet. The Camellia algorithm takes countermeasures against side-channel attacks into consideration, so that a scan-based attack against Camellia is difficult, too. Scan-based attacks against Camellia are worth researching.
Acknowledgment
First and foremost, I would like to give heartfelt thanks to Professor Nozomu Togawa at the Department of Computer Science and Engineering of Waseda University, who gave me constant encouragement, guidance, and support during my research. He advised me enthusiastically about not only research but also my attitude to it. Working on my research with him must be the most irreplaceable asset in my life.
I also express my appreciation to Professor Tatsuo Ohtsuki at the Department of Computer Science and Engineering of Waseda University and Professor Masao Yanagisawa at the Department of Electronic and Photonic Systems of Waseda University for continuous encouragement, support, direct guidance, and insightful comments throughout my work. They gave me a lot of helpful suggestions for my research life.
I also thank Professor Naohisa Komatsu at the Department of Computer Science and Engineering of Waseda University, who gave me constructive comments and warm encouragement.
I also thank Professor Satoshi Goto and Professor Takeshi Ikenaga of Waseda University for giving me a lot of helpful advice and continuous encouragement during my research at Kita-kyushu.
I also thank Dr. Youhua Shi for giving me a lot of helpful advice and supporting my research. He kindly introduced research on scan-based attacks to me. I received generous support from Ryo Tamura for my English. I also thank Hiroshi Atobe and Kei Satoh for their research on scan-based attacks. I have greatly benefited from their research for my dissertation.
I also thank Dr. Kazunori Shimizu for giving me a lot of helpful advice and support, not only in my research but also in my life. He is one of the people I respect most.
I also thank all of the students in Professor Togawa's laboratory, Professor Ohtsuki's laboratory, and Professor Yanagisawa's laboratory for their cooperation.
Finally, I thank my family for their kind support over the years.
References
[1] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Power analysis attacks of modular exponentiation in smartcards," in Proc. Workshop on Cryptographic Hardware and Embedded Systems, ser. Lecture Notes in Computer Science, vol. 1717, pp. 44–157, 1999.
[2] G. Sengar, D. Mukhopadhyay, and D. R. Chowdhury, "Secured flipped scan-chain model for crypto-architecture," IEEE Trans. VLSI Syst., vol. 26, no. 11, pp. 2080–2084, 2007.
[3] M. Inoue, T. Yoneda, M. Hasegawa, and H. Fujiwara, "Partial scan approach for secret information protection," in Proc. European Test Symposium, pp. 143–148, 2009.
[4] "Data encryption standard (DES)," Federal Information Processing Standards Publication 46-3 (FIPS 46-3), National Institute of Standards and Technology (NIST), Tech. Rep., 1999.
[5] "Advanced encryption standard (AES)," Federal Information Processing Standards Publication 197 (FIPS 197), National Institute of Standards and Technology (NIST), Tech. Rep., 2001.
[6] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," vol. 21, pp. 120–126, 1978.
[7] V. Miller, "Uses of elliptic curves in cryptography," in Proc. Advances in Cryptology, H. Williams, Ed., pp. 417–426, 1986.
[8] N. Koblitz, "Elliptic curve cryptosystems," Mathematics of Computation, vol. 48, pp. 203–209, 1987.
[9] B. Yang, K. Wu, and R. Karri, "Scan based side channel attack on dedicated hardware implementations of data encryption standard," in Proc. International Test Conference 2004, pp. 339–344, 2004.
[10] B. Yang, K. Wu, and R. Karri, "Secure scan: a design-for-test architecture for crypto chips," IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 25, no. 10, pp. 2287–2293, 2006.
[11] S. Mangard, M. Aigner, and S. Dominikus, "A highly regular and scalable AES hardware architecture," IEEE Trans. Comput., vol. 52, no. 1, pp. 483–491, 2004.
[12] B. Yang, K. Wu, and R. Karri, "Secure scan: a design-for-test architecture for crypto chips," in Proc. 42nd Design Automation Conference, pp. 135–140, 2005.
[13] R. D. Silverman, "Has the RSA algorithm been compromised as a result of Bernstein's paper?" RSA Laboratories, Tech. Rep., Apr. 2002. [Online]. Available: http://www.rsa.com/rsalabs/node.asp?id=2007
[14] J. Stein, "Computational problems associated with Racah algebra," J. Computational Physics, vol. 1, pp. 397–405, 1967.
[15] R. Nara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "A scan-based attack based on discriminators for AES cryptosystems," IEICE Trans. Fundamentals, vol. E92-A, no. 12, pp. 3229–3237, 2009.
[16] R. Nara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "Scan-based attack against elliptic curve cryptosystems," in Proc. IEEE Asia South Pacific Design Automation Conference, pp. 407–412, 2010.
[17] D. Hely, F. Bancel, M. L. Flottes, and B. Rouzeyre, "Test control for secure scan designs," in Proc. European Test Symposium, pp. 190–195, 2005.
[18] M. Gomułkiewicz, W. Nikodem, and T. Tomczak, "Low-cost and universal secure scan: a design-architecture for crypto chips," in Proc. International Conference on Dependability of Computer Systems, pp. 282–288, 2006.
[19] D. Hely, F. Bancel, M. L. Flottes, and B. Rouzeyre, "Secure scan techniques: a comparison," in Proc. 12th IEEE International On-Line Testing Symposium, pp. 119–124, 2006.
[20] J. Lee, M. Tehranipoor, and J. Plusquellic, "A low-cost solution for protecting IPs against scan-based side-channel attacks," in Proc. 24th IEEE VLSI Test Symposium, pp. 94–99, 2006.
[21] D. Hely, F. Bancel, M. L. Flottes, and B. Rouzeyre, "Securing scan control in crypto chips," J. Electron. Test., pp. 457–464, 2007.
[22] J. Lee, M. Tehranipoor, C. Patel, and J. Plusquellic, "Securing designs against scan-based side-channel attacks," pp. 325–336, 2007.
[23] S. Paul, R. S. Chakraborty, and S. Bhunia, "VIm-scan: a low overhead scan design approach for protection of secret key in scan-based secure chips," in Proc. 25th IEEE VLSI Test Symposium, pp. 455–460, 2007.
[24] U. Chandran and D. Zhao, "SS-KTC: a high-testability low-overhead scan architecture with multi-level security integration," in Proc. 27th IEEE VLSI Test Symposium, pp. 321–326, 2009.
[25] D. Mukhopadhyay, S. Banerjee, D. RoyChowdhury, and B. B. Bhattacharya, "CryptoScan: a secured scan chain architecture," in Proc. 14th Asian Test Symposium, pp. 348–358, 2005.
[26] G. Sengar, D. Mukhopadhyay, and D. RoyChowdhury, "An efficient approach to develop secure scan tree for crypto-hardware," in Proc. 15th International Conference on Advanced Computing and Communications, pp. 21–26, 2007.
[27] Y. Shi, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "A secure test technique for pipelined advanced encryption standard," IEICE Trans. Information and Systems, vol. E91-D, no. 3, pp. 776–780, 2008.
[28] M. Doulcier, M. L. Flottes, and B. Rouzeyre, "AES-based BIST: self-test, test pattern generation and signature analysis," in Proc. 25th IEEE VLSI Test Symposium, pp. 94–99, 2007.
[29] T. Beth and D. Gollmann, "Algorithm engineering for public key algorithms," IEEE J. Sel. Areas Commun., vol. 7, pp. 458–465, 1989.
[30] L. Song and K. K. Parhi, "Low energy digit-serial/parallel finite field multipliers," Journal of VLSI Signal Processing, vol. 19, no. 2, pp. 149–166, 1998.
[31] A. Satoh and K. Takano, "A scalable dual-field elliptic curve cryptographic processor," IEEE Trans. Comput., vol. 52, no. 4, pp. 449–460, 2003.
[32] S. Kumar, T. Wollinger, and C. Paar, "Optimum digit serial GF(2^m) multipliers for curve-based cryptography," IEEE Trans. Comput., vol. 55, pp. 1306–1311, 2006.
[33] K. Sakiyama, L. Batina, B. Preneel, and I. Verbauwhede, "Multicore curve-based cryptoprocessor with reconfigurable modular arithmetic logic units over GF(2^n)," IEEE Trans. Comput., vol. 56, no. 9, pp. 1269–1282, 2007.
[34] G. Orlando and C. Paar, "A high-performance reconfigurable elliptic curve processor for GF(2^m)," in Proc. Workshop on Cryptographic Hardware and Embedded Systems, ser. Lecture Notes in Computer Science, vol. 1965, pp. 41–56, 2000.
[35] N. Gura, S. C. Shantz, H. Eberle, S. Gupta, V. Gupta, D. Finchelstein, E. Goupy, and D. Stebila, "An end-to-end systems approach to elliptic curve cryptography," in Proc. Workshop on Cryptographic Hardware and Embedded Systems, ser. Lecture Notes in Computer Science, vol. 2523, pp. 349–365, 2002.
[36] H. Eberle, N. Gura, and S. Chang-Shantz, "A cryptographic processor for arbitrary elliptic curves over GF(2^m)," pp. 444–454, 2003.
[37] A. E. Cohen and K. K. Parhi, "Implementation of scalable elliptic curve cryptosystem crypto-accelerators for GF(2^m)," pp. 471–477, 2004.
[38] S. Moon, "A 193-bit encryption processor for elliptic curve cryptosystem using fast VLSI algorithms in finite fields," pp. 611–613, 2005.
[39] W. N. Chelton and M. Benaissa, "Fast elliptic curve cryptography on FPGA," IEEE Trans. VLSI Syst., vol. 16, no. 2, pp. 198–205, 2008.
[40] P. L. Montgomery, "Speeding the Pollard and elliptic curve methods for factorizations," Mathematics of Computation, vol. 48, pp. 243–264, 1987.
[41] J.-S. Coron, "Resistance against differential power analysis for elliptic curve cryptosystems," in Proc. Workshop on Cryptographic Hardware and Embedded Systems, ser. Lecture Notes in Computer Science, vol. 1717, pp. 292–302, 1999.
[42] G. B. Agnew, R. C. Mullin, and S. A. Vanstone, "An implementation of elliptic curve cryptosystems over F_{2^155}," IEEE J. Sel. Areas Commun., vol. 11, no. 5, pp. 804–813, 1993.
[43] J. Lopez and R. Dahab, "Fast multiplication on elliptic curves over GF(2^m) without precomputation," in Proc. Workshop on Cryptographic Hardware and Embedded Systems, ser. Lecture Notes in Computer Science, vol. 1717, pp. 316–327, 1999.
[44] K. Okeya, H. Kurumatani, and K. Sakurai, "Elliptic curves with the Montgomery form and their cryptographic applications," in Proc. International Conference on Theory and Practice of Public-Key Cryptography, ser. Lecture Notes in Computer Science, vol. 1751, pp. 238–257, 2000.
[45] K. Okeya and K. Sakurai, "Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with recovery of the y-coordinate on a Montgomery-form elliptic curve," in Proc. Workshop on Cryptographic Hardware and Embedded Systems, ser. Lecture Notes in Computer Science, vol. 2162, pp. 126–124, 2001.
[46] L. Goubin, "A refined power-analysis attack on elliptic curve cryptosystems," in Proc. International Conference on Theory and Practice of Public-Key Cryptography, ser. Lecture Notes in Computer Science, vol. 2567, pp. 199–211, 2003.
[47] "Digital signature standard (DSS)," Federal Information Processing Standards Publication 186-2 (FIPS 186-2), National Institute of Standards and Technology (NIST), Tech. Rep., 2000.
[48] O. Kömmerling and M. G. Kuhn, "Design principles for tamper-resistant smartcard processors," in Proc. USENIX Workshop on Smartcard Technology (Smartcard '99), 1999.
[49] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita, "The 128-bit block cipher Camellia," IEICE Trans. Fundamentals, vol. E85-A, no. 1, pp. 11–24, 2001.
List of Publications
Journal papers
1. R. Nara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "Scan vulnerability in elliptic curve cryptosystems," IPSJ Trans. SLDM, vol. 4, February Issue, pp. 47–59, Feb. 2011.
2. R. Nara, K. Satoh, M. Yanagisawa, T. Ohtsuki, and N. Togawa, "Scan-based side-channel attack against RSA cryptosystems using scan signatures," IEICE Trans. Fundamentals, vol. E93-A, no. 12, pp. 2481–2489, Dec. 2010.
3. K. Tanimura, R. Nara, S. Kohara, Y. Shi, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "Unified dual-radix architecture for scalable Montgomery multiplications in GF(P) and GF(2^n)," IEICE Trans. Fundamentals, vol. E92-A, no. 9, pp. 2304–2317, Sep. 2009.
4. R. Nara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "A scan-based attack based on discriminators for AES cryptosystems," IEICE Trans. Fundamentals, vol. E92-A, no. 12, pp. 3229–3237, Dec. 2009.
International conference papers
1. R. Nara, H. Atobe, Y. Shi, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "State-dependent changeable scan architecture against scan-based side channel attacks," in Proc. IEEE ISCAS 2010, pp. 1867–1870, May 2010.
2. R. Nara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "Scan-based attack against elliptic curve cryptosystems," in Proc. IEEE ASP-DAC 2010, pp. 407–412, Jan. 2010.
3. R. Nara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "Scan-based attack against elliptic curve cryptosystems," in Proc. IEEE ASP-DAC 2010, Poster session, Jan. 2010.
4. K. Tanimura, R. Nara, S. Kohara, K. Shimizu, Y. Shi, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "Scalable unified dual-radix architecture for Montgomery multiplication in GF(P) and GF(2^n)," in Proc. IEEE ASP-DAC 2008, pp. 697–702, Jan. 2008.
5. R. Nara, K. Shimizu, S. Kohara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, "An area-efficient GF(2^m) MSD multiplier based on an MSB multiplier for elliptic curve LSI," in Proc. IEICE ITC-CSCC 2007, vol. 1, pp. 37–38, Jul. 2007.
Domestic symposium papers (Japanese-language entries; authors and titles are not recoverable from the extraction, only the identifiers below)
1. RSA-related paper, pp. 197–202, Apr. 2010.
2. DA Symposium 2009, vol. 2009, no. 7, pp. 109–114, Aug. 2009.
3. GF(2^m) MSB-multiplier-based MSD multiplier for elliptic curve LSI, pp. 355–360, Apr. 2007.
4. GF(2^m) SIMD MSD multiplier, DA Symposium 2007, vol. 2007, no. 7, pp. 221–226, Aug. 2007.
5. SIMD MSD multiplier, 2007 symposium, vol. 2007, pp. 90–99, Oct. 2007.
Other domestic presentations (Japanese-language entries; authors and titles are not recoverable from the extraction, only the identifiers below)
1. SASEBO-GII / AES-related paper, SCIS2011, 1D1-2, Jan. 2011.
2. RSA-related paper, 2010 conference, A-3-6, p. 68, Sep. 2010.
3. AES-related paper, SCIS2009, 3A4-3, p. 277, Jan. 2009.
4. Technical report VLD2008-67, pp. 43–48, Nov. 2008.
5. AES-LSI-related paper, technical report VLD2008-68, pp. 49–53, Nov. 2008.
6. Technical report VLD2008-69, pp. 55–59, Nov. 2008.
7. S-Box / AES-related paper, technical report VLD2008-70, pp. 61–66, Nov. 2008.
8. GF(2^m) SIMD MSD multiplier, technical report VLD2007-11, pp. 25–29, May 2007.
9. GF(2^n) / GF(p) multiplier, technical report VLD2007-42, pp. 43–45, Jun. 2007.
10. GF(2^m) Digit-Serial multiplier, technical report VLD2006-89, pp. 25–30, Jan. 2007.
11. LSI-related paper, technical report VLD2004-125, pp. 5–10, Mar. 2005.
Award (Japanese-language entry; details not recoverable from the extraction)
1. Sep. 2007: IEEE SSCS Japan Chapter VDEC Design Award 2007, Ph.D. category.
Other items (Japanese-language entries; details not recoverable from the extraction)
1. Mar. 2011 (26th).
2. Feb. 2011 (23rd).
3. Mar. 2010 (fiscal 2009).
4. Aug. 2009.
5. Aug. 2007.
6. 2007.
