DynUnlock: Unlocking Scan Chains Obfuscated using Dynamic Keys
Nimisha Limaye† and Ozgur Sinanoglu‡
† Tandon School of Engineering, New York University
‡ New York University Abu Dhabi, UAE
{nsl278, ozgursin}@nyu.edu
Abstract—Outsourcing in the semiconductor industry has opened up avenues for faster and more cost-effective chip manufacturing. However, it has also introduced untrusted entities with malicious intent who may steal intellectual property (IP), overproduce circuits, insert hardware Trojans, or counterfeit chips. Recently, a defense was proposed that obfuscates scan access based on a dynamic key that is initially generated from a secret key but changes in every clock cycle. This defense can be considered the most rigorous among all scan locking techniques. In this paper, we propose an attack that remodels this defense into one that can be broken by the SAT attack; we also note that our attack can be adjusted to break other, less rigorous scan locking techniques (where the key is updated less frequently) as well.
I. INTRODUCTION
Many threats have arisen as a result of outsourcing in the IC supply chain. Untrusted entities such as the foundry and the end-user can use the tools at their disposal to steal intellectual property (IP) by reverse engineering, insert hardware Trojans, and counterfeit or overproduce the chip [1], [2], [3]. To thwart these attacks, logic locking is considered a viable design-for-trust solution. Earlier logic locking schemes were designed with high output corruptibility in mind: with an incorrect key, the chip should produce erroneous results for most input patterns [4], [5]. However, this property was exploited by the Boolean satisfiability based attack known as the SAT attack to retrieve the secret key of logic locking [6].
The SAT attack identifies a distinguishing input pattern (DIP) that prunes the key search space; the attack continues until no such DIP is found, and terminates with the correct key. High output corruptibility assists this attack, as a larger portion of the key search space is pruned with each DIP. To thwart this attack, scan obfuscation/encryption approaches [7], [8] were proposed, which obfuscate the scan-in and scan-out data based on a key. As all the successful attacks in the logic locking literature, such as SAT [6] and AppSAT [9], rely on scan access, these defenses can be said to thwart logic locking attacks. However, they incur significant area and delay overheads and mainly find application in crypto chips. To protect against IP piracy attacks, more general and scalable solutions are required.
Recently, XOR/MUX based scan obfuscation techniques have been proposed [10], [11], [12], [13] that obfuscate the scan data via XOR/MUX operations, driven by a secret key, through key gates inserted between the scan flops. In [10], a static key is used to obfuscate the scan chain content during scan-in and scan-out of patterns, effectively hindering unauthorized scan access. However, this defense was recently broken by the ScanSAT attack [14]. In [11], the scan-out ports are blocked whenever the chip is in functional mode or upon a mode switch between functional and test mode, thereby thwarting SAT-based attacks. However, this defense was also broken recently by the shift-and-leak attack [15]. Further, in [12], [13], a dynamic scan locking key is used to obfuscate the scan data; the keys are generated using a Linear Feedback Shift Register (LFSR) from a secret seed. In [12], the key is updated after scanning in and out a constant number (p) of patterns, while in [13], the key is updated in every clock cycle. The defense in [13] can be viewed as the most rigorous, and thus the most secure, dynamic scan locking defense. Indeed, the defense in [12] was broken recently even for its most rigorous version, where the key is updated for every pattern (p = 1) [16]. Yet, the defense in [13] remains unbroken.
The evolution of scan locking defenses and attacks, focusing on the most recent years, is shown in Table I, illustrating the attention this area has been attracting lately.

TABLE I: Evolution of scan locking over the last two years.

Month, Year   Defense        Obfuscation type   Attack
Jan, 2018     EFF [10]       Static             ScanSAT [14]
May, 2018     DFS [11]       Static             Shift-and-leak [15]
Sept, 2018    DOS [12]       Dynamic            Imp. ScanSAT [16]
May, 2019     EFF-Dyn [13]   Dynamic            This work
Contributions: In this paper, we propose a state-of-the-art attack which can break all dynamic scan locking defenses [12], [13]. We present our DynUnlock attack on the most rigorous case of dynamic locking [13], where the scan data gets obfuscated with a new key in every clock cycle. The contributions of this paper are as follows:
• We propose DynUnlock, which can break all dynamic scan locking defenses.
• We demonstrate our attack on a small dynamically scan locked ISCAS-89 circuit in Section III-A and perform it on six ISCAS-89 [17] and four ITC-99 [18] benchmarks for 10 different LFSR seeds each.
• We aim to recover the secret LFSR seed generating the dynamic keys. We recover the unique seed for 70% of the circuits, and for the remaining 30% we obtain at most 128 seed candidates out of 2^128 possible seeds, which can be refined very quickly via brute force to recover the secret seed.
• The execution times of the attack are highest for the s38584, s38417, and s35932 benchmarks (< 7 minutes), as they have the largest number of scan flops post-synthesis.
c© 2020 IEEE. This is the author’s version of the work. It is posted here for your personal use. Not for redistribution.
The definitive Version of Record is published in Proc. Design, Automation and Test in Europe Conference (DATE), 2020.
arXiv:2001.06724v1 [cs.CR] 18 Jan 2020
Fig. 1: Scan obfuscation of s208 ISCAS-89 benchmark locked using three key bits.
Fig. 2: Test authentication scheme for EFF-Dyn. When test key (TK)
mismatches with secret key (SK), comparator output goes low, and
key selector passes the dynamic key from the pseudo-random number
generator (PRNG) to the scan locked circuit. PRNG output updates
every clock cycle.
II. BACKGROUND
The SAT attack was a turning point for logic locking research; researchers have since been exploring approaches to thwart this fatal attack. Based on the observation that the success of SAT and other oracle-guided attacks relies on scan access, one promising approach is to obfuscate the scan data as it is delivered in and out of the scan chains.
The defense in [13] obfuscates the scan data dynamically by updating the key in every clock cycle (even within a pattern), resulting in the ultimate dynamic scan locking technique. In this paper, we propose an attack which breaks all versions of dynamic scan locking, including the most rigorous one [13]. We use [13] as a case study to showcase our attack methodology, while we note that it is guaranteed to be successful on all other dynamic scan locking versions that are less rigorous than [13], where the key updates less frequently [12].
A. Case Study
Dynamic Encrypt Flip-Flop (EFF-Dyn) [13] combines the scan locking approach of [10] with a PRNG to introduce dynamicity into the defense. During functional mode or the capture operation in test mode (scan enable (SE) signal low), the secret scan locking key stored in the Tamper-Proof Memory (TPM) controls the key gates. During testing, an externally provided test key is expected. When this test key matches the secret scan locking key, the key gates receive this correct key during the scan shift operations (SE signal high) as well; in case of a mismatch, however, the PRNG, which updates the key in every clock cycle, controls the key gates dynamically. This is illustrated in Fig. 2.
With an incorrect scan locking key, the chip outputs will be highly corrupted. A trusted testing facility can provide the scan locking secret key as the external test key, so that this key (known to them) drives the key gates during both shift and capture operations during test. Without knowledge of this secret key, access to the scan chains is locked based on a highly dynamic scan locking key generated by the PRNG.
Security Properties. Dynamically obfuscated scan access is meant to prevent an attacker from applying the generated DIPs through the scan chains, as the PRNG keeps updating the key in every clock cycle, thereby providing resilience against the SAT attack. As a defense that thwarts both SAT and AppSAT attacks, EFF-Dyn seems to be a promising design IP protection technique.
III. PROPOSED ATTACK
In this section, we discuss an attack approach on dynamically locked scan chains, with EFF-Dyn as a case study. In our attack, DynUnlock, we aim to recover the seed of the PRNG which produces the key sequence. With the secret seed known, an attacker can gain scan access without knowledge of the scan locking secret key: an arbitrary test key can be used to leave scan access control to the PRNG, which can easily be modeled by the attacker as long as its seed is known (see threat model below).
Threat Model. Consistent with the logic locking literature, we assume that the attacker can obtain the design netlist by reverse-engineering the GDSII files or a fabricated chip. This gives her access to all the structural information, including the test authentication scheme, the location of the key gates, and the PRNG structure and thus its feedback polynomial. We also assume that the attacker has access to a working oracle (functional IC). Though she also has physical access to the scan ports, the attacker needs to get past the scan obfuscation defense.
A. Attack Methodology
Flowchart. As discussed before, we aim to recover the PRNG or LFSR seed and not the secret key (SK) for this particular case.¹ But the methodology can be extended to other dynamic scan locking techniques whose seed is the secret key [12]. We first start by reverse-engineering the LFSR circuit and obtaining the equations corresponding to each clock cycle. Next, we determine the location of the key gates inserted between the scan flops and model this sequential logic circuit into a combinational circuit with the scan flops replaced with inputs and outputs. As per the architecture, scan patterns are shifted in and out serially, whereas key inputs are applied in parallel. Figure 3 explains the attack methodology in a flowchart.

¹ Here we assume that the PRNG is designed using an LFSR.

Fig. 3: Flowchart for the proposed DynUnlock attack.
Fig. 4: Combinational modeling of the scan locked s208 circuit in Fig. 1 into a SAT attack compatible combinational circuit. s0, s1, and s2 are the seed bits.
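The "equations corresponding to each clock cycle" step, as an added example that is not code from the paper: the 3-bit LFSR of Algorithm 1 and Fig. 4 (feedback k0 ← k1 ⊕ k2, the other bits shift up by one) is run symbolically over GF(2), so that every key bit k^r_i comes out as an XOR of seed bits s0, s1, s2, which is the form the combinational model consumes. The tap positions are a parameter, so the same code applies to whatever polynomial the attacker reverse-engineers from the netlist. The seed used for the check at the end is constructed.

```python
"""Added example: per-clock-cycle key equations of an LFSR over GF(2).
Uses the 3-bit LFSR of Algorithm 1 / Fig. 4 (k0 <- k1 xor k2, others shift up)."""


def lfsr_next(state, taps):
    """One LFSR round. Works on concrete bits and on symbolic seed-bit masks
    alike, because both the feedback and the shift are pure XOR/copy."""
    fb = 0
    for t in taps:
        fb ^= state[t]
    return [fb] + list(state[:-1])


def symbolic_key_stream(width, taps, rounds):
    """keys[r][i] is a bitmask over seed bits: bit j set means s_j is in k^r_i."""
    state = [1 << j for j in range(width)]       # round 0: k^0_j = s_j
    keys = [state]
    for _ in range(rounds):
        state = lfsr_next(state, taps)
        keys.append(state)
    return keys


def concrete_key_stream(seed, taps, rounds):
    """The same LFSR run on a concrete seed (what the chip's PRNG does)."""
    keys = [list(seed)]
    for _ in range(rounds):
        keys.append(lfsr_next(keys[-1], taps))
    return keys


def evaluate(mask, seed):
    """Value of a symbolic key bit for a concrete seed: parity of the selected bits."""
    v = 0
    for j, s in enumerate(seed):
        if (mask >> j) & 1:
            v ^= s
    return v


def format_equation(mask, name):
    """Render a mask as the equation the model uses, e.g. 'k^3_0 = s0 ⊕ s1 ⊕ s2'."""
    terms = ["s%d" % j for j in range(mask.bit_length()) if (mask >> j) & 1]
    return "%s = %s" % (name, " ⊕ ".join(terms) if terms else "0")


def equations_match(seed, taps, rounds):
    """Check: the symbolic equations, evaluated on seed, reproduce a concrete run."""
    sym = symbolic_key_stream(len(seed), taps, rounds)
    con = concrete_key_stream(seed, taps, rounds)
    return all(evaluate(m, seed) == b
               for r in range(rounds + 1) for m, b in zip(sym[r], con[r]))


if __name__ == "__main__":
    TAPS = (1, 2)                                 # Algorithm 1: k0 <- k1 xor k2
    for r, state in enumerate(symbolic_key_stream(3, TAPS, 7)):
        for i, mask in enumerate(state):
            print(format_equation(mask, "k^%d_%d" % (r, i)))
    # constructed seed (1, 0, 1); the symbolic and concrete streams must agree
    print("consistent with a concrete run:", equations_match([1, 0, 1], TAPS, 7))
```

Running the file lists the 24 key-bit equations for rounds 0 to 7; round 7 equals round 0, which is the period-7 cycle of this 3-bit LFSR. Because the key stream is linear in the seed, each obfuscated scan bit in the model is the data bit XORed with a fixed GF(2) combination of seed bits; the non-linearity the SAT solver has to work through comes only from the benchmark's combinational logic.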
Combinational Modeling. Consider scan locking on s208
ISCAS-89 benchmark shown in Fig. 1, where the key gates are
inserted after 1st, 2nd, and 5th scan flops. The scan-in patterns
are denoted by a and scan-out patterns are denoted by b; a′
denotes the pattern delivered into an obfuscated scan chain
and applied to the circuit, and b′ is the response of the circuit
captured in the obfuscated scan chain. During shift operations
where dynamic scan obfuscation is in place, a turns into a′;
and post-capture, b′ turns into b, both due to scan obfuscation.
Algorithm 1: Combinational modeling of the dynamic scan locked circuit. FFloc[ ] stores the positions of the scan locked flops. From Fig. 1, FFloc[0 : 2] = (1, 2, 5).
  Input: seed, a, b′
  Output: a′, b
  FF = number of scan flops in the circuit;
  n = number of LFSR (seed) bits;
  cycles = number of LFSR rounds;
  k^y = dynamic key for the y-th round, k^y_i its i-th bit (k^0 = seed);
  clk ← 0
  // LFSR equations: one key word per round (feedback shown for the 3-bit LFSR of Fig. 4; in general, use the reverse-engineered polynomial)
  for i ← 1 to cycles do
      k^i_0 ← k^{i-1}_1 ⊕ k^{i-1}_2
      for j ← 1 to n − 1 do
          k^i_j ← k^{i-1}_{j-1}
  // scan-in: a → a′ (a_{FF−1} is shifted in first); key gate i is passed in round FFloc[i] + clk
  for l ← FF − 1 down to 0 do
      i ← 0
      j ← FFloc[0] + clk
      while i < n and j ≤ FF do
          a_l ← a_l ⊕ k^j_i
          i ← i + 1
          if i < n then j ← FFloc[i] + clk
      a′_l ← a_l
      clk ← clk + 1
  clk ← clk + 1
  // scan-out: b′ → b; key gate i is passed in round FFloc[i] + clk
  for l ← 0 to FF − 1 do
      i ← n − 1
      j ← FFloc[i] + clk
      while i ≥ 0 and j > FF + 1 do
          b′_l ← b′_l ⊕ k^j_i
          i ← i − 1
          if i ≥ 0 then j ← FFloc[i] + clk
      clk ← clk − 1
      b_l ← b′_l
Algorithm 1 shows the construction of the LFSR keys from a seed, and the relationships between a and a′ and between b′ and b in terms of the dynamic key bits. The first for loop corresponds to the LFSR equations, the second for loop to the relation between a and a′, and the third for loop to the relation between b′ and b. This completes our modeling step, which results in a combinational locked circuit with the seed bits acting as the primary key inputs.
SAT attack. Once modeling is complete, the combinational locked circuit is fed to the SAT attack tool [6] as shown in Fig. 3, which provides a DIP and its corresponding output pattern. We modify the code base to dump the conjunctive normal form (CNF) after each iteration, which may reveal some of the seed bits. Unlike [16], we can carry out our attack for just one capture cycle. To recover more bits, we restart the LFSR circuit, obtain a new DIP and its corresponding output pattern from the SAT tool, and recover more seed bits. We repeat the restart step until all the seed bits have been recovered, or the remaining seed bits can be brute-forced. Even if the number of remaining seed bits is too large for brute force, we can obtain a combinational locked circuit for a new capture cycle and carry over the seed information recovered from previous capture cycles to either recover the entire seed or reduce the brute-force effort. We have, however, not come across any benchmark, locked with a key of practical size, where a second capture was required, as can be seen in Section IV.

TABLE II: Results for scan locked circuits with 128-bit dynamic keys fed by an LFSR based on a secret seed. All ten benchmarks can be broken to obtain the complete 128-bit seed. For s5378, the attack recovers 16 seed candidates, whereas for s13207, it recovers 128 seed candidates, both of which can be easily brute forced to obtain the correct seed.

Benchmark   # Scan flops²   # Key bits   # Seed candidates   # Iterations   Execution time (s)
s5378          160            128            16                 17              41
s13207         202            128           128                  4              27
s15850         442            128             2                  4              89
s38584       1,233            128             1                  3             219
s38417       1,564            128             1                  7             342
s35932       1,728            128             1                  1             254
b20            429            128             1                  1              63
b21            429            128             1                  1              54
b22            611            128             1                  1              99
b17            864            128             1                  1              86

² The number of scan flops listed is post-synthesis and may differ from the original number. This reduction is due to primary outputs that were directly connected to flip-flops without a combinational cone between them.
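The modeling step and the oracle-guided SAT step above, as one added worked example that is not code from the paper or from the EFF-Dyn design. The circuit is constructed, not s208: 8 scan flops with key gates on the Q outputs of flops 1, 3, 6 and 8, a 4-bit LFSR with feedback k0 ← k2 ⊕ k3 (an assumed tap choice), and a PRESENT-S-box-based bijection standing in for the benchmark's combinational logic. The timing convention is also an assumption: the key word applied in clock cycle t is the LFSR state after t updates from the seed, capture happens in cycle FF (the logic sees the gated Q outputs), and scan-out begins in cycle FF + 1, so the round indices differ by one from those in Algorithm 1. simulate is the cycle-accurate locked chain (the oracle), model is the combinational remodel built from the gate positions alone, and recover_seed prunes the 16 possible seeds with oracle queries on random patterns, standing in for the SAT solver and its DIPs at this toy size (on a 128-bit seed the space cannot be enumerated, which is why the paper delegates this to the solver). The check a practitioner wants before trusting the remodel is that model agrees with simulate for every seed and pattern; the hidden seed in the usage is constructed.

```python
"""Added example: toy EFF-Dyn-style scan chain, its combinational remodel,
and oracle-guided seed recovery. Constructed circuit, not s208."""
import random

N_FF = 8                      # scan flops; position p (0-based) is flop p+1
N_KEY = 4                     # key gates = LFSR width = seed bits (assumption)
FF_LOC = (1, 3, 6, 8)         # 1-based flops whose Q output carries key gate i
TAPS = (2, 3)                 # assumed feedback: new k0 = k2 xor k3
GATE_AT = {p - 1: i for i, p in enumerate(FF_LOC)}   # 0-based position -> gate
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]      # PRESENT S-box, toy logic only


def lfsr_next(state):
    fb = 0
    for t in TAPS:
        fb ^= state[t]
    return [fb] + list(state[:-1])


def key_stream(seed, last_round):
    """Key words k^0 .. k^last_round; k^0 is the seed itself."""
    keys = [list(seed)]
    for _ in range(last_round):
        keys.append(lfsr_next(keys[-1]))
    return keys


def bits_to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def int_to_bits(v, n):
    return [(v >> (n - 1 - i)) & 1 for i in range(n)]


def logic(state):
    """Toy stand-in for the benchmark's combinational logic: two nibble S-boxes
    followed by a rotation (a bijection with no linear structure)."""
    x = bits_to_int(state)
    y = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    y = ((y << 3) | (y >> 5)) & 0xFF
    return int_to_bits(y, N_FF)


def gated(flops, key):
    """Q outputs as seen downstream: a gated flop is XORed with its key bit."""
    return [b ^ key[GATE_AT[p]] if p in GATE_AT else b for p, b in enumerate(flops)]


def simulate(seed, a):
    """Cycle-accurate locked chain (the oracle): shift a in, capture, shift out.
    Cycle t uses key word k^t. Returns (a' as applied to the logic, observed b)."""
    keys = key_stream(seed, 2 * N_FF)
    flops = [0] * N_FF
    for c in range(N_FF):                        # cycles 0..N_FF-1; a[N_FF-1] enters first
        flops = [a[N_FF - 1 - c]] + gated(flops, keys[c])[:-1]
    a_prime = gated(flops, keys[N_FF])           # capture cycle: logic sees gated Q outputs
    flops = logic(a_prime)                       # b' lands in the flops
    b_obs = [0] * N_FF
    for c in range(N_FF):                        # cycles N_FF+1 .. 2*N_FF
        q = gated(flops, keys[N_FF + 1 + c])
        b_obs[N_FF - 1 - c] = q[-1]              # SO is flop N_FF's gated output
        flops = [0] + q[:-1]
    return a_prime, b_obs


def model(seed, a):
    """Combinational remodel in the spirit of Algorithm 1: every bit XORs the key
    bit of each gate it passes, taken from the key word of the cycle it passes it."""
    keys = key_stream(seed, 2 * N_FF)
    a_prime = list(a)
    for p in range(N_FF):                        # bit for flop p entered in cycle N_FF-1-p
        for q in range(p + 1):                   # gates at positions <= p; q == p is the capture
            if q in GATE_AT:
                a_prime[p] ^= keys[N_FF - p + q][GATE_AT[q]]
    b_obs = logic(a_prime)
    for p in range(N_FF):                        # captured bit p passes gates at positions >= p
        for q in range(p, N_FF):
            if q in GATE_AT:
                b_obs[p] ^= keys[N_FF + 1 + q - p][GATE_AT[q]]
    return a_prime, b_obs


def recover_seed(oracle, max_queries=32, rng_seed=1):
    """Prune all 2**N_KEY seeds with oracle queries on random patterns. Stands in
    for the SAT solver's DIP loop at this toy size. Returns (candidates, queries)."""
    rng = random.Random(rng_seed)
    cands = [tuple(int_to_bits(s, N_KEY)) for s in range(1 << N_KEY)]
    queries = 0
    while len(cands) > 1 and queries < max_queries:
        a = [rng.randint(0, 1) for _ in range(N_FF)]
        seen = oracle(a)
        cands = [s for s in cands if model(s, a)[1] == seen]
        queries += 1
    return cands, queries


if __name__ == "__main__":
    secret = (1, 0, 1, 1)                        # the oracle's hidden seed (constructed)
    found, n = recover_seed(lambda a: simulate(secret, a)[1])
    print("seed candidates after %d queries: %s" % (n, found))
```

Because model is exact, the true seed always survives a query, and the candidate list only shrinks; when several seeds remain after the query budget, that is the "seed candidates" outcome of Table II, to be finished by brute force or by a further capture, as the text describes. The all-zero seed yields an unobfuscated chain (a′ = a), and for this gate layout every non-zero seed changes a′, because the seed-to-a′ mapping has full rank over GF(2); a layout in which two gates with consecutive key indices sit on consecutive flops would instead let the same key bit cancel itself on one data bit, which is the kind of structural detail the remodel must be checked against the real netlist for.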
IV. EXPERIMENTAL RESULTS
Setup. We conducted our DynUnlock attack on six ISCAS-89 [17] and four ITC-99 [18] benchmarks with dynamically locked scan chains and a 128-bit key. Synopsys Design Compiler was used to synthesize these benchmarks. All experiments were carried out on a 24-core Intel Xeon processor running at 3.33 GHz with 96 GB RAM.
Attack results. Our attack results are given in Table II, which shows the number of seed candidates recovered, the number of iterations required by the lingeling SAT solver, and the attack execution time. As we can see, DynUnlock successfully unlocks all the circuits by recovering the 128-bit seed. For the benchmarks s5378, s13207, and s15850, the attack obtains more than one seed candidate, which highlights that with just one capture cycle the SAT tool was not able to resolve all the CNF equations. However, these seed candidates are very few in number and can easily be brute forced to obtain the correct seed. For the rest of the benchmarks, we directly obtain the correct seed. All benchmarks are run for 10 different LFSR seeds, and the number of seed candidates, the number of iterations, and the execution times are averaged over these 10 runs.
Attack scalability. In our attack, we include the LFSR structure in the combinational modeling. All the seed bits are correlated with other seed bits, as shown in Fig. 4. Hence, the SAT attack sometimes resolves only these clauses and is left with multiple values for the variables in these clauses, thereby increasing the number of seed candidates. For larger circuits, we obtain only one seed candidate. Intuitively, in a larger circuit with a larger number of scan flops, attack success should be higher, as the seed bits will repeat a larger number of times. We confirm this intuition from the results in Table II. Furthermore, for larger circuits (s38584, s38417, and s35932), even if the key size is 240 bits, we still recover one seed, as shown in Table III, and up to key sizes of 368 bits we obtain at most 16 seed candidates, which can be easily brute forced to recover the correct seed. Thus, our attack is scalable with the number of scan flops as well as with increasing key sizes.

TABLE III: Results for s38584, s38417, and s35932 benchmarks locked using larger keys. We observe that even for a key size as large as 368 bits, there are at most 16 seed candidates, which can be easily brute forced to recover the correct seed. The maximum time taken by any benchmark (s38417 for a key as large as 336 bits) is less than 23 hours.

           |          s38584              |          s38417              |          s35932
Key bits   | # Seed cand.  # Iter.  Time (s) | # Seed cand.  # Iter.  Time (s) | # Seed cand.  # Iter.  Time (s)
144        |      1          3        925    |      1          6        862    |      1          1        281
160        |      1          2        557    |      1          5        583    |      1          1        634
176        |      1          2      1,175    |      1          6      1,711    |      1          1        372
192        |      1          4        872    |      1          6        945    |      1          1        618
208        |      1          5      4,897    |      1          6      1,947    |      1          1        597
224        |      1          5      4,792    |      1          4      1,999    |      1          1      1,007
240        |      1          6      2,880    |      1          5      2,252    |      1          1        810
256        |      1          7      9,219    |      2          7     16,220    |      1          1        832
272        |      1          4      2,831    |      4          7     14,603    |      1          1      1,364
288        |      1          7     15,025    |     16          9     24,546    |      1          1      2,657
304        |      4          2      6,465    |     16         14     33,591    |      1          1      1,881
320        |      4          6     12,745    |     16         21     62,135    |      1          1      2,992
336        |      4          5     10,678    |     16         17     81,504    |      1          1      2,008
352        |      4          5     11,502    |     16         24     74,140    |      1          1      2,270
368        |      4          4     11,173    |     16         27     70,591    |      1          1      3,231

V. DISCUSSION AND CONCLUSION
Among the scan locking solutions that follow the same threat model used in logic locking, the only defenses that our attack cannot circumvent are those that incorporate cryptographic functions [7], [8] or PUF structures [19] to generate the dynamic keys. Our attack cannot model such modules into a combinational logic equivalent. While this is a limitation of our attack, we note that cryptographic functions incur significant area and power cost, limiting the use of such defenses to chips that already have these blocks.
In this paper, we presented a novel attack which circumvents the most dynamic case of scan locking, proposed in [13]. We model the sequential circuit into a locked combinational circuit on which the SAT attack [6] can be applied. We conducted experiments on large circuits in the ISCAS-89 and ITC-99 benchmark suites and recovered the LFSR seed within seven minutes for all the benchmarks under consideration. We also evaluated the scalability of our attack with increasing key sizes and recovered the seed using at most 27 iterations and within 23 hours for all 15 cases, for key sizes as large as 368 bits. Our attack can break any version of dynamic scan locking. With our attack process, we never run out of iterations, as the attack always provides seed candidates, if not the correct unique seed.
ACKNOWLEDGEMENT
The authors would like to acknowledge Satwik Patnaik for his valuable feedback. This work was supported by the New York University NY/Abu Dhabi Center for Cyber Security and Intel Corporation.
REFERENCES
[1] “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” 2018. [Online]. Available: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
[2] “Intellectual Property Rights and Commercial Fraud,” 2018. [Online]. Available: https://www.ice.gov/news/releases/orange-county-electronics-distributor-charged-selling-counterfeit-integrated-circuits
[3] “Reverse Engineering Software,” 2016. [Online]. Available: http://www.chipworks.com/en/technical-competitive-analysis/resources/reerse-engineering-software
[4] J. A. Roy, F. Koushanfar, and I. L. Markov, “Ending piracy of integrated circuits,” Computer, vol. 43, no. 10, pp. 30–38, 2010.
[5] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino, O. Sinanoglu, and R. Karri, “Fault analysis-based logic encryption,” TCOMP, vol. 64, no. 2, pp. 410–424, 2015.
[6] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic encryption algorithms,” in HOST. IEEE, 2015, pp. 137–143.
[7] E. Valea, M. Da Silva, M.-L. Flottes, G. Di Natale, and B. Rouzeyre, “Stream vs block ciphers for scan encryption,” Microelectronics Journal, vol. 86, pp. 65–76, 2019.
[8] M. Da Silva, M.-L. Flottes, G. Di Natale, and B. Rouzeyre, “Preventing scan
attacks on secure circuits through scan chain encryption,” TCAD, vol. 38, no. 3,
pp. 538–550, 2018.
[9] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “AppSAT:
Approximately deobfuscating integrated circuits,” in HOST. IEEE, 2017, pp.
95–100.
[10] R. Karmakar, S. Chatopadhyay, and R. Kapur, “Encrypt Flip-Flop: A Novel Logic
Encryption Technique For Sequential Circuits,” arXiv preprint arXiv:1801.04961,
2018.
[11] U. Guin, Z. Zhou, and A. Singh, “Robust design-for-security architecture for
enabling trust in IC manufacturing and test,” TVLSI, vol. 26, no. 5, pp. 818–830,
2018.
[12] X. Wang, D. Zhang, M. He, D. Su, and M. Tehranipoor, “Secure scan and test
using obfuscation throughout supply chain,” TCAD, vol. 37, no. 9, pp. 1867–1880,
2017.
[13] R. Karmakar, S. Chattopadhyay, and R. Kapur, “A Scan Obfuscation Guided
Design-for-Security Approach For Sequential Circuits,” TCAS II: Express Briefs,
2019.
[14] L. Alrahis, M. Yasin, H. Saleh, B. Mohammad, M. Al-Qutayri, and O. Sinanoglu,
“ScanSAT: unlocking obfuscated scan chains,” in ASP-DAC. ACM, 2019, pp.
352–357.
[15] N. Limaye, A. Sengupta, M. Nabeel, and O. Sinanoglu, “Is Robust Design-for-
Security Robust Enough? Attack on Locked Circuits with Restricted Scan Chain
Access,” arXiv preprint arXiv:1906.07806, 2019.
[16] L. Alrahis, M. Yasin, N. Limaye, H. Saleh, B. Mohammad, M. Alqutayri, and
O. Sinanoglu, “ScanSAT: Unlocking Static and Dynamic Scan Obfuscation,”
TETC, pp. 1–1, 2019.
[17] F. Brglez, D. Bryan, and K. Kozminski, “Combinational profiles of sequential
benchmark circuits,” in ISCAS. IEEE, 1989, pp. 1929–1934.
[18] S. Davidson, “Notes on ITC’99 Benchmarks,” 1999. [Online]. Available:
http://www.cerc.utexas.edu/itc99-benchmarks/bendoc1.html
[19] W. Li, J. Ye, X. Li, H. Li, and Y. Hu, “Bias PUF based Secure Scan Chain Design,”
in AsianHOST. IEEE, 2018, pp. 31–36.
