Abstract: When scan test techniques are applied to cryptographic chips, side-channel attacks may result in user key leakage. Many secure scan designs have been proposed to protect the user key. This paper meticulously selects three current scan test techniques and analyses their advantages and disadvantages. The paper also compares them in several aspects, such as security and area overhead. Users can choose one of them according to their requirements; the techniques can also be combined to achieve better performance.
Introduction
Scan chain-based design for testability (DFT) has been the most popular testing technique due to its high fault coverage and low overhead. Nevertheless, cryptographic IP cores that implement key-based algorithms, such as Advanced Encryption Standard (AES), Data Encryption Standard (DES) and Triple DES (TDRE), are vulnerable to side-channel attacks (SCA). Since the flip-flops in a scan chain can be accessed and analyzed, the secret key can be retrieved and confidential information can be leaked [1]. Crypto cores therefore require a secure scan design that maintains high testability without compromising security.
Several methods have been proposed to protect the user key from side-channel attacks. A mirror key register (MKR) is inserted into the AES core so that the user key cannot be loaded in scan test mode [1]. Paul et al. [2] proposed reordering the scan chain cells by scrambling them so that only an authorized user can obtain the correct order. In [3], inverters are inserted into the scan chains to make it difficult for attackers to discover the internal scan structure; [4] is an upgraded version of this approach. Nevertheless, most of these traditional secure DFT techniques try to protect the key within the core by modifying the structure of the scan chain, and the security of the primary inputs and outputs of SoCs is ignored. This can lead to a potential attack via an insecure test wrapper [5].
This paper focuses on three secure DFT techniques from two directions. One of them still protects the user key within the core by modifying the IEEE 1149.1 standard. The other two techniques are based on the IEEE 1500 standard so that they are suitable for SoCs. This paper is arranged as follows. Section II introduces the three techniques in detail. Section III analyses and compares them with respect to several aspects. Section IV is the conclusion.
Three secure scan designs
The fake key based secure scan technique is based on IEEE standard 1149.1 (JTAG). A new instruction, "SecureScanTest", is added to the instruction decoder. It is invoked whenever the normal mode is changed to scan test mode. The architecture is illustrated in Fig. 1 from [6]. First, the scan output is blocked by an AND gate with the signal "ScanOutputGatingSignal". Unless the signal is changed to 1, the gated scan output stays at 0, so that the scan chain contents, possibly including encrypted data, can be shifted and flushed out. Then, during the normal scan test mode, a fake key is loaded into the AES core instead of the user key by asserting the signal "LoadKey", which is generated by the new instruction. Further, a counter is inserted to indicate the number of scan shifts needed to flush out the encrypted data.
The golden key based secure test wrapper technique is based on IEEE standard 1500. Its authentication mechanism is used to lock and unlock the modified standard test wrapper (STW). The architecture is illustrated in Fig. 2 from [5], where the modified components are highlighted. Some specified wrapper boundary cells are modified to construct an on-chip LFSR path which generates a golden key. The inputs and outputs of the scan chains are gated with an "unlock" signal generated by the STW controller. The test wrapper is unlocked only if the test patterns match the generated golden key. The WIR is also modified to decode a new instruction, "UNLOCK_STW", and to generate the STW control signals.
[7]. KATAN can be implemented in software, on a secure server, as well as in hardware. An on-chip true random number generator (TRNG) [8] is used to generate a random nonce as plaintext. The KATAN software receives it via a serial interface. The plaintext is also transmitted to the on-chip KATAN hardware. The KATAN software and hardware use the same key, which is securely stored on the server and in an on-chip non-volatile memory. The ciphertexts generated by the software and the hardware are then compared in an on-chip comparator. If they match, the test wrapper is unlocked by an "UnlockWrapper" signal, which enables the normal scan test.
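A behavioural model of the fake key flow described above (gated scan output, flush counter, fake key selected by "LoadKey"), added here as an illustration and not taken from [6]. The 16-bit chain, the key values and the toy round function standing in for the AES core are assumptions.

```python
CHAIN_LEN = 16        # scan flip-flops in the modelled chain (constructed)
USER_KEY = 0xBEEF     # constructed secret, used in normal mode only
FAKE_KEY = 0x5A5A     # constructed key, loaded in scan test mode


def toy_round(data, key):
    """Stand-in for one cipher round (key mix + rotate); NOT AES."""
    x = (data ^ key) & 0xFFFF
    return ((x << 3) | (x >> 13)) & 0xFFFF


class FakeKeyScanCore:
    def __init__(self):
        self.chain = [0] * CHAIN_LEN   # round register stitched into the chain
        self.test_mode = False
        self.shifts = 0                # counter of shifts since the mode change

    def enter_secure_scan_test(self):
        """Effect of decoding "SecureScanTest": select fake key, gate output."""
        self.test_mode, self.shifts = True, 0

    def capture(self, data):
        value = toy_round(data, FAKE_KEY if self.test_mode else USER_KEY)  # LoadKey mux
        self.chain = [(value >> i) & 1 for i in range(CHAIN_LEN)]

    def shift(self, scan_in=0):
        # ScanOutputGatingSignal is 0 until CHAIN_LEN flush shifts are counted.
        gating = 1 if self.shifts >= CHAIN_LEN else 0
        out = self.chain[-1] & gating                    # AND gate on scan-out
        self.chain = [scan_in] + self.chain[:-1]
        self.shifts += int(self.test_mode)
        return out

    def unload(self):
        """Shift the whole chain out, MSB first, and return it as an integer."""
        value = 0
        for _ in range(CHAIN_LEN):
            value = (value << 1) | self.shift()
        return value


def run_session(pattern=0x1234):
    core = FakeKeyScanCore()
    core.capture(pattern)              # normal mode: chain holds user-key data
    residual = sum(b << i for i, b in enumerate(core.chain))
    core.enter_secure_scan_test()
    flushed = core.unload()            # gated: observer sees only zeros
    core.capture(pattern)              # test capture uses the fake key
    return residual, flushed, core.unload()
```

`run_session()` returns the residual user-key-dependent state, what the scan output showed while it was flushed, and the test response captured afterwards.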
Analysis and Comparison
Three techniques, belonging to two types of secure scan design, are compared in this section. The comparison focuses on four aspects, with some minor issues also mentioned.
First of all, the standards-related issues are compared. The fake key technique in [6] is based on IEEE std. 1149.1, while the golden key technique and the KATAN technique are based on IEEE std. 1500. The fake key technique modifies the standard instruction decoder by adding a new private instruction that selects whether the user key or the fake key is loaded, during normal and test mode respectively. The KATAN based technique requires no modification to the IEEE 1500 standard. By contrast, the golden key based technique modifies the boundary register, the wrapper instruction register, and the test wrapper controller. In terms of compatibility, none of these three techniques changes the crypto core, so they are compatible with their corresponding standards and the AES core can also be reused when designing an SoC [6]. To reduce the congestion of the test control interface wiring of IEEE 1500 wrappers in SoCs, an IEEE 1149.1 TAP controller is required and is connected to the wrapper through a glue logic block [9]. Consequently, the two secure wrapper techniques are also compatible with IEEE std. 1149.1. The standards-related issues are summarized in Table 1.
The protection mechanisms of the three techniques are analyzed and compared next. The key idea of [6] is to load a fake key instead of the user key during test mode. Further care is taken by blocking the scan output using a signal generated by the instruction decoder, so that no scan output can be observed during the scan mode. Both secure test wrapper techniques adopt a locking and unlocking authentication mechanism to protect the crypto core, and in both the inputs and outputs of the scan chains are gated by an unlock signal determined by a comparator. The difference is that the golden key based technique [5] uses an embedded LFSR as the golden key and compares it with the input bit stream, while the KATAN based technique runs a lightweight cipher algorithm both in hardware (embedded on chip) and in software (on the test server) and compares their ciphertexts.
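The two unlock mechanisms side by side, as an added behavioural example that is not code from [5] or from the KATAN based design. The LFSR seed and taps, the key length and the truncated-HMAC stand-in for the KATAN cipher are assumptions; the model shows that the golden key is one fixed pattern, while the challenge-response comparator expects a different ciphertext for each nonce.

```python
import hashlib
import hmac
import secrets


def lfsr_bits(seed, taps, width, nbits):
    """Fibonacci LFSR output stream; models the on-chip golden-key path."""
    state, out = seed, []
    for _ in range(nbits):
        out.append(state & 1)
        fb = sum((state >> t) & 1 for t in taps) & 1     # XOR of tap bits
        state = (state >> 1) | (fb << (width - 1))
    return bytes(out)


class GoldenKeyWrapper:
    """Unlocks when the shifted-in pattern equals the fixed LFSR sequence."""
    def __init__(self, seed, taps, width, key_len):
        self.golden = lfsr_bits(seed, taps, width, key_len)
        self.unlock = 0

    def present(self, pattern):
        self.unlock = int(hmac.compare_digest(bytes(pattern), self.golden))
        return self.unlock


def cipher32(key, nonce):
    """Stand-in for the 32-bit lightweight cipher (truncated HMAC, NOT KATAN)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:4]


class ChallengeResponseWrapper:
    """Unlocks when the server's ciphertext matches the on-chip one."""
    def __init__(self, key, trng=secrets.token_bytes):
        self.key, self.trng, self.nonce, self.unlock = key, trng, None, 0

    def challenge(self):
        self.nonce, self.unlock = self.trng(4), 0   # fresh nonce relocks
        return self.nonce

    def respond(self, ciphertext):
        if self.nonce is None:                      # no challenge outstanding
            return 0
        expected = cipher32(self.key, self.nonce)   # on-chip cipher
        self.unlock = int(hmac.compare_digest(ciphertext, expected))
        self.nonce = None                           # each nonce is single-use
        return self.unlock
```

In both classes `unlock` is the signal that gates the scan chain inputs and outputs; the `trng` parameter exists only so that a test can supply fixed nonces.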
Security is analyzed and compared in several aspects. For an attacker, all attacks, such as the side-channel attack [1] and the signature attack [10], are created only to obtain the secret key. Therefore, the most effective method is to protect the secret key. The fake key method uses a fake key instead of the user key in test mode to ensure the security of the user key. Some other protection measures are also applied against possible small leaks, such as residual encrypted data. Although meticulous care is taken, the primary inputs and outputs may still provide an attack channel in an SoC environment. Secure scan wrappers alleviate this issue by wrapping the whole core and locking it unless the identity of the tester is authorized. In [5], the wrapper boundary register is modified by inserting an extra mux in some specified cells to generate a new LFSR path. The length and degree of the LFSR are determined by the required security, but higher security incurs more penalties. There are still three attack scenarios in spite of the external and internal protection. Further, the reliability of the LFSR seed is called into doubt in [7] and [11], since non-irreducible polynomials of the LFSR may be obtained by brute-force attack. To solve this potential problem, the KATAN based wrapper adopts a challenge-response structure rather than an LFSR to verify the identity of the tester. However, a new problem is introduced by the interface between the secure chip and the test server. A man-in-the-middle attack is feasible if the attacker has physical access to the chip, so that the attacker can eavesdrop on the serial communication taking place between them. Moreover, the security of the KATAN key may be at risk, since it requires additional non-volatile memory. For this reason, a physically unclonable function (PUF) based method is proposed by the same author [12].
Although these advanced techniques still have some possible leaks to a certain degree, their advantages can be extracted and combined to produce a better method under the circumstances.
We implemented the above-mentioned techniques on the same benchmark with an identical AES core. First, the boundary or wrapper boundary cells are compared; refer to Table 2. The fake key based technique uses a standard boundary scan cell (BSC) without any modification. The KATAN based technique likewise uses a standard wrapper boundary scan cell (WBC). A standard wrapper cell may have many kinds of structures; in order to compare the two secure test wrappers properly, the golden key based method adopts a modified WBC based on the same structure with an extra mux. The result shows that the IEEE 1149.1 BSC has the least area compared to the other two techniques. From a structural point of view, the KATAN based technique may have the largest area, since an on-chip KATAN cipher block seems larger than an LFSR key embedded in the boundary register. On the contrary, the KATAN based authentication mechanism is smaller due to its light weight, being only a 32-bit cipher. Furthermore, the length of the LFSR key and of KATAN can be changed according to the expected trade-off between cost and security.
Conclusion
This paper discusses three recent secure DFT techniques for crypto cores and analyzes and compares them in several aspects, such as security, architecture, and area overhead. Both advantages and disadvantages are stated in the paper. To achieve the expected trade-off among testability, security and test cost, users can select the proper technique. Furthermore, a combination of them can be considered.
