Abstract-Scan based Design for Test (DfT) schemes have been in wide use to increase the testability of digital circuits. The main objective is to ensure that nodes in the Circuit Under Test (CUT) are controllable and observable. While such comprehensive access is highly desirable for testing, it is not acceptable for secure chips as it is subject to exploitation. In this work, a new method is presented to protect the sensitive information from attackers using scan chains. The access through the scan chain to the circuit containing the secret information has been severely limited to reduce the risk of a scan-based attack. To ensure the testability of the circuit, a built-in self-test utilizing an LFSR is considered. The proposed scheme can be used as countermeasure against side channel attacks with a low area overhead as compared to the reported solutions.
INTRODUCTION
Scan based test methodology is the dominant method to test digital circuit. It provides strong observability and controllability to test the Circuit Under Test (CUT). While scan chains are invaluable for testing, they are desired for secure chips. Scan chains can be exploited for cryptanalysis as they grant access to the internal nodes of the CUT [1] . They are also susceptible to differential power analysis [2] , timing analysis [3] , fault injection attacks [4, 5] . Scan chains have been used successfully to attack chips implementing the cryptographic algorithms such as RC4 stream cipher and AES block cipher [6] . There is a tradeoff, which needs to be maintained between security and testability. The work carried out by Yang et al. discusses how scan chains can be used to retrieve the secret key of the crypto chips even when the register containing the secret key is not included in the crypto chip [7] . Scan chains in [8] have been used from the perspective of Physically Unclonable Function (PUF). They have exploited the intrinsic characteristics of the scan based testing in the domain of PUF. Yu Zheng et.al [9] [10] have discussed how scan chains can be used from the PUF paradigm to obtain a large number of unique signatures. However, once the chip is authenticated, scan chains can be utilized to attack as discussed in the following ways. First, an attacker tries to determine the position of the critical registers by applying known test vectors at the primary input while the chip is in the functional mode. Once the data is fed into the registers, the chip is forced to enter the test mode and the responses are scanned out. These steps are repeated until there are enough data to build a model. By determining the target registers, secret information can be discovered for the cryptographic chips. In another approach, attackers first determine the position of the critical registers; once defined, inputs are applied in the test mode. Afterwards, by switching to the functional mode the responses are scanned out. Similarly, once enough responses are gathered the chip secret information can be easily be unfolded.
Solutions have been proposed to develop Built-in Self-Test (BIST) as means for Design-for-Test (DfT) [11] but the fault coverage provided by BIST is not as good as that coverage provided by scan based test methods. Hybrid designs have also been proposed in which some parts use BIST and the critical parts utilize scan chains [12] . Yang et al. [7, 13] have discussed an attack with Advanced Encryption Standard (AES) hardware implementation in which scan chains have been used as the tool for the information leakage and the recovery of the crypto key. To mitigate this problem, the authors have introduced a mirror key register for the insecure mode during the test phase the testing. The authors have discussed that even if the key register is not directly scannable, still enough information can be captured by scan chains to extract the key. Hely et.al. [14] have analyzed scan chains based on the assumption that static assignment of registers of the scan chain is risky and can be used to extract the key information. They have introduced the scan chain scrambling technique i.e. for authorized users, the register assignment is static and a key is provided, but for unauthorized users, the assignment becomes semi random. Lee et.al. [15] have presented lock and key technique to mitigate the problem of scan based controllability/observability attack, which arises from the fact that test vectors can be fed directly to determine internal states of the secure circuit. To solve this problem, they have used small chains of Linear Feedback Shift Register (LFSR) to input test vectors. A right test key is needed to enter from insecure to secure mode. A low cost secure scan chain (LCCS) for the intellectual property information has been proposed in [16] . In this work, dummy D flip-flops are added to the scan chains. During the test phase, the key is integrated with respect to the position of the dummy flip-flops. If the correct key is not integrated, an incorrect response will be scanned out. The right test key needs to be entered to dummy flip-flops; otherwise, the circuit gives uncertain responses. Ryuta Nara et.al. [17] have proposed a scan architecture, which changes dynamically based on the states of the flip-flops.
In the proposed method in this work, a direct access through scan chain to the secure circuit is not provided. This will limit the opportunities to use scan chains to plan attacks to 978-1-4799-5341-7/16/$31.00 ©2016 IEEE extract the secret information. However, without direct access through the scan chain the testability can be a major concern. A built-in self-test (BIST) method is developed to address this issue. In the proposed method, the secret code or the key is held by an array of flip-flops, which is not accessible by the scan chains. An LFSR containing three flip-flops is used to generate the test pattern for the secure circuit. The proposed method provides minimum access to the scan chain while addressing the testability issue.
II. SCAN BASED ATTACKS
Scan chains are designed for full access to the circuit-under-test through test access port to apply test patterns to CUT in the test phase. The responses obtained from CUT are also captured by the scan chain for evaluation. To counter the steps involved in the scan-based attack, and make the data obtained from scan chain unusable a method is proposed in [6] 
III. PROPOSED METHOD
In the proposed method, the secret code is generated by an array of flip-flops, which can be used for encryption or identification as shown in Fig. 2 . The flip-flops are hardwired to generate the secret code at the power on state. To protect the secret code against scan-based attack, the direct access to the flip-flops has not been provided in the test mode. Instead, a built-in self-test method is implemented to test the circuit. There are two modes of operation (a) safe mode or secure mode and (b) test scan mode or insecure mode. In the safe mode as shown in Fig 2, the key is generated by the circuit and it can be used for the purpose of encryption or identification. When the operation mode changes from the secure mode to the insecure mode, the following operations takes place to protect the key from unauthorized access through the scan chain. a) A reset signal is applied to the array of the flip-flops containing the secret key to clear the content of all flipflops. b) The first three flip-flops are converted to a 3-bit LFSR to act as an Automatic Test Pattern Generator (ATPG) for the array of flip-flops configured as a shift register in this mode. c) The access to the output of the shift register is granted to the scan-chain. This will allow the scan chain to capture the data and perform a response evaluation operation. d) The data captured by the scan chain is compared against the response of a fault free circuit to determine if the circuit generating the secret key is fault-free or faulty.
It is not need to power-off the circuit to switch from secure mode to insecure since a reset signal is applied to the flip-flops when the operation mode changes. The proposed architecture in the test mode is shown in Fig. 3 . In the test mode, the test pattern is generated by the LFSR and applied to the array of flip-flops configured as a shift register. The length of the key is determined by number of D flip-flops implemented for the required purpose of operation. As compared to existing solutions in the literature [6, 13] , for the proposed solution no separate registers are needed thus reducing the area overhead. A fault in the circuit generating the secret code changes the output data captured by the scan chain. During the transition from secure mode to the insecure mode, a reset pulse is generated by the circuit shown in Fig. 5 to clear the contents of the flip-flops. This will prevent attackers from access to the key through shifting the data right after changing the mode of operation.
To address the testability issue for the key generating circuit a Built-in Self-Test (BIST) is developed as shown in Fig 4a. In the test mode all flip-flops are connected to form a shift register. The first three flip-flops are configured as an LFSR in this mode, which generates a pattern represented by the following equation.
The pattern generated by the LFSR is applied to the rest of the flip-flops and the response the last flip-flop in the shift-register is captured by the scan chain for evaluation. The test pattern generated by the LFSR is shown in Fig. 4b . It can cover all stuck-at faults since the output of each flip-flop has to switch from high-to-low and low-to-high. It can also be used to cover delay faults due to the successive transitions between the adjacent test patterns. A fault in the circuit generating the secret code changes the output data captured by the scan chain. To support the proposed architecture, one state can be added to the IEEE 1149.1 boundary scan architecture as shown in the Fig. 6 . The states of Test Access Port (TAP) controller will include an extra state to support the secure mode. As the Test Mode Select (TMS) switches to the high level, it enters the safe mode and remains in this mode as long as the TMS is high. In this state, the N-bit secret key loads while the access to the main scan chain is disabled. As soon as the TMS switches to low, it will change the state and enter the scan mode. Prior to the switching to the scan mode, the control circuit will generate a pulse to reset the flip-flops.
IV. SIMULATION RESULTS
The proposed secure architecture was implemented in Cadence environment using CMOS 65nm technology to determine the area overhead. The results are compared with existing solution in [16] for evaluation. The effect of number of bits in the secret code, on the area overhead has also been determined. The layout of the key generating circuit for 128-bit key is shown in number of bit for instance the area occupied by 256-bit key is almost double the area overhead of 128-bit key.
V. CONCLUSIONS
Scan flip-flops provide an ideal platform to plan various types of attacks against secure chips. There is dilemma between testability and security. A fully testable circuit may not be secure as the access to observe and control all circuit nodes are granted to the tester. On the other hand, a completely secure chip may not be testable due to restricted access to the circuit. In this work, a built-in self-test solution is proposed to test the secure circuit while limiting the access to the circuit through the scan chain. The proposed scheme operates in two operation modes of (a) secure mode and (b) test mode. In the secure mode, the circuit is completely isolated from the scan chain and in the test mode, an LFSR generates test patterns to test the secure circuit. Simulation results in Cadence environment indicate, that the area overhead of the proposed method is much lower than reported solutions in the literature. 
