Stream ciphers are an important class of encryption algorithms that encrypt plaintext messages one bit at a time. Various stream ciphers are deployed in wireless telecommunication applications because they have simple hardware circuitry, are generally fast, and consume very little power. On the other hand, scan-based Design-for-Test (DFT) is one of the most popular methods to test IC devices. All flip-flops in the Design Under Test are connected to one or more scan chains, and the states of the flip-flops can be scanned out through these chains. In this paper, we present an attack on stream cipher implementations that works by determining the scan chain structure of the Linear Feedback Shift Registers in those implementations. Although scan-based DFT is a powerful testing scheme, we show that it can be used to retrieve the information stored in a crypto chip, thus compromising its theoretically proven security. 
Many information-security issues in RFID systems can be solved with cryptographic technology. Among modern cryptographic technologies, stream cipher encryption is an attractive option because of its proven security, low hardware and power cost, and high efficiency. For example, the Mifare RFID chips, which are used in many mass transit systems worldwide including Boston, London, and the Netherlands, encrypt the tag ID using a stream cipher called Crypto-1 [Nohl and Plotz 2007]. However, even when stream cipher encryption is used, RFID chips may still suffer from advanced attacks. A trio of MIT students discovered security weaknesses in the Mifare card used in the Boston public transportation system and showed how to hack the RFID chip to get free subway rides [Mills 2008]. In this paper, we present a general attack that targets a group of stream ciphers, including one of the candidates of the latest ECRYPT eSTREAM project. 
INTRODUCTION
Stream ciphers are an important class of encryption algorithms. They encrypt plaintext messages one bit at a time, in contrast to block ciphers, which operate on large blocks of data. Consequently, stream ciphers have simple hardware circuitry, are generally faster, and consume very little power. Stream ciphers are deployed in applications where buffering is limited or characters are processed individually, such as wireless telecommunications. Stream ciphers have limited or no error propagation and hence are advantageous in noisy environments where transmission errors are highly probable. A stream cipher encrypts plaintext bits using a pseudorandom keystream. As shown in Figure 2(a), one bit of plaintext is combined with one bit of keystream at a time, typically by a simple XOR operation. Thus, the security of a stream cipher depends on the unpredictability of its keystream. In practice, the pseudorandom keystream is generated by the keystream generator from a user-provided secret key.
In this article we assume that the user key is preloaded into the device, which is the typical scenario in practice. The keystream generator is implemented either as a Linear Feedback Shift Register (LFSR) or by other methods such as a linear congruential generator. Due to ease of implementation, long period, and uniformly distributed

Scan-based Design-For-Test (DFT) is one of the most popular methods to test IC devices. Scan-based DFT ties all flip-flops (FFs) into one or more scan chains, and the states of the FFs can be scanned out through these chains, as shown in Figure 3. Scan-based DFT provides access to the internal state of (crypto) hardware by improving the control of internal nodes from the primary inputs and the observation of values on internal nodes at the primary outputs.
A flip-flop included in a scan chain is replaced by a scan flip-flop (a D flip-flop with a MUX at the D input). In normal mode, when the Scan Enable signal is set to 0, the scan flip-flop works like a regular D flip-flop. In test mode, when the Scan Enable signal is set to 1, the scan flip-flops are disconnected from the combinational circuit and connected as a scan chain. Now the flip-flop contents can be set to predetermined values (controllability) and the intermediate state can be scanned out (observability). Scan chains are typically inserted into the design by test synthesis tools. A scan chain is classically organized according to the physical positions of the flip-flops; as shown in this paper, connecting the flip-flops in an arbitrary order does not improve security either. During chip packaging, scan chains are either connected to the external JTAG interface for in-field debug and maintenance [Josephson and Poehlman 2001] or left unbonded to prevent access. In the former case, it is easy to compromise the secrets on the chip. In the latter case, unbonded scan chains can still be accessed [Yang et al. 2006].
While scan-based DFT improves the quality of testing, it also opens a powerful side channel to the private information stored in the design under test and hence weakens the theoretically guaranteed security of cipher algorithms [Goering 2004]. Until now, scan chains in DES and AES block cipher implementations have been exploited to leak their secret keys [Yang et al. 2005; Yang et al. 2006] as follows:
-First, the positions of the scan elements in the scan chain are determined. For this, pairs of known plaintexts that differ in a single bit position are applied in the normal mode, and then the internal state of the hardware implementation is scanned out in the test mode.
-Then the secret key is discovered. Modules in the block cipher are analyzed to identify a class of plaintexts. By applying a small number of plaintexts from this special class in the normal mode and scanning out the corresponding internal state in the test mode, the secret keys are discovered.
In this article we propose a scan-based attack on hardware implementations of LFSR-based stream ciphers that use scan-based DFT. In contrast to the scan attacks on block ciphers, the proposed scan attack on stream ciphers does not require the attacker to apply carefully designed plaintexts. It is also worth noting that hardware designers who do not realize the security implications of scan DFT may use it in security devices [Gurkaynak et al.].
We introduce the general technique to determine the scan chain structure of several types of LFSRs used in stream ciphers in Section 4, and follow it up by demonstrating the attack on six stream ciphers: DECIM [Berbain et al.], Pomaranch [Jansen et al.], A5/1, A5/2 [Erguler and Anarim 2005], W7 [Thomas et al. 2002], and LILI-II [Clark et al. 2002].
GENERAL DESCRIPTION OF THE ATTACK
We assume the attacker has physical access to the Device-Under-Attack (DUA). An attacker can temporarily access a victim's RFID tag or RFID-based toll card as shown in Figure 1, launch the attack, and return the tag or toll card without being noticed. With the obtained secret keys, the attacker can eavesdrop on the victim's communication or clone the card for unauthorized usage. Specifically, we assume that the attacker
-knows the algorithmic details of the stream cipher, since they are public;
-can run the DUA for a certain number of clock cycles in its normal mode without being noticed;
-can scan out the states of the internal registers of the DUA via the scan chains after each clock cycle;
-does not need to scan in special inputs in the test mode and does not need to apply chosen inputs to the stream cipher. This makes the proposed attack different from, and more powerful than, the one proposed in Yang et al. [2006].
After each scan-out operation, the attacker obtains a bit vector that includes all bits of the LFSRs and all bits of the architectural registers (ARs). ARs are registers that are not in the cipher specification but in the DUA implementation: a cipher specification generally defines only the algorithm, and different DUAs of the same cipher may differ in minor details, for example in the number of state registers introduced by a particular state encoding. Since the LFSRs are initialized from the secret key and an initial vector, a stream-cipher DUA can be reproduced once the initial states of all its LFSRs are recovered, even if the secret key itself is never learned. The goal of the attacker is therefore to discover the correspondence between the bits of the scan-out vector and the bits of the LFSRs in the stream cipher.
The attacker scans out the internal registers at the time when the DUA is initialized and records the scan-out vector $V_0$. Because shifting the scan chain out destroys the register contents, he then resets the DUA, clocks it for one cycle in normal mode, and records the new scan-out vector as $V_1$. The attacker repeats this procedure for a certain number of rounds (reset, clock t cycles, record $V_t$) and uses all the recorded vectors to reconstruct the state information of the DUA. This requires the DUA to traverse the same state sequence on every run, which holds as long as the preloaded key and the initial vector do not change between runs. The consequences of such an attack can be severe.
SCAN ATTACK ON LFSR-BASED STREAM CIPHERS
We describe several attacks that target general LFSR structures. The attack on a specific stream cipher is a combination of some or all of these attacks. We analyze the case where the scan-out vector consists of the bits of the LFSRs and the ARs. The states of the ARs are assumed to be random. Let N be the length of the scan-out vector and L the length of the LFSR, N ≥ L. Then N − L is the number of FFs in the ARs. The following notations are used in the article.
LFSR: Linear Feedback Shift Register
AR: Architectural Register
MNR: Maximum number of rounds needed to determine a flip-flop in a search
LBB: Left boundary bit of the discovered bits
RBB: Right boundary bit of the discovered bits
N: The length of the scan-out vector
L: The length of the LFSR
Scan Attack on External (Fibonacci) LFSR-Based Stream Ciphers
Figure 4 shows two L-bit external LFSRs with N − L bits of ARs. One LFSR has an input and the other has no input. Since the attacks on both are similar, we only illustrate the attack using the external LFSR without input. The bits in an external LFSR without input have the update functions

$S_0(t) = \bigoplus_{i=0}^{L-1} C_i\, S_i(t-1)$, and $S_i(t) = S_{i-1}(t-1)$ for $1 \le i \le L-1$,

where the feedback coefficients $C_i$ are 1 or 0 depending on the characteristic polynomial of the LFSR. The update functions show how $S_i(t)$ at clock cycle t is computed from the values at time t − 1. $S_i(t)$ is the state of the i-th stage at clock cycle t (scanned out as part of the vector $V_t$), and $S_{i-1}(t-1)$ is the state of the (i − 1)-th stage at cycle t − 1 (scanned out as part of the vector $V_{t-1}$). To discover the bit-by-bit correspondence between the scan-out vector and the flip-flops in the LFSR, the attacker randomly picks a bit X from one of the scan-out vectors and checks whether X belongs to the LFSR by performing an α-search.

The α-search is of two types. For a bit X, the left α-search looks for another bit W (the left neighbour of X) such that $W(t-1) = X(t)$ for every recorded clock cycle t; the right α-search looks for a bit Y (the right neighbour of X) such that $Y(t) = X(t-1)$ for every recorded t.
Let us consider an 8-bit external LFSR with feedback polynomial 1 + x^3 + x^8. Its update functions are $S_0(t) = S_2(t-1) \oplus S_7(t-1)$ and $S_i(t) = S_{i-1}(t-1)$ for $1 \le i \le 7$. For clarity, we assume that the bits of the scan-out vectors are in the same sequence as the bits in the LFSR, i.e., the 1st bit is $S_0$, the 8th bit is $S_7$, and the 9th and 10th bits are ARs. Hence N = 10 and L = 8. The left α-search on this example is shown in Figure 5(a), where the 9th bit of the scan-out vector is chosen as X. The attacker looks for its left neighbour W by starting with a "suspect set" that initially contains all bits except X. The attacker prunes this suspect set by eliminating those bits whose value in $V_i$ differs from the value of X in $V_{i+1}$; this is one round of checking. If the suspect set is emptied after several rounds of checking, as in Figure 5(a), the search fails to find a left neighbour and is called a miss. The attacker then randomly picks another bit and repeats the procedure. In Figure 5(b) the 8th bit ($S_7$) is chosen as X; after 7 rounds of checking only the 7th bit ($S_6$) remains in the suspect set. It is the left neighbour W of X, and the search returns a hit.
Since the bits in the LFSR are pseudorandom and the bits in the ARs are assumed random, each bit in the scan-out vector has a 50% chance of being 1 or 0. If a bit is not the W of the current X, it is called a false bit. It survives round t with probability $Pb_{W(t-1)=X(t)}$, the probability that $W(t-1) = X(t)$, so the probability of eliminating this false bit from the suspect set exactly at the n-th round equals

$\prod_{1 \le t \le n-1} Pb_{W(t-1)=X(t)} \cdot \bigl(1 - Pb_{W(n-1)=X(n)}\bigr) = 0.5^{\,n}.$

Therefore, the probability of eliminating a false bit from the suspect set after n rounds equals

$\sum_{1 \le t \le n} 0.5^{\,t} = 1 - 0.5^{\,n}.$
If the chosen X is a bit of the LFSR and has a left neighbour W with the expected update function $W(t-1) = X(t)$, its suspect set will never be emptied, because W survives every round. Otherwise, the suspect set will eventually be emptied after a certain number of rounds. Hence the attacker fixes a maximum number of rounds (MNR) and declares a hit if the suspect set contains exactly one bit after that many rounds. Given the sizes of today's LFSR-based stream ciphers, we define the MNR as the number of rounds after which more than 99.99% of the false bits are eliminated. The MNR of the α-search for this example, and for all the stream ciphers considered here, is thus 15.
A hit during a left α-search discovers two bits of the LFSR: X and its left neighbour W. A bit is the Left Boundary Bit (LBB) if its left neighbour is undiscovered. A bit is the Right Boundary Bit (RBB) if its right neighbour is undiscovered. After one successful left α-search, W is the LBB and X is the RBB. In the example of Figure 5(b), bit 7 is the LBB and bit 8 is the RBB. Repeatedly applying the left α-search on the LBB discovers the LFSR bits all the way to the leftmost bit $S_0$ (the left α-search from $S_0$ itself misses, since $S_0$ is computed from several taps). Repeatedly applying the right α-search on the RBB discovers all bits up to the rightmost bit $S_{L-1}$. At this point, the structure of the LFSR is identified. It is important to note that the SAME set of scan-out vectors can be analyzed to discover multiple bits in the LFSR. Therefore, for each stream cipher the attacker only needs to scan out MNR + 1 internal state vectors.
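The following Python program is an added worked example, not code from the paper, of the left and right α-search and of the growing procedure on the 8-bit external LFSR used above (feedback polynomial 1 + x^3 + x^8, L = 8, N = 10). Everything about the device is constructed here: the initial LFSR state (key-derived in a real DUA), the contents of the two AR flip-flops, which are given a fixed constructed toggle pattern in place of the random contents the text assumes, and the scan-chain order, which may be any permutation, to show that an arbitrary chain ordering does not hinder the attack. All function names are the example's own.

```python
"""alpha-search on scan-out vectors of the 8-bit external LFSR of the text
(feedback polynomial 1 + x^3 + x^8, L = 8, N = 10).

Added example, not code from the paper.  The initial LFSR state (key-derived
in a real DUA), the contents of the two AR flip-flops and the scan-chain
order are all constructed here.
"""

L, N = 8, 10
TAPS = (2, 7)                 # S_0(t) = S_2(t-1) XOR S_7(t-1)


def step(state):
    """One clock of the external LFSR: S_0 <- S_2 ^ S_7, S_i <- S_{i-1}."""
    fb = 0
    for i in TAPS:
        fb ^= state[i]
    return [fb] + state[:-1]


def scan_out_vectors(rounds, chain, init=(1, 0, 0, 0, 0, 0, 0, 0)):
    """V_0 .. V_rounds as the attacker records them (one fresh run per V_t).

    Scan position p holds register chain[p]; registers 0..7 are S_0..S_7 and
    8, 9 are the two AR flip-flops.  The AR contents are a constructed
    toggle pattern standing in for state the attacker does not model (the
    text treats them as random); they are not derived from the LFSR.
    """
    state, vectors = list(init), []
    for t in range(rounds + 1):
        regs = state + [t & 1, (t >> 1) & 1]
        vectors.append([regs[k] for k in chain])
        state = step(state)
    return vectors


def alpha_search(vectors, x, mnr, direction="left"):
    """Suspect-set pruning over mnr rounds.

    left : look for W with W(t-1) == X(t) for every recorded t (left neighbour)
    right: look for Y with Y(t)   == X(t-1) for every recorded t (right neighbour)
    A hit (exactly one survivor after mnr rounds) returns that scan position;
    a miss (set emptied, or still ambiguous) returns None.
    """
    suspects = set(range(len(vectors[0]))) - {x}
    for t in range(1, mnr + 1):
        a, b = (t - 1, t) if direction == "left" else (t, t - 1)
        suspects = {w for w in suspects if vectors[a][w] == vectors[b][x]}
        if not suspects:
            return None
    return suspects.pop() if len(suspects) == 1 else None


def recover_lfsr(vectors, mnr):
    """Find one left hit, then grow the segment from its LBB and RBB until
    both ends miss.  Returns the scan positions of S_0 .. S_{L-1}, or None.
    The same mnr + 1 vectors serve every search."""
    for x in range(len(vectors[0])):        # the text picks X at random
        w = alpha_search(vectors, x, mnr, "left")
        if w is not None:
            segment = [w, x]                # LBB = W, RBB = X
            break
    else:
        return None
    while True:                             # leftward until S_0 (feedback bit) misses
        w = alpha_search(vectors, segment[0], mnr, "left")
        if w is None or w in segment:
            break
        segment.insert(0, w)
    while True:                             # rightward until S_{L-1} misses
        y = alpha_search(vectors, segment[-1], mnr, "right")
        if y is None or y in segment:
            break
        segment.append(y)
    return segment


if __name__ == "__main__":
    MNR = 15
    V = scan_out_vectors(MNR, list(range(N)))      # chain order = register order
    print("left search from the 9th bit (an AR):", alpha_search(V, 8, MNR))
    print("left search from the 8th bit (S_7):  ", alpha_search(V, 7, MNR))
    print("scan positions of S_0..S_7:", recover_lfsr(V, MNR))
    chain = [3, 8, 0, 6, 9, 1, 7, 4, 2, 5]          # an arbitrary chain order
    Vp = scan_out_vectors(MNR, chain)
    print("same LFSR, arbitrary chain:", [chain[p] for p in recover_lfsr(Vp, MNR)])
```

With the chain in register order, the left search from the 9th bit (an AR) misses and the search from the 8th bit ($S_7$) hits on the 7th bit ($S_6$), as in Figure 5; the growing procedure then returns the eight scan positions in the order $S_0 \ldots S_7$ from the same 16 vectors, whatever permutation the scan chain uses. A hit is only declared when exactly one suspect survives all MNR rounds, so a still-ambiguous set is reported as a miss rather than guessed.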
Scan Attack on Internal (Galois) LFSR-Based Stream Ciphers
The structure of an internal LFSR used in some stream ciphers is shown in Figure 6. The bits in an internal LFSR have the following relations:

$S_0(t) = S_{L-1}(t-1)$, and $S_i(t) = S_{i-1}(t-1) \oplus C_i\, S_{L-1}(t-1)$ for $1 \le i \le L-1$,

where the feedback coefficients $C_i$ are 1 or 0 depending on the characteristic polynomial of the LFSR. When $C_i = 1$, $S_i(t) = S_{i-1}(t-1) \oplus S_{L-1}(t-1)$, and $S_i$ is referred to as a tap bit. When $C_i = 0$, $S_i(t) = S_{i-1}(t-1)$, and $S_i$ is referred to as a nontap bit. The nontap bits can be discovered by the α-search. Discovering and identifying the tap bits needs a new type of search, named β-search.
In the left β-search, for a selected bit X, a pair of bits (W, Z) in the scan-out vector is sought such that $X(t) = W(t-1) \oplus Z(t-1)$ for every recorded t; W is then the left neighbour of X and Z is $S_{L-1}$.

Similarly, in the right β-search, for a selected bit X, a pair of bits (W, Z) in the scan-out vector is sought such that $W(t) = X(t-1) \oplus Z(t-1)$ for every recorded t; W is then the right neighbour of X and Z is $S_{L-1}$.
The β-search is based on the observation that, for a tap bit, $S_i(t) = S_{i-1}(t-1)$ when $S_{L-1}(t-1) = 0$ and $S_i(t) = \overline{S_{i-1}(t-1)}$ when $S_{L-1}(t-1) = 1$. For the first β-search, the attacker has to guess two bits, the neighbour bit of X and $S_{L-1}$. The number of possible 2-tuples for bit X is P(U, 2) = U(U − 1), where U is the number of undiscovered bits in the LFSR. However, once the first β-search returns a hit, bit $S_{L-1}$ is identified. To discover the remaining tap bits using β-search, the attacker then needs to guess only one bit, which reduces the suspect set of 2-tuples to P(U, 1) = U. The probability of eliminating a false 2-tuple from the suspect set at the n-th round equals $0.5^{\,n}$, exactly as for a false bit in the α-search, because a false 2-tuple satisfies the relation with probability 0.5 in each round.
More than 99.99% of the false 2-tuples are eliminated from the suspect set in 15 rounds (MNR). The attack procedure that combines α- and β-searches is as follows:
(1) The attacker randomly picks a bit and applies the α-leftward-search. If the search returns a miss, the attacker randomly picks another bit and continues with α-leftward-searches until he gets a hit. The hit discovers a nontap bit and its left neighbour, which are the RBB and LBB of the discovered bits respectively.
(2) The attacker applies the α-leftward-search on the LBB and the α-rightward-search on the RBB. This step is repeated to grow the discovered section until either the whole LFSR is discovered (LBB = RBB) or both the leftward and the rightward searches return misses. The latter case indicates that the attacker has reached tap bits.
(3) The attacker applies the β-leftward-search on the LBB and the β-rightward-search on the RBB to locate the left neighbour of the LBB and the right neighbour of the RBB, which become the new LBB and RBB respectively. Then go to step (2). Steps (2) and (3) are repeated until all the bits in the LFSR are discovered. Since the first β-search identifies bit $S_{L-1}$, this bit can be used to identify all the other tap bits in this LFSR.
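As an added example (again not the paper's code), the program below carries steps (1) to (3) through on a constructed 8-bit internal LFSR with tap bits $S_2$, $S_3$, $S_4$ (characteristic polynomial x^8 + x^4 + x^3 + x^2 + 1, which is primitive, so every nonzero state has period 255) and two AR flip-flops with a constructed content pattern; the initial state and the scan-chain order are constructed as well, and the function names are the example's own. It goes beyond the text in two respects. First, since XOR is commutative, both orderings (W, Z) and (Z, W) of the true pair survive the first β-search, so the code tells $S_{L-1}$ apart from the neighbour W by checking which of the two still has an α right-neighbour ($S_0$ always follows $S_{L-1}$, whereas the bit after W is the tap bit X); this disambiguation is the example's own addition. Second, because the relations of an internal LFSR close into a ring (the α-leftward-search from $S_0$ finds $S_{L-1}$), the example grows the discovered segment leftward only, until the LBB meets the RBB, and then rotates the ring so that it starts at $S_0$.

```python
"""alpha/beta-search procedure on an 8-bit internal (Galois) LFSR.

Added example, not the paper's code.  The LFSR (taps S_2, S_3, S_4, i.e.
x^8 + x^4 + x^3 + x^2 + 1), its initial state, the two AR flip-flops and the
scan-chain order are all constructed here.
"""

L, N = 8, 10
TAPS = (2, 3, 4)            # C_2 = C_3 = C_4 = 1, every other C_i = 0


def step(state):
    """One clock: S_0 <- S_7; S_i <- S_{i-1} XOR (C_i AND S_7)."""
    fb = state[L - 1]
    new = [fb] + state[:-1]
    for i in TAPS:
        new[i] ^= fb
    return new


def scan_out_vectors(rounds, chain, init=(1, 0, 0, 0, 0, 0, 0, 0)):
    """V_0 .. V_rounds; scan position p holds register chain[p]
    (0..7 = S_0..S_7, 8..9 = AR_0, AR_1 with a constructed toggle pattern)."""
    state, vectors = list(init), []
    for t in range(rounds + 1):
        regs = state + [t & 1, (t >> 1) & 1]
        vectors.append([regs[k] for k in chain])
        state = step(state)
    return vectors


def alpha_search(vectors, x, mnr, direction="left"):
    """Left: W(t-1) = X(t); right: Y(t) = X(t-1).  Hit -> position, miss -> None."""
    suspects = set(range(len(vectors[0]))) - {x}
    for t in range(1, mnr + 1):
        a, b = (t - 1, t) if direction == "left" else (t, t - 1)
        suspects = {w for w in suspects if vectors[a][w] == vectors[b][x]}
        if not suspects:
            return None
    return suspects.pop() if len(suspects) == 1 else None


def beta_left_search(vectors, x, mnr, z=None):
    """Left beta-search: X(t) = W(t-1) XOR Z(t-1) for every recorded t.

    With Z unknown the suspects are the P(U,2) ordered pairs; once S_{L-1}
    is known (z given) only W is guessed.  Returns (w, z) or (None, z).
    """
    others = [b for b in range(len(vectors[0])) if b != x]
    if z is None:
        suspects = {(w, zz) for w in others for zz in others if w != zz}
    else:
        suspects = {(w, z) for w in others if w != z}
    for t in range(1, mnr + 1):
        suspects = {(w, zz) for (w, zz) in suspects
                    if vectors[t][x] == vectors[t - 1][w] ^ vectors[t - 1][zz]}
        if not suspects:
            return None, z
    if z is not None:
        return (suspects.pop()[0], z) if len(suspects) == 1 else (None, z)
    pairs = {frozenset(p) for p in suspects}      # (a,b) and (b,a) both survive
    if len(pairs) != 1:
        return None, None
    a, b = tuple(pairs.pop())
    # Example's own disambiguation: S_{L-1} is followed by S_0, so it has an
    # alpha right-neighbour; W is followed by the tap bit X, so it has none.
    for cand, other in ((a, b), (b, a)):
        if alpha_search(vectors, cand, mnr, "right") is not None:
            return other, cand
    return None, None


def recover_galois_lfsr(vectors, mnr):
    """Steps (1)-(3): find an alpha hit, then grow leftward with alpha- and
    beta-searches until the ring closes (LBB = RBB).  Returns the scan
    positions of S_0 .. S_{L-1}, or None."""
    for x in range(len(vectors[0])):
        w = alpha_search(vectors, x, mnr)
        if w is not None:
            ring = [w, x]                        # LBB, RBB
            break
    else:
        return None
    z = None
    while True:
        w = alpha_search(vectors, ring[0], mnr)  # nontap bit: alpha
        if w is None:                            # tap bit: beta
            w, z = beta_left_search(vectors, ring[0], mnr, z)
            if w is None:
                return None
        if w in ring:                            # LBB reached RBB
            break
        ring.insert(0, w)
    if z is None:
        return None
    k = ring.index(z)                            # S_0 follows S_{L-1} in the ring
    return ring[k + 1:] + ring[:k + 1]


if __name__ == "__main__":
    V = scan_out_vectors(15, list(range(N)))
    print("alpha left from S_4 (tap):", alpha_search(V, 4, 15))
    print("beta left from S_4, S_7 unknown:", beta_left_search(V, 4, 15))
    print("recovered S_0..S_7:", recover_galois_lfsr(V, 15))
```

On these vectors the α-leftward-search from $S_4$ misses, the first β-search from it returns $W = S_3$ and $Z = S_7$, the later tap bits $S_3$ and $S_2$ are resolved with $S_7$ fixed (a single-bit suspect set), and the recovered ring rotated to start after $S_7$ is $S_0 \ldots S_7$ in order, for the identity chain order as well as for an arbitrary permutation of it.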
Scan Attack on Internal LFSRs with Inputs
An internal LFSR with input is the same as the one shown in Figure 6, except that $S_{L-1}$ is XORed with the input before being fed back to the previous stages. The bits have the following relations, where In stands for the input:

$S_0(t) = S_{L-1}(t-1) \oplus In$, and $S_i(t) = S_{i-1}(t-1) \oplus C_i\,\bigl(S_{L-1}(t-1) \oplus In\bigr)$ for $1 \le i \le L-1$,

where the feedback coefficients $C_i$ are 1 or 0 depending on the characteristic polynomial of the LFSR. When $C_i = 0$, no feedback is involved and $S_i(t) = S_{i-1}(t-1)$ ($1 \le i \le L-1$). These nontap bits can be discovered by α-searches. When $C_i = 1$, $S_i(t) = S_{i-1}(t-1) \oplus S_{L-1}(t-1) \oplus In$. Determining these tap bits, however, requires extra effort, since In is not accessible to the attacker. The attacker therefore considers two tap positions at the same time: the LBB $S_i$, whose left neighbour $S_{i-1}$ is undiscovered, and the RBB $S_j$, whose right neighbour $S_{j+1}$ is undiscovered. Since both tap updates contain the same unknown term $S_{L-1}(t-1) \oplus In$, XORing them cancels it (the relation follows directly from the two tap-bit update functions above):

$S_i(t) \oplus S_{j+1}(t) = S_{i-1}(t-1) \oplus S_j(t-1).$

A new γ-search for such a discovery is defined as follows. γ-search: Given a pair of discovered bits X (the LBB) and F (the RBB), this search looks for a 2-tuple (W, G) of undiscovered bits, W the left neighbour of X and G the right neighbour of F, such that $X(t) \oplus G(t) = W(t-1) \oplus F(t-1)$ for every recorded t.

Y. Liu et al., Fig. 7. A jump cell.
The attacker has to guess two bits, W and G; therefore the suspect set of 2-tuples for the bits X and F is P(U, 2), where U is the number of undiscovered bits. The probability of eliminating a false 2-tuple from the suspect set at the n-th round is again $0.5^{\,n}$.
More than 99.99% of the false 2-tuples can be eliminated in 15 rounds (MNR). The attack procedure combining the α- and γ-searches is similar to the one combining the α- and β-searches; just replace β with γ in step (3).
Scan Attack on LFSRs with Jump Registers
A modified jump cell has been proposed in Jansen [2004] to replace the normal register cell used in LFSRs. Figure 7 shows a register cell that can work in two modes controlled by the Jump Control switch. When the switch is open, it works as a normal register cell; when the switch is closed, it works as a jump cell. Clocking an LFSR built from normal cells J times produces the same result as clocking the same LFSR built from jump cells once. J is the jump index derived from the characteristic polynomial.
Attacking an LFSR using jump cells does not require any new type of search. However, the number of rounds needed to eliminate a bit/tuple from the suspect set increases. The bits in an external LFSR using jump cells have the following relations, where JC stands for Jump Control (JC = 1 when the switch is closed):

$S_i(t) = S_{i-1}(t-1) \oplus \bigl(JC \cdot S_i(t-1)\bigr)$ for $1 \le i \le L-1$,

i.e., in jump mode every cell XORs its own previous content into its input (the same applies to the feedback stage $S_0$, with its feedback sum in place of $S_{i-1}(t-1)$). Observe that when $S_i(t-1) = 0$, $S_i(t) = S_{i-1}(t-1)$ regardless of JC. The jump version of the α-search defined below can discover the bits in an external LFSR using jump cells:
α-leftward-search-J: Given a bit X, it looks for another bit W such that $W(t-1) = X(t)$ in every recorded cycle t with $X(t-1) = 0$.
α-rightward-search-J: Given a bit X, it looks for another bit Y such that $Y(t) = X(t-1)$ in every recorded cycle t with $Y(t-1) = 0$.
The probability of eliminating a false bit from the suspect set at the n-th round is $0.75^{\,n-1} \times 0.25$: a round is informative only when the selected bit was 0 in the previous cycle (probability 0.5), and an informative round eliminates a false bit with probability 0.5, so a false bit survives each round with probability 0.75. After n rounds the probability of elimination is $1 - 0.75^{\,n}$, and more than 99.99% of the false bits are eliminated within 33 rounds (MNR). The MNR needed to eliminate more than 99.99% of the bits/tuples from the suspect set is thus roughly doubled. The attack procedure for LFSRs using normal cells can also be applied to LFSRs using jump cells.
Scan Attack on Irregular Clock-Controlled LFSRs
Irregularly stepping an LFSR through its successive states is a method to increase the linear complexity of the LFSR while preserving a large period and good statistical properties. Stream ciphers based on regularly clocked LFSRs are susceptible to basic and fast correlation attacks [Goering 2004; Siegenthaler 1985]. Irregular clocking limits the possibilities for mounting classical correlation attacks.
For devices using irregularly clocked LFSRs, consecutive scan-out vectors may be partly or completely the same. These redundant vectors should be discarded. To determine whether a vector is redundant, the attacker checks whether the bits of interest to the search (i.e., (X, W) in an α-search, (X, W, Z) in a β-search, and (X, W, F, G) in a γ-search) differ from the corresponding bits in the previous vector. The MNR needed to eliminate the bits/tuples from a suspect set increases inversely with the probability of the LFSR being clocked in a cycle.
Scan Attacks on Stream Ciphers with Multiple LFSRs
Most LFSR-based stream ciphers use more than one LFSR. To determine the scan chain structure, we need to locate all the LFSRs. Therefore, we need to establish a one to one correspondence between the LFSRs discovered and the LFSRs in the cipher. If the LFSRs have different lengths, we can easily get the mapping. If the LFSRs have the same length, we can still map them according to their unique feedback functions.
PUTTING IT ALL TOGETHER: ATTACKS ON SELECTED LFSR-BASED STREAM CIPHERS

DECIM
DECIM is a stream cipher submitted to the ECRYPT eSTREAM project [eStream]. It uses an 80-bit key, a 64-bit IV, and a 192-bit external LFSR. The keystream generation mechanism is shown in Figure 8. The bits of the external LFSR are numbered from 0 to 191. The Boolean function f is a 13-variable quadratic symmetric function. ABSG is an irregular decimation mechanism. DECIM uses a 32-bit key buffer to maintain a constant keystream throughput. The LFSR is regularly clocked.
The α-search is sufficient to attack DECIM. While we estimate that MNR = 15 is sufficient for an α-search, we use MNR = 17 in our simulations to ensure a high level of confidence. The total number of comparisons performed is 17 × N = 17 × 228 = 3876. 
A5/1
A5/1 is a stream cipher used to encrypt over-the-air transmissions in the GSM standard. A GSM conversation is transmitted as a sequence of 228-bit frames (114 bits in each direction) every 4.6 milliseconds. To ensure privacy, each frame is XORed with a 228-bit keystream produced by A5/1. As shown in Figure 9, the A5/1 cipher uses three external LFSRs, R1, R2, and R3, of lengths 19, 22, and 23 bits respectively. At each cycle after the initialization phase, the leftmost bits of the LFSRs are XORed to produce one keystream bit. The three LFSRs are irregularly clocked depending on the output of a majority function M. M computes the majority of $S_8$ of R1, $S_{10}$ of R2, and $S_{10}$ of R3. An LFSR shifts only when the state of its selected bit equals M.
To attack A5/1, we apply α-searches to determine the three register segments and then tell them apart by their lengths. Because the three registers are irregularly clocked, a larger MNR is needed than for a regularly clocked LFSR: the number of vectors used in our simulation is 32 (i.e., MNR = 31), and the total number of comparisons is about 31 × N = 31 × 64 = 1984.
A5/2
A5/2 is a stream cipher used to provide voice privacy in the GSM cellular telephone protocol. A5/2 uses four external LFSRs, R1, R2, R3, and R4, of lengths 19, 22, 23, and 17 bits respectively, as shown in Figure 10. The clocking of R1, R2, and R3 is controlled by R4, and R4 is regularly clocked in each clock cycle. A majority function is attached to each of R1, R2, and R3 and outputs the majority of three selected bits of that LFSR. The outputs of all the majority functions and the rightmost bit of each register are XORed to produce the output.
The procedure to attack A5/2 is basically the same as that for A5/1. The number of scan-out vectors used in our simulation is 42 (i.e., MNR = 41), and the total number of comparisons is approximately 41 × 81 = 3321.
W7
W7 is a synchronous stream cipher optimized for efficient hardware implementation [Thomas and Anthony 2002]. The W7 cipher contains eight similar modules, each of which consists of three external LFSRs and one majority function, as shown in Figure 11. The majority function in a module controls the clocking of the LFSRs in that module, and the clocking principle is the same as that of A5/1. The outputs of all modules compose one byte of the keystream.
Since all the LFSRs are external, applying the α-search is sufficient to discover the bits of all the LFSRs. The identity of an LFSR can be told by matching the unique lengths and feedback functions of the discovered LFSRs. The MNR used in our simulation is 83, and the total number of comparisons is 83 × N = 83 × 1024 = 84992.
LILI II
LILI-II is a simple and fast stream cipher that uses two internal LFSRs. As shown in Figure 12, LILI-II has two subsystems: one subsystem generates an irregular clock to control the other subsystem, which produces the keystream. The LFSR in the clock-control subsystem is regularly clocked. The function Fc takes the first bit $S_0$ and the 127th bit $S_{126}$ of that LFSR and computes Fc = 2$S_0$ + $S_{126}$ + 1. Since the output of Fc can be 1, 2, 3, or 4, the LFSR in the keystream generation subsystem is clocked 1, 2, 3, or 4 times respectively between two consecutive keystream bits.
Since both LFSRs are internal, applying the α-search and the β-search discovers all bits. The identities of the two LFSRs can be told by matching their lengths. The MNR used in our simulation is 62, and the number of comparisons is 62 × N = 62 × 255 = 15810. 
Pomaranch
The keystream generator in Pomaranch is called the cascade jump controlled sequence generator and consists of 9 modules, as shown in Figure 13(a). Each module has an 18-bit shift register using F and S cells, as shown in Figure 13. The attack proceeds as follows:
(1) Discover the 9 LFSRs by applying the jump version of the α-search.
(2) Identify whether a discovered LFSR belongs to an odd module or an even module by matching its feedback function.
(3) Since the $JC_i$ of the first module is always 0, it matches the discovered LFSR whose F and S cells never switch modes.
(4) For the remaining modules, the cell working modes depend on the $JC_i$ of the module, which in turn depends on the LFSR and the 16-bit key used by the previous module. Since the LFSR of the first module is identified in step (3), we can guess $JC_i$ by simulating every possible 16-bit key (from 0x0000 up to 0xFFFF) and checking whether it agrees with the cell working modes of any discovered LFSR that belongs to an even module.
(5) Repeat step (4) to attack the remaining modules.
Overall, the MNR used in our simulation is 42 and the total number of comparisons is 42 × N = 42 × 162 = 6804. Table I summarizes the simulation results for all the ciphers we attack. Note that the number of scan-out vectors needed to launch such a scan-based attack is just MNR + 1. The total number of comparisons equals MNR × N, which takes negligible time on a modern computer.
THE STATE-OF-THE-ART COUNTERMEASURES
Not all DFT techniques introduce security vulnerabilities. For example, in large chips and processors with tens of thousands of flip-flops, test data is typically compressed on chip. This adds a layer of protection that prevents the attacker from recovering the bit-by-bit contents of the scan chains; the attacker would have to work on compressed scan-out vectors. However, in embedded processors and crypto accelerators used in low-end smart cards, test data is not compressed, owing to the limited number of flip-flops. With debug becoming mandatory, test inputs and test outputs are not compressed even in some large processors [Josephson and Poehlman 2001]. Therefore, a countermeasure that ensures security while maintaining testability is of great interest. However, the state-of-the-art countermeasures either bring additional security concerns or are not cost-effective when stream ciphers are considered, as we explain below.
The first countermeasure against scan-based attacks is a scan-chain scrambling technique [Hély et al. 2004] . The scrambling technique partitions a scan chain into multiple segments. The connections between segments are via MUXs and can be altered by giving different control signals to these MUXs. If a tester fails authentication, the segments will be connected in an unpredictable way so that the bits in a scan-out vector do not correspond to the bits in a different scan-out vector. Clearly, the effectiveness of such technique relies on the effectiveness of tester authentication. However, this important issue is not addressed by the authors.
Another authentication-based secure-scan architecture called "Lock & Key" is proposed in Lee et al. [2005]. Similar to the scan-scrambling technique, the "Lock & Key" technique also partitions the scan chains into multiple equal-length segments. The test security controller examines the test key that is input through the scan path. If the provided key passes the authentication, the LFSR in the controller is seeded with the seed provided by the tester, so the scan in/out operation is predictable. Otherwise, the LFSR is seeded randomly and the scan operation is not predictable. Another secure-scan architecture called LCSS is proposed in Lee et al. [2006]. LCSS is again an authentication-based technique. The Key Checking Logic (KCL), which is a K-input, 1-output combinational logic block, examines the key provided through the scan path and zeroes out the scan-out vectors if an invalid key is detected. It can be seen that the security of both techniques depends on the secrecy of the test key. Since all chips produced in a batch share the same test key, keeping the test key private among different consumers is a significant security concern, especially since chip fabrication is usually outsourced to a third-party foundry nowadays. A remedy is to implement the key checking circuit in reconfigurable logic and allow end users to reconfigure the test keys. But the significant cost at both the manufacturing phase and runtime conflicts with the primary reason to use stream ciphers, namely efficiency and low cost.
A secure scan architecture that does not depend on tester authentication is shown in Figure 14 [Yang et al. 2006]. The private key used by the crypto core is stored in the KEY register, which does not join any scan chain. This technique defines two modes for the CUT: Secure mode and Insecure mode. In Insecure mode, the tester can scan any key into the Mirror Key Register (MKR) for the purpose of testing or debugging. The real private key is not involved in Insecure mode, so scanning out the internal registers does not leak its secret. In Secure mode, the private key stored in the KEY register is loaded into the Mirror Key Register for normal operation. A transition from Secure mode to Insecure mode is always followed by a global reset. However, when a stream cipher is deployed, the initial state of the LFSRs is the secret, so employing a Mirror Key Register essentially doubles the number of FFs in the circuit. 
CONCLUSION
In this article we propose a new scan attack that targets a group of LFSR-based stream ciphers. The attack analyzes the scan-out vectors to discover the internal states of the DUA. The number of scan-out vectors required is less than 20 for some ciphers and less than 100 for all the ciphers attacked in this paper. The CPU time for processing the vectors and identifying the bits of the LFSRs is negligible. With knowledge of the LFSR states of a stream cipher device, an attacker can clone an authentication device, eavesdrop on a private conversation, etc. The state-of-the-art countermeasures either bring additional security concerns or are not cost-effective when stream ciphers are considered. This calls for new cost-effective secure scan architectures for stream ciphers. If a cost-effective secure scan architecture or built-in self-test is used, this attack will not succeed.
