Академический Документы
Профессиональный Документы
Культура Документы
Abstract—Growing reverse-engineering attempts to steal or semiconductor production flow, including design and manu-
violate a design intellectual property (IP), or to identify the device facturing processes, makes integrated circuits (ICs) especially
technology in order to counterfeit integrated circuits (ICs), raise vulnerable to malicious activities and alterations. Reverse
serious concerns in the IC design community. As the information
derived from these practices can be used in a number of mali- engineering [29], IP piracy [24], IC overbuilding [23], or
cious ways, various active techniques have been proposed and repacking of old ICs [23] have quickly become serious chal-
deployed to protect IP, of which logic locking is a vital part. It lenges for the IC supply chain. The motivation for reverse
allows inserting certain gates in a circuit’s data path to lock out- engineering, for example, can be IP theft, IC cloning, or
puts to fixed logic values, if a wrong unlocking key is applied. This secret information disclosure. IC reverse engineering identi-
paper demonstrates that test points—industry-proven design-for-
test technology used primarily to enhance the overall design fies the device technology, structure, and/or its functional-
testability–can also be reused in the mission mode to lock the cir- ity. The objective of the attacker is to successfully recover
cuit, and thus to improve the hardware security against IP piracy. a design structure by means of destructive or nondestructive
In particular, it is shown that test points can facilitate the hiding methods [29]. Once the IP netlist is known, it can be ille-
of design functionality from adversaries. As a result, not only gally sold or used to design other ICs (IC piracy). Also,
is the overall design testability improved, but also effective pro-
tection against piracy through unauthorized excess production one can reuse the components extracted from competing
and other forms of IP theft is ensured. Experimental results on products, thus revealing trade secrets. Due to these harm-
industrial designs with test points demonstrate that the proposed ful effects, a pure social loss, and the cost of combating IC
scheme is effective in achieving a desired degree of hardware counterfeiting and piracy, reverse engineering is considered
obfuscation. to be one of the most serious threats to the semiconductor
Index Terms—Design for testability, embedded test, hardware industry.
security, logic locking, scan-based testing, test points. Since enforcement of IP rights significantly varies from
one part of the globe to another, IP protection cannot be
just confined to patents, copyrights, or watermarks. On the
contrary, various active defense methods have been recently
I. I NTRODUCTION deployed to hinder reverse engineering and to prevent IP
S REPORTED in [34], the global value of counterfeit infringements. For instance, camouflaging [20] hampers the
A goods for G20 nations can be now in excess of U.S.
$1.7 trillion, and that eliminates or replaces 2.5 million jobs
image processing-based extraction of gate-level netlist by con-
cealing some gates [5] or introducing dummy contacts into
that would otherwise be deployed for legitimate goods. The the layout [2]. Another technique to impede IP piracy is logic
European Union (EU) experienced a tripling in the number locking [23]. The additional encryption blocks (also known
of intellectual property (IP) infringing goods detained at the as key gates)—typically XOR gates [24], multiplexers [19], or
EU borders between 2005 and 2013. In 2013 alone, almost memory elements—are inserted in certain IC locations in order
87 000 detention cases were registered by customs, involv- to hide functionality and implementation. Clearly, a design
ing almost 36 million detained articles, the value of which will function properly only if a correct key drives all key
is estimated to be nearly A C800 million. Globalization of the gates. Physical unclonable functions (PUFs) [11], originally
proposed to secure designs through a resilient authentication
Manuscript received July 8, 2017; revised September 26, 2017 and based on intrinsic semiconductor process variability, can be
December 5, 2017; accepted January 12, 2018. Date of publication also used to guide the locking method, as shown in [34].
February 2, 2018; date of current version November 20, 2018. The work
of J. Tyszer and J. Zawada was supported by the Polish Ministry of Science Unfortunately, on-chip storage of various data, including secret
and Higher Education under Grant DS-8133/18. This paper was recommended information, is inherently prone to several attacks, including
by Associate Editor S. Bhunia. (Corresponding author: Jerzy Tyszer.) side-channel analysis, imaging, fault analysis, and Boolean
M. Chen, E. Moghaddam, N. Mukherjee, and J. Rajski are with
the Mentor—a Siemens Business, Wilsonville, OR 97070 USA satisfiability-based (SAT) techniques [23]. Furthermore, the
(e-mail: michael_chen@mentor.com; elham_moghaddam@mentor.com; ability to hide logic circuit’s functionality carries major impli-
nilanjan_mukherjee@mentor.com; janusz_rajski@mentor.com). cations. When trying to lock design logic, one may introduce
J. Tyszer and J. Zawada are with the Faculty of Electronics and
Telecommunications, Poznań University of Technology, 60-965 Poznań, unacceptable area, performance, and power overheads. A com-
Poland (e-mail: jerzy.tyszer@put.poznan.pl; justyna.j.zawada@ prehensive survey of hardware protection techniques can be
doctorate.put.poznan.pl). found, for example, in [7].
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org. On-chip IP can also be compromised by another form of
Digital Object Identifier 10.1109/TCAD.2018.2801240 vulnerability. It is directly related to structural testing of ICs,
0278-0070 c 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS 3021
and, in particular, to design-for-test (DFT) schemes that may perform correct functional operations. In this paper, we assume
expose designs to security threats [6]. While DFT aims at the following threat models [23].
improving controllability and observability of circuit internal 1) The attacker in the integration house may pirate the
nodes, design for security (DFS) pursues restraining access third-party IP (3PIP) or use more than the licensed
to chip internal structures and their proprietary extensions. number of 3PIP instances.
Consequently, IC designers face real challenges as far as trade- 2) The attacker in the foundry may pirate the 3PIP after
offs between achieving high test coverage and maintaining an extracting it from the design layout.
acceptable level of security are concerned. Indeed, although 3) The attacker in the foundry may pirate the IC design
testing remains a crucial quality factor in the IC production and/or overbuild.
flow, the presence of an on-chip test infrastructure can lead 4) The end-user may reverse engineer a locked design to
to a number of threats and may jeopardize the overall system a gate level netlist [29].
security. For example, malicious users can deploy scan chains The remainder of this paper is organized as follows.
to recover confidential data stored in cryptographic devices Section II recalls the main concepts related to various cat-
as demonstrated by backdoors discovered in high-security egories of test points. In Section III, we briefly recapitulate
devices that can then be exploited by deploying a boundary an assumed IC activation procedure. Section IV presents the
scan test access port [27]. Similarly, debug ports provided by main logic locking procedure based on a test point enabling
the standard interfaces such as IEEE 1500 can also be mali- scheme. Experimental results obtained for several industrial
ciously misused. Although certain advanced DFT structures, designs are presented in Section V. Section VI analyzes possi-
e.g., test compression, were believed to be scan-based-attacks ble attacks and Section VII concludes this paper. A preliminary
resistant, some techniques, including a differential analysis, version of this paper was presented at the 2016 IEEE Asian
have invalidated this conjecture. Clearly, several countermea- Test Symposium [17].
sures against DFT-based side-channel attacks have also been
proposed and implemented as protection mechanisms. They II. T EST P OINTS
include secure test wrappers and protocols, post-manufacturing
disabling of test logic (unbounding—rather impractical for Traditionally, test points have been used in support of
various forms of in-field test), scrambling scan chains or logic built-in self-test (LBIST) by making random resistant
output test data, access restrictions, modified or randomly logic more testable. TPI algorithms select circuit’s internal
operating scan chains, encryption with hard-coded keys, and nets to subsequently add control points (CPs) or observe
others [10], [14], [15], [32]. Unfortunately, none of the exist- points (OPs) to activate faults or observe them, respectively.
ing solutions is able to inherently accommodate all testa- Numerous empirical guidelines and approximate techniques
bility and security demands without compromising either have been proposed to identify suitable CP and OP loca-
of them. tions and improve the overall circuit testability. These methods
Unlike the earlier solutions protecting circuits against mali- are based, for example, on fault simulation [12], approximate
cious attacks through test logic, in this paper, we propose testability measures [18], [31], or hybrid solutions working
an innovative dual usage of test points. Test point inser- with cost functions [8], gradient-based schemes [26], and
tion (TPI) methods are widely accepted and industry proven signal correlation [4].
DFT techniques that enhance the overall design testabil- Although testability-driven TPI techniques may occasion-
ity. Typically, test points remain transparent in the func- ally decrease counts of deterministic vectors produced by
tional mode, whereas they are selectively activated in the the automatic test pattern generation (ATPG) tools [13], their
test mode (TM) to increase controllability and observabil- overall performance with respect to the test data volume reduc-
ity of internal nodes, or to decrease pattern counts (for tion remains unpredictable. Consequently, a new TPI paradigm
details, see Section II). This paper demonstrates that exactly was introduced in [1]. Contrary to traditional test points, this
the same test points, in addition to their basic DFT func- technology aims at reducing ATPG test pattern counts and test
tionality, can be reused in the mission mode to form the data volume through insertion of conflict-aware test points,
foundations of logic locking at the gate level, in which further referred to as embedded deterministic test (EDT)1 test
the circuit’s architecture is blurred. In our approach, test points. A key feature of the scheme is its ability to iden-
points assume this additional role to facilitate the hid- tify and resolve conflicts between signals assigned to design’s
ing of design functionality from adversaries and also to internal nodes by ATPG. It allows one to increase the num-
assure that verified end-users work with a genuine prod- ber of faults detected by a single pattern, and thus to reduce
uct. As a result, not only is the overall design testability both the number of deterministic tests and test data volume in
improved, but effective protection against IP piracy is also a test compression environment, leading eventually to visibly
ensured. Furthermore, the method avoids the expensive cir- shorter ATPG and test application times.
cuit redesign phase, while the embedded authentication feature Another class of test points [16] has been proposed recently
helps to control secure authorized access to IC by the IP to enhance performance of a hybrid EDT/LBIST technology.
holder. This novel TPI technique simultaneously reduces deterministic
The security strength depends on an adversary’s inability to 1 EDT—the first test data compression technology [21] (commercialized as
perform operations, such as activating (unlocking) a device, the TestKompress tool), where the conflict-aware test points have been used
which valid users of genuine products can easily carry out to for the first time.
3022 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 12, DECEMBER 2018
(a)
(b)
Fig. 2. Basic DFT/DFS architecture.
Fig. 1. Basic types of CPs. (a) AND type CP. (b) OR type CP.
test pattern counts and increases detectability of random- verifying a secret-key-based identity can be deployed in con-
resistant faults by means of the same minimal set of test points. junction with the method presented in this paper. For the sake
A key feature of the hybrid test points is the ability to resolve of completeness and illustration, consider, as an example, the
cases where demands of internal nets for a given logic value following activation procedure working with a silicon-based
come up against very low likelihood of getting this value with PUF authentication and a key exchange protocol (KEP).
pseudorandom tests. A crucial requirement is that a circuit must be activated
Interestingly, EDT, LBIST as well as hybrid test points use via a pay-per-device key generated by a trusted party (verifier)
exactly the same logic structures. Fig. 1 illustrates two types in a response to requests generated by a party (prover) with an
of control test points: an AND CP and an OR CP. The AND access to a PUF. The remote activation module in Fig. 2 con-
CP is connected to a scan cell (SC) via the extra NAND gate, tains a PUF, which extracts characteristics of a design in the
whereas the OR CP is driven by the AND gate. In order to form of challenge-response pairs (CRPs) by taking advantage
force a fixed logic value at a particular node in a circuit, one of imperfections and uncertainties in a fabrication process.
needs to enable the corresponding CP, and then activate it. An Note that linear error-correcting codes are often used to reduce
asserted TP enable signal makes it possible for all CPs in the a PUF response bit error due to inevitable noise these circuits
design to work. An individual activation of a given test point, may produce. The PUF response is used to check the authen-
however, depends on its driver SC. For example, if an AND ticity of a design and to generate a chip-dependent key to
CP is driven by an SC set to the logic value of 1, then it unlock the device. This unique key is a result of processing
produces 0 regardless of values arriving from other parts of data delivered by the verifier and the PUF response gener-
the circuit. A similar rule applies to an OR CP which, when ated for a particular challenge. The same key subsequently
active, produces 1 under otherwise similar conditions. allows the PUF module to enable (or disable) the scram-
It is worth noting that only CPs have the ability to change bler. To hinder attacks based on pre-recording and replaying
a circuit’s functionality, as observation points do not impact previously used CRPs, one may deploy a strong PUF [11]
functional operations. They do impact, however, the over- in order to enlarge the CRP space. Note that this activation
all circuit testability. Hence, it is assumed that both OPs mechanism enables identification of counterfeit chips during
and CPs are inserted into a circuit by using the state-of-the- activation.
art TPI tool [22]. Furthermore, the scheme presented in this To generate a design-unlocking key, a trusted party creates
paper does not deploy any additional test points dedicated a post-fabrication database of CRPs for every IC. The physical
exclusively to logic locking beyond those introduced by any access to PUF measurements is permanently disabled before
standard DFT flow. deployment, e.g., by burning irreversible fuses, so other par-
ties cannot build a CRP database. If the response sent by the
prover matches the particular challenge in the database, then
III. ACTIVATION P ROCEDURE the chip is unlocked. The remote activation scheme works as
Our primary objective is to demonstrate that test points can follows.
successfully replace key gates (or equivalent techniques) to 1) The prover sends an activation request to the verifier.
lock a design. This approach assumes that access to a device 2) Given a challenge, the verifier requests a PUF response.
is protected by a design-dependent activation module, i.e., it 3) If the response matches a database entry, the unique key
activates or deactivates a locking scheme based on authoriza- unlocking the device is provided to the prover; otherwise
tion results. It is worth noting that any activation procedure the verifier launches a locking scheme.
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS 3023
TABLE I
C IRCUIT C HARACTERISTICS
TABLE II
C IRCUITS ’ T ESTABILITY
TABLE III
T RANSITIVE C LOSURE FOR H YBRID T EST P OINTS
Ethernet
Fig. 5. Transitive closure for a single CP.
TABLE IV
L OGIC L OCKING R ESULTS A FTER 10K C LOCK C YCLES
exists a combinational path between flip-flops f 1 and f 2 , where
f 1 is a driver and f 2 is a receiver. Flip-flops f 1 and f 2 are said
to be adjacent. To solve the transitive closure problem, we run
BFS several times on the S-graph to completion, starting at
flip-flops driving successive test points. The set of all visited
vertices that results from this computation is the transitive clo-
sure set consisting of all reachable cells. In addition, the set
of reachable SCs may be further used to examine how many
primary outputs (POs) are reachable along the combinational began, a circuit will launch the defense obfuscation procedure
paths. Finally, the longest path in the full BFS tree rooted at in its whole capacity, as detailed in the previous sections.
the test point nodes is indicative of the minimal number of The example of Fig. 5 is typical of the behavior that one
clock cycles required to arrive with the transitive closure. may expect from large digital circuits; however, verifying facts
Solving the transitive closure problem delivers important of this kind requires further and more detailed analysis. One
information regarding circuit areas that are completely covered of popular security metrics for combinational logic locking
by selected test points and indicates locations where extra CPs schemes uses the Hamming distance between the outputs of
are still required in order to increase the likelihood of obfus- locked and unlocked circuits [23]. Consequently, the second
cating certain internal signals. It is worth noting that having phase of our experiments has been conducted by means of sim-
an acceptable transitive closure does not guarantee reachabil- ulations tackling two scenarios. First, we assume that a correct
ity of all SCs during the actual circuit operations, and these key is applied to a circuit, thus a design works as intended.
numbers must be regarded the upper bounds. Indeed, some All memory elements (SCs) are initialized with pseudoran-
segments of a circuit may resist certain changes of logic val- dom values. Then, with every clock cycle, the primary inputs
ues. For example, a 32-input AND gate is very unlikely to receive pseudorandom values as well. The POs and the content
assume, in a random fashion, the value of 1 on its output, of SCs, captured every clock cycle, form a reference for sub-
and thus it may block changes in other parts of the circuit sequent experiments. SCs acting as drivers of test points are
as well. Furthermore, every sequential circuit features states excluded here. The second scenario mimics an unauthorized
which are very unlikely to occur, and thus chances to satisfy access when a design enters the locking mode. At every clock
conditions needed to corrupt signals in the corresponding parts cycle, the CPs are randomly activated/deactivated, the SCs
of the design might be low. Nevertheless, the transitive clo- capture responses from combinational logic, and the primary
sure of a given group of test points remains indicative of how inputs are fed in a random manner. Each simulation comprises
likely it is to obfuscate dedicated design internals and the cor- 10K clock cycles. Comparing results from both experiments
responding functionality. The same data may also guide the yields the number of affected (perturbed) outputs and SCs in
selection of test point sites, should one would like to extend the logic locking mode.
the frontier of internal nodes covered by obfuscating signals The results, averaged over 100 simulation runs, are summa-
produced, in turn, due to additional CPs. rized in Table IV. Note that the number of deployed CPs is
The results of transitive closure analysis for POs and SCs provided in Table I. Each column lists the fraction of POs and
are summarized in Table III. For each design, the two columns SCs which were affected by the locking scheme at least once
list the transitive closure and the corresponding number of during 10K clock cycles. As can be seen, hybrid control test
clock cycles. As can be seen, the control test points yield points allow the locking scheme to perturb, on the average,
the transitive closure comprising, on the average across all 59% of POs and 60% of SCs. It clearly correlates with our
examined designs, 90% of all deployed SCs and 84% of POs. earlier observations derived from the transitive closure metrics.
This is achieved in relatively short periods of time, as shown in Additional experimental results are shown in Fig. 6. It illus-
the columns “clock cycles.” Clearly, this result indicates that it trates a cumulative fraction of affected POs (a blue curve) and
is fair to expect that in a few clock cycles since a hostile attack SCs (a red curve) over successive 10K clocks cycles for the
3026 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 12, DECEMBER 2018
examined designs. In other words, these diagrams give the total as a countermeasure. It is worth noting, although, that vulner-
number of outputs and SCs that have been perturbed at least ability assessment of the presented method can also be carried
once up to a given clock cycle. Finally, Fig. 7 displays the out in a manner similar to that of the combinational-locking-
fraction of perturbed outputs and memory elements in a form based EPIC scheme [24], which provides robust multilayered
of time series, i.e., a series of data points indexed in a clock defense against a broad range of attacks. Regarding the threat
cycles order. It allows one to observe how the numbers of dis- models, any attempt to use stolen IC/IP will fail, unless a cor-
turbed outputs or pseudo-outputs keep changing in the time rect key is known. Given a gate-level netlist one needs to either
domain. analyze a circuit’s functionality to extract an unlocking key or
bypass/remove the scrambler to disable test points.
Since CPs are integral parts of scan chains controlled exclu-
VI. ATTACKS sively by the scrambler, the chip may be unlocked when the
Depending on their targets, malicious attacks can be classi- activation module and the scrambler are bypassed or removed.
fied into various categories [9], [23]. We briefly address some However, at 22 nm and below, this attack may require unac-
of them here to demonstrate how the proposed scheme can act ceptably high investment, which may not be justified by
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS 3027
revenue from pirated ICs. This form of attack could typi- are missing, a layout file is encrypted, or files are partially
cally involve some forms of front- or back-side focus ion split. If the adversary must extract a netlist from a physical
beam (FIB) circuit edits. However, this technique is imprac- device, then camouflage techniques can make this effort nearly
tical, if there are hundreds of sites to be altered, especially impossible.
when they are in the internal metal layers without damag- In terms of nondestructive attacks, one may consider meth-
ing other signals or traces. Even if attackers were able to ods that try to reveal a device-unlocking key. These attacks
perform such FIBs, it is not feasible to perform such edits assume that an attacker has access to a copy of the obfus-
on large production lines. Furthermore, we assume that an cated netlist and a functional (activated) IC purchased from
adversary has no access to the original netlist; if a locked the open market (note that it might be infeasible for an adver-
netlist (with disclosed test points) can be acquired from an sary to obtain such a chip; for example, the attacker is unlikely
untrusted fab or a designer, then there is no need for logic lock- to acquire working devices manufactured for noncommer-
ing, and our technique is not applicable. Nevertheless, having cial purposes or fabricated for the first time—they will not
GDSII/OASIS files does not always mean that an untrusted fab be available on the market). Typically, the attacker may use
is in possession of a full netlist. Often cells are flat, layer labels an SAT-based technique in an attempt to discover a key by
3028 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 12, DECEMBER 2018
applying distinguishing input patterns ruling out incorrect key example of a solution in which existing on-chip DFT infras-
values [28], [33]. There are two basic scenarios for SAT-based tructure is reused in the mission mode to prevent IP piracy
attacks in scan-based designs. In scenario 1, the attacker has no and assure that verified end-users work with genuine products.
access to an SE input, as it has been permanently disabled after The experimental results obtained for large industrial designs
the manufacturing test. The adversary, therefore, has to apply illustrate feasibility of the scheme and its effectiveness in hid-
stimuli through primary inputs and collect responses from POs ing design functionality from adversaries, and thus protecting
of a complex finite-state machine after using a certain num- circuits against various piracy attempts.
ber of clock cycles per a single input/output pair. Since the
presented test-point-based solution has the ability to gradu- R EFERENCES
ally change a circuit behavior and to elongate this process
[1] C. Acero et al., “Embedded deterministic test points for compact cell-
depending on clock cycles applied, the time required to real- aware tests,” in Proc. ITC, Anaheim, CA, USA, 2015, paper 2.2.
ize that the locking scheme is in progress increases remarkably [2] J. P. Baukus, L. W. Chow, and W. Clark, “Integrated circuits protected
the complexity of analyzing input/output data and makes var- against reverse engineering and method for fabricating the same
using an apparent metal contact line terminating on field oxide,”
ious forms of attacks, including SAT-based ones, technically U.S. Patent 7 294 935, 2007.
infeasible. [3] S. T. Chakradhar, A. Balakrishnan, and V. D. Agrawal, “An exact algo-
Scenario 2 assumes that the attacker puts a circuit in a TM, rithm for selecting partial scan flip-flops,” in Proc. DAC, San Diego,
CA, USA, 1994, pp. 81–86.
and thus can provide stimuli and retrieve circuit’s responses [4] S.-C. Chang, S.-S. Chang, W.-B. Jone, and C.-C. Tsai, “A novel combi-
through scan chains. Now an SAT-based attack deals with national testability analysis by considering signal correlation,” in Proc.
a combinational circuit, where in addition to pins, bumps, or ITC, Washington, DC, USA, 1998, pp. 658–667.
[5] R. P. Cocchi, J. P. Baukus, L. W. Chow, and B. J. Wang, “Circuit
pads (POs), SCs and probed signals are also used as outputs camouflage integration for hardware IP protection,” in Proc. DAC,
of a locked logic. Typically, the number of such inputs and San Francisco, CA, USA, 2014, pp. 1–5.
outputs exceeds tens of thousands (see Table I), clearly chal- [6] J. Da Rolt et al., “Test versus security: Past and present,” IEEE Trans.
Emerg. Topics Comput., vol. 2, no. 1, pp. 50–62, Mar. 2014.
lenging SAT solvers. Note that test points are now acting as [7] D. Forte, S. Bhunia, and M. Tehranipoor, Eds., Hardware Protection
conventional locking gates. Furthermore, an SAT-based attack Through Obfuscation. Heidelberg, Germany: Springer-Verlag, 2017.
may become impractical, if it can discriminate at most one [8] M. J. Geuzebroek, J. T. van der Linden, and A. J. van de Goor,
“Test point insertion that facilitates ATPG in reducing test time and
incorrect key value with each distinguishing input pattern—the data volume,” in Proc. ITC, Baltimore, MD, USA, 2002, pp. 138–147.
attack complexity grows then exponentially with the number [9] S. Hamdioui et al., “Hacking and protecting IC hardware,” in Proc.
of key bits [33]. DATE, Dresden, Germany, 2014, pp. 1–7.
[10] D. Hely et al., “Scan design and secure chip [secure IC testing],” in
If one employs the activation scheme of Section III, then Proc. IOLTS, 2004, pp. 219–224.
every chip has unique PUF-based CRPs; therefore, they can- [11] C. Herder, M.-D. Yu, F. Koushanfar, and S. Devadas, “Physical unclon-
not be discovered by watching signals on another activated able functions and applications: A tutorial,” Proc. IEEE, vol. 102, no. 8,
pp. 1126–1141, Aug. 2014.
chip. Different chips have virtually always different keys. [12] V. S. Iyengar and D. Brand, “Synthesis of pseudo-random pat-
Eavesdropping on data exchanged during chip activation will tern testable designs,” in Proc. ITC, Washington, DC, USA, 1989,
not reveal a key for other chips. pp. 501–508.
[13] A. Kumar, J. Rajski, S. M. Reddy, and T. Rinderknecht, “On the gen-
In contrast to solutions deploying the key gates as a part eration of compact deterministic test sets for BIST ready designs,” in
of circuit logic, the proposed scheme is resilient to fault- Proc. ATS, 2013, pp. 201–206.
analysis attacks addressing low correlation between the key [14] J. Lee, M. Tehranipoor, C. Patel, and J. Plusquellic, “Securing designs
against scan-based side-channel attacks,” IEEE Trans. Depend. Secure
bits. Typically, these attacks are carried out by determining Comput., vol. 4, pp. 325–336, 2007.
an input pattern that sensitizes a single key-bit to an out- [15] J. Lee, M. Tehranipoor, and J. Plusquellic, “A low-cost solution for
put without any interference with other key-gates or primary protecting IPs against scan-based side-channel attacks,” in Proc. VTS,
Berkeley, CA, USA, 2006, pp. 94–99.
inputs. When such a pattern is found, one may apply it to
[16] E. Moghaddam, N. Mukherjee, J. Rajski, J. Tyszer, and J. Zawada, “Test
the functional IC and obtain the value of a specific key-bit. point insertion in hybrid test compression/LBIST architectures,” in Proc.
Again, the presented method is resilient to key propagation ITC, Fort Worth, TX, USA, 2016, paper 2.1.
attacks due to the lack of direct access to the activation module [17] E. Moghaddam, N. Mukherjee, J. Rajski, J. Tyszer, and J. Zawada,
“On test points enhancing hardware security,” in Proc. ATS, Hiroshima,
outputs. Japan, 2016, pp. 61–66.
[18] M. Nakao, K. Hatayama, and I. Highasi, “Accelerated test points selec-
tion method for scan-based BIST,” in Proc. ATS, 1997, pp. 359–364.
VII. C ONCLUSION [19] J. Rajendran et al., “Fault analysis-based logic encryption,” IEEE Trans.
Comput., vol. 64, no. 2, pp. 410–424, Feb. 2015.
There is a widely accepted consensus that IC designers [20] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis of
can no longer take the security of microelectronics hardware integrated circuit camouflaging,” in Proc. ACM CCS, Berlin, Germany,
2013, pp. 709–720.
for granted. In this paper, we introduce a new scheme that [21] J. Rajski, J. Tyszer, M. Kassab, and N. Mukherjee, “Embedded deter-
improves a circuit security without compromising its over- ministic test,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst.,
all testability at the same time. By integrating the proposed vol. 23, no. 5, pp. 776–792, May 2004.
[22] S. Remersaro, J. Rajski, T. Rinderknecht, S. M. Reddy, and I. Pomeranz,
logic locking scheme into the TPI flow, the complexity of “ATPG heuristics dependant observation point insertion for enhanced
determining an IC’s secret content has been significantly compaction and data volume reduction,” in Proc. DFTVS, Boston, MA,
raised. Contrary to several earlier solutions where DFT fea- USA, 2008, pp. 385–393.
[23] M. Rostami, F. Koushanfar, and R. Karri, “A primer on hardware
tures needed additional precautions to protect designs against security: Models, methods, and metrics,” Proc. IEEE, vol. 102, no. 8,
malicious reuse of test logic, the presented approach is the first pp. 1283–1295, Aug. 2014.
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS 3029
[24] J. A. Roy, F. Koushanfar, and I. L. Markov, “Ending piracy of integrated Nilanjan Mukherjee (S’87–M’89–SM’14) received
circuits,” IEEE Comput., vol. 43, no. 10, pp. 30–38, Oct. 2010. the B.Tech. (Hons.) degree in electronics and elec-
[25] R. Sedgewick, Algorithms in C++. Part 5: Graph Algorithms. Boston, trical communication engineering from the Indian
MA, USA: Addison-Wesley, 2002. Institute of Technology Kharagpur, Kharagpur,
[26] B. H. Seiss, P. M. Trouborst, and M. Schulz, “Test point insertion for India, in 1989, and the Ph.D. degree from McGill
scan-based BIST,” in Proc. ETC, 1991, pp. 253–262. University, Montreal, QC, Canada, in 1996.
[27] S. Skorobogatov and C. Woods, “Breakthrough silicon scanning discov- He is currently the Engineering Director with
ers backdoor in military chip,” in Proc. CHES, 2012, pp. 23–40. the Design-to-Silicon division at Mentor—a Siemens
[28] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic Business, Wilsonville, OR, USA. He is a co-inventor
encryption algorithms,” in Proc. HOST, Washington, DC, USA, 2015, of the EDT technology and was a Lead Developer
pp. 137–143. for the leading test compression tool in the industry,
[29] R. Torrance and D. James, “The state-of-the-art in semiconductor reverse TestKompress. Prior to joining Mentor, he was with Lucent Bell, Holmdel,
engineering,” in Proc. DAC, New York, NY, USA, 2011, pp. 333–338. NJ, USA. He has published over 75 technical papers and has co-invented
[30] H. Vranken, F. S. Sapei, and H.-J. Wunderlich, “Impact of test point 45 U.S. patents. His current research interests include next generation test
insertion on silicon area and timing during layout,” in Proc. DATE, methodologies for deep submicrometer designs, test data compression, test
Paris, France, 2004, pp. 810–815. synthesis, memory testing, and fault diagnosis.
[31] D. Xiang, Y. Xu, and H. Fujiwara, “Nonscan design for testability Dr. Mukherjee was a co-recipient of the Best Paper Award at the 1995 IEEE
for synchronous sequential circuits based on conflict resolution,” IEEE VLSI Test Symposium, the Best Paper Award at the 2009 VLSI Design
Trans. Comput., vol. 52, no. 8, pp. 1063–1075, Aug. 2003. Conference, the Best Student Paper Award at the Asian Test Symposium
[32] B. Yang, K. Wu, and R. Karri, “Secure scan: A design-for-test archi- in 2001, the 2006 IEEE Circuits and Systems Society Donald O. Pederson
tecture for crypto chips,” in Proc. DAC, Anaheim, CA, USA, 2005, Outstanding Paper Award recognizing the paper on embedded deterministic
pp. 135–140. test published in the IEEE T RANSACTIONS ON C OMPUTER -A IDED D ESIGN
[33] M. Yasin, B. Mazumdar, J. J. V. Rajendran, and O. Sinanoglu, OF I NTEGRATED C IRCUITS AND S YSTEMS , and the 2012 IEEE International
“SARLock: SAT attack resistant logic locking,” in Proc. HOST, 2016, Test Conference Most Significant Paper Award. He served on the program
pp. 236–241. committees of several IEEE conferences.
[34] J. Zhang, “A practical logic obfuscation technique for hardware secu-
rity,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 24, no. 3,
pp. 1193–1197, Mar. 2016.
Jerzy Tyszer (M’91–SM’96–F’13) received the Justyna Zawada (M’14) received the M.S. degree
M.S. and Ph.D. degrees in electrical engineering in computer science from Adam Mickiewicz
from the Poznań University of Technology, Poznań, University, Poznań, Poland, in 2012, and the
Poland, in 1981 and 1987, respectively, and the M.S. degree in telecommunications and the Ph.D.
Dr.Hab. degree in telecommunications from the degree in electrical engineering from the Poznań
Technical University of Gdańsk, Gdańsk, Poland, University of Technology, Poznań, in 2014 and 2017,
in 1994. respectively.
From 1982 to 1990, he was a member of the fac- Her current research interests include design for
ulty of Poznań University of Technology, Poland. testability, built-in self-test, automatic test pattern
In January 1990, he joined McGill University, generation, and test security.
Montreal, Canada where was Research Associate
and Adjunct Professor. In 1996, he assumed the position of Professor at
the Faculty of Electronics and Telecommunications of Poznań University of
Technology, Poznań, Poland. His current research interests include design
automation and testing of very large-scale integration (VLSI) systems, design
for testability, built-in self-test, embedded test, and computer simulation of dis-
crete event systems. He has published eight books, over 140 research papers
in the above areas and has co-invented 70 U.S. patents.
Dr. Tyszer was a co-recipient of the 1995 and 1998 Best Paper Awards
at the IEEE VLSI Test Symposium, the 2003 Honorable Mention Award at
the IEEE International Test Conference, the 2006 IEEE Circuits and Systems
Society Donald O. Pederson Outstanding Paper Award recognizing the paper
on embedded deterministic test published in the IEEE T RANSACTIONS ON
C OMPUTER -A IDED D ESIGN OF I NTEGRATED C IRCUITS AND S YSTEMS, the
2009 Best Paper Award at the VLSI Design Conference, the 2011 Best
Paper Award at the IEEE European Test Symposium, and the 2012 IEEE
International Test Conference Most Significant Paper Award. In 1999, he was
a Guest Co-Editor of the special issue of the IEEE Communications Magazine
devoted to testing of telecommunication hardware. He has served on technical
program committees of various conferences.