3020 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO.
12, DECEMBER 2018
Hardware Protection via Logic Locking Test Points
Michael Chen, Member, IEEE, Elham Moghaddam, Member, IEEE, Nilanjan Mukherjee, Senior Member, IEEE,
Janusz Rajski, Fellow, IEEE, Jerzy Tyszer , Fellow, IEEE, and Justyna Zawada, Member, IEEE
Abstract—Growing reverse-engineering attempts to steal or
violate a design intellectual property (IP), or to identify the device
technology in order to counterfeit integrated circuits (ICs), raise
serious concerns in the IC design community. As the information
derived from these practices can be used in a number of mali-
cious ways, various active techniques have been proposed and
deployed to protect IP, of which logic locking is a vital part. It
allows inserting certain gates in a circuit’s data path to lock out-
puts to fixed logic values, if a wrong unlocking key is applied. This
paper demonstrates that test points—industry-proven design-for-
test technology used primarily to enhance the overall design
testability–can also be reused in the mission mode to lock the cir-
cuit, and thus to improve the hardware security against IP piracy.
In particular, it is shown that test points can facilitate the hiding
of design functionality from adversaries. As a result, not only
is the overall design testability improved, but also effective pro-
tection against piracy through unauthorized excess production
and other forms of IP theft is ensured. Experimental results on
industrial designs with test points demonstrate that the proposed
scheme is effective in achieving a desired degree of hardware
obfuscation.
Index Terms—Design for testability, embedded test, hardware
security, logic locking, scan-based testing, test points.
I. I NTRODUCTION
S REPORTED in [34], the global value of counterfeit
A goods for G20 nations can be now in excess of U.S.
$1.7 trillion, and that eliminates or replaces 2.5 million jobs
that would otherwise be deployed for legitimate goods. The
European Union (EU) experienced a tripling in the number
of intellectual property (IP) infringing goods detained at the
EU borders between 2005 and 2013. In 2013 alone, almost
87 000 detention cases were registered by customs, involv-
ing almost 36 million detained articles, the value of which
is estimated to be nearly A C800 million. Globalization of the
Manuscript received July 8, 2017; revised September 26, 2017 and
December 5, 2017; accepted January 12, 2018. Date of publication
February 2, 2018; date of current version November 20, 2018. The work
of J. Tyszer and J. Zawada was supported by the Polish Ministry of Science
and Higher Education under Grant DS-8133/18. This paper was recommended
by Associate Editor S. Bhunia. (Corresponding author: Jerzy Tyszer.)
M. Chen, E. Moghaddam, N. Mukherjee, and J. Rajski are with
the Mentor—a Siemens Business, Wilsonville, OR 97070 USA
(e-mail: michael_chen@mentor.com; elham_moghaddam@mentor.com;
nilanjan_mukherjee@mentor.com; janusz_rajski@mentor.com).
J. Tyszer and J. Zawada are with the Faculty of Electronics and
Telecommunications, Poznań University of Technology, 60-965 Poznań,
Poland (e-mail: jerzy.tyszer@put.poznan.pl; justyna.j.zawada@
doctorate.put.poznan.pl).
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TCAD.2018.2801240
0278-0070 c 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
semiconductor production flow, including design and manu-
facturing processes, makes integrated circuits (ICs) especially
vulnerable to malicious activities and alterations. Reverse
engineering [29], IP piracy [24], IC overbuilding [23], or
repacking of old ICs [23] have quickly become serious chal-
lenges for the IC supply chain. The motivation for reverse
engineering, for example, can be IP theft, IC cloning, or
secret information disclosure. IC reverse engineering identi-
fies the device technology, structure, and/or its functional-
ity. The objective of the attacker is to successfully recover
a design structure by means of destructive or nondestructive
methods [29]. Once the IP netlist is known, it can be ille-
gally sold or used to design other ICs (IC piracy). Also,
one can reuse the components extracted from competing
products, thus revealing trade secrets. Due to these harm-
ful effects, a pure social loss, and the cost of combating IC
counterfeiting and piracy, reverse engineering is considered
to be one of the most serious threats to the semiconductor
industry.
Since enforcement of IP rights significantly varies from
one part of the globe to another, IP protection cannot be
just confined to patents, copyrights, or watermarks. On the
contrary, various active defense methods have been recently
deployed to hinder reverse engineering and to prevent IP
infringements. For instance, camouflaging [20] hampers the
image processing-based extraction of gate-level netlist by con-
cealing some gates [5] or introducing dummy contacts into
the layout [2]. Another technique to impede IP piracy is logic
locking [23]. The additional encryption blocks (also known
as key gates)—typically XOR gates [24], multiplexers [19], or
memory elements—are inserted in certain IC locations in order
to hide functionality and implementation. Clearly, a design
will function properly only if a correct key drives all key
gates. Physical unclonable functions (PUFs) [11], originally
proposed to secure designs through a resilient authentication
based on intrinsic semiconductor process variability, can be
also used to guide the locking method, as shown in [34].
Unfortunately, on-chip storage of various data, including secret
information, is inherently prone to several attacks, including
side-channel analysis, imaging, fault analysis, and Boolean
satisfiability-based (SAT) techniques [23]. Furthermore, the
ability to hide logic circuit’s functionality carries major impli-
cations. When trying to lock design logic, one may introduce
unacceptable area, performance, and power overheads. A com-
prehensive survey of hardware protection techniques can be
found, for example, in [7].
On-chip IP can also be compromised by another form of
vulnerability. It is directly related to structural testing of ICs,
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS
and, in particular, to design-for-test (DFT) schemes that may
expose designs to security threats [6]. While DFT aims at
improving controllability and observability of circuit internal
nodes, design for security (DFS) pursues restraining access
to chip internal structures and their proprietary extensions.
Consequently, IC designers face real challenges as far as trade-
offs between achieving high test coverage and maintaining an
acceptable level of security are concerned. Indeed, although
testing remains a crucial quality factor in the IC production
flow, the presence of an on-chip test infrastructure can lead
to a number of threats and may jeopardize the overall system
security. For example, malicious users can deploy scan chains
to recover confidential data stored in cryptographic devices
as demonstrated by backdoors discovered in high-security
devices that can then be exploited by deploying a boundary
scan test access port [27]. Similarly, debug ports provided by
the standard interfaces such as IEEE 1500 can also be mali-
ciously misused. Although certain advanced DFT structures,
e.g., test compression, were believed to be scan-based-attacks
resistant, some techniques, including a differential analysis,
have invalidated this conjecture. Clearly, several countermea-
sures against DFT-based side-channel attacks have also been
proposed and implemented as protection mechanisms. They
include secure test wrappers and protocols, post-manufacturing
disabling of test logic (unbounding—rather impractical for
various forms of in-field test), scrambling scan chains or
output test data, access restrictions, modified or randomly
operating scan chains, encryption with hard-coded keys, and
others [10], [14], [15], [32]. Unfortunately, none of the exist-
ing solutions is able to inherently accommodate all testa-
bility and security demands without compromising either
of them.
Unlike the earlier solutions protecting circuits against mali-
cious attacks through test logic, in this paper, we propose
an innovative dual usage of test points. Test point inser-
tion (TPI) methods are widely accepted and industry proven
DFT techniques that enhance the overall design testabil-
ity. Typically, test points remain transparent in the func-
tional mode, whereas they are selectively activated in the
test mode (TM) to increase controllability and observabil-
ity of internal nodes, or to decrease pattern counts (for
details, see Section II). This paper demonstrates that exactly
the same test points, in addition to their basic DFT func-
tionality, can be reused in the mission mode to form the
foundations of logic locking at the gate level, in which
the circuit’s architecture is blurred. In our approach, test
points assume this additional role to facilitate the hid-
ing of design functionality from adversaries and also to
assure that verified end-users work with a genuine prod-
uct. As a result, not only is the overall design testability
improved, but effective protection against IP piracy is also
ensured. Furthermore, the method avoids the expensive cir-
cuit redesign phase, while the embedded authentication feature
helps to control secure authorized access to IC by the IP
holder.
The security strength depends on an adversary’s inability to
perform operations, such as activating (unlocking) a device,
which valid users of genuine products can easily carry out to
3021
perform correct functional operations. In this paper, we assume
the following threat models [23].
1) The attacker in the integration house may pirate the
third-party IP (3PIP) or use more than the licensed
number of 3PIP instances.
2) The attacker in the foundry may pirate the 3PIP after
extracting it from the design layout.
3) The attacker in the foundry may pirate the IC design
and/or overbuild.
4) The end-user may reverse engineer a locked design to
a gate level netlist [29].
The remainder of this paper is organized as follows.
Section II recalls the main concepts related to various cat-
egories of test points. In Section III, we briefly recapitulate
an assumed IC activation procedure. Section IV presents the
main logic locking procedure based on a test point enabling
scheme. Experimental results obtained for several industrial
designs are presented in Section V. Section VI analyzes possi-
ble attacks and Section VII concludes this paper. A preliminary
version of this paper was presented at the 2016 IEEE Asian
Test Symposium [17].
II. T EST P OINTS
Traditionally, test points have been used in support of
logic built-in self-test (LBIST) by making random resistant
logic more testable. TPI algorithms select circuit’s internal
nets to subsequently add control points (CPs) or observe
points (OPs) to activate faults or observe them, respectively.
Numerous empirical guidelines and approximate techniques
have been proposed to identify suitable CP and OP loca-
tions and improve the overall circuit testability. These methods
are based, for example, on fault simulation [12], approximate
testability measures [18], [31], or hybrid solutions working
with cost functions [8], gradient-based schemes [26], and
signal correlation [4].
Although testability-driven TPI techniques may occasion-
ally decrease counts of deterministic vectors produced by
the automatic test pattern generation (ATPG) tools [13], their
overall performance with respect to the test data volume reduc-
tion remains unpredictable. Consequently, a new TPI paradigm
was introduced in [1]. Contrary to traditional test points, this
technology aims at reducing ATPG test pattern counts and test
data volume through insertion of conflict-aware test points,
further referred to as embedded deterministic test (EDT)1 test
points. A key feature of the scheme is its ability to iden-
tify and resolve conflicts between signals assigned to design’s
internal nodes by ATPG. It allows one to increase the num-
ber of faults detected by a single pattern, and thus to reduce
both the number of deterministic tests and test data volume in
a test compression environment, leading eventually to visibly
shorter ATPG and test application times.
Another class of test points [16] has been proposed recently
to enhance performance of a hybrid EDT/LBIST technology.
This novel TPI technique simultaneously reduces deterministic
1 EDT—the first test data compression technology [21] (commercialized as
the TestKompress tool), where the conflict-aware test points have been used
for the first time.
3022 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 12, DECEMBER 2018
(a)
(b)
Fig. 1. Basic types of CPs. (a) AND type CP. (b) OR type CP.
test pattern counts and increases detectability of random-
resistant faults by means of the same minimal set of test points.
A key feature of the hybrid test points is the ability to resolve
cases where demands of internal nets for a given logic value
come up against very low likelihood of getting this value with
pseudorandom tests.
Interestingly, EDT, LBIST as well as hybrid test points use
exactly the same logic structures. Fig. 1 illustrates two types
of control test points: an AND CP and an OR CP. The AND
CP is connected to a scan cell (SC) via the extra NAND gate,
whereas the OR CP is driven by the AND gate. In order to
force a fixed logic value at a particular node in a circuit, one
needs to enable the corresponding CP, and then activate it. An
asserted TP enable signal makes it possible for all CPs in the
design to work. An individual activation of a given test point,
however, depends on its driver SC. For example, if an AND
CP is driven by an SC set to the logic value of 1, then it
produces 0 regardless of values arriving from other parts of
the circuit. A similar rule applies to an OR CP which, when
active, produces 1 under otherwise similar conditions.
It is worth noting that only CPs have the ability to change
a circuit’s functionality, as observation points do not impact
functional operations. They do impact, however, the over-
all circuit testability. Hence, it is assumed that both OPs
and CPs are inserted into a circuit by using the state-of-the-
art TPI tool [22]. Furthermore, the scheme presented in this
paper does not deploy any additional test points dedicated
exclusively to logic locking beyond those introduced by any
standard DFT flow.
III. ACTIVATION P ROCEDURE
Our primary objective is to demonstrate that test points can
successfully replace key gates (or equivalent techniques) to
lock a design. This approach assumes that access to a device
is protected by a design-dependent activation module, i.e., it
activates or deactivates a locking scheme based on authoriza-
tion results. It is worth noting that any activation procedure
Fig. 2. Basic DFT/DFS architecture.
verifying a secret-key-based identity can be deployed in con-
junction with the method presented in this paper. For the sake
of completeness and illustration, consider, as an example, the
following activation procedure working with a silicon-based
PUF authentication and a key exchange protocol (KEP).
A crucial requirement is that a circuit must be activated
via a pay-per-device key generated by a trusted party (verifier)
in a response to requests generated by a party (prover) with an
access to a PUF. The remote activation module in Fig. 2 con-
tains a PUF, which extracts characteristics of a design in the
form of challenge-response pairs (CRPs) by taking advantage
of imperfections and uncertainties in a fabrication process.
Note that linear error-correcting codes are often used to reduce
a PUF response bit error due to inevitable noise these circuits
may produce. The PUF response is used to check the authen-
ticity of a design and to generate a chip-dependent key to
unlock the device. This unique key is a result of processing
data delivered by the verifier and the PUF response gener-
ated for a particular challenge. The same key subsequently
allows the PUF module to enable (or disable) the scram-
bler. To hinder attacks based on pre-recording and replaying
previously used CRPs, one may deploy a strong PUF [11]
in order to enlarge the CRP space. Note that this activation
mechanism enables identification of counterfeit chips during
activation.
To generate a design-unlocking key, a trusted party creates
a post-fabrication database of CRPs for every IC. The physical
access to PUF measurements is permanently disabled before
deployment, e.g., by burning irreversible fuses, so other par-
ties cannot build a CRP database. If the response sent by the
prover matches the particular challenge in the database, then
the chip is unlocked. The remote activation scheme works as
follows.
1) The prover sends an activation request to the verifier.
2) Given a challenge, the verifier requests a PUF response.
3) If the response matches a database entry, the unique key
unlocking the device is provided to the prover; otherwise
the verifier launches a locking scheme.
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS
IV. L OGIC L OCKING
A principle idea proposed in this paper is to reuse
an existing DFT infrastructure to instantly modify design
internal functionality once an attempt to unauthorized access
is detected. Initially, the circuit is locked, i.e., it operates
in a mode exhibiting incorrect behavior. Thus, in order to
enable a mission mode, a proper key has to be provided
before a start-up. A failure to comply with this requirement
triggers subsequent changes in the circuit internal function-
ality. They are primarily attributed to signal perturbations
caused by activation of control test points, traditionally dis-
abled and transparent in the mission mode. The test points
become operational gradually through a process of their
selective activation. The same procedure of locking design
functionality may entail a gradual deactivation of selected test
points.
The new DFT/DFS method virtually preserves the original
design as it adds only two modules: 1) an activation module,
e.g., a PUF block and 2) a scrambler. This is illustrated in
Fig. 2 where two arrangements of CPs are also presented. The
top scan chain exclusively hosts drivers of CPs. This setup is
referred to as a dedicated scan chain. On the contrary, a mixed-
mode scan chain consists of CP drivers interspersed among
other (traditional) SCs. The scan enable (SE) signal is split
into two parts. The first one controls regular SCs and bypasses
the scrambler. The other part goes to the scrambler where it
is replaced with a signal produced locally for the purpose of
the locking procedure. Clearly, when the scrambler takes over,
all scan chains hosting CPs drivers have to be appropriately
initialized.
The activation procedure of Section III allows a scrambler to
enable/disable control test points. Accordingly, the scrambler
has two operating modes. In the transparent mode, the original
circuit works as intended, i.e., all test points are disabled and
remain transparent for the circuit operations. When the acti-
vation module receives a wrong key, the scrambler enters the
locking mode, in which one can intentionally conceal design
functionality by asserting the TPE signal (see Fig. 3) which
enables all CPs. From then on, the scrambler shifts certain
binary sequences into respective scan chains to gradually acti-
vate or deactivate successive groups of CPs. For example, an
active AND CP injects a constant logic value of 0 at its site
and gates all other signals converging at this particular loca-
tion. Similarly, an active OR CP replaces signals merging at
its location with the constant value of 1. As a result, the design
operates in a mode which exhibits incorrect functionality, and
its behavior becomes unpredictable, which makes it difficult
for an adversary to comprehend the actual functionality of the
design.
The scrambler may operate in a variety of fashions. Its
basic low-cost architecture, proposed in this paper, is shown in
Fig. 3. The TM signal toggles between the functional and TMs.
During a production test, signal TM is asserted and both test
point enable (TPE) and SE signals are controlled by a tester.
While in the functional mode, the scrambler controls TPE,
whereas SE depends on a clock cycle counter functioning
in such a way that for every predefined number of cycles,
SE becomes asserted, and either a constant logic value of
3023
Fig. 3. Scrambler architecture.
1 or pseudorandom values are shifted into dedicated or mixed-
mode scan chains. It allows groups of control test points to
be activated/deactivated at a time. Note that SCs hosted by
the mixed-mode scan chains are driven (typically in a ran-
dom fashion) either by the scrambler or by regular flip-flops
belonging to exactly the same chains and now working in the
functional mode.
The clock cycle counter provides a rate, which determines
how quickly the circuit changes its behavior. The approach
that uses pseudorandom values results in activation and deac-
tivation of selected groups of CPs, with the average number
of active CPs saturating over time. This is counteracted by
deploying a weighted pseudorandom pattern generator (PRPG)
whose outputs are obtained by connecting a biasing logic, such
as multiple input AND or OR gates, with the outputs of a con-
ventional PRPG, as shown in Fig. 3. If one employs a constant
value of 1 to feed the dedicated scan chains, then successive
CPs remain activate until all of them are involved in concealing
the circuit’s original functionality. Furthermore, subsequently
loading an opposite logic value to the same scan chains can
deactivate the CPs, one group at a time. The above processes
continue until the successful application of a predetermined
key. Recall that a valid key applied before launching the device
unlocks it by setting TPE to low, disabling the scrambler, and
thus making the CPs transparent in the mission mode.
In order to more effectively hide on-chip security features
and to provide a second line of defense against a piracy, the
PRPG uses a randomly seeded LFSR. This mechanism pro-
duces a new PRPG seed at every circuit reset. As a result,
every time the device is launched, an attacker faces differ-
ent output data since different groups of test points can be
then activated for varying durations. Nonrepeatable and non-
predictable seeds can be derived, for example, by sampling
sources of uncontrollable randomness, typically present in
physical structures of chips.
In addition to the basic scheme of Fig. 2, the proposed
method can also be deployed in conjunction with logic BIST
or on-chip test compression environment such as the EDT
technology [21]. This is further illustrated in Fig. 4. For the
sake of simplicity, we omit here the SE signal driving regular
scan chains. As can be seen, the scrambler outputs are placed
between a decompressor (PRPG) and the front of scan chains.
In this scenario, the test point drivers receive data produced
either by the scrambler or by the decompressor (in the TM).
3024 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 12, DECEMBER 2018
Fig. 4. Scrambler with decompressor/PRPG.
From a hardware perspective, logic locking schemes can
be evaluated based on the area overhead they introduce and
performance degradation they may cause. Clearly, the advan-
tage of leveraging test points is the reuse of DFT logic in the
mission mode. Consequently, the only area overhead is the
scrambler (PUF is used for chip authenticity, and thus, deploy-
ing that for logic locking has no additional cost). Since test
points incur some additional silicon real estate and, potentially,
performance degradation, this problem has been extensively
studied [30] with a conclusion that the resultant overheads are
typically acceptable or even negligible.
V. E XPERIMENTAL R ESULTS
Experiments reported in this section examine the ability
of hybrid control test points, inserted by the state-of-the-art
technique [16], to change (obfuscate) a circuit’s functional-
ity when an unauthorized access is detected. Recall that these
test points aim at increasing the overall circuit’s testability
both in terms of fault coverage and pattern count. The num-
ber of inserted test points is 2% fraction of all SCs deployed
in the designs. This threshold is known to be an acceptable
value across the industry, especially in terms of the resultant
silicon overhead. Moreover, the number of CPs is restricted
to 5 on a single path to reduce the overall impact on tim-
ing closure. All experiments are conducted for five industrial
designs and a circuit from an IWLS’05 benchmark suit. The
basic data regarding the designs such as the number of gates,
the number of primary inputs and outputs, the number of SCs
and the number of scan chains, is listed in Table I. As a ref-
erence, the last two columns of Table I provide the number of
deployed CPs, also reported as a fraction of the total number
of test points (TTPF).
Testability improvements due to hybrid test points can be
seen in Table II. All results were obtained for stuck-at tests.
The first part of the table provides the LBIST test coverage
after applying 10K pseudorandom test patterns. The baseline
test cases represent designs with no test points, whereas the
column “hybrid TPs” corresponds to the same circuits with
hybrid test points in place. The second part of the table reports
TABLE I
C IRCUIT C HARACTERISTICS
TABLE II
C IRCUITS ’ T ESTABILITY
the ATPG test coverage with the corresponding test pattern
counts attributed to the baseline (no TPs) case and the test
points, respectively. As might be expected, the hybrid test
points increase test coverage and reduce test pattern counts,
on the average, 10% and 2× times, respectively.
A successful application of the proposed method depends,
among many factors, on the ability of control test points to
launch a transition that reaches as many SCs as possible. As
can be verified, this reachability question is equivalent to the
concept of transitive closure [25]. Consider, for example, an
industrial design with 72 000 SCs and 100 control test points
that suffice to achieve certain testability goals. Fig. 5 gives
the total number of SCs that can be reached from a randomly
selected test point in successive clock cycles. In particular,
99.4% of all SCs are reachable from the starting CP after
15 clock cycles. Note that the bars corresponding to cycles
from 9 to 15 represent cases where an increase in additional
SCs that can be reached from the starting point is rather small,
and thus differences between bars are less visible. Further
experimental results, not reported here, have confirmed that
the remaining CPs used in the same design have a similar
transitive closure, although they require a test-point-dependent
number of clock cycles. It is worth noting that 100 CPs is a tiny
fraction (0.14%) of all SCs. It clearly indicates, therefore, that
the strategy based on the CPs have a great potential to sub-
stantially perturb internal signals, and thus the entire design
functionality.
In order to determine the transitive closure for a given set
of control test points, it suffices to observe that this problem
can be mapped into a breadth-first search (BFS) on a struc-
ture graph (S-graph), which has been used in the partial
scan synthesis [3]. In this graph, vertices represent flip-flops.
A directed edge from node f1 to node f2 indicates that there
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS
Fig. 5. Transitive closure for a single CP.
exists a combinational path between flip-flops f 1 and f 2 , where
f 1 is a driver and f 2 is a receiver. Flip-flops f 1 and f 2 are said
to be adjacent. To solve the transitive closure problem, we run
BFS several times on the S-graph to completion, starting at
flip-flops driving successive test points. The set of all visited
vertices that results from this computation is the transitive clo-
sure set consisting of all reachable cells. In addition, the set
of reachable SCs may be further used to examine how many
primary outputs (POs) are reachable along the combinational
paths. Finally, the longest path in the full BFS tree rooted at
the test point nodes is indicative of the minimal number of
clock cycles required to arrive with the transitive closure.
Solving the transitive closure problem delivers important
information regarding circuit areas that are completely covered
by selected test points and indicates locations where extra CPs
are still required in order to increase the likelihood of obfus-
cating certain internal signals. It is worth noting that having
an acceptable transitive closure does not guarantee reachabil-
ity of all SCs during the actual circuit operations, and these
numbers must be regarded the upper bounds. Indeed, some
segments of a circuit may resist certain changes of logic val-
ues. For example, a 32-input AND gate is very unlikely to
assume, in a random fashion, the value of 1 on its output,
and thus it may block changes in other parts of the circuit
as well. Furthermore, every sequential circuit features states
which are very unlikely to occur, and thus chances to satisfy
conditions needed to corrupt signals in the corresponding parts
of the design might be low. Nevertheless, the transitive clo-
sure of a given group of test points remains indicative of how
likely it is to obfuscate dedicated design internals and the cor-
responding functionality. The same data may also guide the
selection of test point sites, should one would like to extend
the frontier of internal nodes covered by obfuscating signals
produced, in turn, due to additional CPs.
The results of transitive closure analysis for POs and SCs
are summarized in Table III. For each design, the two columns
list the transitive closure and the corresponding number of
clock cycles. As can be seen, the control test points yield
the transitive closure comprising, on the average across all
examined designs, 90% of all deployed SCs and 84% of POs.
This is achieved in relatively short periods of time, as shown in
the columns “clock cycles.” Clearly, this result indicates that it
is fair to expect that in a few clock cycles since a hostile attack
3025
TABLE III
T RANSITIVE C LOSURE FOR H YBRID T EST P OINTS
Ethernet
TABLE IV
L OGIC L OCKING R ESULTS A FTER 10K C LOCK C YCLES
began, a circuit will launch the defense obfuscation procedure
in its whole capacity, as detailed in the previous sections.
The example of Fig. 5 is typical of the behavior that one
may expect from large digital circuits; however, verifying facts
of this kind requires further and more detailed analysis. One
of popular security metrics for combinational logic locking
schemes uses the Hamming distance between the outputs of
locked and unlocked circuits [23]. Consequently, the second
phase of our experiments has been conducted by means of sim-
ulations tackling two scenarios. First, we assume that a correct
key is applied to a circuit, thus a design works as intended.
All memory elements (SCs) are initialized with pseudoran-
dom values. Then, with every clock cycle, the primary inputs
receive pseudorandom values as well. The POs and the content
of SCs, captured every clock cycle, form a reference for sub-
sequent experiments. SCs acting as drivers of test points are
excluded here. The second scenario mimics an unauthorized
access when a design enters the locking mode. At every clock
cycle, the CPs are randomly activated/deactivated, the SCs
capture responses from combinational logic, and the primary
inputs are fed in a random manner. Each simulation comprises
10K clock cycles. Comparing results from both experiments
yields the number of affected (perturbed) outputs and SCs in
the logic locking mode.
The results, averaged over 100 simulation runs, are summa-
rized in Table IV. Note that the number of deployed CPs is
provided in Table I. Each column lists the fraction of POs and
SCs which were affected by the locking scheme at least once
during 10K clock cycles. As can be seen, hybrid control test
points allow the locking scheme to perturb, on the average,
59% of POs and 60% of SCs. It clearly correlates with our
earlier observations derived from the transitive closure metrics.
Additional experimental results are shown in Fig. 6. It illus-
trates a cumulative fraction of affected POs (a blue curve) and
SCs (a red curve) over successive 10K clocks cycles for the
3026 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 12, DECEMBER 2018
Fig. 6. Cumulative fraction of perturbed POs and SCs.
examined designs. In other words, these diagrams give the total
number of outputs and SCs that have been perturbed at least
once up to a given clock cycle. Finally, Fig. 7 displays the
fraction of perturbed outputs and memory elements in a form
of time series, i.e., a series of data points indexed in a clock
cycles order. It allows one to observe how the numbers of dis-
turbed outputs or pseudo-outputs keep changing in the time
domain.
VI. ATTACKS
Depending on their targets, malicious attacks can be classi-
fied into various categories [9], [23]. We briefly address some
of them here to demonstrate how the proposed scheme can act
as a countermeasure. It is worth noting, although, that vulner-
ability assessment of the presented method can also be carried
out in a manner similar to that of the combinational-locking-
based EPIC scheme [24], which provides robust multilayered
defense against a broad range of attacks. Regarding the threat
models, any attempt to use stolen IC/IP will fail, unless a cor-
rect key is known. Given a gate-level netlist one needs to either
analyze a circuit’s functionality to extract an unlocking key or
bypass/remove the scrambler to disable test points.
Since CPs are integral parts of scan chains controlled exclu-
sively by the scrambler, the chip may be unlocked when the
activation module and the scrambler are bypassed or removed.
However, at 22 nm and below, this attack may require unac-
ceptably high investment, which may not be justified by
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS
Fig. 7. Fraction of perturbed POs and SCs per clock cycle.
revenue from pirated ICs. This form of attack could typi-
cally involve some forms of front- or back-side focus ion
beam (FIB) circuit edits. However, this technique is imprac-
tical, if there are hundreds of sites to be altered, especially
when they are in the internal metal layers without damag-
ing other signals or traces. Even if attackers were able to
perform such FIBs, it is not feasible to perform such edits
on large production lines. Furthermore, we assume that an
adversary has no access to the original netlist; if a locked
netlist (with disclosed test points) can be acquired from an
untrusted fab or a designer, then there is no need for logic lock-
ing, and our technique is not applicable. Nevertheless, having
GDSII/OASIS files does not always mean that an untrusted fab
is in possession of a full netlist. Often cells are flat, layer labels
3027
are missing, a layout file is encrypted, or files are partially
split. If the adversary must extract a netlist from a physical
device, then camouflage techniques can make this effort nearly
impossible.
In terms of nondestructive attacks, one may consider meth-
ods that try to reveal a device-unlocking key. These attacks
assume that an attacker has access to a copy of the obfus-
cated netlist and a functional (activated) IC purchased from
the open market (note that it might be infeasible for an adver-
sary to obtain such a chip; for example, the attacker is unlikely
to acquire working devices manufactured for noncommer-
cial purposes or fabricated for the first time—they will not
be available on the market). Typically, the attacker may use
an SAT-based technique in an attempt to discover a key by
3028 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 12, DECEMBER 2018
applying distinguishing input patterns ruling out incorrect key
values [28], [33]. There are two basic scenarios for SAT-based
attacks in scan-based designs. In scenario 1, the attacker has no
access to an SE input, as it has been permanently disabled after
the manufacturing test. The adversary, therefore, has to apply
stimuli through primary inputs and collect responses from POs
of a complex finite-state machine after using a certain num-
ber of clock cycles per a single input/output pair. Since the
presented test-point-based solution has the ability to gradu-
ally change a circuit behavior and to elongate this process
depending on clock cycles applied, the time required to real-
ize that the locking scheme is in progress increases remarkably
the complexity of analyzing input/output data and makes var-
ious forms of attacks, including SAT-based ones, technically
infeasible.
Scenario 2 assumes that the attacker puts a circuit in a TM,
and thus can provide stimuli and retrieve circuit’s responses
through scan chains. Now an SAT-based attack deals with
a combinational circuit, where in addition to pins, bumps, or
pads (POs), SCs and probed signals are also used as outputs
of a locked logic. Typically, the number of such inputs and
outputs exceeds tens of thousands (see Table I), clearly chal-
lenging SAT solvers. Note that test points are now acting as
conventional locking gates. Furthermore, an SAT-based attack
may become impractical, if it can discriminate at most one
incorrect key value with each distinguishing input pattern—the
attack complexity grows then exponentially with the number
of key bits [33].
If one employs the activation scheme of Section III, then
every chip has unique PUF-based CRPs; therefore, they can-
not be discovered by watching signals on another activated
chip. Different chips have virtually always different keys.
Eavesdropping on data exchanged during chip activation will
not reveal a key for other chips.
In contrast to solutions deploying the key gates as a part
of circuit logic, the proposed scheme is resilient to fault-
analysis attacks addressing low correlation between the key
bits. Typically, these attacks are carried out by determining
an input pattern that sensitizes a single key-bit to an out-
put without any interference with other key-gates or primary
inputs. When such a pattern is found, one may apply it to
the functional IC and obtain the value of a specific key-bit.
Again, the presented method is resilient to key propagation
attacks due to the lack of direct access to the activation module
outputs.
VII. C ONCLUSION
There is a widely accepted consensus that IC designers
can no longer take the security of microelectronics hardware
for granted. In this paper, we introduce a new scheme that
improves a circuit security without compromising its over-
all testability at the same time. By integrating the proposed
logic locking scheme into the TPI flow, the complexity of
determining an IC’s secret content has been significantly
raised. Contrary to several earlier solutions where DFT fea-
tures needed additional precautions to protect designs against
malicious reuse of test logic, the presented approach is the first
example of a solution in which existing on-chip DFT infras-
tructure is reused in the mission mode to prevent IP piracy
and assure that verified end-users work with genuine products.
The experimental results obtained for large industrial designs
illustrate feasibility of the scheme and its effectiveness in hid-
ing design functionality from adversaries, and thus protecting
circuits against various piracy attempts.
R EFERENCES
[1] C. Acero et al., “Embedded deterministic test points for compact cell-
aware tests,” in Proc. ITC, Anaheim, CA, USA, 2015, paper 2.2.
[2] J. P. Baukus, L. W. Chow, and W. Clark, “Integrated circuits protected
against reverse engineering and method for fabricating the same
using an apparent metal contact line terminating on field oxide,”
U.S. Patent 7 294 935, 2007.
[3] S. T. Chakradhar, A. Balakrishnan, and V. D. Agrawal, “An exact algo-
rithm for selecting partial scan flip-flops,” in Proc. DAC, San Diego,
CA, USA, 1994, pp. 81–86.
[4] S.-C. Chang, S.-S. Chang, W.-B. Jone, and C.-C. Tsai, “A novel combi-
national testability analysis by considering signal correlation,” in Proc.
ITC, Washington, DC, USA, 1998, pp. 658–667.
[5] R. P. Cocchi, J. P. Baukus, L. W. Chow, and B. J. Wang, “Circuit
camouflage integration for hardware IP protection,” in Proc. DAC,
San Francisco, CA, USA, 2014, pp. 1–5.
[6] J. Da Rolt et al., “Test versus security: Past and present,” IEEE Trans.
Emerg. Topics Comput., vol. 2, no. 1, pp. 50–62, Mar. 2014.
[7] D. Forte, S. Bhunia, and M. Tehranipoor, Eds., Hardware Protection
Through Obfuscation. Heidelberg, Germany: Springer-Verlag, 2017.
[8] M. J. Geuzebroek, J. T. van der Linden, and A. J. van de Goor,
“Test point insertion that facilitates ATPG in reducing test time and
data volume,” in Proc. ITC, Baltimore, MD, USA, 2002, pp. 138–147.
[9] S. Hamdioui et al., “Hacking and protecting IC hardware,” in Proc.
DATE, Dresden, Germany, 2014, pp. 1–7.
[10] D. Hely et al., “Scan design and secure chip [secure IC testing],” in
Proc. IOLTS, 2004, pp. 219–224.
[11] C. Herder, M.-D. Yu, F. Koushanfar, and S. Devadas, “Physical unclon-
able functions and applications: A tutorial,” Proc. IEEE, vol. 102, no. 8,
pp. 1126–1141, Aug. 2014.
[12] V. S. Iyengar and D. Brand, “Synthesis of pseudo-random pat-
tern testable designs,” in Proc. ITC, Washington, DC, USA, 1989,
pp. 501–508.
[13] A. Kumar, J. Rajski, S. M. Reddy, and T. Rinderknecht, “On the gen-
eration of compact deterministic test sets for BIST ready designs,” in
Proc. ATS, 2013, pp. 201–206.
[14] J. Lee, M. Tehranipoor, C. Patel, and J. Plusquellic, “Securing designs
against scan-based side-channel attacks,” IEEE Trans. Depend. Secure
Comput., vol. 4, pp. 325–336, 2007.
[15] J. Lee, M. Tehranipoor, and J. Plusquellic, “A low-cost solution for
protecting IPs against scan-based side-channel attacks,” in Proc. VTS,
Berkeley, CA, USA, 2006, pp. 94–99.
[16] E. Moghaddam, N. Mukherjee, J. Rajski, J. Tyszer, and J. Zawada, “Test
point insertion in hybrid test compression/LBIST architectures,” in Proc.
ITC, Fort Worth, TX, USA, 2016, paper 2.1.
[17] E. Moghaddam, N. Mukherjee, J. Rajski, J. Tyszer, and J. Zawada,
“On test points enhancing hardware security,” in Proc. ATS, Hiroshima,
Japan, 2016, pp. 61–66.
[18] M. Nakao, K. Hatayama, and I. Highasi, “Accelerated test points selec-
tion method for scan-based BIST,” in Proc. ATS, 1997, pp. 359–364.
[19] J. Rajendran et al., “Fault analysis-based logic encryption,” IEEE Trans.
Comput., vol. 64, no. 2, pp. 410–424, Feb. 2015.
[20] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis of
integrated circuit camouflaging,” in Proc. ACM CCS, Berlin, Germany,
2013, pp. 709–720.
[21] J. Rajski, J. Tyszer, M. Kassab, and N. Mukherjee, “Embedded deter-
ministic test,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst.,
vol. 23, no. 5, pp. 776–792, May 2004.
[22] S. Remersaro, J. Rajski, T. Rinderknecht, S. M. Reddy, and I. Pomeranz,
“ATPG heuristics dependant observation point insertion for enhanced
compaction and data volume reduction,” in Proc. DFTVS, Boston, MA,
USA, 2008, pp. 385–393.
[23] M. Rostami, F. Koushanfar, and R. Karri, “A primer on hardware
security: Models, methods, and metrics,” Proc. IEEE, vol. 102, no. 8,
pp. 1283–1295, Aug. 2014.
CHEN et al.: HARDWARE PROTECTION VIA LOGIC LOCKING TEST POINTS
[24] J. A. Roy, F. Koushanfar, and I. L. Markov, “Ending piracy of integrated
circuits,” IEEE Comput., vol. 43, no. 10, pp. 30–38, Oct. 2010.
[25] R. Sedgewick, Algorithms in C++. Part 5: Graph Algorithms. Boston,
MA, USA: Addison-Wesley, 2002.
[26] B. H. Seiss, P. M. Trouborst, and M. Schulz, “Test point insertion for
scan-based BIST,” in Proc. ETC, 1991, pp. 253–262.
[27] S. Skorobogatov and C. Woods, “Breakthrough silicon scanning discov-
ers backdoor in military chip,” in Proc. CHES, 2012, pp. 23–40.
[28] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic
encryption algorithms,” in Proc. HOST, Washington, DC, USA, 2015,
pp. 137–143.
[29] R. Torrance and D. James, “The state-of-the-art in semiconductor reverse
engineering,” in Proc. DAC, New York, NY, USA, 2011, pp. 333–338.
[30] H. Vranken, F. S. Sapei, and H.-J. Wunderlich, “Impact of test point
insertion on silicon area and timing during layout,” in Proc. DATE,
Paris, France, 2004, pp. 810–815.
[31] D. Xiang, Y. Xu, and H. Fujiwara, “Nonscan design for testability
for synchronous sequential circuits based on conflict resolution,” IEEE
Trans. Comput., vol. 52, no. 8, pp. 1063–1075, Aug. 2003.
[32] B. Yang, K. Wu, and R. Karri, “Secure scan: A design-for-test archi-
tecture for crypto chips,” in Proc. DAC, Anaheim, CA, USA, 2005,
pp. 135–140.
[33] M. Yasin, B. Mazumdar, J. J. V. Rajendran, and O. Sinanoglu,
“SARLock: SAT attack resistant logic locking,” in Proc. HOST, 2016,
pp. 236–241.
[34] J. Zhang, “A practical logic obfuscation technique for hardware secu-
rity,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 24, no. 3,
pp. 1193–1197, Mar. 2016.
Michael Chen (M’82) received the B.S. degree in
electrical engineering and computer science from the
University of California at Irvine, Irvine, CA, USA,
in 1982.
In 1991, he joined Mentor Graphics, Wilsonville,
OR, USA. Prior to joining Mentor Graphics, he
was with Hewlett Packard, Palo Alto, CA, USA,
and Xerox, Norwalk, CT, USA. He is currently
the Business Unit Director with the New Ventures
Division, Mentor—a Siemens Business, Wilsonville,
OR, USA. In this position, he manages leading-
edge technology efforts for the company’s design for security platform. He
was among the first to be invited to talk about designing security into the
IC supply chain. He has served as the Chair of the T3S TAB Committee,
Semiconductor Research Corporation, Durham, NC, USA. He has co-invented
several patents.
Mr. Chen has presented at conferences such as GOMACTech, the IEEE
VLSI Test Symposium, Center for Hardware Assurance, Security and
Engineering, SEMICon West (as a Distinguished Presenter), and the Design
Automation Conference.
Elham Moghaddam (S’07–M’11) received the B.S.
and M.S. degrees in computer engineering from
the Sharif University of Technology, Tehran, Iran,
in 2007, and the Ph.D. degree in computer and
electronic engineering from the University of Iowa,
Iowa City, IA, USA, in 2011.
She is currently a Software Developer with
the Design-to-Silicon Division, Mentor—a Siemens
Business, Wilsonville, OR, USA. Her current
research interests include design for testability, low
power embedded test, built-in self-test, and test
data compression.
3029
Nilanjan Mukherjee (S’87–M’89–SM’14) received
the B.Tech. (Hons.) degree in electronics and elec-
trical communication engineering from the Indian
Institute of Technology Kharagpur, Kharagpur,
India, in 1989, and the Ph.D. degree from McGill
University, Montreal, QC, Canada, in 1996.
He is currently the Engineering Director with
the Design-to-Silicon division at Mentor—a Siemens
Business, Wilsonville, OR, USA. He is a co-inventor
of the EDT technology and was a Lead Developer
for the leading test compression tool in the industry,
TestKompress. Prior to joining Mentor, he was with Lucent Bell, Holmdel,
NJ, USA. He has published over 75 technical papers and has co-invented
45 U.S. patents. His current research interests include next generation test
methodologies for deep submicrometer designs, test data compression, test
synthesis, memory testing, and fault diagnosis.
Dr. Mukherjee was a co-recipient of the Best Paper Award at the 1995 IEEE
VLSI Test Symposium, the Best Paper Award at the 2009 VLSI Design
Conference, the Best Student Paper Award at the Asian Test Symposium
in 2001, the 2006 IEEE Circuits and Systems Society Donald O. Pederson
Outstanding Paper Award recognizing the paper on embedded deterministic
test published in the IEEE T RANSACTIONS ON C OMPUTER -A IDED D ESIGN
OF I NTEGRATED C IRCUITS AND S YSTEMS , and the 2012 IEEE International
Test Conference Most Significant Paper Award. He served on the program
committees of several IEEE conferences.
Janusz Rajski (A’87–SM’10–F’11) received the
M.S. degree from the Technical University of
Gdańsk, Gdańsk, Poland, in 1973, and the Ph.D.
degree from the Poznań University of Technology,
Poznań, Poland, in 1982, both in electrical
engineering.
From 1973 to 1984, he was a Faculty Member
with the Poznań University of Technology. In 1984,
he joined McGill University, Montreal, QC, Canada,
where he became an Associate Professor in 1989.
In 1995, he became a Chief Scientist with Mentor
Graphics. He is currently the Vice President of Engineering at Mentor—a
Siemens Business, Wilsonville, OR, USA. He is also the Principal Inventor
of the embedded deterministic test technology used in the first commercial
test compression product TestKompress. His current research interests include
testing of very large-scale integration systems, design for testability, built-in
self-test, and logic synthesis. He has published over 180 research papers in
the above areas and has co-invented 104 U.S. patents.
Dr. Rajski was a co-recipient of the 1993 Best Paper Award for the paper
on logic synthesis published in the IEEE T RANSACTIONS ON C OMPUTER -
A IDED D ESIGN OF I NTEGRATED C IRCUITS AND S YSTEMS, the 1995 and
1998 Best Paper Awards at the IEEE VLSI Test Symposium, the 1999 and
2003 Honorable Mention Awards at the IEEE International Test Conference,
the 2006 IEEE Circuits and Systems Society Donald O. Pederson Outstanding
Paper Award recognizing the paper on embedded deterministic test pub-
lished in the IEEE T RANSACTIONS ON C OMPUTER -A IDED D ESIGN OF
I NTEGRATED C IRCUITS AND S YSTEMS, the 2009 Best Paper Award at
the VLSI Design Conference, the 2011 Best Paper Award at the IEEE
European Test Symposium, and the 2012 IEEE International Test Conference
Most Significant Paper Award. In 1999, he was a Guest Co-Editor of
the special issue of the IEEE Communications Magazine devoted to test-
ing of telecommunication hardware. He was also an Associate Editor of
the IEEE T RANSACTIONS ON C OMPUTER -A IDED D ESIGN OF I NTEGRATED
C IRCUITS AND S YSTEMS, the IEEE T RANSACTIONS ON C OMPUTERS, and
the IEEE Design and Test of Computers Magazine. He has served on technical
program committees of various conferences.
3030 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. 37, NO. 12, DECEMBER 2018

Jerzy Tyszer (M’91–SM’96–F’13) received the Justyna Zawada (M’14) received the M.S. degree
M.S. and Ph.D. degrees in electrical engineering in computer science from Adam Mickiewicz
from the Poznań University of Technology, Poznań, University, Poznań, Poland, in 2012, and the
Poland, in 1981 and 1987, respectively, and the M.S. degree in telecommunications and the Ph.D.
Dr.Hab. degree in telecommunications from the degree in electrical engineering from the Poznań
Technical University of Gdańsk, Gdańsk, Poland, University of Technology, Poznań, in 2014 and 2017,
in 1994. respectively.
From 1982 to 1990, he was a member of the fac- Her current research interests include design for
ulty of Poznań University of Technology, Poland. testability, built-in self-test, automatic test pattern
In January 1990, he joined McGill University, generation, and test security.
Montreal, Canada where was Research Associate
and Adjunct Professor. In 1996, he assumed the position of Professor at
the Faculty of Electronics and Telecommunications of Poznań University of
Technology, Poznań, Poland. His current research interests include design
automation and testing of very large-scale integration (VLSI) systems, design
for testability, built-in self-test, embedded test, and computer simulation of dis-
crete event systems. He has published eight books, over 140 research papers
in the above areas and has co-invented 70 U.S. patents.
Dr. Tyszer was a co-recipient of the 1995 and 1998 Best Paper Awards
at the IEEE VLSI Test Symposium, the 2003 Honorable Mention Award at
the IEEE International Test Conference, the 2006 IEEE Circuits and Systems
Society Donald O. Pederson Outstanding Paper Award recognizing the paper
on embedded deterministic test published in the IEEE T RANSACTIONS ON
C OMPUTER -A IDED D ESIGN OF I NTEGRATED C IRCUITS AND S YSTEMS, the
2009 Best Paper Award at the VLSI Design Conference, the 2011 Best
Paper Award at the IEEE European Test Symposium, and the 2012 IEEE
International Test Conference Most Significant Paper Award. In 1999, he was
a Guest Co-Editor of the special issue of the IEEE Communications Magazine
devoted to testing of telecommunication hardware. He has served on technical
program committees of various conferences.