This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination. IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS 1 Thwarting Scan-Based Attacks on Secure-ICs With On-Chip Comparison Jean Da Rolt, Giorgio Di Natale, Marie-Lise Flottes, and Bruno Rouzeyre Abstract— Hardware implementation of cryptographic algorithms is subject to various attacks. It has been previously demonstrated that scan chains introduced for hardware testability open a back door to potential attacks. Here, we propose a scan-protection scheme that provides testing facilities both at production time and over the course of the circuit’s life. The underlying principles to scan-in both input vectors and expected responses and to compare expected and actual responses within the circuit. Compared to regular scan tests, this technique has no impact on the quality of the test or the model-based fault diagnosis. It entails negligible area overhead and avoids the use of an authentication test mechanism. Index Terms—Design-for-testability (DfT), scan-based attack, security, testability. I. I NTRODUCTION Many aspects of our daily lives rely on electronic data interchange. Encryption algorithms are used to guarantee the confidentiality, integrity, and authenticity of these exchanges. These algorithms are implemented on dedicated hardware for performance optimization and to embed confidential information, which must be kept secret from unauthorized users. Imperfect production processes of electronic devices lead to the need for manufacturing testing to sort out defective circuits from good ones, whatever be the target application. This is even more relevant for secure circuits where a physical defect could jeopardize the security of the confidential information. However, the most common practice for testing digital devices relies on a scan-chains insertion that guarantees a high fault coverage and thus an ultimate product quality, but opens backdoors to security threats too. The “Scan attacks” described for instance in [1] and [2] utilize the access offered by scan chains’ IOs for retrieving the secret key of an encryption core. These attacks rely on the possibility to observe the circuit’s internal state while this state is related to the secret. A common industrial practice to solve this security threat is to physically disconnect the scan chains after production testing by blowing the fuses located at both ends of the scan chains. However, this solution impedes the testing of those devices requiring being tested after manufacturing. In particular, the correct behavior of the secure circuits should be validated after the introduction of the secret key, which can be programmed at any time of the circuit’s lifecycle. This secured information can indeed be owned by any cir- cuit producer (e.g., designer, manufacturer, and system integrator) or user (e.g., reseller or final customer). In addition, scan disconnection stops any further analysis, e.g., diagnostic, or cannot be considered Manuscript received November 5, 2011; revised February 24, 2013; accepted March 30, 2013. This work was supported by Région Languedoc- Roussillon/Feder under the Contract “Prosecure.” This work is part of J. Da Rolt’s Ph.D. thesis. The authors are with the Laboratoire d’Informatique de Robot- ique et de Microélectronique de Montpellier, Centre National de la Recherche Scientifique, Montpellier 34392, France (e-mail: darolt@lirmm.fr; dinatale@lirmm.fr; flottes@lirmm.fr; rouzeyre@lirmm.fr). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TVLSI.2013.2257903 as an appropriate response to the scan attack if the connection can be reconstructed. In the literature, several solutions have thus been proposed to avoid disconnecting scan chains after manufacturing testing. However, these solutions are either expensive or not fully safe against new scan attacks. In this brief, we describe a new design-for-testability (DfT) architecture that eliminates the need to disconnect the scan chains. This approach is based on the concept of withholding informa- tion. The test procedure consists in providing both the test vectors and expected test responses to the device-under-test (DUT) for an on-chip comparison. Methods for the on-chip comparison of actual and expected test responses have already been explored in other contexts [3]–[6], mainly to reduce the test data volume to transfer from DUTs to test equipment. However, none of these solutions achieve the target security requirements since individual bit values stored in the scan chains can still be observed or deducted from observed data, thanks to the test circuitry. Because testability features must not be implemented to the detri- ment of the security of the circuit, and vice versa, this brief also discusses test and diagnostic procedures with our DfT proposal, as well as security of the circuit with respect to attacks perpetrate on the test infrastructure. This brief is organized as follows. Section II summarizes the most relevant design-for-testability-and-security proposals from the literature, and discusses their related drawbacks. The detailed imple- mentation of the module in charge of the proposed test strategy is described in Section III, and related costs and impact in terms of insertion in the design flow are also presented. Section IV discusses security, testability, and diagnostic issues related to the introduction of the proposed test scheme. Finally, Section V concludes on this brief. II. RELATED WORKS Several countermeasures have been proposed to face the scan attacks, while allowing access to the scan chain after the manufac- turing test. Two classes of solutions can be found in literature: the use of dedicated secure test wrappers, and the introduction of hidden functions to obfuscate the real contents of the scan chains. Solutions based on the use of secure test wrappers basically implement an FSM with two states: mission mode and test mode. In mission mode, the circuit handles confidential data and the scan chain cannot be accessed (i.e., the scan enable is forced to 0). Conversely, scan facilities can be used in test mode because there is not any confidential data processed in the circuit in this mode. Implementing secure modes for testing without leakage of confidential data depends on: how is implemented the process for switching from (to) mission to (from) test mode; how confidential information is removed from the data flow when a switch to test mode is required; and finally, how to further protect data in mission mode against invasive attacks on the test infrastructure. Switching from mission to test mode is usually implemented by resorting to an authentication protocol. For instance, the solution presented in [7] offers a security extension for IEEE 1149.1 standard where the test controller must receive a secret wrapper key to enable the test mode. More complex wrappers based on challenge- response protocols were proposed in [8] and [9]. However, a secured authentication method requires the implementation of crypto 1063-8210/$31.00 © 2013 IEEE