
Publication


Featured research published by Jean Da Rolt.


Hardware Oriented Security and Trust | 2011

New security threats against chips containing scan chain structures

Jean Da Rolt; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre

Insertion of scan chains is the most common technique to ensure observability and controllability of sequential elements in an IC. However, when the chip deals with secret information, the scan chain can be used as a back door for accessing secret (or hidden) information, and thus jeopardize the overall security. Several scan-based attacks on cryptographic functions have been described and have shown the need for secure scan implementations. These attacks assume a single scan chain. However, the conception of large designs and restrictions in terms of test costs may require the implementation of many scan chains and additional test infrastructures for test response compaction. In this paper, we present a new generic scan attack that covers a wide range of industrial test infrastructures, including spatial response compressors.


VLSI Test Symposium | 2012

Are advanced DfT structures sufficient for preventing scan-attacks?

Jean Da Rolt; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre

Standard Design for Testability (DfT) structures are well known as potential sources of confidential information leakage. Scan-based attacks have been reported in publications since the early 2000s. It has been shown, for instance, that the secret key for symmetric encryption standards (DES, AES) could be retrieved from information gathered on scan-out pins when scan chains are fully observed through these pins. However, DfT practices have progressed to adapt to large and complex designs, with techniques such as test response compaction, associated X-masking structures, partial scan, etc. As a side effect, these techniques mask part of the information collected on scan outputs. Thus, at first glance, they may appear as countermeasures against scan-based attacks. Nevertheless, in this paper we show that DfT structures, regardless of their nature, do not inherently enhance security and that specific additional countermeasures are still needed. We propose a new scan attack able to deal with designs where only part of the internal circuit state is observed for test purposes.


IEEE Transactions on Emerging Topics in Computing | 2014

Test Versus Security: Past and Present

Jean Da Rolt; Amitabh Das; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre; Ingrid Verbauwhede

Cryptographic circuits need to be protected against side-channel attacks, which target their physical attributes while the cryptographic algorithm is in execution. There can be various side-channels, such as power, timing, electromagnetic radiation, fault response, and so on. One such important side-channel is the design-for-testability (DfT) infrastructure present for effective and timely testing of VLSI circuits. The attacker can extract secret information stored on the chip by scanning out test responses against some chosen plaintext inputs. The purpose of this paper is to first present a detailed survey on the state-of-the-art in scan-based side-channel attacks on symmetric and public-key cryptographic hardware implementations, both in the absence and presence of advanced DfT structures, such as test compression and X-masking, which may make the attack difficult. Then, the existing scan attack countermeasures are evaluated for determining their security against known scan attacks. In addition, JTAG vulnerability and security countermeasures are also analyzed as part of the external test interface. A comparative area-timing-security analysis of existing countermeasures at various abstraction levels is presented in order to help an embedded security designer make an informed choice for his intended application.


International Workshop Constructive Side-Channel Analysis and Secure Design | 2012

A new scan attack on RSA in presence of industrial countermeasures

Jean Da Rolt; Amitabh Das; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre; Ingrid Verbauwhede

This paper proposes a new scan-based side-channel attack on RSA public-key cryptographic implementations in the presence of advanced Design for Testability (DfT) techniques. The attack is performed on an actual hardware implementation, for which different test scenarios were conceived (response compaction, X-Masking). The practical aspects of scan-based attacks on the RSA cryptosystem are also presented. Additionally, a novel scan-attack security analysis tool is proposed which helps in evaluating the scan-chain leakage resilience of security circuits.


ACM Transactions on Design Automation of Electronic Systems | 2013

A novel differential scan attack on advanced DFT structures

Jean Da Rolt; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre

Scan chain insertion is the most common technique to ensure the testability of digital cores, providing high fault coverage. However, for ICs dealing with secret information, scan chains can be used as back doors for accessing secret data, thus becoming a threat to system security. So far, advanced test structures used to reduce test costs (e.g., response compaction) and achieve high fault coverage (e.g., Xs masking decoder) have been considered as intrinsic countermeasures against these threats. This work proposes a new generic scan-based attack demonstrating that these test structures are not sufficiently effective to prevent leakage through the test infrastructure. This generic attack can be easily adapted to several cryptographic implementations for both symmetric and public key algorithms. The proposed attack is demonstrated on several ciphers.


IEEE Transactions on Very Large Scale Integration Systems | 2014

Thwarting Scan-Based Attacks on Secure-ICs With On-Chip Comparison

Jean Da Rolt; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre

Hardware implementation of cryptographic algorithms is subject to various attacks. It has been previously demonstrated that scan chains introduced for hardware testability open a back door to potential attacks. Here, we propose a scan-protection scheme that provides testing facilities both at production time and over the course of the circuit's life. The underlying principle is to scan in both input vectors and expected responses and to compare expected and actual responses within the circuit. Compared to regular scan tests, this technique has no impact on the quality of the test or the model-based fault diagnosis. It entails negligible area overhead and avoids the use of an authentication test mechanism.


Journal of Electronic Testing | 2013

Secure JTAG Implementation Using Schnorr Protocol

Amitabh Das; Jean Da Rolt; Santosh Ghosh; Stefaan Seys; Sophie Dupuis; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre; Ingrid Verbauwhede

The standard IEEE 1149.1 (Test Access Port and Boundary-Scan Architecture, also known as JTAG port) provides a useful interface for embedded systems development, debug, and test. In an 1149.1-compatible integrated circuit, the JTAG port allows the circuit to be easily accessed from the external world, and even to control and observe the internal scan chains of the circuit. However, the JTAG port can also be exploited by attackers to mount several cryptographic attacks. In this paper we propose a novel architecture that implements a secure JTAG interface. Our JTAG scheme allows for mutual authentication between the device and the tester. In contrast to previous work, our scheme uses provably secure asymmetric-key based authentication and verification protocols. The complete scheme is implemented in hardware and integrated with the standard JTAG interface. Detailed area and timing results are also presented.


Defect and Fault Tolerance in VLSI and Nanotechnology Systems | 2012

A scan-based attack on Elliptic Curve Cryptosystems in presence of industrial Design-for-Testability structures

Jean Da Rolt; Amitabh Das; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre; Ingrid Verbauwhede

This paper presents a scan-based attack on hardware implementations of Elliptic Curve Cryptosystems (ECC). Several up-to-date Design-for-Testability (DfT) features are considered, including response compaction, X-Masking and partial scan. Practical aspects of the proposed scan-based attack are described, namely timing and leakage analysis that allows finding out data related to the secret key among the bits observed through the DfT structures. We use an experimental setup which allows full automation of the proposed scan attack on designs including DfT configurations. We require around 8 chosen points to implement the attack for retrieving a 192-bit scalar.


International On-Line Testing Symposium | 2013

A smart test controller for scan chains in secure circuits

Jean Da Rolt; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre

Structural testing is one important step in the production of integrated circuits. The most common DfT technique is the insertion of scan chains, which increases the observability and the controllability of the circuit's internal nodes. Nevertheless, malicious users can use the scan chains to observe confidential data stored in devices implementing cryptographic primitives. Therefore, scan chains inserted in secure ICs can be considered as a source of information leakage. Several countermeasures exist to cope with this type of problem. However, they either introduce high area overheads or they require modifications to the original design or the test protocol. In this paper we present a smart test controller that is able to prevent all known scan attacks. The controller does not require any additional signals, it is transparent to the designer and it does not require any modifications of the test protocol and procedure. Moreover, it introduces a very small area overhead.


Journal of Cryptographic Engineering | 2012

Scan Attacks on Side-Channel and Fault Attack Resistant Public-Key Implementations

Jean Da Rolt; Amitabh Das; Santosh Ghosh; Giorgio Di Natale; Marie-Lise Flottes; Bruno Rouzeyre; Ingrid Verbauwhede

Cryptographic devices are the targets of side-channel attacks, which exploit physical characteristics (e.g. power consumption) to compromise the system's security. Several side-channel attacks and countermeasures have been proposed in the literature in the past decade. However, countermeasures are usually designed to resist attacks for a single side-channel. Few papers study the effects of a particular countermeasure against a specific side-channel attack on another attack which was not the target of the countermeasure. In this paper, we present scan-based side-channel attacks on public-key cryptographic hardware implementations in the presence of countermeasures for power analysis and fault attacks. These aspects were not considered in any of the previous work on scan attacks. We have also considered the effect of Design for Test structures such as test compression and X-masking in our work to illustrate the effectiveness of our proposed scan attack on practical implementations. Experimental results showing the requirement of the number of messages/points and retrieval time are presented to evaluate the complexity of the attacks. Results show that algorithmic countermeasures for Simple Power Analysis and Fault attack are not immune against our differential scan attacks, whereas the algorithmic countermeasures against Differential Power Analysis are secure against such scan attacks.

Top Co-Authors

Bruno Rouzeyre (Centre national de la recherche scientifique)

Giorgio Di Natale (Centre national de la recherche scientifique)

Marie-Lise Flottes (Centre national de la recherche scientifique)

Amitabh Das (Katholieke Universiteit Leuven)

Ingrid Verbauwhede (Katholieke Universiteit Leuven)

Gabriel L. Nazar (Universidade Federal do Rio Grande do Sul)

Luigi Carro (Universidade Federal do Rio Grande do Sul)

Ronaldo Rodrigues Ferreira (Universidade Federal do Rio Grande do Sul)

Álvaro F. Moreira (Universidade Federal do Rio Grande do Sul)

Santosh Ghosh (Katholieke Universiteit Leuven)