

#### Scan chain encryption in Test Standards

Mathieu da Silva, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre

#### ▶ To cite this version:

Mathieu da Silva, Giorgio Di Natale, Marie-Lise Flottes, Bruno Rouzeyre. Scan chain encryption in Test Standards. SURREALIST: SecURity, REliAbiLity, test, prIvacy, Safety and Trust of Future Devices, May 2018, Bremen, Germany. , Workshop on SecURity, REliAbiLity, test, prIvacy, Safety and Trust of Future Devices, 2018. lirmm-01882578v2

#### HAL Id: lirmm-01882578 https://hal-lirmm.ccsd.cnrs.fr/lirmm-01882578v2

Submitted on 10 Oct 2018  $\,$ 

**HAL** is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L'archive ouverte pluridisciplinaire **HAL**, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.





# SCAN CHAIN ENCRYPTION IN TEST STANDARDS

Mathieu Da Silva, Marie-Lise Flottes, Giorgio Di Natale, Bruno Rouzeyre

**SURREALIST 2018** 

# CONTEXT



• IEEE 1149 (JTAG) for board testing



01/06/2018

# CONTEXT

**o** Threats Unauthorized Malicious device user TDO TDI Device 1 Device 3 Device BSR BSR Scan chain TMS TCK **IDCODE** TDI Untrusted devices BYP TDO Rosenfeld et al., Attacks and Defenses for JTAG, IEEE Design & Test 2010 IR Malicious users TAP (example: scan attacks) controller Yang et al., Secure Scan: A Design-for-Test Architecture for Crypto Chips, TCAD'06 TMS ТСК



## SUMMARY

- **1)** Scan chain encryption
- 2) State-of-the-art based on test communication encryption
- 3) Implementation with block cipher
- 4) Implementation with stream cipher
- 5) Conclusion



# SCAN CHAIN ENCRYPTION

#### • Solution: test communication encryption



• **Output encryption** prevents reading plain test responses



# SCAN CHAIN ENCRYPTION



- Input decryption prevents sending desired test data
- Output encryption prevents reading plain test responses
- Test/debug only possible by authorized user knowing the secret key



#### Symmetric cipher



• 2 types of symmetric cipher: stream and block ciphers



# STREAM CIPHER / BLOCK CIPHER



- "Naturally" adapted to serial test communication (JTAG, IEEE 1500, IJTAG)
- Smaller area footprint compared to block ciphers
- But ..



### TWO-TIMES PAD: STREAM CIPHER REQUIREMENT

• **Two-times pad**: same key and *IV* re-used => same keystream generated to encrypt different data



 $\Rightarrow$  Possible to carry out attacks if requirement is not fit

 $R1 \oplus S(W, Key) \oplus R2 \oplus S(W, Key)$ 

 $\Rightarrow \text{ Solution: } IV \text{ generated randomly at each circuit reset} \\ R1 \bigoplus S(IV_1, Key) \bigoplus R2 \bigoplus S'(IV_2, Key)$ 



## SUMMARY

- 1) Scan chain encryption
- 2) State-of-the-art based on test communication encryption
- 3) Implementation with block cipher
- 4) Implementation with stream cipher
- 5) Conclusion





01/06/2018

# STREAM-BASED ENCRYPTION ON IEEE 1500 INTERFACE

#### • IEEE 1500 standard

- Similar as JTAG standard, but for SoC wrappers
- Parallel test inputs WPI and parallel test outputs WPO





# STREAM-BASED ENCRYPTION ON IEEE 1500 INTERFACE

- Encrypt test data on a targeted core (IEEE 1500)
  - 1) Send the key to the core via specific scan chain non-visible from the others cores





Rosenfeld et al., Security-Aware SoC Test Access Mechanisms, VTS'11



01/06/2018

# STREAM-BASED ENCRYPTION ON IJTAG INTERFACE

• Encryption of Test Data Register associated to Instruments in the IJTAG network





Kan et al., Echeloned IJTAG data protection, AsianHOST 2016.

# OUR PROPOSITION

• Insertion of block or stream ciphers at Scan-In and Scan-Out



- Assumption: original circuit embedded a crypto-core with its key management and storing
- Scan chain encryption solution shares the key management and storing already implemented



## SUMMARY

- 1) Scan chain encryption
- 2) State-of-the-art based on test communication encryption
- 3) Implementation with block cipher
- 4) Implementation with stream cipher
- 5) Conclusion



# BLOCK CIPHER-BASED SCAN ENCRYPTION

• Implementation on scan chain with 2 PRESENT block ciphers:

- Lightweight (1 PRESENT = 2 139 GE)
- Encryption by 64-bits block size





#### MODE OF OPERATIONS • 64 bits encrypted every 32 clock cycles **Original circuit** $S_2$ $S_1$ $S_i$ $S_{i-1}$ 64 bits (64 bits) (64 bits) (64 bits) (64 bits) Input Scan Output Cipher Scan Cipher Scan chain length #SFF $\Rightarrow$ #SFF = Px64 $\Rightarrow$ No test time overhead on each pattern



#### MODE OF OPERATIONS



## SUMMARY

- 1) Scan chain encryption
- 2) State-of-the-art based on test communication encryption
- 3) Implementation with block cipher
- 4) Implementation with stream cipher
- 5) Conclusion



## STREAM CIPHER-BASED SCAN ENCRYPTION

• Implementation on JTAG:

- 1 TRIVIUM stream cipher (2 016 GE)
- TRNG to generate random IV
- New instruction *GetIV* with a test data register IV





1) TRNG initialization: reach sufficient entropy to generate random number

















### **ENCRYPTION PHASE**

#### • User sends GETIV instruction

 $\Rightarrow$  Shift the content of the IV register out the circuit





#### **ENCRYPTION PHASE**

• User can encrypt and decrypt test data with the **obtained** *IV* and the **shared secret key** 





#### TIME FOR THE INITIALIZATION PROCESS

- $T_{TRNG_{init}}$  to initialize the TRNG
- 80 clock cycles to shift the *IV* in the register
- o 1 152 clock cycles for the stream cipher setup

| Original circuit             | Triple-DES | Pipelined<br>AES-128 | Pipelined<br>AES-256 | RSA 1024   | LEON3      |
|------------------------------|------------|----------------------|----------------------|------------|------------|
| Test time*<br>(clock cycles) | 687 101    | 1 944 877            | 4 559 845            | 39 405 239 | 11 612 051 |
| Test time overhead           |            |                      |                      |            |            |
| Block-based solution (%)     | +0.31      | +0.81                | +0.006               | +0.33      | +0.004     |
| Stream-based solution (%)**  | +0.18      | +0.06                | +0.03                | +0.003     | +0.01      |

\*: Test time considered for a fault coverage of 100%, except for LEON3 where it reaches 70%

\*\*: test time overhead without the initialization of the TRNG



## SUMMARY

- 1) Scan chain encryption
- 2) State-of-the-art based on test communication encryption
- 3) Implementation with block cipher
- 4) Implementation with stream cipher
- 5) Conclusion



# COMPARISON BETWEEN BOTH SOLUTIONS

|                                                         | Block cipher-based solution<br>(PRESENT)                          | Stream cipher-based solution<br>(TRIVIUM)             |  |  |  |  |
|---------------------------------------------------------|-------------------------------------------------------------------|-------------------------------------------------------|--|--|--|--|
| Security                                                |                                                                   |                                                       |  |  |  |  |
| - Scan attacks                                          | Protected                                                         | Protected<br>(two times pad not possible)             |  |  |  |  |
| - Malicious core                                        | Protected                                                         | Protected                                             |  |  |  |  |
| Cost                                                    |                                                                   |                                                       |  |  |  |  |
| - Area                                                  | 10 658.96 μm²                                                     | 5 408.52 μm²<br>(+ 31 200 μm² for TRNG)               |  |  |  |  |
| - Test time                                             | Depends on the scan length<br>(multiple or not of the block size) | Clock cycles required for the<br>initialization phase |  |  |  |  |
| Integration                                             |                                                                   |                                                       |  |  |  |  |
| - Diagnosis & debug                                     | Still possible in-field                                           |                                                       |  |  |  |  |
| - Key management                                        | Re-use key management already implemented                         |                                                       |  |  |  |  |
| <ul> <li>Integration in test<br/>daisy-chain</li> </ul> | Possible issue with the padding of test data                      | No issue                                              |  |  |  |  |





#### ACKNOWLEDGEMENTS

#### • FUI#20 TEEVA Project

#### • Partners



