A Novel Secure Scan Design Based on Delayed Physical Unclonable Function

Abstract: Advanced integrated circuits have been widely used in various situations including the Internet of Things, wireless communication, etc. However, their manufacturing process is unreliable, so cryptographic chips must be rigorously tested. Because scan testing provides high test coverage, it is applied to the testing of cryptographic integrated circuits. However, while providing good controllability and observability, it also provides attackers with a backdoor to steal keys. In this paper, a novel protection scheme is put forward to resist scan-based attacks, in which we first use the responses generated by a strong physical unclonable function circuit to solidify fuse-antifuse structures in a non-linear shift register (NLSR), then determine the scan input code according to the configuration of the fuse-antifuse structures and the styles of connection between the NLSR cells and the scan cells. If the key is right, the chip can be tested normally; otherwise, the data in the scan chain cannot be propagated normally, and it is impossible for illegal users to derive the desired scan data. The proposed technique not only enhances the security of cryptographic chips, but also incurs acceptable overhead.


Introduction
Some emerging technologies, such as big data [1,2], the Internet of Things [3,4], wireless sensor networks [5][6][7] and wireless communication [8,9], are developing rapidly. While they bring convenience to human life, they also face a series of security problems, for instance, information theft, malicious attack, etc. Therefore, information security has attracted more and more attention, and at the same time many researchers are concerned with the security of the underlying hardware [10][11][12].

CMC, 2023, vol.74, no.3

The security chip is the foundation of information security: if the security of the chip can't be guaranteed, the security of the information can't be promised. In recent years, with the increasing complexity of integrated circuits and expansion of the design scale, the testing of integrated circuits has become a huge challenge. Advanced design for testability (DFT) methods make manufacturing test and online debugging of chips easier and cheaper by embedding some logic structures such as scan chain, decompressor, test response compactor and X-masker into the circuit at the design stage, so they are particularly popular in the semiconductor industry. The scan design is the most universal DFT methodology, which replaces internal flip-flops with scan cells and makes automatic test pattern generation (ATPG) very efficient [13,14]. At present, the vast majority of integrated circuits have introduced scan chains to improve the testability of the chip, including the controllability and observability [14]. Unfortunately, while the scan design increases the testability, it also provides an attacker with a side-channel. Attackers can control and observe the internal state of the circuit-under-test (CUT) through the side-channel and thereby carry out illegal attacks on the circuit. Therefore, scan-based non-invasive attacks seriously affect the security of hardware [15]. The targets of scan-based attacks mainly include the following aspects:

(1) Obtain confidential information which is stored in the chip. The most common method is to crack the key of encryption chips [16,17]. A typical situation is that the attacker deliberately inserts pre-computed plaintext into chips in functional mode, then the scan chain outputs intermediate results of encryption after one clock cycle (one round of encryption operation). As a result, the attacker inversely deduces the key from the output data.

(2) Reverse engineer the chips to extract organizational structures and functional characteristics. A timing circuit can be converted into a combinational circuit by full-scan design. An attacker can reveal the internal state of the circuit by the input-output relationships of scan design. Clearly, the scan design facilitates this attack, where the attacker only needs to rely on the most common test devices to access data in the scan chain, then uses Boolean function learning methods to implement this attack [18].

(3) Illegal manipulation or destruction of chips. An attacker can implant illegal data into registers to manipulate and corrupt chips [19].
As seen above, it is easy to perform scan-based attacks on circuits, because such attacks do not come at an expensive price. Therefore, scan-based attacks are more likely to be used against cryptographic chips than attacks based on timing analysis, power and electromagnetic radiation [20].
It is not wise for chip designers to ignore testability for security or security for testability, so maintaining a balance point between security and testability is the collective goal which every designer pursues. For the testability and security of encryption chips, researchers have proposed a number of countermeasures. Hely et al. [21] protected the test mode by inserting a test controller into the CUT to resist switching between functional mode and test mode. Although this countermeasure successfully prevents the mode-switching attack, it is vulnerable to the test-only mode attack. In order to prohibit arbitrary switching between the two modes, Wang et al. [22] proposed to separate the key from the cryptographic module in test mode. This scheme is able to successfully prevent attacks with test-only mode and mode switching. Yang et al. [16] divided the CUT operation into two types, i.e., secure mode and insecure mode. In secure mode, the encryption module can't enter the insecure mode to start the test, but it can operate normally. In insecure mode, the chips can be tested but can't move the key into the register. This makes the key more secure. The authors of [23][24][25] proposed several schemes to obfuscate scan data by altering the construction of the original scan design. For example, in [23] and [24], the authors interfere with the intermediate results by changing the connection relationship in subchains of the scan chain. However, a skilled attacker is still able to carry out signature attacks despite not knowing the styles of connection between scan cells [26,27]. Cui et al. [25] proposed a scheme based on static and dynamic obfuscation. The test key is used to control the test control ports of multiple SFFs (scan flip-flops) in this scheme. Before performing the test, the test key is continuously scanned into the CUT. If the key is correct, the test proceeds normally; otherwise, the controlled units can't obtain the data of the previous SFF, but can obtain the data from the CUT. A lock and key solution based on Physical Unclonable Function (PUF) [12] was proposed in [28]. Although this modified design improves security, it induces excessive overhead. Vaghani et al. encrypted the test response with cipher keys, and decrypted the encrypted response with a specific device before using the CUT [29]. So it increases the complexity and overhead of the scan design. In addition, there are other countermeasures such as monitoring the behavior of users. When the system detects illegal activities, it will automatically initiate a protection mode. In [30], a method based on machine learning was proposed to detect the user's behavior. However, a drawback of these methods is that when a new attack occurs, the entire training process must be executed again.
To resist scan-based attacks, this paper proposes a novel PUF-based security architecture. In this scheme, the scan input code (SIC) is required to determine whether the test operation can be performed normally during test mode. If the scan input code is incorrect, the scan chain can't transmit data normally. This is realized by inserting some logic elements around the scan cells to form a locking mechanism. Once a wrong code value appears, data obfuscation will occur during the shift. As a result, it is impossible for an attacker to infer the key. A non-linear shift register (NLSR) is added to store the scan input code, and the scan input code is determined by the configuration of the fuse-antifuse structures (referred to as CF units) in the NLSR and the styles of connection between the NLSR and the scan chain. The main contributions of this paper are summarized below:

- A novel scan architecture is proposed to combat scan attacks. The security of the scan design is improved by embedding management circuitry into the circuit, and the proposed structure imposes no performance penalty, for example, it reduces overhead without reducing the testability and timing delay of the chip.
- We propose a PUF circuit to control fuse-antifuse structures. This method makes each chip have a unique key. In addition, bit-flip caused by external physical factors (such as environment, circuit aging, etc.) can be prevented by solidifying the response generated by the PUF into the design.
The rest of this paper is organized as follows. Section 2 reviews a typical scan chain and PUF. Section 3 describes the design goals, basic ideas and architecture of the proposed protection scheme. The experimental results and analysis are presented in Section 4. Section 5 concludes this paper.

Review of Typical Scan Chain and PUF

2.1 Scan Chain
Since scan design provides good controllability and observability, the scan chain was first used for IC test in 1973. Through the scan design, sequential circuits with low testability can be transformed into combinatorial circuits. Among the existing DFT techniques, it is recognized as the best technique [14]. A standard scan cell is formed by the modification of a D flip-flop. The SFF is composed of a 2-to-1 multiplexer and a D flip-flop, and a common scan chain is formed by connecting multiple SFFs in sequence.

PUF
Over the past 20 years, PUF has gradually changed from theoretical research to practical application, and it has great potential in the field of information security. In 2001, Srini Devadas (CSAIL, Massachusetts Institute of Technology) proposed an IC that used PUF to generate the key. PUF has been widely researched as a new security primitive for integrated circuits. It converts minor process deviations in the manufacturing process (e.g., threshold voltage Vth, drain-source current IDS and drain-source resistance RDSON) into digital information (e.g., current and delay). This bias can construct a number of challenge-response pairs (CRPs) for each chip. CRPs are highly random and unique; these properties cannot be cloned and are difficult to predict. PUF has come into play in many security situations such as device authentication, random number generation [31], cryptographic key generation, IP protection [32], trust computing and wireless sensor networks, etc.
In 2001, Pappu et al. [33] formally introduced the concept of Physical One-Way Functions and designed an optical PUF. This PUF exploits the irregularity of particle distribution within the transparent material to generate light spots, which are processed and converted into responses. Tuyls et al. proposed a coating PUF that exploits the capacitive effect [34], where a random coating is added on the chip to change the capacitance values and the measured capacitance values are used as the responses. They are difficult to apply to integrated circuits because of the specificity of optics and coatings. In 2002, Gassend et al. [35] proposed a silicon PUF structure that can be applied to actual circuits, which is implemented by random differences generated during the manufacturing process, and the most important feature is that it can be directly connected to digital circuits and easily integrated. In 2004, Dodis et al. proposed the concept of obfuscated extractor [36], which provides a theoretical basis for PUF that is used for key generation. Lee et al. [37] proposed an arbiter PUF that obtains a one-bit binary output by comparing the delay of two completely symmetrical paths, which determines the length of the delay by an arbiter and has been widely used in the field of integrated circuit security. In this paper, an arbiter is used to generate a unique response. In 2007, Suh et al. proposed the ring oscillator PUF [34,38], which mainly constructs a unique key for each integrated circuit by comparing the oscillation frequency difference of the ring oscillator. To prevent the phenomenon of bit-flip due to circuit aging, in 2017 Liu et al. [39] proposed a special ring oscillator (RO) PUF on the basis of the traditional RO PUF to achieve the goals of low power consumption, high reliability and anti-aging by replacing some common inverters in the design. Holcomb et al. [40] proposed the memory PUF. The most typical memory PUF is the static random-access memory (SRAM) PUF, which generates two stable states of 0 or 1 by powering up SRAM, so that every SRAM will create a PUF output. The largest advantage of this PUF is that there is no need to add additional circuits and the SRAM PUF can be implemented by FPGA.

The Proposed Design Methodology for Secure Scan

3.1 Basic Idea of Proposed Secure Scan Design
In order to improve the controllability and observability of integrated circuits, a DFT architecture is usually introduced to assist with testing; at the same time, the security of cryptographic chips will also be seriously compromised. Various countermeasures have been proposed by researchers, but they all have their own shortcomings. In this paper, a novel protection method is put forward to target scan-based attacks. In the proposed protection scheme, normal scan operations can be performed if the authorized user knows the correct key. When an unauthorized user performs a scan operation, the internal state of the scan chain will be randomly modified by some combinatorial logic nodes and the incorrect key will shift dynamically in the non-linear shift register, which will eventually lead to obfuscation of scan data. If scan data is dynamically scrambled, the attack will end in failure.
The operation process of secure scan design is as follows. After power-on, the circuit is first reset, and the shift enable signal SE of the circuit determines the operation mode. When SE is low-level (i.e., SE = 0), the encryption circuit enters the function mode. When SE becomes '1', the scan input code needs to be sequentially scanned into a non-linear shift register in the next N clock cycles. If the scan input code is completely correct, the circuit will perform the normal scan operation and successfully shift the scan data into the scan chain without any external influence. If it is incorrect, the wrong scan input code will cause the circuit to operate in an abnormal test mode and the NLSR will produce dynamic obfuscation. During the scan shift, some irregular values will replace values stored in the scan chain, so the attacker can't observe valid data from the output port of the scan chain, and then the encryption key can't be derived.
To make the chip more secure and prevent the circuit from aging, we use a strong PUF to generate keys for integrated circuits. The framework of PUF response solidification is shown in Fig. 1. After power-on, the PUF circuit first receives the corresponding pulse signal, and the output of the PUF will generate a set of binary data accordingly, which will reach the T port of every fuse-antifuse structure. Meanwhile, when the enable signal EN of CF is 0, the initial structure of the CF units is maintained, i.e., no solidification. When the enable signal EN is valid (i.e., EN = 1), the responses generated by the PUF are solidified into the design. The control port T, fed by a bit of the PUF responses, determines the configuration of the CF units. If T is 1, the connection between AF and C is maintained and the connection between F and C is disconnected. Otherwise, if T is 0, the connection between F and C is maintained and the connection between AF and C is disconnected.
The proposed scan design method in this paper is a novel protection architecture. In the next subsection, we will depict the proposed secure design and how the cryptographic chip performs the normal scan operation.

Architecture of Proposed Scan Method
The proposed protection design is presented in Fig. 2, which is mainly composed of the following components: 1) NLSR; 2) Scan Chain; 3) PUF Circuit; 4) Control logic for controlling the shift register and PUF circuit. In this paper, we implant only one scan chain in the circuit. As a matter of fact, multiple scan chains are also applicable to our proposed architecture. The NLSR contains x D flip-flops and y CF units, in which x ≤ y. The size of x is determined by the length of the scan key. It is worth noting that a 2-to-1 multiplexer is inserted in front of the first D flip-flop, whose two data inputs and control pin are driven by the scan input code, the output of the last CF unit in the NLSR and the output of the counter, respectively. A CF unit is inserted in front of each of the remaining D flip-flops. Its two input pins F and AF are respectively connected to the Q and Q̄ of the corresponding D flip-flops, and its design principle is described in Section 3.1. The NLSR is used to control the shift operation of the scan chain, and the connection between two successive NLSR cells is reconfigurable due to the introduction of CF units. When solidifying, the port T that determines the configuration of each CF is driven by the responses generated by the PUF. In order to decrease the size of the PUF circuit, CF units are divided into several groups and each group is driven by the same PUF unit. For example, if y = 64, we can divide the 64 CF units into 8 groups equally, i.e., each group has 8 CF units. The enable signal EN of the first CF unit of each group (i.e., the 1st, 9th, 17th, 25th, ...) is controlled by EN1, the enable signal EN of the second CF unit of each group (i.e., the 2nd, 10th, 18th, 26th, ...) is driven by EN2, and so on for the rest. The control port T of the first 8 CF units is connected to the output port of the first PUF unit, and the control port T of the following 8 CF units is attached to the output of the next PUF unit; the rest is similar.

Two multiplexers, two buffers and a circuit for detecting the transmission speed of the input signal (marked as PA or NA) make up the design of a PUF unit. It is impossible for two timing paths in a PUF unit to be completely symmetrical due to the difference of the manufacturing process, which will cause some delay difference. A timing path includes a multiplexer and a buffer. In the proposed scheme, an arbitration circuit is introduced to detect the delay difference of the two paths and generates a random number when the pulse signal is applied. In order to avoid the unbalanced distribution of the generated PUF responses, the SR latch is introduced as an arbiter because it has good symmetry [47]. In a balanced SR latch, two NOR gates or NAND gates can be used. The following is an example of a NAND latch to show the design principle, as shown in Fig. 3. First, the outputs of the buffers in both paths are set to 0. Then, the signal 1 is distributed to the input of the two multiplexers. After a while, signal 1 should be sent to the output ports of both buffers in theory. Due to the differences of the manufacturing process, signal 1 will not arrive at the output of the buffers at the same time. Supposing that the transmission speed of the first path is faster, as shown in Fig. 3b, Q1 changes from 0 to 1 at t1, but Q2 remains 0. When the signal passes through the NAND gate above, X will go from 1 to 0; however, X̄ is still 1. After Q2 changes from 0 to 1, X and X̄ will maintain 0 and 1 respectively. Fig. 4 shows the case in which the transmission speed of the second path is faster, i.e., Q2 becomes 1 at t1. When the signal passes through the NAND gate below, X̄ changes from 1 to 0, but X remains 1. After Q1 changes from 0 to 1, X and X̄ will maintain 1 and 0 respectively. It can be seen that an SR latch with NAND gates can be used as an arbiter to detect the speed of signal transmission. We also name this SR latch the NAND-type arbiter (referred to as PA); similarly, an arbiter of SR latch with NOR gates is called the NOR-type arbiter (referred to as NA) [48].
) group is decided according to the output of the i-th PUF unit. We refer to this process as PUF response solidification.
In the proposed architecture, some logic gates will be introduced to modify the structure of the scan chain in order to lock the scan design, i.e., some NAND gates (marked as A_i and B_i) will be inserted between SFFs. The output Q (or its complement Q̄) of each NLSR cell is connected to an input of NAND gate A_i and the other input comes from a combinatorial logic node (i.e., a randomly selected node in the CUT). The output of A_i is connected to an input pin of B_i (i = 1, 2, 3, ...) and another input of B_i is connected to the output Q of the scan flip-flop. Assuming that A_i is driven by output Q of the NLSR, the following cases will occur: (1) If Q = 0, the output of A_i is 1 and the output of B_n depends on the output of the previous SFF; (2) If Q = 1, then the output of A_i is opposite to the value of Node_i and the output of B_i can be represented by B_i = Node_i + Q. When Node_i = 1, the low-level output of A_i will cause the succeeding SFF to obtain a steady value 1. On the contrary, when Node_i = 0, the high-level output of A_i will reverse the input of the succeeding SFF to the output of the previous SFF. Thus, the logical obfuscation of the scan chain is achieved by this design, which makes it difficult for illegal users to analyze the key due to the uncertainty of parameters such as Node_i. In order for the scan chain to perform a normal scan operation, it can be easily seen that if one input of A_i is driven by the output Q̄ of the D flip-flops in the NLSR, then the internal state of the NLSR units must be 1. Conversely, if Q is connected to A_i, the internal state of the NLSR cells must be 0. Now we need to define the expected values that allow the scan operation to be performed normally as the key to control SFFs. When the control signal Ad = 0, the scan input code is loaded into the NLSR serially so that the scan key is generated.
The output of the D flip-flops in the NLSR, in addition to being connected to A_n, drives a multi-input OR gate G4. When the SIC is completely shifted into the NLSR, the output of G4 is latched to a D flip-flop DFF1, whose clock port clk1 is driven by the output of G1. One input of G1 is connected to the system clock CLK, and the other input is driven by the carry output Cout of a counter. The output O of DFF1 together with the system clock CLK and shift enable signal SE is fed to the clock signal clk2 through an AND gate G2.
Before the chip is put in service, CF units are solidified by one-time programming. When the circuit is powered on or reset, the modulo-N counter, DFF1 and NLSR are initialized to 0. For the Counter, Cout = 0. The counter has an enable input signal EN, which is connected to the output of G3. Two input pins of G3 are driven by SE and Cout. In test mode (SE = 1), since the output of G3 is high-level, the enable signal EN becomes 1; at the same time, the Counter will be enabled and start counting from zero. During this period, Ad = 0 and the SIC is shifted into the NLSR. When the correct SIC is fully entered, G4 will generate a low level and the output port O of DFF1 will also become 0. Once the SIC is fully loaded, the Counter will reach the maximum value. Hence, Cout will become high-level and G3 low-level. At this time, EN = 0 and the Counter will be disabled. In addition, DFF1 is locked because the clock clk1 is always equal to 1. At the same time, clk2 (the output signal of G2) remains 0, so the D flip-flops in the NLSR will also be locked and the correct scan key is stored in the NLSR. In this case, the output of the NAND gate thus the scan chain can also perform the normal scan operation.
When the SIC is not completely correct, the scan key that controls the SFFs will also be wrong. When the signal Cout of the Counter reaches the maximum value, the clock signal clk1 of DFF1 is disabled and the output 1 of G4 is latched to DFF1, that is, O = 1. From now on, clk2, following CLK, enables each D flip-flop in the NLSR. In test mode, the wrong scan key will shift dynamically in the NLSR. After the scan key passes through the NAND gates {A_i} and {B_i}, the locking mechanism between scan cells will create obfuscation. So the attackers can only get wrong scan outputs and they will be misled.
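The locking behaviour described above can be checked with a small behavioural model. This is an added example, not code from the paper; it assumes that every link of a short chain is guarded, that B_i takes the complemented output of the previous SFF so that an unlocked link passes data unchanged (which matches B_i = Node_i + Q), and that `node_value()` is a constructed stand-in for the CUT nodes.

```python
# Added example: behavioural model of the NAND lock between scan cells.
# Key, CF configuration, pattern and node values below are constructed.

def nand(a, b):
    return 1 - (a & b)

def lock_signals(nlsr_state, key):
    """NLSR-side input of each A_i. A cell whose key bit is 1 is wired from
    Q-bar and a cell whose key bit is 0 from Q, so the signal is 0 exactly
    when the cell holds its key bit."""
    return [q ^ k for q, k in zip(nlsr_state, key)]

def g4(nlsr_state, key):
    """Multi-input OR gate G4: 0 only when every cell holds its key bit."""
    return int(any(lock_signals(nlsr_state, key)))

def nlsr_feedback_step(state, cf_invert):
    """One clk2 edge after loading: the multiplexer feeds the last CF unit's
    output back to the first cell. cf_invert[j] = 1 means CF unit j passes
    Q-bar (T = 1), 0 means it passes Q (T = 0)."""
    feedback = state[-1] ^ cf_invert[-1]
    return [feedback] + [state[j] ^ cf_invert[j] for j in range(len(state) - 1)]

def node_value(i, t):
    """Constructed stand-in for the CUT node wired to A_i at clock t."""
    return (i + t) % 2

def scan_shift(chain, scan_in, locks, t):
    """One shift clock; locks[i] guards the link chain[i] -> chain[i+1]."""
    nxt = [scan_in]
    for i in range(len(chain) - 1):
        a = nand(locks[i], node_value(i, t))
        # Assumption: B_i sees the previous SFF's complemented output.
        nxt.append(nand(a, 1 - chain[i]))
    return nxt

def scan_session(loaded_state, key, cf_invert, pattern):
    """Shift `pattern` through the chain after the SIC has been loaded.
    Returns (O, scan_out) where O is the value latched into DFF1."""
    state = list(loaded_state)
    o = g4(state, key)            # latched once, when Cout goes high
    m = len(key) + 1              # SFFs in the modelled chain
    chain = [0] * m
    out = []
    for t in range(len(pattern) + m - 1):
        bit = pattern[t] if t < len(pattern) else 0
        chain = scan_shift(chain, bit, lock_signals(state, key), t)
        if o:                     # clk2 follows CLK only when O = 1
            state = nlsr_feedback_step(state, cf_invert)
        if t >= m - 1:
            out.append(chain[-1])
    return o, out

KEY = [1, 0, 1, 1]        # constructed expected NLSR state (scan key)
CF_INVERT = [1, 0, 1, 1]  # constructed CF configuration, last entry is feedback
PATTERN = [1, 0, 1, 1, 0] # constructed scan-in data

if __name__ == "__main__":
    print("correct key:", scan_session(KEY, KEY, CF_INVERT, PATTERN))
    print("wrong key:  ", scan_session([0, 0, 1, 1], KEY, CF_INVERT, [0] * 5))
```

With the correct state the pattern leaves the chain unchanged; with one wrong bit an all-zero pattern comes out with 1s injected by the lock.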
As previously reported, the scan input code is related to the following two factors: (1) the configuration of the CF units; (2) the styles of connection between the NLSR and the scan chain. An example of deriving the scan input code is given below. Let's assume that n = 8, that the output Q̄ of each D flip-flop in the NLSR is connected to the succeeding NLSR unit after solidifying the CF units, and that the expected scan key is 10011011, which is derived according to the styles of connection between the NLSR and the scan chain. The scan input code X1, X2, X3, X4, X5, X6, X7, X8 is shifted into the NLSR in eight clock cycles. It can be seen from Tab. 1 that the state of the NLSR is X̄1, X2, X̄3, X4, X̄5, X6, X̄7, X8 after eight cycles. According to the expected scan key and the state of the NLSR after eight clock cycles, the scan input vector can be inferred, i.e., X1, X2, X3, X4, X5, X6, X7, X8 = 00110001.
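The derivation above generalises to any CF configuration. The following added example (not code from the paper) loads a scan input code into a modelled NLSR and inverts that mapping to obtain the code for a given scan key. It assumes the state is written with the cell holding X1 first, as in the example above, and that every CF unit passes the complemented output in that example, which is the configuration under which 10011011 and 00110001 agree.

```python
# Added example: NLSR loading and scan-input-code derivation.
# cf_invert[j] = 1 means the CF unit in front of cell j+1 passes Q-bar
# (T = 1, AF path); 0 means it passes Q (T = 0, F path).

def load_nlsr(sic, cf_invert):
    """Shift `sic` (X1 first) into an all-zero NLSR of len(sic) cells.
    Returns the cell contents, first cell (nearest the input) first."""
    n = len(sic)
    state = [0] * n
    for bit in sic:
        state = [bit] + [state[j] ^ cf_invert[j] for j in range(n - 1)]
    return state

def derive_sic(cell_key, cf_invert):
    """Inverse of load_nlsr: the code that leaves `cell_key` in the cells.
    Cell k holds X_(n-k) after it crossed CF units 0..k-1, so each bit is
    the key bit XOR the parity of the inversions on its way."""
    n = len(cell_key)
    sic = [0] * n
    parity = 0
    for k in range(n):
        sic[n - 1 - k] = cell_key[k] ^ parity
        if k < n - 1:
            parity ^= cf_invert[k]
    return sic

def bits(text):
    return [int(c) for c in text]

def text(bit_list):
    return "".join(str(b) for b in bit_list)

def sic_for_listed_key(listed_key, cf_invert):
    """`listed_key` is written with the cell that holds X1 (the last cell)
    first; the returned code is X1..Xn."""
    return text(derive_sic(bits(listed_key)[::-1], cf_invert))

def listed_state_after_load(sic, cf_invert):
    """NLSR state after loading `sic`, written with X1's cell first."""
    return text(load_nlsr(bits(sic), cf_invert)[::-1])

ALL_COMPLEMENT = [1] * 7          # every CF unit passes Q-bar
ALL_TRUE = [0] * 7                # every CF unit passes Q
MIXED = [1, 0, 0, 1, 1, 0, 1]     # constructed per-chip PUF outcome

if __name__ == "__main__":
    for name, cf in (("all Q-bar", ALL_COMPLEMENT),
                     ("all Q", ALL_TRUE),
                     ("mixed", MIXED)):
        print(name, sic_for_listed_key("10011011", cf))
```

The same scan key needs a different scan input code for each CF configuration, which is why the PUF-solidified configuration makes the code chip-specific.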
The designer should add an output interface to the last CF unit in the NLSR before the chip is tested. When the chip is powered on for the first time, first of all, the designer enters the scan input code. Then the scanned-out data will be observed at the added output port after a few clock cycles. Finally, the designer deduces the configuration information of the NLSR based on the scanned-out data and fuses the added output interface.

Timing Analysis of Proposed Secure Scan Scheme
In order to describe the operational flow of the scan design, Figs. 5 and 6 show the timing diagrams for entering the incorrect key and the correct key respectively.
When the system is reset, the main control signals in the circuit are initialized to 0. In order to enter the functional mode, both RST and SE are set to a low level. In the functional mode, low-level SE causes EN to become low voltage, so the Counter is disabled, and clk2 also becomes low voltage because of SE. The state of the NLSR remains all 0. Therefore, the additional circuit is inactive in functional mode. In order to enter the test mode, the shift enable signal SE is set to 1. At this time, the Counter is enabled and starts counting. At the same time, clk2 is also activated, and the N-bit scan input code is entered into the shift register bit by bit. When the scan input code is completely entered, the output signal Cout (i.e., Cout = 1) of the Counter disables it. As described in Section 3.2, if an incorrect scan input code is loaded into the NLSR during test mode, the output of G4 will become high-level, so the output of DFF1 is 1. The clock signal clk2 is consistent with the system clock signal CLK, and the wrong scan input code will shift dynamically in the NLSR. The timing diagram for entering the incorrect scan key is shown in Fig. 5.
If the correct scan input code is applied, the clock signal clk2 will be disabled and the correct scan key will be stored in the NLSR. This is because the output of G4 becomes low-level. In this case, the system can perform the scan operation normally. The timing diagram for entering the correct scan key is shown in Fig. 6.

The proposed scheme has been implemented and verified on several benchmark circuits including Wb-Conmax, Aes-Ite, aeMB, Vga-Lcd, Aes-Pip [49]. We evaluate the proposed scheme in terms of testability, security, and performance overhead of the design.

Testability Analysis
We have added a protection design to the original circuit, but the added part will not affect the testability of the original circuit. When the user enters the correct scan input key, the circuit can execute the normal scan operation. This solution is generally applicable to various test techniques including stuck-at fault testing, LoC-based delay fault testing and so on. Furthermore, the test process of these technologies does not change in nature. Hence, there is no impact on the testability of the original module.
For faults that appear in the protection circuitry, in general, it is not necessary to perform an additional test operation. For example, if the output of G4 is stuck at 1, the scanned-out response of the CUT will be incorrect even if the scan input code is right. So this fault can be discovered by conventional test and the chip will be considered faulty. If high fault coverage must be ensured in a special application, we can introduce built-in self-test (BIST) to test the protection circuitry.

Security Analysis
The security of the proposed architecture is discussed in detail against several known attacks.
(1) Brute Force Attack: It is almost impossible for illegal users to know the internal structures of the protection circuitry via brute force attack. The reasons are mainly as follows: 1) The scan input code of the circuit is determined according to the configuration of the CF units and the styles of connection between the NLSR and the scan chain; 2) The configuration of the CF units is determined by the generated responses of the PUF; 3) The responses are transformed by the manufacturing process.

Hence, cracking the scan input code by brute force attack is difficult for illegal users without knowing the internal structures of the protection circuitry. The probability of accurately guessing the L-bit scan input code is (1/2)^L. For L = 64 or 128, it is inferred that the probability of guessing the scan input pattern is only 5.4 × 10^−20 or 2.9 × 10^−39. In this case, it is impossible to obtain the key by brute force attack. In actual situations, the value of L is related to two factors: (a) hardware overhead; (b) attack probability.

(2) Differential Attack: In [50], the adversary first runs the system for one or more clock cycles in functional mode after resetting, then enters test mode to obtain intermediate values. Although the attacker can load the prepared plaintext through the primary input, the output of the scan chain will be obfuscated without the correct scan input key. Therefore, this secure scan design can effectively resist differential attack.

(3) Test-Mode-Only Differential Attack: In many security designs, scan chains are reset when switching between test mode and functional mode. Therefore, this can resist the normal differential attack [50]. However, the authors of [51] proposed a new test-mode-only differential attack, which achieves key scan cell identification by shifting under all-zero or special test patterns. In the proposed architecture, these data are not easily loaded into the scan chain because of the protection of the logical obfuscation. Also, the wrong key is dynamically shifted in the NLSR during test mode. This leaves the obfuscated bits in an uncertain state during every clock cycle. Therefore, the proposed design can overcome the test-mode-only differential attack.

(4) Resetting Attack: When the CUT is reset, the attacker knows that the values of all flip-flops are initialized to 0 before scanning out, so the attacker analyzes the correctness of the test key by the scanned-out values. However, in the proposed secure design, since the NLSR is dynamically shifted, the scanned-out data is elusive. Therefore, inferring the scan input code bit by bit from the scanned-out data is not possible. This solution can effectively prevent the resetting attack.

Overhead Analysis
To analyze the overhead, scan designs of the five circuits are synthesized using the Synopsys Design Compiler and Synopsys DFT Compiler respectively. Then, the proposed secure countermeasure is added to the netlist of the scan design and synthesized with DC. In the experiment, the length of the test key (N) is set to 64 and 128. Tab. 2 depicts the synthesis results of the standard scan design and the proposed secure scan design; #SFF represents the number of sequential cells, and the columns marked "Scan" and "Secure" show the area and power of IP cores with insertion of the conventional scan chain and the secure scan design respectively.
For different N, the percentages of area overhead and power overhead of the proposed secure design are given in Tab. 3. The third and fifth columns show the area and power of the protection circuit, respectively. The fourth and sixth columns show the percentage of area overhead and power overhead, respectively. From the table, we can see that, for the same circuit, the secure design with a 128-bit key has a slightly larger area overhead than the design with a 64-bit key. Fig. 7 shows the percentage of area overhead and power overhead of pipelined AES for different N. The figure shows that the area overhead and power overhead also increase as the number of bits of the scan input password increases. For different IP cores, the area overhead percentage is related to the circuit scale. In general, the area overhead percentage decreases as the circuit scale increases.

The area overhead and performance of the proposed secure design are compared with existing techniques in Tab. 4, including MKR [16], Mode reset [21], DOSD-64 [25], DOSD-128 [25], Scan Chain Encryption [52], DOS-10% [53], DOS-30% [53], SLAKE-8-8 [54], FTSL-64 [28] and FTSL-128 [28]. Compared with other countermeasures, the proposed secure design has a low area overhead. Furthermore, in terms of security performance, the proposed design improves security without affecting the performance and testing of the IP core. MKR [16] uses a secure test controller to manage the scan test, which makes brute force attack infeasible, requires no test preparation time and has high pattern application flexibility; however, it cannot test key registers. Mode reset [21] not only has shortcomings similar to those of MKR [16] but also incurs high overhead and is vulnerable to the test-mode-only attack. The DOSD [25] design is similar to the proposed design in many respects, but it incurs path delay overhead. Scan Chain Encryption [52] has many shortcomings, such as high overhead, low pattern application flexibility and multi-cycle pattern decryption. The area overhead of DOS [53] is relatively large, and it is also vulnerable to the memory attack. SLAKE-8-8 [54] requires more cycles of test preparation time. The FTSL [28] design is similar to our proposed design in many respects, but it has a larger area overhead.
As can be seen from Tab. 4, the proposed secure design has the following advantages: high resistance against scan-based attacks, low area overhead, high pattern application flexibility and no impact on the testability of chips.

Notes: (*) Ps means the total skew between the clock and data and Cs means the correct skew to capture the desired value.

Conclusion
In this paper, a novel secure scan design is proposed to protect IP cores from scan-based attacks. In this technique, the data transfer of some selected SFFs is controlled by the scan input code loaded into the NLSR, which is associated with the configuration of the CF units and the styles of connection between the shift register and the scan chain. The configuration of the CF units is determined by PUF responses. Finally, the proposed secure design is verified on Wb-Conmax, Aes-Ite, aeMB, Vga-Lcd and Aes-Pip. Compared with other countermeasures, this scheme has good security, testability, and acceptable hardware overhead.
We assume that the tester is not an attacker in this paper. This means that the tester needs to be taken into confidence. In the future, the secure design should be developed without the risk of revealing the test password.

Figure 1: The framework of PUF response solidification

Figure 3: NAND-type arbiter and timing diagram of Q1 running faster

Figure 5: Timing diagram with incorrect scan input code

Figure 6: Timing diagram with correct scan input code

Figure 7: The percentage of area overhead and power overhead of pipelined AES for different N

Table 2: Synthesis results of scan design and proposed secure design

Table 3: Percentage of area overhead and power overhead of proposed secure design

Table 4: Comparison of different secure scan designs