In our previous work, we introduced new concepts of secure scan design; shift register equivalent circuits (SR-equivalents, for short) and strongly secure circuits, and also introduced generalized shift registers (GSRs, for short) to apply them to secure scan design. In this paper, we combine both concepts of SR-equivalents and strongly secure circuits and apply them to GSRs, and consider the synthesis problem of strongly secure SR-equivalents using GSRs. We also consider the enumeration problem of GSRs that are strongly secure and SR-equivalent, i.e., the cardinality of the class of strongly secure SR-equivalent GSRs to clarify the security level of the secure scan architecture.

We reported a secure scan design approach using shift register equivalents (SR-equivalents, for short) that are functionally equivalent but not structurally equivalent to shift registers [10 and also introduced generalized shift registers (GSRs, for short) to apply them to secure scan design [11]-[13]. In this paper, we combine both concepts of SR-equivalents and GSRs and consider the synthesis problem of SR-equivalent GSRs, i.e., how to modify a given GSR to an SR-equivalent GSR. We also consider the enumeration problem of SR-equivalent GFSRs, i.e., the cardinality of the class of SR-equivalent GSRs to clarify the security level of the secure scan architecture.

In our previous work [12], [13], we introduced generalized feed-forward shift registers (GF2SR, for short) to apply them to secure and testable scan design. In this paper, we introduce another class of generalized shift registers called generalized feedback shift registers (GFSR, for short), and consider the properties of GFSR that are useful for secure scan design. We present how to control/observe GFSR to guarantee scan-in and scan-out operations that can be overlapped in the same way as the conventional scan testing. Testability and security of scan design using GFSR are considered. The cardinality of each class is clarified. We also present how to design strongly secure GFSR as well as GF2SR considered in [13].

In our previous work [12], [13], we introduced generalized feed-forward shift registers (GF2SR, for short) to apply them to secure and testable scan design, where we considered the security problem from the viewpoint of the complexity of identifying the structure of GF2SRs. Although the proposed scan design is secure in the sense that the structure of a GF2SR cannot be identified only from the primary input/output relation, it may not be secure if part of the contents of the circuit leak out. In this paper, we introduce a more secure concept called strong security such that no internal state of strongly secure circuits leaks out, and present how to design such strongly secure GF2SRs.

In this paper, we introduce generalized feed-forward shift registers (GF2SR) to apply them to secure and testable scan design. Previously, we introduced SR-equivalents and SR-quasi-equivalents which can be used in secure and testable scan design, and showed that inversion-inserted linear feed-forward shift registers (I2LF2SR) are useful circuits for the secure and testable scan design. GF2SR is an extension of I2LF2SR and the class is much wider than that of I2LF2SR. Since the cardinality of the class of GF2SR is much larger than that of I2LF2SR, the security level of scan design with GF2SR is much higher than that of I2LF2SR. We consider how to control/observe GF2SR to guarantee easy scan-in/out operations, i.e., state-justification and state-identification problems are considered. Both scan-in and scan-out operations can be overlapped in the same way as the conventional scan testing, and hence the test sequence for the proposed scan design is of the same length as the conventional scan design. A program called WAGSR (Web Application for Generalized feed-forward Shift Registers) is presented to solve those problems.

It is important to find an efficient design-for-testability methodology that satisfies both security and testability, although there exists an inherent contradiction between security and testability for digital circuits. In our previous work, we reported a secure and testable scan design approach by using extended shift registers that are functionally equivalent but not structurally equivalent to shift registers, and showed a security level by clarifying the cardinality of those classes of shift register equivalents (SR-equivalents). However, SR-equivalents are not always secure for scan-based side-channel attacks. In this paper, we consider a scan-based differential-behavior attack and propose several classes of SR-equivalent scan circuits using dummy flip-flops in order to protect the scan-based differential-behavior attack. To show the security level of those SR-equivalent scan circuits, we introduce a differential-behavior equivalent relation and clarify the number of SR-equivalent scan circuits, the number of differential-behavior equivalent classes and the cardinality of those equivalent classes.

Scan-based side-channel attacks retrieve a secret key in a cryptography circuit by analyzing scanned data. Since they must be considerable threats to a cryptosystem LSI, we have to protect cryptography circuits from them. RSA is one of the most important cryptography algorithms because it effectively realizes a public-key cryptography system. RSA is extensively used but conventional scan-based side-channel attacks cannot be applied to it because it has a complicated algorithm. This paper proposes a scan-based side-channel attack which enables us to retrieve a secret key in an RSA circuit. The proposed method is based on detecting intermediate values calculated in an RSA circuit. We focus on a 1-bit time-sequence which is specific to some intermediate values. By monitoring the 1-bit time-sequence in the scan path, we can find out the register position specific to the intermediate value and we can know whether this intermediate value is calculated or not in the target RSA circuit. We can retrieve a secret key one-bit by one-bit from MSB to LSB. The experimental results demonstrate that a 1,024-bit secret key used in the target RSA circuit can be retrieved using 30.2 input messages within 98.3 seconds and its 2,048-bit secret key can be retrieved using 34.4 input within 634.0 seconds.