CN110020558A - A kind of safe crypto chip Testability Design structure under boundary scan design environment - Google Patents

Abstract

The invention discloses a testability design structure for protecting an AES cryptographic chip from scanning attacks in a boundary scan design environment. The secure testability design structure introduces shift enable logic, scan chain mode switching reset logic and key isolation logic on the basis of conventional boundary scan design structure. The shift enable logic is used to disable the scan shift operation in functional mode; the scan chain mode switch reset logic causes the chip to first perform a reset operation when switching from functional mode to test mode, thus protecting the secret stored in the scan chain information; key isolation logic is used to isolate encryption keys in test mode, preventing attackers from obtaining key information in test mode. The present invention does not introduce new input and output signals, only requires little hardware overhead, can automatically protect the chip, and can resist all potential scan-based side channel attacks without compromising the testability of the circuit.

Description

A Secure Design Structure for Cryptographic Chip Testability in Boundary Scan Design Environment

technical field

The invention belongs to the field of chip security, and more particularly, relates to a security testability design structure for protecting a cryptographic chip from scanning-based non-intrusion attacks.

Background technique

With the development of emerging technologies such as the Internet of Things and big data, information security and privacy have become more and more important, and cryptographic algorithms have been widely used. Since software implementation provides low data throughput and requires more computing resources, cryptographic algorithms are usually implemented using hardware modules. Encryption algorithms have zero tolerance for failures, so encryption hardware needs to undergo rigorous testing.

The scanning design improves the controllability and observability of the internal triggers of the chip, and transforms the test of sequential circuits into the test of combinational circuits, which brings great convenience to the test of integrated circuits, and has become the testability widely used in today's industry. Design technology. As shown in Figure 1(a), by adding a 2-to-1 multiplexer at the input, a flip-flop becomes an internal scan cell (ISC). The ISC has two selectable input sources: data input (DI) and scan input (SI). DI is the input of the original flip-flop, while SI is driven by the output of another ISC. The shift enable signal (Shift_en) determines whether DI or SI is selected. The ISC output is both a data output (DO) and a scan output (SO). In addition, testing a chip with a large number of input/output (I/O) ports is a huge challenge since test equipment typically has limited data channels. The boundary-scan design successfully solves this problem by equipping each chip I/O with a boundary-scan cell (BSC). A BSC consists of two D flip-flops and two multiplexers, as shown in Figure 1(b). As the input BSC, the input source DI is driven by the chip input port (ChipIn), and the data output DO corresponds to the original input (PI) of the internal logic. As an output BSC, the input source DI is driven by the original output (PO) of the internal logic, and the data output DO corresponds to the chip's output port (ChipOut). The value propagated to DO is determined by the operating mode selection signal (Mode_sel). The inner scan chain (or boundary scan chain) is a shift register formed by concatenating the SO of the ISC (or BSC) with the SI of the subsequent cells. The scan chain can be accessed from the outside by connecting the SI of the first scan unit in the scan chain to the chip input pins and the SO of the last scan unit to the chip output pins. When Mode_sel=0 and Shift_en=0, the chip operates in functional mode. At this time, regardless of BSC or ISC, DO is directly driven by DI. When Mode_sel=0, the chip runs in test mode, which has three operation phases: shift, update and capture. In the shift phase, Shift_en=1, the shift clock pulse is applied to the clock input of each BSC and ISC, and the test vector is shifted into the scan chain by the scan shift, and the test response is shifted out of the scan chain at the same time. During the BSC-only update phase, the test data stored in D1 (called the capture flip-flop) is transferred to D2 (called the update flip-flop) by providing a clock pulse to the UpdateClock of each BSC. At this time, the state of D2 is transmitted to the DO of the BSC. In the capture phase, Shift_en=0, a capture clock pulse is applied to each BSC and the clock input of the ISC, and the response value at DI is captured into the D1 of the ISC or BSC.

Inserting a scan chain into the cryptographic chip improves its testability and ensures the test quality of the chip; on the other hand, it also brings security risks to the cryptographic chip. With the help of scan chains, an attacker can load arbitrary plaintext at the input of the chip, and then observe the encrypted intermediate state at the output of the scan chain. Finally, the key is cracked based on the known plaintext, the corresponding intermediate state, and knowledge of the encryption algorithm. AES (Advanced Encryption Standard) is a widely used encryption algorithm, and AES chips are reportedly vulnerable to scan-based attacks. The purpose of the present invention is to improve the existing testability design structure to protect the AES chip from scan-based side channel attacks.

Among the existing patents, no patented invention has been found that is similar to the testability design structure of a secure cryptographic chip in a boundary scan design environment.

SUMMARY OF THE INVENTION

Aiming at the defects of the existing boundary scan technology, the purpose of the present invention is to provide a safe scan design scheme, which can overcome the scan-based side channel attack without affecting the circuit performance and test quality.

In order to achieve the above object, the present invention provides a safe testability design scheme in a boundary scan design environment. Compared with the conventional scan design scheme, the proposed security testability design scheme adds a scan chain reset mechanism, a key isolation mechanism and a shift enable mechanism. When the chip switches between the test mode (Mode_sel=1) and the functional mode (Mode_sel=0), the scan chain is first reset to clear the stored confidential information, thereby preventing scan attacks based on mode switching. In test mode (Mode_sel=1), the key is isolated from the encryption module, so that scanning attacks that rely only on test mode can be overcome. In functional mode (Mode_sel=0), the shift operation is disabled Thus, it is possible to defeat the illegal use of scan attacks with shift operations in functional mode.

The security testability design structure of the present invention adds shift enable logic, scan chain mode switching reset logic and key isolation logic on the basis of conventional boundary scan design, as shown in FIG. 2 . The conventional scan chain is formed by transforming the key register in the round key generator, the round register in the round operation unit and other flip-flops in the chip into scanning units in series. The round operation unit and round key generator here are the core components of the AES encryption chip. The safety control logic introduced by the safety testability design of the present invention is described as follows:

1. Shift enable logic

In order to prevent attackers from illegally using shift operation (Shift_en=1) to obtain intermediate encryption results in functional mode (Mode_sel=0), the global (system) shift control signal SHIFT_EN passes through an AND gate and then controls each scan unit (including Shift enable input Shift_en for boundary scan cells and regular scan cells). The other input of the AND gate is controlled by the working mode selection signal Mode_sel, as shown in FIG. 3 . This ensures that when Mode_sel is 0, the shift enable input port of each scan unit can only receive 0, i.e. the shift operation is disabled in functional mode.

2. Scan chain mode switching reset logic

In the traditional scan structure, the global (system) reset input (System_Reset) drives the reset terminal (Reset) of each scan unit, and the chip can be initialized when System_Reset=0, as shown in FIG. 4(a). In order to perform a reset operation during mode switching, the security scan structure proposed by the present invention introduces a scan chain reset logic, including a D flip-flop, an XOR gate and an AND gate, as shown in Figure 4(b). The inserted D flip-flop stores the Mode_sel value from the previous clock cycle. If the Mode_sel of the current clock cycle is the same as the Mode_sel value of the previous clock cycle, the output of the XOR gate is 1. At this point, System_Reset determines the output of the AND gate, that is, the Reset value of each scan unit. Conversely, if the Mode_sel value of the current clock cycle is different from the Mode_sel value of the previous clock cycle, the output of the XOR gate is 0. At this time, no matter what the value of System_Reset is, the output of the AND gate is 0, and the controlled scanning unit performs the reset operation, so that the encrypted information is cleared. In addition, if System_Reset is 0, no matter what the output of the XOR gate is, the output of the AND gate must also be 0, so the system-level reset operation can be performed normally.

3. Key isolation logic

The typical structure of the AES round key generation module is shown in Figure 5, which consists of a key register and some combinational logic. The key register is used to store and output the generated round key. In the original round key generation module, the DI of each storage unit in the key register receives four input signals through a 4-to-1 multiplexer: the encryption key (userkey, that is, the initial key), the previous Round key (roundkey _i-1 , used for decryption), next round key (roundkey _i+1 , used for encryption) and other inputs, as shown in Figure 6(a). The encryption key is loaded from non-volatile memory at the beginning of encryption and is the basis for generating each round key. The multiplexer has two address inputs (labeled A1 and A2 in Fig. 6(a)) for selecting the current round key that needs to be stored. When {A1,A2} is assumed to be {0,0}, {0,1}, {1,0} and {1,1}, select userkey, roundkey _i-1 , roundkey _i+1 and other inputs respectively. When the encryption circuit is powered on, {Mode_sel,Shift_en} is set to {0,0}, and the chip enters the functional mode. First, set {A1,A2} to {0,0} and send the initial key into the key register. On subsequent clock cycles, set {A1,A2} to {1,0}, the key generator will generate and store the next round of keys. When decrypting, set {A1,A2} to {0,1}, generate and store round keys in reverse order.

The key isolation logic is inserted in the round key generation module. It makes the initial key disabled in the test phase by modifying the address input of the multiplexer, as shown in Fig. 6(b). Mode_sel assists A1 and A2 in controlling the multiplexer through several logic gates. When the encryption circuit enters the functional mode (Mode_sel=0), the inserted logic gates do not work, that is, {A1, A2} is always equal to {A1', A2'}. When Mode_sel=1, {A1, A2} are {0,0}, {0,1}, {1,0} and {1,1} corresponding to {A1', A2'} are {1,1 respectively }, {0,1}, {1,0} and {1,1}, i.e. This means that the initial key cannot be passed into the key register in test mode. It should be noted that if the initial key is isolated, then roundkey _i-1 and roundkey _i+1 are not real round keys, they have nothing to do with the initial key, they only depend on the test data of the scan unit in the key register.

Compared with the prior art, the above technical solutions conceived by the present invention have the following beneficial effects:

1. It can overcome all possible scan-based attacks in a boundary scan design environment without changing the test process, so it has no impact on chip testing, allowing all types of tests to be performed, such as fixed-fault testing and delay-fault testing.

2. The safety test structure proposed by the present invention does not add extra input and output signals, and does not require extra test preparation time, can automatically protect the chip, and has little impact on the circuit design.

3. The area cost is low. The testability design structure conceived by the present invention only adds one flip-flop and a small number of logic gates on the basis of the existing testability structure, and the increased area overhead is very low.

Description of drawings

FIG. 1 is a schematic structural diagram of an internal scan unit and a boundary scan unit.

FIG. 2 is an overall block diagram of the security testability design proposed by the present invention.

Figure 3 is a schematic diagram of the shift enable logic.

FIG. 4 is a schematic diagram of a scan chain with a reset function and a scan chain with a mode switching reset function added.

Figure 5 is the AES round key generation module.

Figure 6 shows the key registration structure of the original AES chip and the key registration structure with isolation function.

Detailed ways

The present invention will be described in detail below with reference to the accompanying drawings.

In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the present invention.

When using the technology of the present invention to protect the chip, the above-mentioned security control logic needs to be inserted in the chip design stage. After inserting the safety control logic, the working and testing process of the chip is as follows.

1. After power-on, if the mode selection signal and shift enable signal {Mode_sel, SHIFT_EN} are both set to 0, the cryptographic chip runs in functional mode, and the initial key can be loaded into the key register to perform encryption/decryption operations .

2. After power-on, if the mode selection signal and shift enable signal {Mode_sel, SHIFT_EN} are set to {0, 1}, the Shift_en input of each scanning unit is still 0, the shift operation cannot be performed, and the cryptographic chip runs In functional mode, the initial key can be loaded into the key register to perform encryption/decryption operations.

3. Once Mode_sel changes from 0 to 1, the chip is reset immediately, that is, the state of the scanning unit is cleared. A reset operation will delete confidential information stored in the scan chain. Subsequently, the cryptographic chip works in the test mode. The test mode consists of three operating phases (shift phase, update phase, and capture phase), and alternate among these three operating phases. The SHIFT_EN signal is used to control the rotation between operating phases. In the shift phase, SHIFT_EN=1, the scan unit is in serial shift mode. At this time, when a certain number of Clock clock pulses are applied to the clock input of each BSC and ISC, the test vector can be serially scanned into the scan chain through the scan input pin, and the previous test vector can be scanned through the scan output pin. Test response moved out. Once the test vectors are fully scanned into the scan chain, the chip enters the update phase, and one clock pulse will be applied to each BSC's UpdateClock. In this update phase, the test data stored in D1 (BSC's capture flip-flop) is fed to D2 (BSC's update flip-flop), while the test vector is applied to the combinational logic through the DO of the scan cell. Next, SHIFT_EN becomes 0 and the circuit enters the capture phase for one clock cycle. During this capture phase, the test response is loaded into the scan chain via DI. Since the initial key cannot be loaded when Mode_sel=0, the response captured in the capture phase key register is independent of the initial key. This ensures that responses removed from the scan chain do not contain confidential information. By setting SHIFT_EN to '1' again, the previously captured test response will be shifted out of the scan chain through the scan output port, while the next test vector is shifted into the scan chain.

4. If Mode_sel is first set to 1 after power-on, the cryptographic chip will work in the test mode immediately, and the test mode consists of shift phase, update phase and capture phase. The specific operation process is similar to the above 3.

The cryptographic chip can switch the working mode freely. Once a mode switch request is received, the chip is reset immediately.

Based on the detailed description of the security testability design scheme above, its working principle can be summarized as follows: an attacker cannot perform a shift operation in functional mode, and cannot shift the chip from functional mode to test mode to remove the memory in the scan chain. Confidential information cannot be obtained in test mode, so a scan-based non-break-in-time attack is practically impossible.

Those skilled in the art can easily understand that the above are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention, etc., All should be included within the protection scope of the present invention.

Claims (4)

1. A safe cryptographic chip testability design structure under the boundary scan design environment is characterized in that, on the basis of conventional boundary scan design, shift enable logic, scan chain mode switching reset logic and key isolation logic are introduced . The shift enable logic is used to disable the scan shift operation in functional mode; the scan chain mode switch reset logic causes the chip to first perform a reset operation when switching from functional mode to test mode, thus protecting the secret stored in the scan chain information; key isolation logic is used to isolate encryption keys in test mode, preventing attackers from obtaining key information in test mode. 2. The design structure for safety testability of claim 1, wherein the shift enable logic is controlled by an operating mode selection signal. If the working mode selection signal is "0" (functional mode), the shift enable logic prohibits the scan chain from performing the shift operation, and the chip can only work in the functional mode. If the operating mode selection signal is "1" (test mode), capture and scan shifting can be performed by setting the global (system) shift enable signal at this time. 3. The safety testability design structure according to claim 1, wherein the scan chain mode switching reset logic stores the operating mode selection signal value of the previous clock cycle and compares it with the operating mode selection signal value of the current cycle, if the two Different, the clear input terminal of the scan unit is assigned a valid value, and a reset operation is performed to clear the information in the scan chain. When the global (system) reset signal is a valid value, the scan chain mode switching reset logic allows the scan chain to be cleared directly, thereby ensuring the normal operation of the system reset. If the working mode selection signal value of the two clock cycles before and after is the same and the global (system) reset signal is invalid, the reset operation will not be performed. 4. The security testability design structure according to claim 1, wherein the key isolation logic is controlled by the operation mode selection signal. If the operating mode selection signal is "0" (functional mode), the key isolation logic allows the chip to load the key normally, that is, the key is not isolated. If the operating mode select signal is "1" (test mode), the key isolation logic isolates the key from the chip. The key isolation logic is inserted in the round key generation module, which by modifying the address input of the multiplexer, makes the encryption key unselectable in the test phase with extremely low hardware overhead, so that it cannot enter the key register.