JP2011107930A - Semiconductor integrated circuit, information processor, data processing method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a configuration which prevents leakage of confidential information leak via a scan chain. <P>SOLUTION: Sub chains are set which are obtained, by dividing the scan chain set as a test path for an IC (an integrated circuit) into a plurality of sub paths, and then a dummy sub chain is constituted, such that scan test data can be input and confidential information is not included. A control circuit for performing control of the scan test determines the validity of a test key to be inputted from an external portions. When it is determined that the input test key is not valid, the dummy sub chain is selected as an object to perform the scan test to perform the scan test. According to this processing, all the scan-out results based on the input data of an attacker are allowed as data that utilize the dummy sub chain; and hence, leakage of confidential information is prevented. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a semiconductor integrated circuit, an information processing apparatus, a data processing method, and a program. More specifically, the present invention relates to a semiconductor integrated circuit, an information processing apparatus, a data processing method, and a program having a configuration that prevents information leakage from a scan circuit that is a test circuit for the semiconductor integrated circuit.

  The modern society is called a card society, and a wide variety of cards such as credit cards, cash cards, prepaid cards, identification cards, and various membership cards are used and are indispensable for daily life. Such various cards often record highly confidential information such as user personal information. Magnetic cards that have been widely used in the past have recorded information on the magnetic stripe on the card, and therefore there is a problem that it is possible to easily read and tamper with magnetic information called skimming. In addition, with the widespread use of cards, a wide variety of services are being provided, and the information stored on the cards is becoming increasingly large and highly valued. Therefore, a card that can safely protect a larger amount of data is now indispensable.

  In order to satisfy such a requirement, there is an IC card in which a semiconductor integrated circuit (IC) is mounted inside the card. There are two types of IC cards, contact type and non-contact type. In either type, various information is stored in the nonvolatile memory in the IC, so more information can be recorded than the magnetic card. is there. In addition, various information and other applications such as programs can be held in the IC, and safety is improved as compared with a magnetic card. As described above, the IC card is excellent in terms of convenience and confidentiality, and is currently widely used in various fields such as a credit card, electronic money, and a satellite pay broadcast card.

  However, on the other hand, damage caused by attacks such as stealing secret information from a semiconductor integrated circuit such as an IC card has also occurred. For example, Non-Patent Documents 1 and 2 disclose attack methods using analysis techniques for ICs. Non-Patent Document 3 discloses an attack technique for acquiring an internal structure and secret information by using a test circuit of the IC itself. In order to counter these various attack methods, countermeasures against fraud analysis on ICs have become indispensable.

  As one of the attacks and analysis methods for the IC, there is a process using a scan test circuit disclosed in Non-Patent Document 3 for inspecting the internal structure of the IC. The attack using the scan circuit is to analyze the internal structure and secret information stored in the IC by inputting / outputting predetermined data to / from the IC. This process does not require reverse engineering of the IC, and analysis can be performed without destroying the IC.

  Therefore, it is indispensable to take measures against attacks using scan circuits as safety measures for IC cards and the like. The scan test is described in, for example, Patent Document 1.

Many flip-flops (FF) are used in ICs (semiconductor integrated circuits).
The scan test is a scan chain having a chain configuration such as a flip-flop (FF) configured inside the IC, that is, whether the circuit inside the IC operates normally by data input / output processing using the scan circuit. In order to confirm whether or not, it is performed as a test at the time of manufacturing the IC.

  The scan circuit is indispensable as a test circuit during IC manufacturing, but an attacker inputs various data using this scan circuit and analyzes the output to analyze the internal structure of the IC. And attacks that illegally acquire internal storage information.

  A flip-flop (FF), which is a component of the scan chain, holds bit values (0, 1) and can input / output bit values at high speed. For example, a cache memory, a register, and other electronic circuits Many are used as constituent elements.

  As one of countermeasures for preventing illegal analysis using such a scan circuit, a method proposed by Lee, Tehranipoor, Patel, and Plusquelic et al. Disclosed in Non-Patent Document 4 (hereinafter referred to as LTPP05). Exists.

  This scan circuit attack countermeasure method [LTPP05] described in Non-Patent Document 4 divides a scan chain to be applied to a scan test into a plurality of subchains, and uses a polynomial known only to the manufacturer in the test circuit as a generator polynomial. An LFSR (linear feedback shift register) is configured.

  At the time of test execution, a scan flip-flop (SFF: Scan Flip-Flop) that selects one sub-chain according to the value set in the LFSR, inputs test data to the selected sub-chain, and is connected to the selected sub-chain The value output from is output.

Further, a secret test key (TK) is used as information necessary for using the test circuit.
At the time of executing the scan test, a test key (TK) is input, and a match with a valid test key held inside is confirmed. If the input test key matches the test key held inside, the initial value of the LFSR can be set from the outside. If the input test key does not match, a random value is automatically set in the LFSR.

  With this configuration, any valid tester who knows the test key (TK) can set an arbitrary initial value for an LFSR having a known structure, so an arbitrary test pattern can be set for an arbitrary subchain. Scan test can be performed after setting.

  However, an attacker who does not know the test key (TK) has an unknown LFSR generator polynomial and cannot set its initial value. For this reason, even if the scan test is executed and the test result for the test pattern set by itself is acquired, it is impossible to specify the subchain selected by the LFSR value. Therefore, it is impossible to specify which sub-chain is the output test result from the IC, making it difficult to associate the input test pattern with the output result, and illegal analysis of the IC internal structure using the scan circuit It is possible to prevent.

However, in the configuration of the attack countermeasure method [LTPP05] disclosed in Non-Patent Document 4, even if the test key (TK) does not match, the test result for the internal structure of the IC that should be kept secret, Output from the output unit.
Therefore, there is a problem that if the attacker can grasp the correspondence between the input test pattern and the output test result, fraud analysis is possible.

  Non-Patent Document 4 states that it is difficult to specify the correspondence between the input and output patterns by calculating the length of the LFSR appropriately. As will be described later, there is actually an analysis method that is more efficient than the analysis method disclosed in Non-Patent Document 4. Accordingly, there is a problem that the length of the LFSR shown in Non-Patent Document 4 can be analyzed within a practical calculation amount range and is insufficient as a safety measure.

Japanese Patent No. 3671948

R. Andeson and M.M. G. Kuhn, “Tamper Resistance-a Category Note,” The Second USENIX Workshop on Electrical Commerce, pp. 1-11, 1996. O. Kommerling and M.M. G. Kuhn, "Design Principles for Tamper-Resistant Smartcard Processors," Smartcard '99, pp. 9-20, 1999. B. Yang, K .; Wu, and R.W. Karri, "Secure Scan: A Design-for-Test Architecture for Crypto Chips," 42th Design Automation Conference 2005, pp. 135-140, 2005. J. et al. Lee, M.C. Tehranipoor, C.I. Patel, and J.M. Plusquelic, “Securing Scan Design Using Lock & Key Technique,” IEEE International Symposium on Defect and Fault Tolerance in VLSI Systems (T5).

  The present invention has been made in view of the above-described problems, for example. A semiconductor integrated circuit, an information processing apparatus, and data processing for preventing information leakage due to an attack using a scan chain of an IC (semiconductor integrated circuit) It is an object to provide a method and a program.

The first aspect of the present invention is:
A plurality of subchains set by dividing a scan chain, which is a scan test path in an integrated circuit, into a plurality of subpaths;
A dummy sub-chain capable of inputting scan test data;
A test key confirmation unit for determining the validity of a test key input from the outside;
If it is determined that the input test key is not valid, a test control unit that selects the dummy sub-chain as a scan test execution target; and
In a semiconductor integrated circuit having

  Furthermore, in one embodiment of the semiconductor integrated circuit of the present invention, the test control unit generates an LFSR unit (linear feedback) for generating selection data for selecting a subchain to be subjected to a scan test based on input data. When the input test key is not valid, the LFSR unit includes a control unit that sets data for selecting the dummy sub-chain as a scan test execution target.

  Furthermore, in one embodiment of the semiconductor integrated circuit of the present invention, the test control unit has a configuration for inputting a random number to the dummy sub-chain when the input test key is not valid.

  Furthermore, in one embodiment of the semiconductor integrated circuit of the present invention, the test control unit includes a random number generation unit, and when the input test key is not valid, the random number generated by the random number generation unit is input to the dummy subchain. It has the composition to do.

  Furthermore, in one embodiment of the semiconductor integrated circuit of the present invention, the LFSR section has a configuration in which a primitive polynomial is a generator polynomial.

  Furthermore, in one embodiment of the semiconductor integrated circuit of the present invention, the dummy sub-chain has a circuit configuration that does not hold confidential information.

  Furthermore, a second aspect of the present invention resides in an information processing apparatus provided with the above semiconductor integrated circuit.

Furthermore, the third aspect of the present invention provides
A data processing method for executing a scan test in an information processing apparatus,
The information processing apparatus includes an integrated circuit, and the integrated circuit includes a plurality of subchains set by dividing a scan chain, which is a scan test path, into a plurality of subpaths, and a dummy capable of inputting scan test data. Have a sub-chain,
A test key checking step of the information processing apparatus for determining the validity of the test key input from the outside;
When the test control unit of the information processing apparatus determines that the input test key is not valid, a test control step of selecting the dummy sub-chain as a scan test execution target;
There is a data processing method to execute.

Furthermore, the fourth aspect of the present invention provides
A program for executing a scan test in an information processing device,
The information processing apparatus includes an integrated circuit, and the integrated circuit includes a plurality of subchains set by dividing a scan chain, which is a scan test path, into a plurality of subpaths, and a dummy capable of inputting scan test data. Have a sub-chain,
A test key confirmation step for causing the test key confirmation unit of the information processing apparatus to determine the validity of the test key input from the outside;
When the test control unit of the information processing apparatus determines that the input test key is not valid, a test control step for selecting the dummy subchain as a scan test execution target;
It is in the program that executes

  The program of the present invention is a program that can be provided by, for example, a storage medium or a communication medium provided in a computer-readable format to an image processing apparatus or a computer system that can execute various program codes. By providing such a program in a computer-readable format, processing corresponding to the program is realized on the information processing apparatus or the computer system.

  Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

  According to an embodiment of the present invention, a scan chain set as a test path for an IC (integrated circuit) is divided into a plurality of sub-paths, and scan test data can be input so that secret information can be input. A dummy sub-chain that was not included was configured. The control circuit that executes the control of the scan test determines the validity of the test key input from the outside. If the input test key is determined not to be valid, the control circuit selects the dummy sub-chain as the scan test execution target. Execute. By this process, all scan-out results based on the attacker's input data become data using the dummy subchain, and leakage of secret information is prevented.

It is a figure explaining the countermeasure method [LTPP05] using a subchain as a countermeasure with respect to the attack which applied the scan chain in a semiconductor integrated circuit. It is a figure which shows the flowchart explaining the process sequence of the countermeasure technique [LTPP05] using the subchain shown in FIG. It is a figure explaining the structure of the LFSR part used for the countermeasure technique [LTPP05] using the subchain shown in FIG. It is a figure explaining the structure of IC (semiconductor integrated circuit) explaining the countermeasure method with respect to the attack which applied the scan chain in the semiconductor integrated circuit which concerns on 1st embodiment of this invention. FIG. 5 is a flowchart illustrating a processing sequence in the semiconductor integrated circuit according to the first embodiment of the present invention shown in FIG. 4. FIG. 5 is a diagram illustrating a configuration of an LFSR unit used in the semiconductor integrated circuit according to the first embodiment of the present invention illustrated in FIG. 4. It is a figure explaining the structure of IC (semiconductor integrated circuit) explaining the countermeasure method with respect to the attack which applied the scan chain in the semiconductor integrated circuit which concerns on 2nd embodiment of this invention. It is a figure which shows the flowchart explaining the process sequence in the semiconductor integrated circuit which concerns on 2nd embodiment of this invention shown in FIG.

Hereinafter, the details of a semiconductor integrated circuit, an information processing apparatus, a data processing method, and a program according to the present invention will be described with reference to the drawings. The description will be made according to the following items.
1. 1. Outline of attack countermeasure method [LTPP05] using sub-chain 2. Problems with attack countermeasure method [LTPP05] 3. Configuration example of semiconductor integrated circuit of the present invention 3-1. Configuration and processing of the first embodiment of the present invention using a dummy subchain 3-2. The configuration and processing of the second embodiment of the present invention has a configuration in which the output value from the dummy subchain is set to a random value.

[1. Overview of attack countermeasure method [LTPP05] using sub-chain]
First, before describing the configuration of the present invention, an outline of [LTPP05], which is an attack countermeasure technique using a scan chain described in Non-Patent Document 4 described above, will be described.
An outline of the scan chain and the test control circuit in LTPP05 will be described with reference to FIG.
FIG. 1 shows an IC (semiconductor integrated circuit) 100 having a scan chain (scan circuit) applied to a scan test.
In the attack countermeasure method [LTPP05], the scan chain is divided into a plurality (m pieces) of sub-chains 120-1 to 120-m as shown in FIG.

The subchains 120-1 to 120-m have a chain configuration of circuit elements such as flip-flops (FF), arithmetic circuits, and memories. Note that a flip-flop connected in the subchain is called a scan flip-flop (SFF).
For each of the subchains 120-1 to 120-m, a data string set by the test control circuit 110 shown in the lower part of FIG. 1 based on the input data from the scan-in (SI) that is the data input unit shown in the lower part of FIG. Is entered. The processing result is output from the scan-out (SO) which is an output unit via the multiplexer 130.

  Note that the test control circuit 110 determines which sub-chain of the m sub-chains of the first sub-chain 120-1 to the m-th sub-chain 120-m is to receive data. The enable signals (EN1 to ENm) shown in the figure are input to the selected subchain, and scan test data is input to the selected subchain via the test control circuit 110 to perform a scan test.

  As shown in FIG. 1, the test control circuit 110 includes a random number generation unit 118, a control unit (FSM: Finish State Machine) 111, a test key (TK) match confirmation circuit unit 114, a linear feedback shift register (LFSR) unit 113, And a decoder unit 112.

In LTPP05, LFSR is q-bit configuration, and the number of subchains [m] is
m = 2 ^q −1
It is said.
Each of the subchains 120-1 to 120-m has a configuration in which L bits, that is, L SFFs (scan flip-flops) are connected.

Hereinafter, each function of the components constituting the test control circuit 110 will be described.
The test control circuit 110 has the following input units.
SI (scan-in): Input section for test data etc. for each sub-chain,
TC: (test control): an input part of a test execution control signal for inputting an enable signal (enable) indicating the start of the scan test and a disable signal (disable) indicating the end;
CLK (clock): clock signal input unit for timing control,
The multiplexer 130 has the following output unit.
SO (scanout): an output unit that outputs output data from each scan subchain.

Hereinafter, functions of each component of the test control circuit 110 will be sequentially described.
Random number generator 118
The random number generation unit 118 becomes active when an insecure mode signal indicating that the test is not in a safe test executable state is output (high) as an output signal from the control unit (FSM) 111. A random value (random number) of arbitrary bits is generated. The generated random number is input to the LFSR unit 113.

Control part (FSM: Finite State Machine) 111
The control unit (FSM) 111 executes setting and management of a test mode (test mode) at the time of executing a scan test, initial setting processing in each mode, and the like.

Note that there are two types of test modes, a secure mode and a secure mode (insecure mode).
The secure mode is set only when it is confirmed that a correct test key (TK) has been input. Otherwise, the insecure mode is set.
The control unit (FSM) 111 sets an insecure mode as an initial state immediately after power-on or reset.

  When TC (Test Control) shown in FIG. 1 is set to enable, the control unit (FSM) 1111 unit starts from the head of the data input from the SI (Scan In) shown in the drawing. The k bits are input as a test key (TK ′) to the test key (TK) coincidence confirmation circuit unit 114, and a match confirmation process with a valid test key (TK) held by the test key (TK) coincidence confirmation circuit unit 114 is performed. Let it run.

Thereafter, the control unit (FSM) 111 receives information on whether or not the input key (TK ′) matches the valid key (TK) from the test key (TK) match confirmation circuit unit 114.
Key mismatch, ie
TK '≠ TK
In the case of [fail] indicating, q bits from (k + 1) bits to (k + q) bits in the data input from SI (scan-in) are ignored and the LFSR unit 113 ( A random value of r + q) bits is acquired as a random number generated by the random number generation unit 118 and set as an initial value of the LFSR unit 113.

On the other hand, the outputs from the test key (TK) match confirmation circuit unit 114 match, that is,
TK '= TK
In the case of [pass] representing q, q bits from (k + 1) bits to (k + q) bits of data input from SI (scan-in) are set to the LFSR unit 113 as an initial value.
After these processes are completed, the control unit (FSM) 111 maintains the current mode until the next reset, and provides data input from the SI to all subchains 120-1 to 120-m.

  Next, the sequence of data input processing for the subchain executed by the IC 100 shown in FIG. 1 will be described with reference to the flowchart of FIG. The flowchart shown in FIG. 2 is processing executed under the control of the control unit (FSM) 111 unit.

Step 001 (STEP 001)
Set the test mode to insecure mode. As described above, the control unit (FSM) 111 sets an insecure mode as an initial state immediately after power-on or reset.

Step 002 (STEP 002)
TC: Waits until an enable signal indicating the start of the scan test is input from the (test control) signal input unit.

Step 003 (STEP 003)
From the head of the value input from the SI (scan-in) input unit, k bits are input to the test key (TK) coincidence confirmation circuit unit 114 as a test key (TK ′).

Step 004 (STEP 004)
The test key (TK) coincidence confirmation circuit unit 114 executes test key coincidence confirmation circuit processing. That is,
TK '= TK
A confirmation process is executed as to whether the above expression is satisfied [pass] or not satisfied [fail].

Step 005 (STEP 005)
If the result of the test key match confirmation process in step 004 is [fail] indicating a key mismatch, the process proceeds to step 006. If it is [pass] indicating key agreement, the process proceeds to step 007.

Step 006 (STEP 006)
Q bits from the (k + 1) th bit to the (k + q) th bit from the beginning of the value input from the SI (scan-in) input unit are ignored, and the random number generation unit 118 generates a (r + q) -bit random number R. This is set as an initial value in the LFSR 113, and the process proceeds to Step 008.

Step 007 (STEP 007)
The q bits from the top of the value input from the SI (scan-in) input unit to the (k + 1) -th bit to the (k + q) -th bit are set as initial values in the LFSR 113, and the test mode (test mode) is set to the secure mode (secure). mode), the process proceeds to step 008.

Step 008 (STEP 008)
A sub chain selection process is performed by the decoder unit (Decoder) 112. This is a sub-chain selection process for inputting data from a scan-in (SI) input unit, that is, a sub-chain for executing a scan test. The decoder unit 112 uses the data from the scan-in (SI) input unit to determine which of the m sub-chains is to be used as the input sub-chain for the test data, and an enable signal (see FIG. 1). EN1 to ENm) shown in FIG. Scan test data is input to the sub-chain from which the enable signal is output.

Step 009 (STEP 009)
Of the values input from the SI (scan-in) input unit, the next L bits are input to the sub-chain SIi selected by the decoder unit (Decoder) 112. That is, the scan test is started by inputting data for the selected subchain.

Step 010 (STEP 010)
TC: Waits until a disable signal indicating the end of the scan test is input from the (test control) signal input unit.

Step 011 (STEP 011)
A capture process is executed according to the number of clocks input from the clock (CLK) signal input unit.
This is a process in which the bit string input to the sub-chain from the SI (scan-in) input unit is sequentially advanced in the sub-chain according to the clock.

Step 012 (STEP 012)
TC: (test control) After the enable signal indicating the start of the scan test is input from the signal input unit, the value of the sub-chain SIi is set according to the L cycle clock input from the clock (CLK). At the same time as output from scan-out (SO), which is an output unit, the next L bits input from scan-in (SI) are input to sub-chain SIi.

Step 013 (STEP 013)
The LFSR 113 is operated once and the process returns to step 008.

  Steps 008 to 013 are repeatedly executed, scan data is input to each of the m sub-chains, and the scan result is output from scan-out (SO).

  As described above, since a valid test executor can know the subchain selected by the test control circuit 100, it is possible to grasp the corresponding practice of the input data and the output data for the subchains 1 to m, and the correspondence relationship thereof. Based on the above, it can be determined whether or not the constituent circuits of each sub-chain are normal.

Test key (TK) coincidence confirmation circuit unit 114
The test key (TK) coincidence confirmation circuit unit 114 holds the input test key (TK ′) input from the scan-in (SI), which is the data input unit, via the control unit (FSM) 111, and the test key (TK). It is checked whether the valid test key (TK) matches, and if it matches, [pass] is returned to the control unit (FSM).

Linear feedback shift register (LFSR) 113
A configuration example of the LFSR unit is shown in FIG. As shown in FIG. 3, the LFSR 113
q-bit LFSR configuration unit 181,
A selector unit 182, and
r-bit random number part 183,
It consists of these three components.

  The q-bit LFSR configuration unit 181 includes a q-bit LFSR having a primitive polynomial as a generator polynomial, sets a q-bit value input from the control unit (FSM) 111 as an initial value, and sets each flip-flop (FF). The value is output to a decoder unit (Decoder) 112. Also, the MSB value in the q-bit LFSR configuration unit 181 is output to the selector unit 182.

The selector unit 182 uses a test mode signal provided from the control unit (FSM) 111 as an output selection signal,
If the test mode (test mode) = secure mode (secure mode), the input from the q-bit LFSR configuration unit 181 is output.
If the test mode (test mode) = insecure mode (insecure mode), the input from the r-bit random number unit 183 described later is output as it is.

  The r-bit random number unit 183 includes r flip-flops (FFs) configured similarly to the r-bit LFSR configuration unit 181. However, unlike the normal LFSR, in the tap, that is, the generator polynomial, the exclusive OR operation result of each FF corresponding to the term whose coefficient excluding the 0th order term is not 0 is fed back to the selector unit 182 without feeding back to the LSB. As an input.

With the configuration shown in FIG. 3, the LFSR unit 113
Test mode = secure mode (secure mode)
In this case, since the output of the selector unit 182 becomes the MSB of the q-bit LFSR configuration unit 181, a q-bit LFSR circuit having a primitive polynomial as a generator polynomial is obtained.
Also,
Test mode = insecure mode (insecure m
In this case, since the output of the selector unit 182 becomes the output of the r-bit random number unit 183, the circuit outputs a q-bit value from the MSB of the (r + q) -bit LFSR.

Decoder unit (Decoder) 112
The decoder unit (Decoder) 112 changes the q-bit input from the LFSR unit 113 to a number i represented by a decimal number or a hexadecimal number, and i is sent to the MUX 130 as a selection signal in the m: 1 multiplexer (MUX) 130. And ENi, which is an enable signal for the i-th sub-chain, is enabled.

  Various methods other than the method described in Non-Patent Document 4 are conceivable as a method for configuring the decoder unit (Decoder) 112, and the details of each method do not affect the present invention. A description of a typical configuration method and processing procedure is omitted.

  As described above, if the test executor knows the correct test key (TK) by configuring the sub chain and the test control circuit in the scan test, the configuration of the LFSR 113 is known and the initial value is set. Since it can be arbitrarily set, it is possible to know which test pattern input from the scan-in (SI) corresponds to the value output from the scan-out (SO). As a result, an arbitrary test can be executed by a regular test performer. In this way, it is possible to reliably execute a test of a sub-chain that is a plurality of divided scan chains.

  On the other hand, for an attacker who does not know the test key (TK), since the configuration of the LFSR 113 is unknown and an initial value cannot be set, the value output from the scan-out (SO) It is difficult to specify which test pattern corresponds to the test pattern. In the following, the method of acquiring test results by an attacker and the analysis method will be described in detail.

In order to acquire m test results TRj (j = 1,..., M), the attacker randomly generates TK ′ and an initial value s as a preliminary preparation, and 2m test patterns TPi ( i = 1,..., 2m).
Here, the probability that the true test key TK matches the random TK ′ is ½ ^k . If k is sufficiently large, the probability of matching can be ignored. Therefore, after that,
TK ≠ TK '
I believe that.

  First, the attacker uses the setting of the TC (test control) signal input unit as an enable signal indicating the start of the scan test, and randomly generates a test key (TK ′) and an initial value s from the scan-in (SI). Enter in order. Thereby, the control unit (FSM) 111 sets the test circuit 110 to the insecure mode, ignores the input initial value s, and sets a random initial value of (r + q) bits to the LFSR unit 113. Set.

  The decoder unit (Decoder) 112 selects a subchain t (1 ≦ t ≦ m) according to the output from the LFSR unit 113 in which a random initial value is set. Next, the attacker inputs the first test pattern TP1 from scan-in (SI). Here, since the scan flip-flop (SFF) connected to each sub-chain constitutes a shift register, when a test pattern (TP1) is input to the selected sub-chain t, the sub-chain t The value stored in the connected scan flip-flop (SFF) is output from the scan-out (SO).

  However, it should be noted that this value is a value stored in each scan flip-flop (SFF) before the start of the test, and is not a test result for the test pattern (TP1).

  Subsequently, the attacker sets the TC (test control) signal input section to disable indicating the end of the scan test and inputs a clock of 1 cycle to the clock (CLK) to perform a capture process (capture). carry out. By performing the capture, TR1 which is a test result corresponding to the test pattern (TP1) is stored in each scan flip-flop (SFF) of the subchain.

  Therefore, the attacker sets the setting of the TC (test control) signal input portion to enable indicating the start of the scan test, supplies the next test pattern TP2 to the scan-in (SI), and scan-out (SO). Thus, TR1 which is an output from the subchain is acquired.

  At this time, while the test pattern (TP2) is stored in the sub-chain t, a new pseudo-random number is generated in the LFSR unit 113, and the next sub-chain t ′ (1 ≦ t ′ ≦) is generated by the decoder unit (Decoder) 112. m) is selected.

  From the above operation, it can be seen that the attacker inputs TP1 and TP2 in order to obtain TR1 which is the test result for the test pattern TP1. Similarly, when acquiring TR2, by using TP3 and TP4 and repeating these operations, 2m test patterns TPi (i = 1,..., 2m) are input and TP2j−1 M test results TRj (j = 1,..., M) corresponding to (j = 1,..., M) are acquired. Note that the test results corresponding to TP2j are obtained from TRm + 1 to TR2m.

An attacker can acquire a test result for an arbitrary test pattern by repeatedly performing the above-described operation. However, since the value of the LFSR unit 113, that is, the selected subchain cannot be directly known, in order to confirm from which subchain the result (TRj) corresponding to the input test pattern (TPi) is output. Therefore, it is necessary to check m ways from when the output (TRj) is the output of the subchain 1 to when it is the output of the subchain m. Furthermore, since it is necessary to do this for all output TRj, all patterns attacker should check becomes as m ^m, the amount of calculation as well m ^m to confirm this by brute .

Here, when q = 4, since m = 2 ^q −1 = 15, even if an LFSR of only about 4 bits is used, the amount of calculation required by the attacker is
2 ⁵⁸ <15 ¹⁵ <2 ⁵⁹ ,
That is, since a calculation amount corresponding to 59 bits is required, it is difficult to specify which subchain the output TRj corresponding to the input test pattern TPi corresponds to.

[2. [Problems of attack countermeasure method [LTPP05]]
Next, problems in the attack countermeasure method [LTPP05] using the subchain described in Non-Patent Document 4 described above will be examined.
Non-Patent Document 4 above classifies attackers as follows.
(A) Beginner
An attacker who applies only known attacks. It can be avoided by simple encoding of data.
(B) Independent
An attacker with a wealth of money and knowledge. Use of strong cryptographic algorithms is essential for countermeasures.
(C) Business
An attacker who has abundant funds and knowledge, and does not leave illegal activities in order to analyze and eavesdrop on commercially important information.
(D) Government
An attacker who can use unlimited resources.
These are classified into four types.

By using LTPP05 having the above-described subchain configuration on such classification,
(A) For Beginner class attackers,
q = 4 bits,
(B) For an independent class of attackers,
It is said that it is sufficient to use an LFSR of about q = 8 bits.

Also,
(C) For a business class attacker, q = 10 bits or more unless an intrusion attack is performed such as removing the IC package and analyzing the wiring layer or cell layer by FIB or etching. If it is safe.
In addition, it states that it is necessary to combine multiple security measures such as probe measures for (c) Business class and (d) Government class attackers who conduct intrusion attacks. Yes.

However, there is a problem that the amount of calculation required for the attacker can be significantly reduced from the trial calculation described in Non-Patent Document 4.
That is, the test key (TK), even attacker does not know the generator polynomial initial value and LFSR, the number of patterns to be verified, far from all the pattern number m ^m derived by the number q of bits described above It can be reduced.
Hereinafter, this point will be described. For simplicity, it is assumed that the values of r and q are known.

First, the attacker randomly generates a k-bit TK ′, a q-bit initial value s, and an L-bit test pattern TP ₁ , and generates n = 2 ^{r + q} −1 test patterns as TP ₁ = TP _2. = ···· = TP _2n is set.
Next, the attacker inputs the generated test key (TK ′), the initial value (s), and the test pattern (TP _i (i = 1,..., 2n)) to the IC, which is the test result. TR _j (j = 1,..., N) is acquired.

Here, since TK ′ is selected at random, the probability that TK = TK ′ is ½ ^k , and can be ignored if k is sufficiently large. Therefore, the attacker assumes that TK ′ ≠ TK, that is, the insecure mode. As described above, in the insecure mode, the LFSR for selecting a subchain operates as an (r + q) -bit LFSR (however, the output is the value of the q-bit LFSR configuration unit) by the operation of the selector unit in the LFSR unit. . Therefore, the period is 2 ^{r + q} −1 = n at the longest.

Here, since the attacker inputs the test pattern TP _i (i = 1,..., 2n) having the same value, after the scan test of the circuit corresponding to a certain subchain is performed When the scan test of the circuit corresponding to the same subchain is performed again, both test results have the same value. As a result, when the test result TR _c satisfying TR ₁ = TR _c , TR ₂ = TR _{c + 1} ... Is output, it is found that the sub-chain selection order, that is, the output of the LFSR circulated. Therefore, it can be specified that the period of the (r + q) bit LFSR is c. In addition, when the same test result is not output, it is understood that an overlapping value is not output during n times that is the longest period of the (r + q) -bit LFSR, and the period is n.

  Next, the attacker lists all generator polynomial candidates whose period is c from generator polynomials that satisfy the condition of the (r + q) -bit LFSR in LTPP05. In Non-Patent Document 4, the generator polynomial of LFSR in the q-bit LFSR configuration unit is a primitive polynomial in order to ensure the test effectiveness. Here, since the primitive polynomial is always an irreducible polynomial, its constant term must be 1 and the number of non-constant terms must be an even number. Therefore, the total number of generator polynomial candidates that can be q-bit LFSR primitive polynomials can be expressed by the following equation.

On the other hand, since there is no particular limitation on the r-bit random number part, the total number z of generator polynomial candidates satisfying the condition of (r + q) -bit LFSR in LTPP05 is
z = ^2r * ^2q-2 = ^{2r + q-2}
It becomes. In order to confirm the period in all these candidates, the attacker first selects a random initial value that is not 0, and applies this initial value to the LFSR with each candidate as a generator polynomial.

Next, the period is specified by operating the LFSR a maximum of 2 ^{r + q} −1 times, and only the polynomials whose period is c are listed. This makes it possible to list all generator polynomial candidates of (r + q) bits LFSR in LTPP05. Now, let this list be a candidate list (CL: Candidates List). In this case, the calculation amount of the attacker is expressed by the following equation.
(2 ^{r + q} −1) × 2 ^{r + q−2} <2 ^{r + q} × 2 ^{r + q−2} = 2 ^{2 (r + q−1)}

Finally, the attacker applies all possible values as initial values to each generator polynomial candidate existing in the candidate list (CL), and operates the LFSR c times for each initial value, Identify all I / O patterns to be checked. Here, the number of generator polynomial candidates existing in CL is
z <2 ^{r + q-2}
Therefore, the amount of calculation required for the attacker to specify all input / output patterns applies all values (n = 2 ^{r + q} −1) that can be initial values for z polynomials, And when each initial value is applied, it is necessary to operate the LFSR c times that is a period.
z * n * c <2 ^{r + q-2} * 2 ^{r + q} * 2 ^{r + q} = 2 ^{3 (r + q) -2}
It becomes.

From the above, the calculation to be executed by the attacker is the calculation for specifying the candidate list (CL) and the calculation for specifying all input / output patterns, and the calculation amount is as follows.
2 ^{2 (r + q-1)} +2 ^{3 (r + q) -2}
Less than.
Here, the amount of calculation when each bit number is specifically set will be considered. As described above, Non-Patent Document 4 states that if q = 10 bits or more, even a business class attacker who does not perform an intrusion attack is safe in terms of computational complexity. Now, assuming that q = 10 bits and calculating the amount of calculation of the attacker by the security evaluation method described in Non-Patent Document 4,
m ^m = (2 ¹⁰ -1) (2 ¹⁰ -1)
And
2 ¹⁰²²⁸ <m ^m <2 ¹⁰²²⁹
It becomes.

This is a brute force attack of about 10229 bits, and in reality, the calculation amount cannot be confirmed for all patterns. However, when using the attack technique shown in this chapter, if r = 4 bits is set from the example described in Non-Patent Document 4, the amount of calculation is
2 ^{2 (r + q-1)} +2 ^{3 (r + q) -2} = 2 ²⁶ +2 ⁴⁰ <2 ⁴¹
Therefore, even a computer of the current level of PC can be calculated in a few hours. Therefore, even if LTPP05 is applied to prevent unauthorized analysis of the internal structure of an IC using a scan circuit, although the difficulty of analysis is improved, there is a problem that analysis is practical.

[3. Configuration Example of Semiconductor Integrated Circuit of the Present Invention]
Next, a configuration example of the semiconductor integrated circuit of the present invention will be described.
The present invention solves the problems in [LTPP05], which is the attack countermeasure method using the sub-chain described above, and greatly improves the difficulty of illegal analysis of IC secret information and internal structure using a scan circuit. To achieve the configuration described above.

  As described above, in [LTPP05], which is an attack countermeasure method using a subchain, when the test key (TK) input from the outside does not match the valid test key, that is, insecure mode (insecure mode). In this case, by setting a random initial value acquired from the random number generator in the LFSR, it is difficult to specify the selected subchain, and as a result, analysis is difficult.

In contrast, in the configuration of the present invention described below,
In the first embodiment, a dummy subchain is assigned to a portion that does not affect the internal structure analysis of the IC, that is, a circuit configuration portion that does not cause a problem, and an insecure mode (insecure mode) is assigned. ) In some cases, a scan result to which this dummy sub-chain is applied is output.

  In the second embodiment, in the insecure mode, the random value that is the output value of the random number generation unit is not used as the initial value of the LFSR, but as the setting value for the dummy subchain. It is configured to output random values directly.

  With these configurations, in both the first and second embodiments, the attacker can configure the structure of the non-confidential part of the IC internal structure unless the input test key (TK) matches the valid test key. In other words, only the structure of the dummy subchain can be analyzed.

  Furthermore, in the second embodiment, when the test key (TK) does not match, the random value generated by the random number generation unit is set in the dummy subchain, and the dummy subchain processing in which the random value is input The result is output. This makes it difficult to confirm whether the test key (TK) matches or does not match.

As described above, the configuration of the present invention includes a dummy sub chain for testing a circuit that is not confidential in addition to the configuration of the attack countermeasure method [LTPP05] disclosed in Non-Patent Document 4. Add as a subchain.
Further, if the test key (TK) does not match, 0 is set as the initial value of the LFSR. As a result, even if an attacker who does not know the test key (TK) tries to illegally analyze the internal structure of the IC using the scan circuit, the test result of the circuit that is not always confidential when the test key (TK) does not match, that is, Only the test result of the circuit connected to the dummy subchain can be acquired, which makes analysis difficult.
Further, in the second embodiment, it is difficult to check the match of the test key (TK) by making the value output from the dummy sub-chain a random value. Therefore, by applying the present invention to the scan circuit, it is possible to prevent unauthorized analysis of the IC internal structure using the scan circuit.
Details of each embodiment will be described below.

[3-1. Configuration and processing of the first embodiment of the present invention using a dummy subchain]
First, a first embodiment of the present invention will be described with reference to FIG.
The first embodiment of the present invention has a configuration in which the following change is added to the attack countermeasure method [LTPP05] using the subchain described in Non-Patent Document 4 described above.

A dummy sub chain is added as the 1.0th sub chain.
2. In the insecure mode, 0 is given as the initial value of the LFSR.
3. The LFSR initial value setting random number generator is eliminated.
4). The r-bit random number part and the selector part for duplicating the output of the LFSR are eliminated.

Hereinafter, a specific configuration method and an operation at the time of a scan test in the first embodiment will be described.
FIG. 4 shows an outline of the scan chain and the test control circuit in the first embodiment.
FIG. 4 shows an IC (semiconductor integrated circuit) 200 in the first embodiment.
The scan chain is divided into a plurality (m) of subchains 220-1 to 220-m, similar to the configuration of [LTPP05] described above with reference to FIG. Have

  The dummy subchain 251 is a dummy circuit that is not used for actual data processing, for example, in which secret information is not recorded.

The dummy sub-chain 251 and the sub-chains 220-1 to 220-m have a chain configuration of circuit elements such as flip-flops (FF), arithmetic circuits, and memories. When the LFSR has a q-bit configuration, the number of subchains [m] is, for example,
m = 2 ^q −1
And Each of the sub-chains 220-1 to 220-m has a configuration in which L bits, that is, L SFFs (scan flip-flops) are connected.

  Note that the test control circuit 210 determines which sub-chain of the total m + 1 sub-chains of the dummy sub-chain 251 and the sub-chains 220-1 to 220-m is to be input with data. An enable signal (EN0 to ENm) shown in the figure is input to the selected subchain, and scan test data is input to the selected subchain via the test control circuit 210, and a scan test is performed.

  As shown in FIG. 4, the test control circuit 210 includes a control unit (FSM) 211, a test key (TK) coincidence confirmation circuit unit 214, a linear feedback shift register (LFSR) unit 213, and a decoder (Decoder). Part 212.

  For the dummy sub-chain 251 and sub-chains 220-1 to 220-m, the test control circuit 210 shown in the lower part of FIG. 4 is based on the input data from the scan-in (SI) which is the data input part shown in the lower part of FIG. The data string set by is input. The processing result is output from the scan-out (SO) that is an output unit via the multiplexer 230.

As shown in FIG. 4, the configuration of the first embodiment of the present invention does not include the random number generation unit 118 that is the configuration of [LTPP05] described above with reference to FIG.
That is, there is no random number generation unit used for setting the initial value in the LFSR unit 213.

  Further, the multiplexer 230 is configured as m + 1: 1 MUX in order to output a total of m + 1 subchains of the dummy subchain 251 and the subchains 220-1 to 220-m.

  Similar to [LTPP05] described with reference to FIG. 1, the test control circuit 210 includes a control unit (FSM) 211, a test key (TK) match confirmation circuit unit 214, a linear feedback shift register (LFSR) unit 213, and a decoder. (Decoder) 212. However, the control unit (FSM) 211 and the linear feedback shift register (LFSR) unit 213 execute processing different from [LTPP05] described with reference to FIG.

Hereinafter, the test control circuit and each function in the first embodiment will be described.
The test key (TK) coincidence confirmation circuit unit 214 and the decoder (Decoder) 212 are the same as those of LTPP05 described above with reference to FIG.

  That is, the test key (TK) coincidence confirmation circuit unit 214 holds the input test key (TK ′) input from the scan-in (SI), which is a data input unit, via the control unit (FSM) 211, and the test key (TK). It is confirmed whether or not the valid test key (TK) matches, and if it matches, [pass] is returned to the control unit (FSM), and if it does not match, [fail] is returned.

  The decoder unit (Decoder) 212 changes the q-bit input from the LFSR unit 213 to a number i represented by a decimal number or a hexadecimal number, and i is input to the MUX 230 as a selection signal in the m + 1: 1 multiplexer (MUX) 230. And ENi, which is an enable signal for the i-th sub-chain including the dummy sub-chain, is enabled.

  The control unit (FSM) 211 in the first embodiment performs test mode setting and management at the time of scan test execution, and initial setting processing in each mode, similar to the LTPP 05 described above with reference to FIG. Execute.

Note that there are two types of test modes, a secure mode and a secure mode (insecure mode).
The secure mode is set only when it is confirmed that a correct test key (TK) has been input. Otherwise, the insecure mode is set.
The control unit (FSM) 211 sets an insecure mode as an initial state immediately after power-on or reset.

However, in the above-mentioned [LTPP05], in step 006 (STEP 006) which is the processing procedure of the control unit described with reference to the flowchart of FIG. 2, a random number R of (r + q) bits is set as an initial value in the LFSR unit. A random number generator for generating initial values at random is used.
However, the first embodiment of the present invention is different in that (r + q) -bit random number R is not set in the LFSR part, and 0 is set instead of the random number R.

  That is, when the test key (TK ′) input from the outside does not match the valid test key (TK), the above-mentioned [LTPP05] is a step that is the processing procedure of the control unit described with reference to the flowchart of FIG. In 006 (STEP 006), a random number R of (r + q) −bit is set as an initial value in the LFSR section. This random number has been used as information for determining which sub-chain of the sub-chains 120-1 to 120-m shown in FIG. 1 is to be used as a scan test sub-chain.

On the other hand, in the first embodiment, when the test key (TK ′) input from the outside does not match the valid test key (TK), 0 is set in the LFSR unit. This [0] is used as decision information for using the dummy sub-chain 251 shown in FIG. 4 as a scan test sub-chain.
That is, in the first embodiment, when the test key (TK ′) input from the outside does not match the valid test key (TK), the scan test is executed using only the dummy subchain 251.

  As described above, the dummy subchain 251 is a dummy circuit that is not used for actual data processing, for example, in which secret information is not recorded. Therefore, the secret information is not included in the output from the dummy subchain 251 at all, and the secret information is not leaked.

  Hereinafter, a specific processing procedure of the control unit (FSM) 211 in the first embodiment will be described with reference to a flowchart shown in FIG.

Step 021 (STEP 021)
Set the test mode to insecure mode. The control unit (FSM) 211 sets an insecure mode as an initial state immediately after power-on or reset.

Step 022 (STEP 022)
TC: Waits until an enable signal indicating the start of the scan test is input from the (test control) signal input unit.

Step 023 (STEP 023)
The k bits from the head of the value input from the SI (scan-in) input unit are input to the test key (TK) coincidence confirmation circuit unit 214 as a test key (TK ′).

Step 024 (STEP 024)
The test key (TK) coincidence confirmation circuit unit 214 executes test key coincidence confirmation circuit processing. That is,
TK '= TK
A confirmation process is executed as to whether the above expression is satisfied [pass] or not satisfied [fail].

Step 025 (STEP 025)
If the result of the test key match confirmation process in step 024 is [fail] indicating a key mismatch, the process proceeds to step 026. If it is [pass] indicating a key match, the process proceeds to step 027.

Step 026 (STEP 026)
In step 028, q bits from the (k + 1) th bit to the (k + q) th bit from the head of the value input from the SI (scan-in) input unit are ignored and 0 is set as an initial value in the LFSR unit 213. Proceed to

  The setting information [0] of the LFSR unit 213 is output to the decoder unit (Decoder) 212, and is used for processing for setting a sub-chain to which scan test data is input as a dummy sub-chain 251.

Step 027 (STEP 027)
The q bits from the (k + 1) -th bit to the (k + q) -th bit from the beginning of the value input from the SI (scan-in) input unit are set in the LFSR 213 as an initial value, and the test mode (test mode) is set to the secure mode (secure). mode), the process proceeds to step 028.

Step 028 (STEP 028)
A sub-chain selection process is executed by the decoder unit (Decoder) 212. This is a sub-chain selection process for inputting data from a scan-in (SI) input unit, that is, a sub-chain for executing a scan test. Using the data from the scan-in (SI) input unit, the decoder unit 212 determines which one of the dummy sub-chain 251 and the m sub-chains 220-1 to 220-m is a sub-chain for inputting test data. Then, an enable signal (EN0 to ENm shown in FIG. 4) is output to the determined subchain. Scan test data is input to the sub-chain from which the enable signal is output.

  As described above, the decoder unit (Decoder) 212 changes the q-bit input from the LFSR unit 213 to a number i represented by a decimal number or a hexadecimal number, and i is changed in the m + 1: 1 multiplexer (MUX) 230. In addition to being output to the MUX 230 as a selection signal, ENi which is an enable signal for the i-th sub-chain including the dummy sub-chain is enabled.

  In this process, when the process goes through step 026 (STEP 026), that is, when the test key (TK ′) input from the outside does not match the valid test key (TK), the initial value is set in the LFSR unit 213. [0] is input, and the selected sub-chain is set as the dummy sub-chain 251.

Step 029 (STEP 029)
Of the values input from the SI (scan-in) input unit, the next L bits are input to the sub-chain SIi selected by the decoder unit (Decoder) 212. That is, the scan test is started by inputting data for the selected subchain.

Step 030 (STEP 030)
TC: Waits until a disable signal indicating the end of the scan test is input from the (test control) signal input unit.

Step 031 (STEP 031)
A capture process is executed according to the number of clocks input from the clock (CLK) signal input unit.
This is a process in which the bit string input to the sub-chain from the SI (scan-in) input unit is sequentially advanced in the sub-chain according to the clock.

Step 032 (STEP 032)
TC: (test control) After the enable signal indicating the start of the scan test is input from the signal input unit, the value of the sub-chain SIi is set according to the L cycle clock input from the clock (CLK). At the same time as output from scan-out (SO), which is an output unit, the next L bits input from scan-in (SI) are input to sub-chain SIi.

Step 033 (STEP 033)
The LFSR 213 is operated once and the process returns to Step 028.

  Steps 028 to 033 are repeatedly executed, scan data is input to each of the plurality of subchains, and the scan result is output from scan out (SO).

The configuration and processing of the linear feedback shift register unit (LFSR) 213 in the first embodiment will be described with reference to FIG.
As shown in FIG. 6, the linear feedback shift register unit (LFSR) 213 in the first embodiment is configured only by a q-bit LFSR configuration unit.
The r-bit random number part and the selector part included in the linear feedback shift register part (LFSR) 113 of [LTPP05] described above with reference to FIG. 3 are not held.
In the present embodiment, it is composed only of a q-bit LFSR configuration unit using a primitive polynomial as a generator polynomial.

  As described above, in the first embodiment of the present invention, unlike the configuration of [LTPP05] described above with reference to FIGS. 1 to 3, the (r + q) -bit random number R is not set in the LFSR unit. Instead of the random number R, 0 is set.

  That is, when the test key (TK ′) input from the outside does not match the valid test key (TK), 0 is set in the LFSR unit. This [0] is used as decision information for using the dummy sub-chain 251 shown in FIG. 4 as a scan test sub-chain. As a result, in the first embodiment, when the test key (TK ′) input from the outside does not match the valid test key (TK), the scan test is executed using only the dummy sub-chain 251. . The dummy subchain 251 is a dummy circuit that is not used for actual data processing, for example, in which secret information is not recorded. Therefore, the secret information is not included in the output from the dummy subchain 251 at all, and the secret information is not leaked.

  In the above-mentioned [LTPP05], in the insecure mode, that is, when the input key (TK ′) does not match the valid test key (TK), a random initial value that the attacker does not know to the LFSR unit 113 This makes the selection of sub-chains for inputting scan test data complicated and makes it difficult for an attacker to specify input / output patterns. However, as described above, even with such a configuration, an attacker can realistically calculate an input / output pattern by performing a brute force attack on the LFSR configuration and a random initial value of (r + q) bits. It is possible to narrow down to the range.

  In contrast, in the first embodiment of the present invention, a dummy subchain 251 that does not include confidential information is configured as the 0th subchain, and an insecure mode, that is, an input key (TK) When ') does not match the valid test key (TK), setting the initial value of the LFSR unit 213 to 0 always sets the output of the LFSR unit to 0, and the selected subchain set by the decoder unit 212 is a dummy. The sub-chain 251 is used. As a result, the attacker can obtain only the output from the dummy sub-chain 251 as the output for the test pattern input by the attacker. This makes it impossible to analyze confidential internal structures.

  An attacker who does not know the valid test key (TK) inputs a test key (TK ′) that does not match the valid test key (TK). In the first embodiment, in this case, the dummy sub-chain 251 is always selected as the test scan chain. An attacker can input an arbitrary test pattern and acquire the test result as an output. In this case, all outputs are output from the dummy subchain 251.

  Since the circuit under test connected to the dummy sub-chain 251 is a non-confidential part inside the IC, that is, a part that does not affect the safety even if analyzed, the attacker uses the scan circuit to make the IC Even if the internal structure is analyzed, it is impossible to obtain useful information, that is, information that reveals confidentiality.

[LTPP05] described above sets a random initial value of (r + q) bits for the LFSR in the insecure mode. This makes it difficult for an attacker to specify the subchain in which the input test pattern is stored, and as a result, the test result corresponding to the test pattern is calculated from the scanned output data. It has become quantitatively difficult. However, as described above, the attacker creates a specific pattern he desires for the circuit under test connected to a certain subchain, and sets all 2 ^m test patterns to this value. Any one of the m test results to be output can be used as a test result of the circuit under test to be analyzed. Further, as described above, the combination of input and output can be specified with a realistic calculation amount, so that the attacker can finally analyze the internal structure of the IC within the range of the realistic calculation amount.

  On the other hand, in the first embodiment of the present invention, when the input test key (TK ′) is not valid, 0 is set to the LFSR, so that the dummy sub-chain 251 is always selected as the test scan chain. It is said. An attacker can input an arbitrary test pattern and acquire the test result as an output. In this case, all outputs are output from the dummy subchain 251. Since the attacker can analyze only the non-confidential part of the IC, it is possible to improve the safety much more than LTPP05.

  In the insecure mode, the initial value is set to 0 in the LFSR, so that the random number generator required in the configuration of [LTPP05] described above with reference to FIG. 1 becomes unnecessary. Also in the LFSR part, the r-bit random number part and the selector part are not necessary. As a result, in addition to the improvement in safety described above, it is possible to reduce the circuit scale in the test control circuit unit.

[3-2. Configuration and processing of second embodiment of the present invention using dummy sub-chain]
Next, a second embodiment of the present invention will be described with reference to FIG.
Similar to the first embodiment, the second embodiment of the present invention has a dummy sub-chain that does not include confidential information and inputs scan test data in the insecure mode. A random value generated by the random number generation unit is input to the subchain, and a processing result of the dummy subchain to which the random value is input is output. This makes it difficult to confirm whether the test key (TK) matches or does not match.

An outline of the scan chain and the test control circuit in the second embodiment is shown in FIG.
FIG. 7 shows an IC (semiconductor integrated circuit) 300 according to the second embodiment.
The scan chain is divided into a plurality (m) of sub-chains 320-1 to 320-m, similar to the configuration of [LTPP05] described above with reference to FIG. Have The dummy subchain 351 is a dummy circuit that is not used for actual data processing, for example, in which secret information is not recorded.

  The dummy subchain 351 and the subchains 320-1 to 320-1m have a chain configuration of circuit elements such as flip-flops (FF), arithmetic circuits, and memories.

  Note that the test control circuit 310 determines which sub-chain of the total m + 1 sub-chains of the dummy sub-chain 351 and the sub-chains 320-1 to 320-1m is to be input with data. An enable signal (EN0 to ENm) shown in the figure is input to the selected subchain, and scan test data is input to the selected subchain via the test control circuit 310 to perform a scan test.

  4, the test control circuit 310 includes a control unit (FSM: Finish State Machine) 311, a test key (TK) match confirmation circuit unit 314, a linear feedback shift register (LFSR) unit 313, and a decoder (Decoder) unit. 312 and a random number generation unit 318.

  For the dummy sub-chain 351 and the sub-chains 320-1 to 320-m, the test control circuit 310 shown in the lower part of FIG. 7 is based on the input data from the scan-in (SI) that is the data input unit shown in the lower part of FIG. The data string set by is input. The processing result is output from the scan-out (SO) that is an output unit via the multiplexer 330.

  In the second embodiment, a selector 371 that selects an output from the random number generation unit 318 or an output from the control unit and inputs the output to the dummy subchain 351 is provided at the preceding stage of the dummy subchain 351. For example, the selector 371 performs the following processing. For example, in the insecure mode (insecure mode) where the input test key (TK ′) does not match the valid test key (TK), the random value generated by the random number generator is input to the sub-chain for inputting the scan test data. input. That is, in the insecure mode, the processing result of the dummy subchain to which a random value is input is output. This makes it difficult to confirm whether the test key (TK) matches or does not match.

  Note that the multiplexer 330 is configured as m + 1: 1 MUX in order to output a total of m + 1 subchains of the dummy subchain 351 and the subchains 320-1 to 320-1m, as in the first embodiment.

  The specific configuration of the second embodiment and the operation during the scan test will be described below.

  As in the first embodiment, the test control circuit 310 includes a control unit (FSM: Finish State Machine) 311, a test key (TK) coincidence confirmation circuit unit 314, a linear feedback shift register (LFSR) unit 313, and a decoder (Decoder) unit. 312. In the present embodiment, a random number generation unit 318 and a selector 371 are further provided.

  In the second embodiment and the first embodiment, there is a random number generation unit 318, a configuration in which the input to the dummy subchain 351 is switched by the selector 371 in the insecure mode, and a control unit (FSM) 311 Some of the processing is different. Other configurations have the same configuration as the first embodiment.

  The test key (TK) coincidence confirmation circuit unit 314 has an input test key (TK ′) input from the scan-in (SI), which is a data input unit, via the control unit (FSM) 311 and the test key (TK) in advance. It is checked whether the valid test key (TK) matches, and if it matches, [pass] is returned to the control unit (FSM).

  The decoder unit (Decoder) 312 changes the q-bit input from the LFSR unit 313 to a number i represented by a decimal number or a hexadecimal number, and i is input to the MUX 330 as a selection signal in the m + 1: 1 multiplexer (MUX) 330. And ENi, which is an enable signal for the i-th sub-chain including the dummy sub-chain, is enabled.

  The control unit (FSM) 211 executes setting and management of a test mode (test mode) at the time of executing a scan test and initial setting processing in each mode, similar to the LTPP 05 described above with reference to FIG.

As described above, there are two types of test modes, a secure mode and a secure mode (insecure mode).
The secure mode is set only when it is confirmed that a correct test key (TK) has been input. Otherwise, the insecure mode is set.
The control unit (FSM) 311 sets an insecure mode as an initial state immediately after power-on or reset.

  The random number generation unit 318 becomes active when the output signal from the control unit (FSM) 311 is set to an insecure mode, and generates a random value having an arbitrary number of bits. The generated random number is supplied to the dummy sub-chain 351 through the selector 371.

The selector 371 inputs the input signal SI ₀ from the scan-in (SI) to the dummy sub-chain 351 when the output signal from the control unit (FSM) 311 is in the secure mode (secure mode). Select as the signal to be used. On the other hand, when the output signal from the control unit (FSM) 311 is an insecure mode, a signal for inputting the random number Z generated by the random number generation unit 318 to the dummy sub chain 351. Select as.

As in the first embodiment, the control unit (FSM) 311 in the second embodiment, when the test key (TK ′) input from the outside does not match the valid test key (TK), that is, the insecure mode (insecure mode). In (mode), a random number R of (r + q) bits is not set in the LFSR section, and 0 is set instead of the random number R.
This [0] is used as decision information for using the dummy sub-chain 351 shown in FIG. 7 as a scan test sub-chain.

  In the first embodiment, in the insecure mode, the data input to the dummy subchain is a test pattern input from the outside, that is, scan-in (SI). On the other hand, in the second embodiment, in the insecure mode, the data input to the dummy subchain is not the data input from the outside but the random number generated by the random number generation unit 318. The L-bit random number Z generated by the random number generation unit 318 is set.

  Hereinafter, a specific processing procedure of the control unit (FSM) 311 in the second embodiment will be described with reference to a flowchart shown in FIG.

Step 041 (STEP 041)
Set the test mode to insecure mode. The control unit (FSM) 311 sets an insecure mode as an initial state immediately after power-on or reset.

Step 042 (STEP 042)
TC: Waits until an enable signal indicating the start of the scan test is input from the (test control) signal input unit.

Step 043 (STEP 043)
The k bits from the head of the value input from the SI (scan-in) input unit are input to the test key (TK) match confirmation circuit unit 314 as a test key (TK ′).

Step 044 (STEP 044)
The test key (TK) coincidence confirmation circuit unit 314 executes test key coincidence confirmation circuit processing. That is,
TK '= TK
A confirmation process is executed as to whether the above expression is satisfied [pass] or not satisfied [fail].

Step 045 (STEP 045)
If the result of the test key match confirmation process in step 044 is [fail] indicating a key mismatch, the process proceeds to step 046. If it is [pass] indicating a key match, the process proceeds to step 047.

Step 046 (STEP 046)
In step 048, q bits from the (k + 1) th bit to the (k + q) th bit from the head of the value input from the SI (scan-in) input unit are ignored and 0 is set as an initial value in the LFSR unit 313. Proceed to

  The setting information [0] of the LFSR unit 213 is output to the decoder unit (Decoder) 312 and used for the process of setting the sub-chain to which the scan test data is input as the dummy sub-chain 351.

Step 047 (STEP 047)
The q bits from the (k + 1) -th bit to the (k + q) -th bit from the beginning of the value input from the SI (scan-in) input unit are set in the LFSR 313 as an initial value, and the test mode (test mode) is set to the secure mode (secure). mode) and go to step 048.

Step 048 (STEP 048)
A sub chain selection process is executed by the decoder unit 312. This is a sub-chain selection process for inputting data from a scan-in (SI) input unit, that is, a sub-chain for executing a scan test. Using the data from the scan-in (SI) input unit, the decoder unit 312 determines which of the dummy sub-chain 351 or the m sub-chains 320-1 to 320-m is a sub-chain for inputting test data. Then, an enable signal (EN0 to ENm shown in FIG. 7) is output to the determined subchain. Scan test data is input to the sub-chain from which the enable signal is output.

  As described above, the decoder unit (Decoder) 312 changes the q-bit input from the LFSR unit 313 to a number i represented by a decimal number or a hexadecimal number, and i is changed in the m + 1: 1 multiplexer (MUX) 330. While being output to the MUX 330 as a selection signal, ENi which is an enable signal for the i-th sub-chain including the dummy sub-chain is enabled.

  In this process, when the process goes through step 046 (STEP 046), that is, when the test key (TK ′) input from the outside does not match the valid test key (TK), the initial value is set in the LFSR unit 313. [0] is input, and the selected sub-chain is set as the dummy sub-chain 351.

Step 049 (STEP 049)
If the test mode is the insecure mode, the process proceeds to step 050 (STEP 050). Otherwise, the process proceeds to step 051 (STEP 051).

Step 050 (STEP 050)
This is processing in the insecure mode (insecure mode) when the test key (TK ′) input from the outside does not match the valid test key (TK). In this case, the value input from the scan-in (SI) is ignored, and the rebit random number Z generated by the random number generation unit 318 is input to the dummy subchain 351 via the selector 371.

Step 051 (STEP 051)
This is processing in a secure mode (secure mode) such as when a test key (TK ′) input from the outside matches a valid test key (TK). In this case, the next L bits among the values input from the scan-in (SI) are input to the sub-chain (SIi) selected by the decoder unit 312.

Step 052 (STEP 052)
TC: Waits until a disable signal indicating the end of the scan test is input from the (test control) signal input unit.

Step 053 (STEP 053)
A capture process is executed according to the number of clocks input from the clock (CLK) signal input unit.
In this process, the bit string input to the subchain is sequentially advanced in the subchain according to the clock.

Step 054 (STEP 054)
If the test mode is the insecure mode, the process proceeds to step 055 (STEP 055). Otherwise, go to Step 056 (STEP 056).

Step 055 (STEP 055)
TC: After the enable signal indicating the start of the scan test is input from the (test control) signal input unit, the value input from the scan-in (SI) is ignored, and the L generated by the random number generation unit 318 is generated. A bit random number Z ′ is input to the dummy sub-chain 351.

Step 056 (STEP 056)
TC: After an enable signal indicating the start of the scan test is input from the (test control) signal input unit, the decoder unit 312 outputs the next L bits of the value input from the scan-in (SI). Enter into the selected subchain.

Step 057 (STEP 057)
The LFSR 313 is operated once and the process returns to step 048.

  Steps 048 to 057 are repeatedly executed, scan data is input to each of the plurality of subchains, and the scan result is output from scan out (SO).

In the second embodiment, as in the first embodiment, the initial value of the LFSR unit 313 is set to 0 in the insecure mode set when the input key (TK ′) is invalid. Thus, the attacker can obtain only the output of the dummy sub-chain 351. Furthermore, in the insecure mode (insecure mode), the random value Z generated by the random number generation unit 318 is input to the dummy subchain 351 as a pseudo test pattern instead of the test pattern input by the attacker.
This makes it impossible to analyze the internal structure that is confidential to the attacker, and also makes it difficult to confirm whether the test key (TK) matches or does not match.

  As described above, in the second embodiment, as in the first embodiment, a dummy sub-chain is added as a test function for the non-confidential portion of the internal structure of the IC, and the in-secure mode (insecure mode) In the mode), 0 is set as the initial value of the LFSR, and the output as the test result is used as the output of only the dummy subchain 351 to prevent leakage of confidential information.

  In the first embodiment, since the input to the dummy sub-chain is an arbitrary test pattern input by the attacker, when the attacker inputs a plurality of test patterns having the same value, the output test result is also Always the same value. By using this, the attacker can determine whether or not the test key (TK ′) input by himself / herself matches the correct test key (TK). However, since attackers can only perform brute force attacks, if TK is a sufficiently large value and cannot be easily guessed, the superiority of the attacker will be significantly improved. It is not a thing.

  On the other hand, in the second embodiment, the value input to the dummy subchain 351 in the insecure mode is not the value input from the scan-in (SI) by the attacker but the random number Z generated by the random number generator 381. . As a result, even if the attacker inputs a plurality of test patterns having the same value, the test result to be output becomes a random value every time, so that the attacker has the test key (TK ′) entered by himself / herself. It is more difficult to determine whether or not it matches the correct test key (TK).

  In the second embodiment, compared to the first embodiment, the random number generator 381 for generating the random number Z and the data from the scan-in (SI) in the secure mode are input to the dummy sub-chain 351, and the in- Since the selector 371 for selectively inputting the random number Z from the random number generation unit 381 is added in the secure mode, the circuit scale is increased by that amount compared to the first embodiment. However, since the configuration of the LFSR unit 313 is the same as that of the first embodiment, the circuit scale can be reduced when compared with the above-described [LTPP05].

  In the above-described embodiment, the description has centered on the configuration of an IC (semiconductor integrated circuit). A configuration may be adopted in which control of data processing in the semiconductor integrated circuit of each of the embodiments described above is performed in the apparatus. This processing control can be executed by using a program stored in a memory in the semiconductor integrated circuit in the control unit in the semiconductor integrated circuit described in the above embodiment. Alternatively, using a control unit or memory formed in another LSI element connected to the semiconductor integrated circuit in the information processing apparatus, the program is executed and a command is input to the semiconductor integrated circuit having the above configuration. It is also possible to adopt a configuration for controlling data processing such as scan test processing.

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims should be taken into consideration.

  The series of processing described in the specification can be executed by hardware, software, or a combined configuration of both. When executing processing by software, the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and run. For example, the program can be recorded in advance on a recording medium. In addition to being installed on a computer from a recording medium, the program can be received via a network such as a LAN (Local Area Network) or the Internet and can be installed on a recording medium such as a built-in hard disk.

  Note that the various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

  As described above, according to the configuration of one embodiment of the present invention, a scan chain set as a test path for an IC (integrated circuit) is divided into a plurality of sub-paths, and a scan test is further performed. A dummy sub-chain that can input data and does not contain confidential information is configured. The control circuit that executes the control of the scan test determines the validity of the test key input from the outside. If the input test key is determined not to be valid, the control circuit selects the dummy sub-chain as the scan test execution target. Execute. By this process, all scan-out results based on the attacker's input data become data using the dummy subchain, and leakage of secret information is prevented.

100 Semiconductor Integrated Circuit 111 Control Unit (FSM)
112 Decoder part (Decoder)
113 Linear Feedback Shift Register (LFSR)
114 Test Key (TK) Match Confirmation Circuit Unit 120-1 to m Sub chain
130 Multiplexer (MUX)
181 q-bit LFSR configuration unit 182 selector unit 183 r-bit random number unit 200 semiconductor integrated circuit 211 control unit (FSM)
212 Decoder part (Decoder)
213 Linear Feedback Shift Register (LFSR)
214 Test Key (TK) Match Confirmation Circuit Unit 220-1 to m Sub chain
230 Multiplexer (MUX)
251 Dummy Subchain 300 Semiconductor Integrated Circuit 311 Control Unit (FSM)
312 Decoder part (Decoder)
313 Linear Feedback Shift Register (LFSR)
314 Test key (TK) coincidence confirmation circuit unit 318 Random number generation unit 320-1 to m Sub chain
330 Multiplexer (MUX)
351 Dummy Subchain 371 Selector

Claims (9)

A plurality of subchains set by dividing a scan chain, which is a scan test path in an integrated circuit, into a plurality of subpaths;
A dummy sub-chain capable of inputting scan test data;
A test key confirmation unit for determining the validity of a test key input from the outside;
If it is determined that the input test key is not valid, a test control unit that selects the dummy sub-chain as a scan test execution target; and
A semiconductor integrated circuit. The test control unit
An LFSR unit (linear feedback shift register) that generates selection data for selecting a sub-chain to be subjected to a scan test based on input data;
The semiconductor integrated circuit according to claim 1, further comprising: a control unit that sets data for selecting the dummy sub-chain as a scan test execution target in the LFSR unit when the input test key is not valid. The test control unit
The semiconductor integrated circuit according to claim 2, wherein when the input test key is not valid, a random number is input to the dummy subchain. The test control unit
The semiconductor integrated circuit according to claim 3, further comprising: a random number generation unit configured to input a random number generated by the random number generation unit to the dummy sub-chain when the input test key is not valid.   The semiconductor integrated circuit according to claim 2, wherein the LFSR unit has a configuration in which a primitive polynomial is a generator polynomial.   The semiconductor integrated circuit according to claim 1, wherein the dummy sub-chain has a circuit configuration that does not hold confidential information.   An information processing apparatus comprising the semiconductor integrated circuit according to claim 1. A data processing method for executing a scan test in an information processing apparatus,
The information processing apparatus includes an integrated circuit, and the integrated circuit includes a plurality of subchains set by dividing a scan chain, which is a scan test path, into a plurality of subpaths, and a dummy capable of inputting scan test data. Have a sub-chain,
A test key checking step of the information processing apparatus for determining the validity of the test key input from the outside;
When the test control unit of the information processing apparatus determines that the input test key is not valid, a test control step of selecting the dummy sub-chain as a scan test execution target;
Data processing method to execute. A program for executing a scan test in an information processing device,
The information processing apparatus includes an integrated circuit, and the integrated circuit includes a plurality of subchains set by dividing a scan chain, which is a scan test path, into a plurality of subpaths, and a dummy capable of inputting scan test data. Have a sub-chain,
A test key confirmation step for causing the test key confirmation unit of the information processing apparatus to determine the validity of the test key input from the outside;
When the test control unit of the information processing apparatus determines that the input test key is not valid, a test control step for selecting the dummy subchain as a scan test execution target;
A program that executes

Images