Revealing On-chip Proprietary Security Functions with Scan Side Channel Based Reverse Engineering.

Proprietary cryptographic algorithms or protection schemes often constitute part of the security solution in electronic devices. Hence, these devices are prone to reverse engineering attacks that may reveal the details of these algorithms. We propose a novel non-invasive method of reverse engineering of digital integrated circuits that exploits the scan chains originally inserted into the device for production test automation. The scan chains unfold the sequential logic of the device to form a combinational function. The device's functionality is then exposed by examining this function. The resulting function is too large for direct learning, so we developed heuristic learning algorithms that exploit common properties of digital circuits, in particular limited transitive fan-in of combinational logic and sub-circuit sharing properties. \\deleted{We discuss the complexity model and applicability of the algorithms. }With these algorithms we show fast reconstruction of an AES cryptographic accelerator. The algorithm used for the AES is scalable, making it applicable to much larger circuits.