{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,31]],"date-time":"2025-12-31T12:17:03Z","timestamp":1767183423211,"version":"build-2065373602"},"reference-count":40,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2025,1,14]],"date-time":"2025-01-14T00:00:00Z","timestamp":1736812800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF","doi-asserted-by":"publisher","award":["2016624"],"award-info":[{"award-number":["2016624"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Cryptography"],"abstract":"<jats:p>Design-for-test\/debug (DfT\/D) introduces scan chain testing to increase testability and fault coverage by inserting scan flip-flops. However, these scan chains are also known to be a liability for security primitives. In previous research, the dynamically obfuscated scan chain (DOSC) was introduced to protect logic-locking keys from scan-based attacks by obscuring test patterns and responses. In this paper, we present DOSCrack, an oracle-guided attack to de-obfuscate DOSC using symbolic execution and binary clustering, which significantly reduces the candidate seed space to a manageable quantity. Our symbolic execution engine employs scan mode simulation and satisfiability modulo theories (SMT) solvers to reduce the possible seed space, while obfuscation key clustering allows us to effectively rule out a group of seeds that share similarities. An integral component of our approach is the use of sequential equivalence checking (SEC), which aids in identifying distinct simulation patterns to differentiate between potential obfuscation keys. We experimentally applied our DOSCrack framework on four different sizes of DOSC benchmarks and compared their runtime and complexity. Finally, we propose a low-cost countermeasure to DOSCrack which incorporates a nonlinear feedback shift register (NLFSR) to increase the effort of symbolic execution modeling and serves as an effective defense against our DOSCrack framework. Our research effectively addresses a critical vulnerability in scan-chain obfuscation methodologies, offering insights into DfT\/D and logic locking for both academic research and industrial applications. Our framework highlights the need to craft robust and adaptable defense mechanisms to counter evolving scan-based attacks.<\/jats:p>","DOI":"10.3390\/cryptography9010006","type":"journal-article","created":{"date-parts":[[2025,1,14]],"date-time":"2025-01-14T06:13:07Z","timestamp":1736835187000},"page":"6","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Protecting Dynamically Obfuscated Scan Chain Architecture from DOSCrack with Trivium Pseudo-Random Number Generation"],"prefix":"10.3390","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-2033-8433","authenticated-orcid":false,"given":"Jiaming","family":"Wu","sequence":"first","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL 32611, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Olivia","family":"Dizon-Paradis","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL 32611, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sazadur","family":"Rahman","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of Central Florida, Orlando, FL 32816, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0471-177X","authenticated-orcid":false,"given":"Damon L.","family":"Woodard","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL 32611, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2794-7320","authenticated-orcid":false,"given":"Domenic","family":"Forte","sequence":"additional","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of Florida, Gainesville, FL 32611, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2025,1,14]]},"reference":[{"key":"ref_1","unstructured":"Aerts, J., and Marinissen, E.J. (1998, January 18\u201323). Scan chain design for test time reduction in core-based ICs. Proceedings of the Proceedings International Test Conference 1998 (IEEE Cat. No. 98CH36270), Washington, DC, USA."},{"key":"ref_2","unstructured":"(2025, January 01). TestMAX ATPG:Advanced Pattern Generation. Available online: https:\/\/www.synopsys.com\/implementation-and-signoff\/test-automation\/testmax-atpg.html."},{"key":"ref_3","unstructured":"(2013). IEEE Standard for Test Access Port and Boundary-Scan Architecture (Standard No. IEEE Std 1149.1-2013)."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"2842","DOI":"10.1109\/TIFS.2023.3265815","article-title":"Security Analysis of Scan Obfuscation Techniques","volume":"18","author":"Sao","year":"2023","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"2326","DOI":"10.1109\/TCAD.2024.3368289","article-title":"DefScan: Provably Defeating Scan Attack on AES-Like Ciphers","volume":"43","author":"Sao","year":"2024","journal-title":"IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst."},{"key":"ref_6","unstructured":"Yang, B., Wu, K., and Karri, R. (2004, January 26\u201328). Scan based side channel attack on dedicated hardware implementations of Data Encryption Standard. Proceedings of the 2004 International Conferce on Test, Charlotte, NC, USA."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"2287","DOI":"10.1109\/TCAD.2005.862745","article-title":"Secure Scan: A Design-for-Test Architecture for Crypto Chips","volume":"25","author":"Yang","year":"2006","journal-title":"IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Kodera, H., Yanagisawa, M., and Togawa, N. (2012, January 2\u20135). Scan-based attack against DES cryptosystems using scan signatures. Proceedings of the 2012 IEEE Asia Pacific Conference on Circuits and Systems, Kaohsiung, Taiwan.","DOI":"10.1109\/APCCAS.2012.6419106"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Xu, X., Yang, H., Zou, J., Cai, Z., and He, L. (2023, January 12\u201315). A High Security Encryption Circuit Based on Ring Oscillator PUF and Secure Scan Chain. Proceedings of the 2023 6th International Conference on Electronics Technology (ICET), Chengdu, China.","DOI":"10.1109\/ICET58434.2023.10211600"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Chowdhury, D.R., Rijmen, V., and Das, A. (2008, January 14\u201317). Scan Based Side Channel Attacks on Stream Ciphers and Their Counter-Measures. Proceedings of the Progress in Cryptology\u2014INDOCRYPT 2008, Kharagpur, India.","DOI":"10.1007\/978-3-540-89754-5"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Atobe, Y., Shi, Y., Yanagisawa, M., and Togawa, N. (2012, January 2\u20135). State dependent scan flip-flop with key-based configuration against scan-based side channel attack on RSA circuit. Proceedings of the 2012 IEEE Asia Pacific Conference on Circuits and Systems, Kaohsiung, Taiwan.","DOI":"10.1109\/APCCAS.2012.6419108"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"325","DOI":"10.1109\/TDSC.2007.70215","article-title":"Securing Designs against Scan-Based Side-Channel Attacks","volume":"4","author":"Lee","year":"2007","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Gaikwad, P., Slpsk, P., and Bhunia, S. (2023, January 23\u201325). Invisible Scan for Protecting Against Scan-Based Attacks: You Can\u2019t Attack What You Can\u2019t See. Proceedings of the 2023 IEEE International Test Conference India (ITC India), Bengaluru, India.","DOI":"10.1109\/ITCIndia59034.2023.10235609"},{"key":"ref_14","unstructured":"Zhang, D., He, M., Wang, X., and Tehranipoor, M. (2017, January 9\u201312). Dynamically obfuscated scan for protecting IPs against scan-based attacks throughout supply chain. Proceedings of the 2017 IEEE 35th VLSI Test Symposium (VTS), Las Vegas, NV, USA."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Subramanyan, P., Ray, S., and Malik, S. (2015, January 5\u20137). Evaluating the security of logic encryption algorithms. Proceedings of the 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), Washington, DC, USA.","DOI":"10.1109\/HST.2015.7140252"},{"key":"ref_16","unstructured":"Rahman, M.S., Nahiyan, A., Amir, S., Rahman, F., Farahmandi, F., Forte, D., Tehranipoor, M., and Dynamically Obfuscated Scan Chain to Resist Oracle-Guided Attacks on Logic Locked Design (2019, August 19). Cryptology ePrint Archive, Paper 2019\/946. Available online: https:\/\/eprint.iacr.org\/2019\/946."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Ahmed, A., Farahmandi, F., Iskander, Y., and Mishra, P. (2018, January 15\u201317). Scalable Hardware Trojan Activation by Interleaving Concrete Simulation and Symbolic Execution. Proceedings of the 2018 IEEE International Test Conference (ITC), Harbin, China.","DOI":"10.1109\/TEST.2018.8624854"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Vafaei, A., Hooten, N., Tehranipoor, M., and Farahmandi, F. (2021, January 18\u201320). SymbA: Symbolic Execution at C-level for Hardware Trojan Activation. Proceedings of the 2021 IEEE International Test Conference (ITC), Shanghai, China.","DOI":"10.1109\/ITC50571.2021.00031"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Fowze, F., Choudhury, M., and Forte, D. (2022, January 14\u201316). EISec: Exhaustive Information Flow Security of Hardware Intellectual Property Utilizing Symbolic Execution. Proceedings of the 2022 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), Singapore.","DOI":"10.1109\/AsianHOST56390.2022.10022071"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Zhao, P., and Liu, Q. (2019, January 16\u201317). Density-based Clustering Method for Hardware Trojan Detection Based on Gate-level Structural Features. Proceedings of the 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), Xi\u2019an, China.","DOI":"10.1109\/AsianHOST47458.2019.9006695"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"338","DOI":"10.1109\/TIFS.2016.2613842","article-title":"COTD: Reference-Free Hardware Trojan Detection and Recovery Based on Controllability and Observability in Gate-Level Netlist","volume":"12","author":"Salmani","year":"2017","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"13927","DOI":"10.1109\/JIOT.2023.3339488","article-title":"A Side-Channel Hardware Trojan Detection Method Based on Fuzzy C-Means Clustering and Fusion Distance Algorithms","volume":"11","author":"He","year":"2024","journal-title":"IEEE Internet Things J."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Wu, J., Fowze, F., and Forte, D. (2022, January 14\u201316). EXERT: EXhaustive IntEgRiTy Analysis for Information Flow Security. Proceedings of the 2022 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), Singapore.","DOI":"10.1109\/AsianHOST56390.2022.10022211"},{"key":"ref_24","unstructured":"(2025, January 01). Jasper Sequential Equivalence Checking. Available online: https:\/\/www.cadence.com\/en_US\/home\/tools\/system-design-and-verification\/formal-and-static-verification\/jasper-gold-verification-platform\/jaspergold-sequential-equivalence-checking-app.html."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Potluri, S., Aysu, A., and Kumar, A. (2020, January 25\u201326). SeqL: Secure Scan-Locking for IP Protection. Proceedings of the 2020 21st International Symposium on Quality Electronic Design (ISQED), Santa Clara, CA, USA.","DOI":"10.1109\/ISQED48828.2020.9136991"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1109\/TETC.2020.3021820","article-title":"A Dynamic-Key Based Secure Scan Architecture for Manufacturing and In-Field IC Testing","volume":"10","author":"Lee","year":"2022","journal-title":"IEEE Trans. Emerg. Top. Comput."},{"key":"ref_27","unstructured":"Katsikas, S.K., L\u00f3pez, J., Backes, M., Gritzalis, S., and Preneel, B. (September, January 30). Trivium: A Stream Cipher Construction Inspired by Block Cipher Design Principles. Proceedings of the Information Security, Samos Island, Greece."},{"key":"ref_28","unstructured":"Biham, E. (2003, January 4\u20138). Algebraic Attacks on Stream Ciphers with Linear Feedback. Proceedings of the Advances in Cryptology\u2014EUROCRYPT 2003, Warsaw, Poland."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Hawkes, P., and Rose, G.G. (2004, March 16). Rewriting Variables: The Complexity of Fast Algebraic Attacks on Stream Ciphers. Available online: https:\/\/eprint.iacr.org\/2004\/081.","DOI":"10.1007\/978-3-540-28628-8_24"},{"key":"ref_30","unstructured":"Zhou, J., Yung, M., and Han, Y. (2003, January 16\u201319). A Fast Correlation Attack for LFSR-Based Stream Ciphers. Proceedings of the Applied Cryptography and Network Security, Kunming, China."},{"key":"ref_31","unstructured":"M\u00e9aux, P., and Wang, Q. (2024, January 17). Extreme Algebraic Attacks. Available online: https:\/\/eprint.iacr.org\/2024\/064."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"61","DOI":"10.1016\/S0022-4049(99)00005-5","article-title":"A new efficient algorithm for computing Gr\u00f6bner bases (F4)","volume":"139","year":"1999","journal-title":"J. Pure Appl. Algebra"},{"key":"ref_33","unstructured":"Bard, G.V., Courtois, N.T., and Jefferson, C. (2007, January 26). Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers. Available online: https:\/\/eprint.iacr.org\/2007\/24."},{"key":"ref_34","unstructured":"Teo, S.G., Wong, K.K.H., Bartlett, H., Simpson, L., and Dawson, E. (2014, January 20\u201323). Algebraic analysis of Trivium-like ciphers (poster). Proceedings of the Twelfth Australasian Information Security Conference (AISC \u201914),\u2014Volume 149, AUS, Auckland, New Zealand."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Dudek, J.M., Meel, K.S., and Vardi, M.Y. (2017). The Hard Problems Are Almost Everywhere For Random CNF-XOR Formulas. arXiv.","DOI":"10.24963\/ijcai.2017\/84"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1016\/S0166-218X(99)00032-3","article-title":"Satisfiability threshold for random XOR-CNF formulas","volume":"96\u201397","author":"Creignou","year":"1999","journal-title":"Discret. Appl. Math."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Limaye, N., and Sinanoglu, O. (2020, January 9\u201313). DynUnlock: Unlocking Scan Chains Obfuscated using Dynamic Keys. Proceedings of the 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE), Grenoble, France.","DOI":"10.23919\/DATE48585.2020.9116197"},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"1867","DOI":"10.1109\/TETC.2019.2940750","article-title":"ScanSAT: Unlocking Static and Dynamic Scan Obfuscation","volume":"9","author":"Alrahis","year":"2021","journal-title":"IEEE Trans. Emerg. Top. Comput."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Chen, D., Lin, C., and Beerel, P.A. (2021, January 6\u20138). GF-Flush: A GF(2) Algebraic Attack on Dynamically Secured Scan Chains. Proceedings of the 2021 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT), Athens, Greece.","DOI":"10.1109\/DFT52944.2021.9568356"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Wu, J., Dizon-Paradis, O., Rahman, S., Woodard, D., and Forte, D. (2024, January 6\u20139). DOSCrack: Deobfuscation Using Oracle-Guided Symbolic Execution and Clustering of Binary Security Keys. Proceedings of the 2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), Washington, DC, USA.","DOI":"10.1109\/HOST55342.2024.10545388"}],"container-title":["Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2410-387X\/9\/1\/6\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,8]],"date-time":"2025-10-08T10:28:22Z","timestamp":1759919302000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2410-387X\/9\/1\/6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,14]]},"references-count":40,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,3]]}},"alternative-id":["cryptography9010006"],"URL":"https:\/\/doi.org\/10.3390\/cryptography9010006","relation":{},"ISSN":["2410-387X"],"issn-type":[{"type":"electronic","value":"2410-387X"}],"subject":[],"published":{"date-parts":[[2025,1,14]]}}}