• Abstract

# An Improved Publicly Detectable Watermarking Scheme Based on Scan Chain Ordering

This paper proposes an improved version of watermarking scheme at the Design-for-Testability (DfT) stage for VLSI Intellectual Property (IP) Protection. The improved scheme overcomes the weaknesses of previous scan chain watermarking scheme by imposing the extra ordering constraints generated by the IP owner's signature on all scan flip-flops impartially. IP authorship can be publicly authenticated in the field by injecting a given test vector and matching a permuted output response vector against a transformed reference pattern. Both the output response and the reference sequence are related to a pseudorandom sequence generated by a public-key cryptographic algorithm. Experimental results show that the improved method has a low probability of coincidence and low test power overhead.

SECTION I

## INTRODUCTION

The System-on-Chip era is marked by the wide adoption of reusable IP cores. Trading of IP cores in an open environment poises new problem in tracking illegal IP distribution. Watermarking techniques [1], [2], [3], [4] have been proposed as an active approach to protect the copyrights of VLSI designs. Based on the watermark detection, these techniques can be classified under static or dynamic watermarking schemes [5]. The dynamic watermarking [3], [4] avoids the risk of exposing the constraint generator in static watermarking [1], [2] during verification by allowing the authorship to be detected by running the watermarked IP with some specific input patterns. If the dynamic watermarking scheme is applied at the DfT stage [3], [4], the ownership can be directly detected in the field even after the IP core has been integrated into SoC and packaged.

In [3], we proposed a dynamic watermarking scheme based on the power-driven scan chain ordering problem. When a specific input vector is injected, the output response will contain the watermark at some selected scan flip-flop positions. This scheme is found to possess some weaknesses. To verify the authorship, the positions of these specific flip-flops must be known, which needs special measure to ensure its security for public authentication. Also, the test patterns distributed with the watermarked IP may create a security leak due to the biased selection of the watermarked flip-flops based on the weighted transitions of the test and response vectors. These make the watermark vulnerable to attack without removing the entire scan chain. These weaknesses arise because not all flip-flops in the scan chain have equal privileges to be allocated to every position specified by the extra constraints imposed by the watermark.

In this paper, we propose an improvement to overcome the above weaknesses in our DfT watermarking scheme [3]. Both the switching power minimization criterion and the extra constraints generated by the watermark information are considered for a more 'random' allocation of all flip-flops in the scan chain instead of giving some flip-flops the prerogative to assumed positions dictated by the specific output response vector [3]. A public-key cryptosystem is also used to assure that the authorship can be authenticated publicly without divulging the watermark information.

SECTION II

## REVIEW OF PREVIOUS WORK

This section reviews our earlier watermarking scheme based on scan chain ordering [3]. The example in [3], as shown in Fig. 1, is used for the illustration. At the DfT stage, the extra constraints are imposed on the ordering of the flip-flops so that the watermark bits, w1, w2 and w3 will be extracted from some reordered flip-flop positions, mp1, mp2 and mp3, which are randomly generated by the signature. The watermarking process finds a permutation, πwm(R) of the scan flip-flops that will minimize the test switching power. When a specific input test vector is applied onto the scan-in pin, Sin, the watermark bits will be detected at positions mp1,mp2 and mp3 of its output response vector. The watermarked scan chain, πwm(R) = r2 r1 r5 r7 r4 r6 r3 with mp1 = p4, mp2 = p2 and mp3 = p7 is shown at the bottom of Fig. 1, where pi is the i-th flip-flop position of the watermarked scan chain.

Fig. 1. Example of watermarking by scan cell ordering.

To verify the authorship, the IP owner must be able to show that the bits extracted from p4,p2 and p7 match the bits w1, w2 and w3. By revealing the positions hosting the watermark bits publicly for authentication, it is easier for the attacker to erase the watermark information on those flip-flops without removing the scan chain. The watermarked constraint is imposed by a power-driven scan chain ordering algorithm. Based on the number of weighted transitions [6], a heuristic Nearest Neighbor (NN) greedy algorithm is used to re-allocate flip-flops into the scan chain. For the positions that host the watermark bits, the flip-flops are constrained to be selected from a subset of the unallocated flip-flops according to the values of the watermark bits. For example, in Fig. 1, as p2 is a watermarked position, the search for the nearest neighbor to the flip-flop in p1 (which is r2 in this case) is limited only to the scan flip-flops r1,r4 and r5. However, from the weighted transitions of the test patterns, the nearest neighbor to r2 is actually r3, which is not a member of {r1, r4, r5}. Thus, from the test patterns, if the flip-flop is not the real nearest neighbor to the preceding flip-flop in the watermarked scan chain, the watermarked flip-flop and its information will be exposed, making the scheme vulnerable. These weaknesses will be overcome by the improved scheme proposed in the next section.

SECTION III

## IMPROVED WATERMARKING SCHEME

Let be the original scan chain with N scan flip-flops and be the N flip-flop positions. A weighted connected graph, G(V, E) can be built from the complete test set. Each vertex of the graph represents a scan flip-flop. An edge E(ri,rj) connecting two flip-flops, ri and rj carries a weight equal to the total number of bit differences between ri and rj for the entire test set. The watermark is embedded to find a permutation πwm(R) with minimal test switching power such that a specific output vector can be obtained when a user-specific test vector is applied onto Sin. The watermarking process is detailed as follows:

### A. Watermark Generation

The IP ownership is displayed by a meaningful text string M. This arbitrary length binary string is shortened to a fixed length hash-code, H using the secure hash algorithm, SHA-1 [7]. Directed by H, a pseudorandom number generator (PNG) [7] is used to generate a sequence of N unique numbers, . This is the watermarked constraint used for the scan chain reordering.

### B. Generation of Reference Output Vector

A designated input vector, , xi ∊ {0,1}, is shifted into the initial scan chain to obtain an output vector, , yi ∊ {0,1}. Suppose there are N0 “0” bits and N1 “1” bits in Y. The N0 and N1 flip-flops are assigned to two sets, R0 and R1, respectively. Let Z be an N-bit binary vector where the first N0 bits are “0” and the remaining N1 bits are , zi = 0 for 1 ≤ iN0 and zi = 1 for (N0 + 1) ≤ iN. Q is encrypted using a private key, Ke, of a public-key cryptosystem (PKC) [7] to generate a random number sequence, , ci = qj, 1 ≤ jN. The bit sequence Z is then ordered according to C to generate , where .

### C. Waterarmark Insertion

During the watermarking process, the allocation of a flip-flop to a position in the scan chain is directed by the integer sequence Q and the binary vector U. Let pj = πwm(ri) denote the mapping of a vertex, riR to a position, pjP. The first position, p1 will be arbitrarily allocated to any flip-flop from Rϕ, where ϕ ∊ {0, 1} and . Then the allocated flip-flop, is removed from Rϕ. For all other positions, pi, 2 ≤ iN, the NN algorithm is used to select a flip-flop from , that has the least edge cost in the graph G to the vertex . The selected flip-flop is then removed from the set Rϕ. This process is repeated until every scan flip-flop in R has been allocated to a unique position in the scan chain. The watermark insertion procedure is summarized by the pseudo code in Fig. 2.

Fig. 2. Watermarking on power-driven scan chain ordering.

### D. Public and Field Verification of Authorship

The verifier is given X′ = πwm(X), the number sequence, C and the public key of the IP owner, Kd for authorship authentication. A response vector, Y′ is obtained by loading X′ onto the watermarked scan chain in the test mode. If and are numbers of “0” and “1” bits of Y′, respectively, an N-bit binary vector, with “0”s followed by “1”s is created and permuted according to the order of C to obtain a reference sequence, û. C is decrypted using the public key, Kd to obtain Q = fD(Kd,C). Q is then used to permute Y′ to obtain a binary sequence U′ such that the qi-th (qiQ) element of U′ is equal to the i-th element of Y′, i.e., . If U′ perfectly matches or is highly correlated with û, the authorship is verified as Q can only be generated by the IP owner.

### E. A Simple Example

Consider the scan chain in Fig. 3. Vi and Ri on the left hand side denote the i-th test and response vectors, respectively for the original scan chain, π (R) = r1 r2 r3 r4 r5 r6 r7. The connected graph for the scan chain is shown in Fig. 4(a). Suppose Y = “0110011” is obtained when X = “0010110” is loaded into the scan chain. From Y and π(R),R0 = {r1,r4,r5}, R1 = {r2,r3,r6,r7} and Z = “0001111”. The vertices corresponding to the flip-flops in R0 and R1 are marked with dot lines and continuous lines, respectively in Fig. 4. Assume that Q = {3, 4, 2, 7, 5, 1, 6} and C = fE(Ke, Q) = {4, 1, 6, 3, 5, 7, 2}. Then, according to Z and C, U = “1010110”.

Fig. 3. Example of improved DfT watermarking scheme.
Fig. 4. Watermarking process according to the cost graph.(a) cost graph. (b) flip-flop for p2. (c) flip-flop for p3.

For , the flip-flop allocated to p1 must come from R1 to produce a “1” bit in the first flip-flop of the watermarked scan chain. If r2 is arbitrarily selected, R1 is updated to {r3,r6,r7}. As , flip-flops from R0 will be withdrawn to compete for p2. From Fig. 4(b), the edge connecting r1 to r2 has the smallest cost among all the qualified edges connected to r2, so r1 is allocated to p2 and removed from R0. Similarly, r5 is allocated to the next position, p3 since and e(r1,r5) < e(r1,r4). The process is repeated until all flip-flops are allocated. The ordering of the final watermarked scan chain is πwm(R) = r2 r1 r5 r4 r7 r6 r3. This is shown in the lower part of Fig. 3. To verify the IP authorship, the vector X′ = “010011” is loaded into the watermarked scan chain in the test mode to obtain Y′ = “000111”, from which is produced. According to Y′ and the given C, the sequence is permuted to obtain û = “1010110”. C is then decrypted with the public key Kd to obtain Q = {3, 4, 2, 7, 5, 1, 6}. Y′ is permuted according to Q, to obtain U′. If U′ matches û, the authorship is proved. Otherwise, the watermark is either not present or has been modified or erased.

SECTION IV

## WATERMARK RESILIENCE ANALYSIS

The probability of coincidence, Pc is a key measure of the strength of a watermarking scheme. It denotes the probability that a non-watermarked design carries the watermark by coincidence. For our proposed scheme, if the output sequence under the input vector X′ has the same permutation of “0” and “1” bits as Y′, the design is said to possess the watermark. Pc can then be expressed as: TeX Source $$P_c = {P^{N_0}_{N_0}\cdot P^{N_1}_{N_1} \over P^{N \over N}} = {N_0!N_1! \over N!}\eqno{\hbox{(1)}}$$

A lower Pc implies a stronger authorship proof. From (1), the longer the scan chain length and the more balance between the numbers of “0” and “1” bits in Y′, the stronger the watermarking scheme.

False positive response occurs when Y′ is obtained from the injection of some input vectors other than X′ into the watermarked scan chain. If there are NC(τ) output responses that match at least τ (0 ≤ τ ≤ 1) fraction of the bits of Y′ when NT randomly generated test vectors are applied onto the scan chain, then we can define: TeX Source $$P_{\lambda}(\tau) = {N_C(\tau) \over N_T}\eqno{\hbox{(2)}}$$where Pλ(τ = 1) gives the exact false positive rate. When τ decreases, Pλ increases and a threshold for τ can be determined empirically that with high degree of confidence, Y′ will not appear in the output responses for a given number of input vectors tested. Hence the authenticity of the design can be assured as long as Pλ(τ) is very low.

In what follows, four typical attacks are analyzed with Alice as the IP owner and Bob as the attacker. Variables with subscripts “A” and “B” are associated with Alice and Bob, respectively.

### A. Ghost Search

Without touching Alice's design, Bob may load XB′ into Alice's watermarked design during test mode to obtain YB′ and generate the sequence ZB. He may refer to an encrypted number sequence, CB to permute ZB to generate UB. Bob will then find a set of numbers, QB to realize the mapping of YB to UB. This attack scenario can not be substantiated as it is computationally infeasible for Bob to find a key to decrypt CB to the sequence QB or reverse a keyed one-way PNG to generate QB. Alternatively, Bob may first generate QB using the PNG and then map the YB to a bit sequence, UB according to QB. However, it is computationally intractable for Bob to find a key pair (Ke, Kd) for the encryption of QB and the decryption of CB [7].

### B. Denial Attacks

Bob may deny that Alice has inserted her ownership information into the design. He may claim that Alice may have randomly found XA and the corresponding sets of QA, ZA, CA and UA. To repudiate Bob's accusation, Alice needs to repeat the verification process in Section III.D and show that the probability for the output response to a randomly generated input vector other than XA to match YA is very low, i.e., Pλ(τ = 1) must be very low.

### C. Removal Attacks

It is obvious that no watermark can survive upon removal of the scan chain. The IP core of the scan chain is assumed to be watermarked with other technique, for example, [2] before its test circuit is watermarked by the proposed scheme to enable public and field authentication. Without overly perturbing the useful test circuit, Bob may randomly reorder some scan flip-flops in the scan chain in order to alter the watermark information to invalidate the authorship proof during field authentication. Bob needs to change the circuit routing to reorder sufficient number of flip-flops to modify at least (1− τ) fraction of YA. Assume α scan flip-flops can be reordered with reasonable effort and without obvious degradation to the circuit performance. Further assume that β (β ≤ α) bits will be altered in this process. In most cases, α < (1− τ) · N as N is usually much greater than α. This means that β < (1− τ) · N. It can be shown that it is difficult to alter enough bits to invalidate the authorship for a large N.

### D. Unauthorized Addition Attacks

If Bob would like to insert his own information into Alice's design, he will have to remove the scan chain and repeat the proposed watermarking process to generate his own scan chain. This amounts to a task of difficulty equivalent to the complete repetition of the scan chain design without knowing the IP circuit.

SECTION V

## EXPERIMENTAL RESULTS

In the experiment, the DfT tool, DFTadvisor and the ATPG tool, FastScan by Mentor Graphics are used to generate the initial vectors, Y from X on the originally optimized scan design. The watermarking scheme is applied on sequential circuits from ISCAS89, ISCAS99 and LGSynth93 benchmark suites. All calculations were performed on a 750-MHz Sun UltraSPARC-III with Solaris operating system and 2 GB of memory.

Tables I shows the results of watermarking 14 benchmark circuits. The set of pseudorandom numbers is generated according to the scan chain length, N. WTorg and WTwm denote the number of weighted transitions of the originally optimized scan chain and that of the watermarked scan chain, respectively. ΔWT is calculated as the percentage increments from WTorg to WTwm. A negative percentage implies performance improvement due to watermarking. The switching power overhead is less than 4% for all designs. The average overhead is less than 2%, which shows that the proposed watermarking scheme incurs very low overhead on the test power.

TABLE I Evaluation of the Watermarking Solution

The watermark strength is evaluated by Pc in Table I. The value of Pc decreases rapidly as the scan chain length, N increases. When N > 1000, Pc reduced to less than 1.0 × 10−300. To determine the false positive rate, Pλ, 200 randomly generated input vectors were applied on each watermarked design. None of the output responses was detected to perfectly match the known Y′. When τ is reduced to 0.6, Pλ remains zero for all designs. When τ is reduced to 0.5, all the watermarked designs have Pλ≥ 50%. So it is reasonable to assume that when more than 40% of the bits are corrupted, the watermark can not be detected. If we assumed that α = 150 flip-flops in the scan chain can be moved around with reasonable effort and without significantly degrading the circuit performance. The probability of successfully altering at least 40% of Y′ by a random derangement of scan flip-flops is zero as long as N > α/0.4 = 375, which can be easily satisfied by a design with a reasonable long scan chain.

SECTION VI

## CONCLUSION

This paper proposes a publicly detectable IP watermarking scheme. The ownership information is encrypted and transformed into constraints to reorder the scan chain for minimal switching power during test. The proposed method has overcome the vulnerability of previous power-driven scan chain watermarking scheme to enable the IP authorship to be verified publicly in the field without the risk of exposing the watermarked flip-flop locations. Experimental results have shown that the improved method has very low probability of coincidence and acceptably low test power consumption overhead.

## Footnotes

A. Cui and C.-H. Chang are with the Centre for High Performance Embedded Systems, Nanyang Technological University, 50 Nanyang Drive, Research Techno Plaza, 3rd Storey, Border X Block, Singapore 637553.

## References

1. Constraint-based watermarking techniques for design IP protection

A. B. Kahng, et al.

IEEE Trans. on Computer-Aided Design of Integrated Circuits and Syst., Vol. 20, issue (10), pp. 1236–1252, 2001-10

2. IP watermarking using incremental technology mapping at logic synthesis level

A. Cui, C. H. Chang, S. Tahar

IEEE Trans. on Computer-Aided Design of Integrated Circuits and Syst., vol. 27, issue (9), p. 1565–1570, 2008-09

3. Intellectual property authentication by watermarking scan chain in design-for-testability flow

A. Cui, C. H. Chang

Seattle, USA
Proc. IEEE Int. Symp. on Circuits and Syst., 2008-05, 2645–2648

4. Intellectual property protection using watermarking partial scan chains for sequential logic test generation

D. Kirovski, M. Potkonjak

Proc. IEEE High Level Design, Verification, and Test Conf., 1998-11

5. A survey on IP watermarking techniques

A. T. Abdel-Hamid, S. Tahar, E.M. Aboulhamid

Design Automation for Embedded Systems, Vol. 10, pp. 1–17, 2005, Springer Verlag

6. Power driven chaining of flip-flops in scan architectures

Y. Bonhomme, P. Girard, C. Landrault, S. Pravossoudovitch

Washington, USA
Proc. IEEE Int. Test Conf., 2002, 796–803

7. Handbook of Applied Cryptography

A. Menezes, P. van Oorschot, S. Vanstone

Handbook of Applied Cryptography, CRC Press, 1996

## Cited By

No Citations Available

## Keywords

### INSPEC: Non-Controlled Indexing

No Keywords Available

### Authors Keywords

No Keywords Available

### More Keywords

No Keywords Available

No Corrections

## Media

No Content Available
This paper appears in:
International Symposium on Circuits and Systems
Issue Date:
2009
On page(s):
29 - 32
ISBN:
N/A
Print ISBN:
978-1-4244-3827-3
INSPEC Accession Number:
10760298
Digital Object Identifier:
10.1109/ISCAS.2009.5117677
Date of Current Version:
26 Jun, 2009

### Articles of Influence

#### Hardware/software co-verification, an IP vendors viewpoint

Hopes, T.

© Copyright 2011 IEEE – All Rights Reserved