The System-on-Chip era is marked by the wide adoption of reusable IP cores. Trading of IP cores in an open environment poises new problem in tracking illegal IP distribution. Watermarking techniques [1], [2], [3], [4] have been proposed as an active approach to protect the copyrights of VLSI designs. Based on the watermark detection, these techniques can be classified under static or dynamic watermarking schemes [5]. The dynamic watermarking [3], [4] avoids the risk of exposing the constraint generator in static watermarking [1], [2] during verification by allowing the authorship to be detected by running the watermarked IP with some specific input patterns. If the dynamic watermarking scheme is applied at the DfT stage [3], [4], the ownership can be directly detected in the field even after the IP core has been integrated into SoC and packaged.

In [3], we proposed a dynamic watermarking scheme based on the power-driven scan chain ordering problem. When a specific input vector is injected, the output response will contain the watermark at some selected scan flip-flop positions. This scheme is found to possess some weaknesses. To verify the authorship, the positions of these specific flip-flops must be known, which needs special measure to ensure its security for public authentication. Also, the test patterns distributed with the watermarked IP may create a security leak due to the biased selection of the watermarked flip-flops based on the weighted transitions of the test and response vectors. These make the watermark vulnerable to attack without removing the entire scan chain. These weaknesses arise because not all flip-flops in the scan chain have equal privileges to be allocated to every position specified by the extra constraints imposed by the watermark.

In this paper, we propose an improvement to overcome the above weaknesses in our DfT watermarking scheme [3]. Both the switching power minimization criterion and the extra constraints generated by the watermark information are considered for a more 'random' allocation of all flip-flops in the scan chain instead of giving some flip-flops the prerogative to assumed positions dictated by the specific output response vector [3]. A public-key cryptosystem is also used to assure that the authorship can be authenticated publicly without divulging the watermark information.

SECTION II

## REVIEW OF PREVIOUS WORK

This section reviews our earlier watermarking scheme based on scan chain ordering [3]. The example in [3], as shown in Fig. 1, is used for the illustration. At the DfT stage, the extra constraints are imposed on the ordering of the flip-flops so that the watermark bits, *w*_{1}, *w*_{2} and *w*_{3} will be extracted from some reordered flip-flop positions, *mp*_{1}, *mp*_{2} and *mp*_{3}, which are randomly generated by the signature. The watermarking process finds a permutation, π_{wm}(*R*) of the scan flip-flops that will minimize the test switching power. When a specific input test vector is applied onto the scan-in pin, *S*_{in}, the watermark bits will be detected at positions *mp*_{1},*mp*_{2} and *mp*_{3} of its output response vector. The watermarked scan chain, π_{wm}(*R*) = *r*_{2} *r*_{1} *r*_{5} *r*_{7} *r*_{4} *r*_{6} *r*_{3} with *mp*_{1} = *p*_{4}, *mp*_{2} = *p*_{2} and *mp*_{3} = *p*_{7} is shown at the bottom of Fig. 1, where *p*_{i} is the *i*-th flip-flop position of the watermarked scan chain.

To verify the authorship, the IP owner must be able to show that the bits extracted from *p*_{4},*p*_{2} and *p*_{7} match the bits *w*_{1}, *w*_{2} and *w*_{3}. By revealing the positions hosting the watermark bits publicly for authentication, it is easier for the attacker to erase the watermark information on those flip-flops without removing the scan chain. The watermarked constraint is imposed by a power-driven scan chain ordering algorithm. Based on the number of weighted transitions [6], a heuristic Nearest Neighbor (NN) greedy algorithm is used to re-allocate flip-flops into the scan chain. For the positions that host the watermark bits, the flip-flops are constrained to be selected from a subset of the unallocated flip-flops according to the values of the watermark bits. For example, in Fig. 1, as *p*_{2} is a watermarked position, the search for the nearest neighbor to the flip-flop in *p*_{1} (which is *r*_{2} in this case) is limited only to the scan flip-flops *r*_{1},*r*_{4} and *r*_{5}. However, from the weighted transitions of the test patterns, the nearest neighbor to *r*_{2} is actually *r*_{3}, which is not a member of {*r*_{1}, *r*_{4}, *r*_{5}}. Thus, from the test patterns, if the flip-flop is not the real nearest neighbor to the preceding flip-flop in the watermarked scan chain, the watermarked flip-flop and its information will be exposed, making the scheme vulnerable. These weaknesses will be overcome by the improved scheme proposed in the next section.

SECTION III

## IMPROVED WATERMARKING SCHEME

Let be the original scan chain with *N* scan flip-flops and be the *N* flip-flop positions. A weighted connected graph, *G*(*V*, *E*) can be built from the complete test set. Each vertex of the graph represents a scan flip-flop. An edge *E*(*r*_{i},*r*_{j}) connecting two flip-flops, *r*_{i} and *r*_{j} carries a weight equal to the total number of bit differences between *r*_{i} and *r*_{j} for the entire test set. The watermark is embedded to find a permutation π_{wm}(*R*) with minimal test switching power such that a specific output vector can be obtained when a user-specific test vector is applied onto *S*_{in}. The watermarking process is detailed as follows:

### A. Watermark Generation

The IP ownership is displayed by a meaningful text string *M*. This arbitrary length binary string is shortened to a fixed length hash-code, *H* using the secure hash algorithm, SHA-1 [7]. Directed by *H*, a pseudorandom number generator (PNG) [7] is used to generate a sequence of *N* unique numbers, . This is the watermarked constraint used for the scan chain reordering.

### B. Generation of Reference Output Vector

A designated input vector, , *x*_{i} ∊ {0,1}, is shifted into the initial scan chain to obtain an output vector, , *y*_{i} ∊ {0,1}. Suppose there are *N*_{0} “0” bits and *N*_{1} “1” bits in *Y*. The *N*_{0} and *N*_{1} flip-flops are assigned to two sets, *R*_{0} and *R*_{1}, respectively. Let *Z* be an *N*-bit binary vector where the first *N*_{0} bits are “0” and the remaining *N*_{1} bits are , *z*_{i} = 0 for 1 ≤ *i* ≤ *N*_{0} and *z*_{i} = 1 for (*N*_{0} + 1) ≤ *i* ≤ *N*. *Q* is encrypted using a private key, *K*_{e}, of a public-key cryptosystem (PKC) [7] to generate a random number sequence, , *c*_{i} = *q*_{j}, 1 ≤ *j* ≤ *N*. The bit sequence *Z* is then ordered according to *C* to generate , where .

### C. Waterarmark Insertion

During the watermarking process, the allocation of a flip-flop to a position in the scan chain is directed by the integer sequence *Q* and the binary vector *U*. Let *p*_{j} = π_{wm}(*r*_{i}) denote the mapping of a vertex, *r*_{i} ∊ *R* to a position, *p*_{j} ∊ *P*. The first position, *p*_{1} will be arbitrarily allocated to any flip-flop from *R*_{ϕ}, where ϕ ∊ {0, 1} and . Then the allocated flip-flop, is removed from *R*_{ϕ}. For all other positions, *p*_{i}, 2 ≤ *i* ≤ *N*, the NN algorithm is used to select a flip-flop from , that has the least edge cost in the graph *G* to the vertex . The selected flip-flop is then removed from the set *R*_{ϕ}. This process is repeated until every scan flip-flop in *R* has been allocated to a unique position in the scan chain. The watermark insertion procedure is summarized by the pseudo code in Fig. 2.

### D. Public and Field Verification of Authorship

The verifier is given *X*′ = π_{wm}(*X*), the number sequence, *C* and the public key of the IP owner, *K*_{d} for authorship authentication. A response vector, *Y*′ is obtained by loading *X*′ onto the watermarked scan chain in the test mode. If and are numbers of “0” and “1” bits of *Y*′, respectively, an *N*-bit binary vector, with “0”s followed by “1”s is created and permuted according to the order of *C* to obtain a reference sequence, û. *C* is decrypted using the public key, *K*_{d} to obtain *Q* = *f*_{D}(*K*_{d},*C*). *Q* is then used to permute *Y*′ to obtain a binary sequence *U*′ such that the *q*_{i}-th (*q*_{i} ∊ *Q*) element of *U*′ is equal to the *i*-th element of *Y*′, i.e., . If *U*′ perfectly matches or is highly correlated with û, the authorship is verified as *Q* can only be generated by the IP owner.

### E. A Simple Example

Consider the scan chain in Fig. 3. *V*_{i} and *R*_{i} on the left hand side denote the *i*-th test and response vectors, respectively for the original scan chain, π (*R*) = *r*_{1} *r*_{2} *r*_{3} *r*_{4} *r*_{5} *r*_{6} *r*_{7}. The connected graph for the scan chain is shown in Fig. 4(a). Suppose *Y* = “0110011” is obtained when *X* = “0010110” is loaded into the scan chain. From *Y* and π(*R*),*R*_{0} = {*r*_{1},*r*_{4},*r*_{5}}, *R*_{1} = {*r*_{2},*r*_{3},*r*_{6},*r*_{7}} and *Z* = “0001111”. The vertices corresponding to the flip-flops in *R*_{0} and *R*_{1} are marked with dot lines and continuous lines, respectively in Fig. 4. Assume that *Q* = {3, 4, 2, 7, 5, 1, 6} and *C* = *f*_{E}(*K*_{e}, *Q*) = {4, 1, 6, 3, 5, 7, 2}. Then, according to *Z* and *C*, *U* = “1010110”.

For , the flip-flop allocated to *p*_{1} must come from *R*_{1} to produce a “1” bit in the first flip-flop of the watermarked scan chain. If *r*_{2} is arbitrarily selected, *R*_{1} is updated to {*r*_{3},*r*_{6},*r*_{7}}. As , flip-flops from *R*_{0} will be withdrawn to compete for *p*_{2}. From Fig. 4(b), the edge connecting *r*_{1} to *r*_{2} has the smallest cost among all the qualified edges connected to *r*_{2}, so *r*_{1} is allocated to *p*_{2} and removed from *R*_{0}. Similarly, *r*_{5} is allocated to the next position, *p*_{3} since and *e*(*r*_{1},*r*_{5}) < *e*(*r*_{1},*r*_{4}). The process is repeated until all flip-flops are allocated. The ordering of the final watermarked scan chain is π_{wm}(*R*) = *r*_{2} *r*_{1} *r*_{5} *r*_{4} *r*_{7} *r*_{6} *r*_{3}. This is shown in the lower part of Fig. 3. To verify the IP authorship, the vector *X*′ = “010011” is loaded into the watermarked scan chain in the test mode to obtain *Y*′ = “000111”, from which is produced. According to *Y*′ and the given *C*, the sequence is permuted to obtain û = “1010110”. *C* is then decrypted with the public key *K*_{d} to obtain *Q* = {3, 4, 2, 7, 5, 1, 6}. *Y*′ is permuted according to *Q*, to obtain *U*′. If *U*′ matches û, the authorship is proved. Otherwise, the watermark is either not present or has been modified or erased.

SECTION IV

## WATERMARK RESILIENCE ANALYSIS

The probability of coincidence, *P*_{c} is a key measure of the strength of a watermarking scheme. It denotes the probability that a non-watermarked design carries the watermark by coincidence. For our proposed scheme, if the output sequence under the input vector *X*′ has the same permutation of “0” and “1” bits as *Y*′, the design is said to possess the watermark. *P*_{c} can then be expressed as:
TeX Source
$$P_c = {P^{N_0}_{N_0}\cdot P^{N_1}_{N_1} \over P^{N \over N}} = {N_0!N_1! \over N!}\eqno{\hbox{(1)}}$$

A lower *P*_{c} implies a stronger authorship proof. From (1), the longer the scan chain length and the more balance between the numbers of “0” and “1” bits in *Y*′, the stronger the watermarking scheme.

False positive response occurs when *Y*′ is obtained from the injection of some input vectors other than *X*′ into the watermarked scan chain. If there are *N*_{C}(τ) output responses that match at least τ (0 ≤ τ ≤ 1) fraction of the bits of *Y*′ when *N*_{T} randomly generated test vectors are applied onto the scan chain, then we can define:
TeX Source
$$P_{\lambda}(\tau) = {N_C(\tau) \over N_T}\eqno{\hbox{(2)}}$$where *P*_{λ}(τ = 1) gives the exact false positive rate. When τ decreases, *P*_{λ} increases and a threshold for τ can be determined empirically that with high degree of confidence, *Y*′ will not appear in the output responses for a given number of input vectors tested. Hence the authenticity of the design can be assured as long as *P*_{λ}(τ) is very low.

In what follows, four typical attacks are analyzed with Alice as the IP owner and Bob as the attacker. Variables with subscripts “*A*” and “*B*” are associated with Alice and Bob, respectively.

### A. Ghost Search

Without touching Alice's design, Bob may load *X*_{B}′ into Alice's watermarked design during test mode to obtain *Y*_{B}′ and generate the sequence *Z*_{B}. He may refer to an encrypted number sequence, *C*_{B} to permute *Z*_{B} to generate *U*_{B}. Bob will then find a set of numbers, *Q*_{B} to realize the mapping of *Y*′_{B} to *U*_{B}. This attack scenario can not be substantiated as it is computationally infeasible for Bob to find a key to decrypt *C*_{B} to the sequence *Q*_{B} or reverse a keyed one-way PNG to generate *Q*_{B}. Alternatively, Bob may first generate *Q*_{B} using the PNG and then map the *Y*′_{B} to a bit sequence, *U*_{B} according to *Q*_{B}. However, it is computationally intractable for Bob to find a key pair (*K*_{e}, *K*_{d}) for the encryption of *Q*_{B} and the decryption of *C*_{B} [7].

### B. Denial Attacks

Bob may deny that Alice has inserted her ownership information into the design. He may claim that Alice may have randomly found *X*′_{A} and the corresponding sets of *Q*_{A}, *Z*_{A}, *C*_{A} and *U*_{A}. To repudiate Bob's accusation, Alice needs to repeat the verification process in Section III.D and show that the probability for the output response to a randomly generated input vector other than *X*′_{A} to match *Y*′_{A} is very low, i.e., *P*_{λ}(τ = 1) must be very low.

### C. Removal Attacks

It is obvious that no watermark can survive upon removal of the scan chain. The IP core of the scan chain is assumed to be watermarked with other technique, for example, [2] before its test circuit is watermarked by the proposed scheme to enable public and field authentication. Without overly perturbing the useful test circuit, Bob may randomly reorder some scan flip-flops in the scan chain in order to alter the watermark information to invalidate the authorship proof during field authentication. Bob needs to change the circuit routing to reorder sufficient number of flip-flops to modify at least (1− τ) fraction of *Y*′_{A}. Assume α scan flip-flops can be reordered with reasonable effort and without obvious degradation to the circuit performance. Further assume that β (β ≤ α) bits will be altered in this process. In most cases, α < (1− τ) · *N* as *N* is usually much greater than α. This means that β < (1− τ) · *N*. It can be shown that it is difficult to alter enough bits to invalidate the authorship for a large *N*.

### D. Unauthorized Addition Attacks

If Bob would like to insert his own information into Alice's design, he will have to remove the scan chain and repeat the proposed watermarking process to generate his own scan chain. This amounts to a task of difficulty equivalent to the complete repetition of the scan chain design without knowing the IP circuit.

SECTION V

## EXPERIMENTAL RESULTS

In the experiment, the DfT tool, DFTadvisor and the ATPG tool, FastScan by Mentor Graphics are used to generate the initial vectors, *Y* from *X* on the originally optimized scan design. The watermarking scheme is applied on sequential circuits from ISCAS89, ISCAS99 and LGSynth93 benchmark suites. All calculations were performed on a 750-MHz Sun UltraSPARC-III with Solaris operating system and 2 GB of memory.

Tables I shows the results of watermarking 14 benchmark circuits. The set of pseudorandom numbers is generated according to the scan chain length, *N*. WT_{org} and WT_{wm} denote the number of weighted transitions of the originally optimized scan chain and that of the watermarked scan chain, respectively. ΔWT is calculated as the percentage increments from WT_{org} to WT_{wm}. A negative percentage implies performance improvement due to watermarking. The switching power overhead is less than 4% for all designs. The average overhead is less than 2%, which shows that the proposed watermarking scheme incurs very low overhead on the test power.

The watermark strength is evaluated by *P*_{c} in Table I. The value of *P*_{c} decreases rapidly as the scan chain length, *N* increases. When *N* > 1000, *P*_{c} reduced to less than 1.0 × 10^{−300}. To determine the false positive rate, *P*_{λ}, 200 randomly generated input vectors were applied on each watermarked design. None of the output responses was detected to perfectly match the known *Y*′. When τ is reduced to 0.6, *P*_{λ} remains zero for all designs. When τ is reduced to 0.5, all the watermarked designs have *P*_{λ}≥ 50%. So it is reasonable to assume that when more than 40% of the bits are corrupted, the watermark can not be detected. If we assumed that α = 150 flip-flops in the scan chain can be moved around with reasonable effort and without significantly degrading the circuit performance. The probability of successfully altering at least 40% of *Y*′ by a random derangement of scan flip-flops is zero as long as *N* > α/0.4 = 375, which can be easily satisfied by a design with a reasonable long scan chain.

This paper proposes a publicly detectable IP watermarking scheme. The ownership information is encrypted and transformed into constraints to reorder the scan chain for minimal switching power during test. The proposed method has overcome the vulnerability of previous power-driven scan chain watermarking scheme to enable the IP authorship to be verified publicly in the field without the risk of exposing the watermarked flip-flop locations. Experimental results have shown that the improved method has very low probability of coincidence and acceptably low test power consumption overhead.