
Scan-based Attacks on Linear Feedback Shift Register Based Stream Ciphers

Yu Liu, Kaijie Wu, and Ramesh Karri

Abstract—In this paper, we present an attack on stream cipher implementations by determining the scan chain structure of the linear feedback shift registers in their implementations. Although scan Design-for-Test (DFT) is a powerful testing scheme, we show that it can be used to retrieve the information stored in a crypto chip, thus compromising its theoretically proven security.

Index Terms—Stream Ciphers, LFSRs, Scan DFT, Side-channel attack

I. INTRODUCTION

Stream ciphers are an important class of encryption algorithms. They encrypt individual characters of a plaintext message one bit at a time. In contrast, block ciphers operate on large blocks of data. Consequently, stream ciphers have simple hardware circuitry, are generally faster and consume very low power. Stream ciphers are deployed in applications where buffering is limited or characters are processed individually, such as in wireless telecommunications applications. Stream ciphers have limited or no error propagation and hence are advantageous in noisy environments where transmission errors are highly probable. Stream ciphers are being widely implemented in Radio Frequency Identification (RFID) tags. RFID tags are made up of a microchip with some data storage and an antenna. Tag readers broadcast an RF signal to access information stored on the tags. RFIDs are an important cross-section technology whose potential application can be found in practically all areas of daily life and business.

Scan-based attacks exploit the scan chains that are inserted into devices for the purpose of test. Until now, scan attacks have been demonstrated on DES and AES block ciphers [9][13]. By loading pairs of known plaintexts that differ in a single bit position in the normal mode and then scanning out the internal state in the test mode, the positions of all scan elements in the scan chain can be determined. Then, based on a systematic analysis of the modules in the block cipher, the secret key is easily discovered.

Countermeasures against scan-based attacks have also been proposed. These include secure scan [13], scan chain scrambling [1] and lock and key techniques [2],[3]. The secure scan architecture ensures a reset/clear of all the register bits in a scan chain when the device switches from the secure mode to the non-secure mode. The scrambling technique randomizes the order of bits in a scan chain, and only the authorized tester knows the secret order. The lock and key techniques implement key checking logic in the chip. Upon detecting a wrong test key, the internal states of the chip are scrambled. However, since the secret order of scan flip-flops of [1] or the key checking logic of [2] and [3] is common to all chips produced in a batch, maintaining the privacy of these secrets becomes an additional security concern for mass-produced products.

In this paper we propose a scan-based attack on LFSR-based stream ciphers. The improved attack does NOT require the attacker to scan in any vectors, nor to provide any input to the design, as required by the scan attacks on block ciphers. We introduce the general technique to determine the scan chain structure of several types of LFSRs and follow it up by demonstrating this attack on six LFSR-based stream ciphers: DECIM [4], Pomaranch [5], A5/1, A5/2 [6], w7 [7], and LILI II [8].

II. GENERAL DESCRIPTION OF THE ATTACK

We assume that the attacker
• knows the Cipher-Under-Attack (CUA), since all stream ciphers discussed in this paper are public;
• can run the Device-Under-Attack (DUA) for a certain number of clock cycles;
• can scan out the states of internal registers of the DUA via scan chains after each clock cycle;
• does NOT scan in vectors and does not apply chosen inputs to the DUA.

The last assumption makes the proposed attack different from and more powerful than the one proposed in [9]. After each scan-out operation, the attacker obtains a bit vector that includes all bits of the LFSR and all bits of the architectural registers. We define architectural registers as those that are not in the CUA specification but are in the DUA implementation. Since LFSRs are initialized by the secret key and an initial vector, a stream-cipher-based DUA can be reproduced if the initial states of all the LFSRs are recovered, even though the actual secret key itself may not be known. The goal of the attacker is to discover the correspondence between the bits of the N-bit scan-out vector and the bits in the LFSRs in the stream cipher.

The attacker scans out the internal registers at the time when the DUA is initialized and records the scan-out vector V0. He then clocks the DUA by one cycle and records the scan-out vector as V1. In this manner, the attacker repeats this procedure for a certain number of rounds for the DUA and uses all the recorded vectors to reconstruct the state information of the DUA.

III. SCAN ATTACK ON LFSRS

In the following subsections we describe several attacks that target simple but general LFSR structures. The attack on a specific CUA is a combination of some or all of these attacks. We analyze the case where the scan-out vector consists of the bits from an LFSR and architectural registers. The states of the architectural registers are assumed to be random. Let N denote the length of the scan-out vector and L denote the size of the LFSR, N ≥ L. The size of the architectural registers is then N-L.

A. Scan Attack on External (Fibonacci) LFSRs

Figure 1 shows two L-bit external LFSRs. One has no input and the other has one. Since the attack on both is the same, we only illustrate the attack on the former. The bits of an external LFSR without an input have the following relations:

$S_i(t) = S_{i-1}(t-1)$ for $1 \le i \le L-1$ (1)

$S_0(t) = \sum_{i=0}^{L-1} C_i \cdot S_{L-1-i}(t-1)$, $C_i = 0$ or $1$ (2)

$S_i(t)$ is the state of the $i$-th stage at clock cycle $t$ (scanned out as part of the vector $V_t$) and $S_{i-1}(t-1)$ is the state of the $(i-1)$-th stage at cycle $t-1$ (scanned out as part of the vector $V_{t-1}$). $C_i$ ($1 \le i \le L-1$) can be 1 or 0 depending on the characteristic polynomial of the LFSR.

[Figure 1: An L-bit external LFSR (a) without an input and (b) with an input. Stages $S_0, S_1, \ldots, S_{L-2}, S_{L-1}$ with feedback coefficients $C_{L-1}, C_{L-2}, \ldots, C_1, C_0$; in (b) the input In is fed into $S_0$.]

To discover the bit-by-bit correspondence between the scan-out vectors and the LFSR, the attacker randomly picks a bit X from one of the N-bit scan-out vectors and performs an α-search, defined below, to discover whether X belongs to the LFSR:

α-leftward-search: For a given bit X, this search looks for another bit W where W(t-1) = X(t).
α-rightward-search: For a given bit X, this search looks for another bit Y where X(t) = Y(t+1).

(a)
Vector  1 2 3 4 5 6 7 8 9 10   Suspect set of W
V0      0 0 0 0 0 0 0 1 1 0    All bits except 9
V1      1 0 0 0 0 0 0 0 0 0    1, 2, 3, 4, 5, 6, 7, 10
V2      0 1 0 0 0 0 0 0 0 1    2, 3, 4, 5, 6, 7, 10
V3      0 0 1 0 0 0 0 0 1 1    2, 10
V4      1 0 0 1 0 0 0 0 0 0    2
V5      0 1 0 0 1 0 0 0 0 1    2
V6      0 0 1 0 0 1 0 0 1 0    2
V7      1 0 0 1 0 0 1 0 1 1    Miss

(b)
Vector  1 2 3 4 5 6 7 8 9 10   Suspect set of W
V0      0 0 0 0 0 0 0 1 1 0    All bits except 8
V1      1 0 0 0 0 0 0 0 0 0    1, 2, 3, 4, 5, 6, 7, 10
V2      0 1 0 0 0 0 0 0 0 1    2, 3, 4, 5, 6, 7, 10
V3      0 0 1 0 0 0 0 0 1 1    3, 4, 5, 6, 7
V4      1 0 0 1 0 0 0 0 0 0    4, 5, 6, 7
V5      0 1 0 0 1 0 0 0 0 1    5, 6, 7
V6      0 0 1 0 0 1 0 0 1 0    6, 7
V7      1 0 0 1 0 0 1 0 1 1    7

Figure 2: A leftward-search returns (a) a miss or (b) a hit

Let’s consider an 8-bit external LFSR with feedback polynomial $1 + x^3 + x^8$. To remove any ambiguity we also give the corresponding update function of the LFSR as $S_0(t) = S_2(t-1) + S_7(t-1)$. For simplicity, we assume that the bits of the scan-out vectors are in the same sequence as the bits in the LFSR, i.e. the 1st bit is $S_0$, the 8th bit is $S_7$, and the 9th and 10th bits are architectural registers. The α-leftward-search on this example is shown in Figure 2. Figure 2(a) assumes that the 9th bit of the scan-out vectors is chosen to be X. The attacker finds its left neighbor W by pruning the “suspect set” of bits, which initially includes all bits except X.

rightward-search on an RBB will discover all the bits until the rightmost bit $S_{L-1}$. When all bits are discovered, the structure of the LFSR is automatically identified. It is important to note that the scan-out vectors used to discover the first bits can be reused to discover the rest of the bits. Therefore for each DUA the attacker only needs to scan out MNR+1 vectors.

B. Scan Attack on Internal (Galois) LFSRs

A general structure of an internal LFSR is shown in Figure 3. The bits in an internal LFSR have the following relations:
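The α-leftward and α-rightward searches of Section III.A, reproduced on the exact Figure 2 vectors as an added Python example (not the paper's code), to show how few scan-out vectors identify the chain and why the secure-scan reset on mode switch matters. It assumes the paper's 8-bit LFSR with update S0(t) = S2(t-1) + S7(t-1) and two architectural bits; the function names and the 0-indexed bit positions are this example's own.

```python
# Constructed example (not the paper's code): the 8-bit external LFSR of
# Figure 2, update S0(t) = S2(t-1) xor S7(t-1), followed by two
# architectural register bits, giving N = 10 scan-out bits per cycle.
L, N = 8, 10

def lfsr_step(state):
    """One clock of the external LFSR: new S0 = S2 ^ S7, others shift right."""
    return [state[2] ^ state[7]] + state[:L - 1]

def scan_out_vectors(lfsr_init, arch_bits):
    """Vectors V0..Vt as the attacker reads them: LFSR bits, then the
    architectural bits (supplied per cycle, since they are arbitrary)."""
    vecs, state = [], list(lfsr_init)
    for arch in arch_bits:
        vecs.append(state + list(arch))
        state = lfsr_step(state)
    return vecs

def alpha_leftward_search(vecs, x):
    """Find W with W(t-1) == X(t) by pruning the suspect set (Figure 2).
    Returns the surviving positions, or None on a miss."""
    suspects = set(range(N)) - {x}
    for t in range(1, len(vecs)):
        suspects = {w for w in suspects if vecs[t - 1][w] == vecs[t][x]}
        if not suspects:
            return None
    return suspects

def alpha_rightward_search(vecs, x):
    """Symmetric search for Y with X(t) == Y(t+1)."""
    suspects = set(range(N)) - {x}
    for t in range(len(vecs) - 1):
        suspects = {y for y in suspects if vecs[t][x] == vecs[t + 1][y]}
        if not suspects:
            return None
    return suspects

def recover_chain(vecs, start):
    """Follow unique rightward hits from `start`; the chain ends at the
    rightmost stage, whose only successor is the feedback XOR, so it misses."""
    chain = [start]
    while True:
        nxt = alpha_rightward_search(vecs, chain[-1])
        if not nxt or len(nxt) != 1 or next(iter(nxt)) in chain:
            return chain
        chain.append(next(iter(nxt)))

# The exact vectors of Figure 2 (arch bits taken from the 9th/10th columns).
FIG2_VECS = scan_out_vectors([0, 0, 0, 0, 0, 0, 0, 1],
                             [(1, 0), (0, 0), (0, 1), (1, 1),
                              (0, 0), (0, 1), (1, 0), (1, 1)])
# 0-indexed: the paper's bit 9 is index 8, bit 8 is index 7.
# leftward(8) -> None (miss); leftward(7) -> {6} (hit); recover_chain(0) -> [0..7]
```

Eight scan-out vectors are enough to place all eight LFSR stages and to reject both architectural bits, with no vector scanned in.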