
[IEEE APCCAS 2012-2012 IEEE Asia Pacific Conference on Circuits and Systems - Kaohsiung, Taiwan (2012.12.2-2012.12.5)] 2012 IEEE Asia Pacific Conference on Circuits and Systems - A


A Post-processing Scan-Chain Watermarking Scheme for VLSI Intellectual Property Protection

Aijiao Cui and Chip-Hong Chang+

Harbin Institute of Technology Shenzhen Graduate School, China +School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore

Abstract—Preprocessing approaches at various design abstraction levels have been widely studied among the constraint-based watermarking schemes proposed to protect VLSI intellectual property (IP). Post-processing methods attract comparatively less interest and their advantages have not been fully explored. This paper proposes a post-processing scan chain watermarking scheme to incorporate the authorship proof into the scan path of an IP core generated by a Synthesis-for-Testability (SfT) approach. The SfT algorithm is firstly applied on the design to create an optimized scan chain. The scan chain is then partially reordered according to the watermarked constraints generated cryptographically by an authorship message. The watermark is embedded with little perturbation to the optimality already attained by the scan design. This has effectively addressed the unpredictable overhead of watermarking commonly encountered in preprocessing methods. Our method possesses similar robustness as the preprocessing methods. Experimental results on ISCAS’89 and LGSynth’93 benchmark circuits demonstrate that our proposed method causes lower fluctuations in area and timing overheads than the pre-processing SfT watermarking scheme.

I. INTRODUCTION

As timescales are often the highest priority to address a new market or replace a less competitive product, integrated circuit (IC) design companies have invested heavily in third-party and in-house development of Intellectual Property (IP) cores for System-on-a-Chip (SoC) design. Owing to the flagrant theft and abuse of IP cores, protection of IP and enforcement of IP rights are crucial determinants for the success of semiconductor businesses. Several approaches have been proposed [1] to safeguard the interest of IP owners. As an effective and economical self-protection technology, hardware watermarking has attracted the most research interest in the IC community.

Constraint-based watermarking [2] has emerged as a mainstream protection mechanism for very large scale integration (VLSI) IPs. Its main idea is to transform the authorship information into extra design constraints to be added into a constraint-satisfiability problem during the IP creation process. The additional constraints make the watermarked design probabilistically unique among all designs of the same functionality, which can be verified by the probability of coincidence measure. The existence of watermark is usually, but not always, proven by showing that the extra stego constraints are satisfied by the watermarked design [2].

A dichotomy of techniques between preprocessing and post-processing watermarking has been analyzed in [2]. Preprocessing techniques embed the watermark before the solution circuit is synthesized and optimized, whereas post-processing techniques insert the watermark after a primary implementation of the solution circuit. In preprocessing methods [3]-[6], the watermarked solution is globally optimized by the synthesis tool without distinguishing between the original design constraints and the stego constraints. Thus, it is hard for an attacker to detect the changes caused by the watermark or to reverse engineer parts of the circuit to infer the stego constraints. This makes the watermark more secure and resilient against many forms of removal attacks. The downside is that it is very difficult to predict how the stego constraints will affect the quality of the final design solution. This makes the watermarked design inferior when its quality is out of control. In contrast, post-processing watermarking [7] capitalizes on the headroom of the synthesized design for watermark insertion. This gives the designer more control to minimize the impact of watermarking on the quality of the solution. The disadvantage of such an approach is that the watermarks are less stealthy. An attacker may require less effort to reverse engineer part of the circuit and make local modifications to tamper with the watermark or add his own authorship information without changing the functionality.

In this paper, a post-processing watermarking scheme is proposed. The method is based on the synthesis-for-testability (SfT) technique [4]. Unlike [4], the order of the originally optimized scan chain is partially modified to satisfy the extra constraints generated by the watermark after synthesis and before placement. The overhead due to watermark insertion is carefully minimized relative to the preprocessing approach of [4]. The ownership information can be publicly verified in the field by a legal IP user. As the scan design is merged with the IP functional logic, the watermark is harder to remove than in other scan chain watermarking schemes, in which the test circuits and IP functionality are independently optimized [5], [6].

II. PROPOSED POST-PROCESSING SCAN-CHAIN WATERMARKING SCHEME

Our watermarking scheme targets IP cores that are built into SoC with built-in self-test hardware. It leverages the pervasive use of fully integrated scan circuit and combinatorial test pattern generator for the field detection of embedded watermark. We make use of the SfT algorithm [8] to first generate a testable IP solution with reduced combinational logic for the scan function. This will result in an ordered scan chain of N internal flip-flops, $R = \{r_i\}_{i=1}^{N}$, identified by a set of positions, $S = \{s_j\}_{j=1}^{N}$. A scan chain ordering, $\pi$, is defined as a one-to-one mapping of a set of N scan flip-flops, $R$, to a set of positions, $S$, where $s_j = \pi(r_i)$ such that the i-th bit of the test vector is loaded into the j-th scan flip-flop once a test vector has been completely shifted into the scan chain.

978-1-4577-1729-1/12/$26.00 ©2012 IEEE.

Our post-processing watermarking scheme operates on $\pi$. The watermark information will be imposed on the scan chain to change the positions of some flip-flops. The reordered scan chain $\pi_{wm}$ will output a unique bitstream for watermark recovery in response to a specific input vector in test mode. The reordering of $\pi$ is designed such that the probability that another design produces the same watermark at exactly the same positions in the output bitstream by coincidence is extremely low.

A. Preliminary Vectors Generation

Fig. 1 shows a fictitious example of a scan chain with $N = 8$ flip-flops to illustrate how the watermark bits printed in bold are embedded. The lower part shows how the watermark is recovered from the output bitstream when a verification vector is input into the watermarked scan chain.

Fig. 1. A simple example of post-SfT scan-chain watermarking.

The CUT is first synthesized and optimized using an SfT algorithm to obtain an optimized scan chain ordering $\pi$. It maps a set of flip-flops, $R = \{r_i\}_{i=1}^{8}$, to a set of positions, $S = \{s_j\}_{j=1}^{8}$. A unique input vector, $X = \{x_i\}_{i=1}^{8}$, is chosen such that the output vector, $Y = \{y_i\}_{i=1}^{8}$, contains an approximately equal number of “1” and “0” bits. The flip-flops in the scan chain that output the “0” and “1” bits of the binary vector $Y$ are then divided into two sets, $R_0$ and $R_1$, accordingly.

The watermark, $W = \{w_i\}_{i=1}^{m}$, is an m-bit ($m < N$) stream that is generated by encrypting the ownership message MSG with a secret key K. The same secret key is used to generate m distinct integer numbers between [1, N] by a pseudorandom number generator (PNG) [9]. Secure hash algorithm, SHA-1 [9] is used as the keyed one-way function for this PNG. Without the knowledge of the secret key K, it is computationally infeasible to find a collision of this hash function and the probability of generating the same set of integers by coincidence is extremely low. These integers, $P = \{p_i\}_{i=1}^{m}$, where $1 \le p_i \le N$ for $i = 1, 2, \ldots, m$ and $p_i \ne p_j\ \forall\, i \ne j$, are indices to the watermarked flip-flop positions in the final scan chain ordering $\pi_{wm}$. For the example in Fig. 1, let $\{w_i\}_{i=1}^{3} = \{110\}$ and $\{p_i\}_{i=1}^{3} = \{5, 2, 7\}$ be the watermark bits and flip-flop positions that hold the watermark bits. Assume that $Y = 10110001$ is the scan output upon application of a scan input $X = 01001011$. Then, $R_0 = \{r_2, r_5, r_6, r_7\}$ and $R_1 = \{r_1, r_3, r_4, r_8\}$. The flip-flops assigned to positions $s_5$, $s_2$ and $s_7$ are constrained to output $w_1$, $w_2$ and $w_3$, respectively, under the input vector $X' = \pi_{wm}(X)$. Under the input $X$ and scan chain ordering $\pi$, those flip-flops at the designated watermarked positions that have already assumed the correct watermark bit values are grouped under $R_T$ and the rest are grouped under $R_F$. For this example, $R_T = \{r_7\}$ and $R_F = \{r_2, r_5\}$. The flip-flops in $R_T$ ($R_F$) that hold the values “0” and “1” of $Y$ are further subdivided into $R_{T0}$ ($R_{F0}$) and $R_{T1}$ ($R_{F1}$), respectively. In this case, $R_{T0} = \{r_7\}$, $R_{T1} = \emptyset$, $R_{F0} = \{r_2, r_5\}$ and $R_{F1} = \emptyset$, where $\emptyset$ denotes a null set.

B. Watermark Insertion

We can minimize the overhead of watermarking by preserving existing flip-flop positions and reordering only those flip-flops in $R_F$ to satisfy the watermarked constraints. This means that the flip-flops in $R_{F0}$ can only be substituted by the flip-flops from the set $R_1 - R_{T1}$ while the flip-flops in $R_{F1}$ can only be replaced by the flip-flops from the set $R_0 - R_{T0}$.

Each substitutable flip-flop has a connection cost to any other flip-flop as its predecessor or successor in the scan chain [4]. The eligible flip-flop from $R_1 - R_{T1}$ (for the replacement of $R_{F0}$) or $R_0 - R_{T0}$ (for the replacement of $R_{F1}$) that constitutes the minimum flip-flop adjacency cost to the first flip-flop in $R_F$ will be selected to replace it. The position index of this substituting flip-flop will be appended to a vacancy set $P_f$, which is initially empty. The flip-flop that has been replaced will be added to a candidate set $R_c$ so that it can be selected later to fill the vacant positions in $P_f$. After all the flip-flops in $R_F$ have been substituted, the flip-flops in $R_c$ will compete for the vacancies in $P_f$ based on the same minimum adjacency cost criterion. The watermarked scan chain of ordering $\pi_{wm}$ is generated when all positions in $P_f$ have been filled, i.e., when $P_f = \emptyset$.

For the example in Fig. 1, $R_{F0} = \{r_2, r_5\}$ will be replaced by the flip-flops in $R_1 - R_{T1} = \{r_1, r_3, r_4, r_8\}$. Suppose $r_4$ has the least connection cost to the two adjacent flip-flops, $r_1$ and $r_3$, of $r_2$. Then $r_4$ is placed at the position $s_2$. Its position $p_4$ is put in $P_f$ and $r_2$ is added to $R_c$. If $r_8$ replaces $r_5$ based on the connection cost criterion, then $p_8$ is appended to $P_f$ and $r_5$ is added to $R_c$. Now $R_c = \{r_2, r_5\}$. For the position $p_4 \in P_f$, if $r_5$ has lower cost than $r_2$ to $r_3$ and $r_8$, $r_5$ will be selected for $p_4$. Finally, $r_2$ is placed at position $p_8$ to complete the watermarking process.

[Fig. 1 diagram: Circuit Under Test with scan positions $s_1$ to $s_8$. Ordering $\pi$: $r_1\ r_2\ r_3\ r_4\ r_5\ r_6\ r_7\ r_8$, with $X = 01001011$ and $Y = 10110001$. Ordering $\pi_{wm}$: $r_1\ r_4\ r_3\ r_5\ r_8\ r_6\ r_7\ r_2$, with $X' = 00011011$ and $Y' = 11101000$.]

watermark_insertion (X, π, m, K, N, MSG) {
    Obtain $Y = \{y_i\}_{i=1}^{N}$ by applying $X = \{x_i\}_{i=1}^{N}$ to the scan chain;
    $R_0 = \{r_i \in R \mid y_i = 0\ \forall\ 1 \le i \le N\}$;
    $R_1 = \{r_i \in R \mid y_i = 1\ \forall\ 1 \le i \le N\}$;
    $P = \{p_i\}_{i=1}^{m}$ = PNG(K, m, N);
    $W = \{w_i\}_{i=1}^{m}$ = digital_signature(MSG, K);
    for (i = 1 to m) {
        if ($y_{p_i} = w_i$) { $r_{p_i} \in R_{T\varphi}$ ($\varphi = w_i$); }
        else { $r_{p_i} \in R_{F\varphi}$ ($\varphi = w_i$); }
    }
    $R_{C\varphi} = R_{\varphi} - R_{T\varphi}$;
    for (each $r_p \in R_{F\varphi}$) {    // $p \in P$, $\varphi$ = 0 or 1
        $\pi_{wm}^{-1}(p)$ = r with min[cost(r, $r_{p-1}$) + cost(r, $r_{p+1}$)], $r \in R_{C\varphi}$;
        S(r) ∈ $P_f$; $r_p \in R_c$; $R_{C\varphi} = R_{C\varphi} - r$;
    }
    for (each $p \in P_f$) {
        $\pi_{wm}^{-1}(p)$ = r with min[cost(r, $r_{p-1}$) + cost(r, $r_{p+1}$)], $r \in R_c$;
        $R_c = R_c - r$;
    }
    return $\pi_{wm}$;
}

Fig. 2. Watermarking by post-processing scan chain reordering.

The watermark insertion procedure is shown in Fig. 2. In Fig. 2, $\pi_{wm}^{-1}(p)$ denotes the flip-flop allocated to the p-th position in the watermarked scan chain $\pi_{wm}$. cost(r, $r_j$) represents the cost of connecting the flip-flop r to the flip-flop $r_j$, which can be obtained by analyzing the CUT [4].

C. Watermark Detection

To verify the existence of the watermark, the input $X' = \pi_{wm}(X) = 00011011$ is applied to the watermarked scan chain $\pi_{wm}$. The output bits from the 5th, 2nd and 7th positions in $Y'$ are checked. If they are equal to “110”, the authorship is proved. Otherwise, the scan chain is not watermarked or the watermark has been partially or completely removed.
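The insertion and detection steps of Sections II-A to II-C can be exercised end to end with the following Python sketch, which is an added example and not the authors' C implementation. It assumes an HMAC-SHA1 counter construction for the PNG and for W (the paper only names SHA-1 as the keyed one-way function), a constructed cost table chosen to reproduce the choices narrated for Fig. 1, and, as in Fig. 1, that each flip-flop keeps its output bit when it is moved.

```python
import hashlib
import hmac

def prng_positions(key, m, n):
    """m distinct positions in [1, n]; HMAC-SHA1 in counter mode is an assumed PNG."""
    if not 0 < m < n:
        raise ValueError("need 0 < m < N")
    out, ctr = [], 0
    while len(out) < m:
        d = hmac.new(key, b"pos" + ctr.to_bytes(4, "big"), hashlib.sha1).digest()
        p = int.from_bytes(d[:4], "big") % n + 1   # slight modulo bias, ignored here
        if p not in out:
            out.append(p)
        ctr += 1
    return out

def watermark_bits(key, msg, m):
    """First m <= 160 bits of HMAC-SHA1(key, msg), a stand-in for the keyed W."""
    d = hmac.new(key, msg, hashlib.sha1).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(m)]

def insert_watermark(y, P, W, cost):
    """y[r-1]: bit flip-flop r outputs under X; pi puts r at position r.
    Returns a list whose entry p-1 is the flip-flop at position s_p."""
    bit = {r: int(b) for r, b in enumerate(y, 1)}
    order = {p: p for p in bit}                    # position -> flip-flop
    need = dict(zip(P, W))
    def best(p, pool):
        # Chain ends and vacated neighbours add no cost (assumption of this sketch).
        nb = [order[q] for q in (p - 1, p + 1) if order.get(q) is not None]
        return min(sorted(pool), key=lambda r: sum(cost(r, x) for x in nb if x != r))
    vacant, displaced = [], []                     # P_f and R_c on the page
    for p in sorted(need):
        if bit[order[p]] == need[p]:
            continue                               # already correct: member of R_T
        # Donors output the wanted bit and sit at no watermarked position (the
        # page removes only R_T; skipping R_F as well is this sketch's choice).
        donors = {r: q for q, r in order.items()
                  if r is not None and q not in need and bit[r] == need[p]}
        if not donors:
            raise ValueError(f"no free flip-flop outputs {need[p]} for s_{p}")
        r = best(p, donors)
        displaced.append(order[p])
        vacant.append(donors[r])
        order[donors[r]], order[p] = None, r
    for p in vacant:                               # displaced flip-flops fill P_f
        r = best(p, displaced)
        displaced.remove(r)
        order[p] = r
    return [order[p] for p in sorted(order)]

def permute(order, bits):
    """Bit string seen position by position after reordering (X' or Y')."""
    return "".join(bits[r - 1] for r in order)

def detect(order, y, P, W):
    out = permute(order, y)
    return [int(out[p - 1]) for p in P] == list(W)

# Constructed symmetric costs that reproduce the choices narrated for Fig. 1.
FIG1_COST = {(1, 4): 1, (3, 4): 1, (6, 8): 2, (3, 5): 1}

def fig1_cost(a, b):
    return FIG1_COST.get((min(a, b), max(a, b)), 5)
```

Calling insert_watermark("10110001", [5, 2, 7], [1, 1, 0], fig1_cost) returns [1, 4, 3, 5, 8, 6, 7, 2], the watermarked ordering of Fig. 1, and detect() on the unmodified ordering returns False. HMAC-SHA1 is used only because the paper names SHA-1; the same construction works unchanged with hashlib.sha256.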

III. WATERMARK STRENGTH

The probability of coincidence, $P_c$, denotes the probability that a non-watermarked design carries the specific watermark by coincidence. It represents the credibility of a watermarking scheme [2]. For the proposed scheme, when the verification vector is input into a scan chain of an IP, the output sequence at the watermarked positions is equally probable to be any one of the $2^m$ possible permutations of m bits. The probability that the output sequence contains the m watermark bits at the specified positions is given by $P_c = 1/2^m$. The authorship proof is stronger if the length of the watermark is longer. $P_c$ for m = 32, 64 and 128 are $2.33 \times 10^{-10}$, $5.42 \times 10^{-20}$ and $2.94 \times 10^{-39}$, respectively.

Although the proposed post-processing watermarking scheme is different from the preprocessing SfT watermarking scheme [4], their watermarks are both embedded by scan chain ordering. The attack scenarios and resilience analysis of both watermarks are similar and can be found in [4].

IV. EXPERIMENTAL RESULTS

The proposed SfT watermarking scheme is applied to some circuits with several hundred to thousands of flip-flops from the ISCAS’89 and LGSynth’93 benchmark suites. The SfT and post watermarking algorithms are both implemented in the C language. To obtain the preliminary vectors, DFTAdvisor and FastScan by Mentor Graphics are used for the insertion of the scan chain and the generation of test data, respectively. Both the originally optimized designs and the watermarked designs are synthesized using the algebraic script from SIS and mapped to the Mississippi State University standard cell library. The results are shown in Table I, where N and m denote the lengths of the scan chain and watermark, respectively. “∆A” and “∆D” represent the percentage area and timing overheads due to watermarking, respectively. A negative percentage implies a reduction in area or timing over the original design. The corresponding percentage overheads of [4] are also listed in the last two columns for comparison. The mean and standard deviation of the percentage overhead are shown in the last two lines. The percentage deviations in area and timing of 40 watermarked designs from their original designs are plotted in Fig. 3 and Fig. 4, respectively. For the watermarking scheme of [4], the deviation in area for “mle” is more than ten percent and the timing deviations are around twenty percent for “elliptic” with 64-bit watermark and “tseng” with 128-bit watermark. For all 40 designs watermarked by the proposed scheme, the deviations in the area and timing are consistently less than 2% and 4%, respectively. Both the mean and standard deviations of the watermarked designs of the proposed post-processing watermarking scheme are smaller than those of [4]. The results demonstrate that the post-processing watermarking scheme has more predictable overheads than the preprocessing SfT watermarking scheme.

V. CONCLUSION

A post-processing scan-chain watermarking scheme has been presented. Without the additional watermark constraints, the SfT algorithm can process the design and maximally optimize the scan path before the watermark is inserted to reorder the scan chain. By making use of the coincidence between some bit values of the output vector and the randomly generated watermark bits and positions, the watermarked constraints are satisfied with minimal perturbation made to the optimality already attained by the preprocessed scan design. This has avoided the unexpectedly high compromise in cost and performance of the design specification due to watermarking. The watermark has similar resilience to attacks as the pre-processing watermarking scheme [4] due to the same minimum neighbor cost criterion used for the merging of the test function into the data path. Watermarking on scan chain also enables the watermark to be publicly detectable in the field. The experimental results show that the post-processing watermarking scheme has an advantage over the preprocessing watermarking scheme in terms of the controllability of the overhead due to watermarking.

REFERENCES

[1] VSI Alliance, Fall Worldwide Member Meeting: A Year of Achievement. Santa Clara, CA, Oct. 1997.

[2] A. B. Kahng, J. Lach, W. H. Mangione-Smith, S. Mantik, I. L. Markov, M. Potkonjak, P. Tucker, H. Wang, and G. Wolfe, “Constraint-based watermarking techniques for design IP protection,” IEEE Trans. on Computer-Aided Design of Integrated Circuits and Syst., vol. 20, no. 10, Oct. 2001, pp. 1236-1252.

[3] D. Kirovski, Y. Y. Hwang, M. Potkonjak and J. Cong, “Protecting combinational logic synthesis solutions,” IEEE Trans. on Computer-Aided Design of Integrated Circuits and Syst., vol. 25, no. 12, Dec. 2006, pp. 2687-2696.

[4] C. H. Chang and A. Cui, “Synthesis-for-Testability Watermarking for Field Authentication of VLSI Intellectual Property,” IEEE Trans. on Circuits and Systems-I, vol. 57, no. 7, July 2010, pp. 1618-1630.

[5] A. Cui and C. H. Chang, “Intellectual property authentication by watermarking scan chain in design-for-testability flow,” in Proc. IEEE Int. Symp. on Circuits and Syst., Seattle, USA, May 2008, pp. 2645-2648.

[6] A. Cui and C. H. Chang, “An improved publicly detectable watermarking scheme based on scan chain ordering,” in Proc. IEEE Int. Symp. on Circuits and Syst., Taipei, Taiwan, May 2009, pp. 29-32.

[7] A. Cui, C. H. Chang and S. Tahar, “IP watermarking using incremental technology mapping at logic synthesis level,” IEEE Trans. on Computer-Aided Design of Integrated Circuits and Syst., vol. 27, no. 9, September 2008, pp. 1565-1570.

[8] R. B. Norwood and E. J. McCluskey, “Synthesis-for-scan and scan chain ordering,” in Proc. of 14th VLSI Test Symposium, Princeton, New Jersey, USA, April 1996, pp. 87-92.

[9] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography. CRC Press, 1996.

Fig. 3. Area deviation from the original design for the proposed watermarking scheme and [4].

Fig. 4. Timing deviation from the original design for the proposed watermarking scheme and [4].

TABLE I. RESULTS OF PROPOSED WATERMARKING SCHEME AND SCHEME IN [4].

Circuit     N     m    Proposed ∆A(%)  Proposed ∆D(%)  [4] ∆A(%)  [4] ∆D(%)
S3384       183   32   0.65            1.23            0.47       4.52
S3384       183   64   1.21            2.04            -2.85      5.03
S9234       228   32   0.13            0.83            0.18       1.86
S9234       228   64   0.11            1.10            0.16       1.24
S15850      597   64   1.11            0.15            0.14       2.16
S15850      597   128  1.86            2.38            0.10       2.66
S13207      669   64   -0.13           -0.67           -0.08      2.64
S13207      669   128  0.85            3.64            -2.11      -4.10
S38584      1426  64   0.56            -0.78           0.43       -0.89
S38584      1426  128  1.48            2.35            -0.54      -0.64
S38417      1636  64   -0.01           0.08            -0.27      0.28
S38417      1636  128  0.03            0.06            0.10       0.96
S35932      1728  64   0.16            0.0             0.28       -0.34
S35932      1728  128  0.43            0.06            0.39       -0.69
sort        136   32   0.20            0.26            -0.45      0.00
sort        136   64   0.45            0.13            -0.44      0.13
fir         142   32   0.01            0.00            0.03       0.00
fir         142   64   0.10            0.00            0.15       0.00
elliptic    194   32   0.00            1.41            -0.20      0.71
elliptic    194   64   -0.18           2.83            -0.31      20.84
bigkey      224   32   0.02            0.00            0.01       0.00
bigkey      224   64   0.03            0.00            0.01       0.00
dsip        224   32   -0.04           2.61            0.59       0.00
dsip        224   64   0.17            2.61            1.74       4.25
psdes       230   32   -0.28           0.31            0.55       0.31
psdes       230   64   -0.09           -0.93           0.83       1.24
r4000_32    249   32   0.06            0.00            0.01       0.00
r4000_32    249   64   0.00            0.00            0.07       -0.14
diffeq      305   64   0.07            0.24            -0.49      -2.84
diffeq      305   128  0.06            0.47            -0.51      -2.60
mle         323   64   0.48            0.00            -12.55     0.00
mle         323   128  1.14            0.00            -12.44     0.00
tseng       385   64   0.07            2.26            -0.71      -2.26
tseng       385   128  0.63            3.82            -0.63      18.58
valu        495   64   0.24            1.61            0.00       -0.29
valu        495   128  0.56            2.34            0.01       0.00
pmac        590   64   0.01            0.15            -0.03      -0.59
pmac        590   128  0.33            0.59            0.14       -0.30
frisc       886   64   0.07            0.61            0.03       0.17
frisc       886   128  0.21            0.69            -0.06      -1.30
Mean deviation         0.32            0.86            -0.71      1.27
Standard deviation     0.48            1.21            2.83       4.66
