Using Scan Side Channel to Detect IP Theft

Leonid Azriel, Ran Ginosar, Shay Gueron, Avi Mendelson

Research output: Contribution to journal › Article › peer-review


In the growing heterogeneous Internet of Things market, which embraces a plurality of vendors and service providers, IP protection plays a central role. This paper proposes a process for the detection of IP theft in VLSI devices that exploits the internal test scan chains, designed for production test automation. The scan chains supply direct access to the internal registers in the device, enabling combinational analysis of the device logic. By using Boolean function learning methods, the learner creates a partial dependence graph of the internal flip-flops. The graph is further partitioned using the shared nearest neighbors graph clustering method, and individual blocks of combinational logic are isolated. These blocks can be matched with known building blocks that compose the original function. This enables reconstruction of the function implementation to the level of pipeline structure. The IP owner can compare the resulting structure with his own implementation to confirm whether an IP violation has occurred. We demonstrate the power of the presented approach with a test case of an open source Bitcoin SHA-256 accelerator, containing more than 80 000 registers. With the presented method, we discover the microarchitecture of the module, locate all the main components of the SHA-256 algorithm, and learn the module's flow control. In addition to the direct recognition of the IP content, we also demonstrate a combination of reverse engineering and watermark methods. We define a new watermark structure - pipeline-associated watermark (PAW), combined with pipeline stages that can be detected with the scan-based reverse engineering method.

Original language: American English
Article number: 7967626
Pages (from-to): 3268-3280
Number of pages: 13
Journal: IEEE Transactions on Very Large Scale Integration (VLSI) Systems
Issue number: 12
State: Published - Dec 2017


  • Hardware security
  • intellectual property protection
  • reverse engineering
  • scan side channel
  • side channel attacks

All Science Journal Classification (ASJC) codes

  • Software
  • Electrical and Electronic Engineering
  • Hardware and Architecture

