Cryptography circuits, like most electronic circuits, must undergo tests before they are used. The testing of cryptography circuits therefore falls within the general problem of testing electronic circuits, but with certain particular features.
The tests are used to check after fabrication that the circuits correctly fulfill their intended functions. Specifically, a circuit may contain several fabrication defects originating notably:
- from a lack of homogeneity of the chemical substances used, causing a deterioration in performance;
- from the deposition of an impurity, such as dust, causing a local destruction of the circuit;
- from the omission of a fabrication step, causing the malfunction of the circuit;
- from a confusion in the use of the fabrication masks.
Amongst these defects, the most unforeseeable problems originate from the deposition of dust, which can cause:
- a short circuit, that is to say the unintended connection of two equipotentials or "nodes";
- or a disconnection, that is to say the splitting of a node, giving rise to two equipotentials.
In a test phase after fabrication, the circuit is powered and some of its inputs, very specific ones, receive test signals. In response to these test signals, a test device can carry out operating checks. For the circuit to be testable, it must fulfill two conditions:
- the circuit must be controllable, that is to say that it is possible to bring the circuit to a known state;
- it must be observable, that is to say that it is possible to compare a characteristic of the circuit in its known state with a theoretical reference characteristic obtained, for example, by simulation.
Meeting these two conditions allows the test device to form a set of test vectors, each of which is a separate check to be run on the circuit.
A first key parameter of a test is its coverage. The coverage expresses the proportion of logic nodes that are actually checked. In order to ensure that a circuit is operational, a coverage approaching 100% is desired, but it is very rarely achieved in practice.
A second key parameter of the test is its cost, which depends notably on two factors:
- the number of test vectors: this quantity has to be reduced to the minimum because it determines the duration of interaction with the circuit, and the cost is proportional to this duration. In particular, it is important that the rate of the test is higher than the circuit fabrication flow rate, otherwise the factor limiting the production becomes the test itself. This is notably one of the reasons why the coverage is never 100%;
- the insertion of the test equipment: since it is rare that circuits can be tested as they are, which is what are conventionally called functional tests, additional equipment often has to be added in order to allow the controllability or observability of the circuits to be tested. This equipment has a cost which reduces the attractiveness of a hardware solution as opposed to a software solution.
Several test techniques are known. For the functional test, no equipment is added. The user simply checks that the outputs of the circuit to be tested correspond to a well-determined sequence of inputs to this same circuit. This test method unfortunately has poor coverage while requiring a very large number of input vectors. It is therefore practically inapplicable.
In the case of chain tests, the circuit is modified so as to be able to fulfill two roles: on the one hand its functionality, and on the other hand the formation of a shift register linking all the sequential elements of the circuit, typically the D flip-flops (DFFs). The added cost is therefore linked to the number of flip-flops in the circuit, each of which requires two additional inputs, a first input called "test in" and a second input called "test enable", which increases the surface area of the circuit. In addition, the routing of the chain is added to the functional routing between flip-flops, reducing the routing possibilities, a critical property in a circuit constrained by interconnection. Finally, it should be noted that the chain test makes it possible to test for nodes stuck at one and the same logic value. This fault model does not correspond exactly to the true defects, which are short circuits and disconnections.
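The relationship between coverage and the number of test vectors, for faults where a node is held at a fixed logic value (the stuck-at fault model), can be made concrete with a small fault simulation. The following is an added example, not part of the original text; the four-gate netlist and the vector sets are constructed for illustration.

```python
from itertools import product

# Constructed toy netlist: (node, gate, input_1, input_2); the output is "out".
NETLIST = [
    ("n1", "AND", "a", "b"),
    ("n2", "OR", "c", "d"),
    ("n3", "XOR", "n1", "n2"),
    ("out", "AND", "n3", "a"),
]
INPUTS = ["a", "b", "c", "d"]
GATES = {"AND": lambda x, y: x & y,
         "OR": lambda x, y: x | y,
         "XOR": lambda x, y: x ^ y}

def simulate(vector, fault=None):
    """Evaluate the netlist; fault is (node, stuck_value) or None."""
    values = dict(zip(INPUTS, vector))
    if fault and fault[0] in values:          # stuck-at fault on a primary input
        values[fault[0]] = fault[1]
    for name, gate, x, y in NETLIST:
        values[name] = GATES[gate](values[x], values[y])
        if fault and fault[0] == name:        # stuck-at fault on an internal node
            values[name] = fault[1]
    return values["out"]

def all_faults():
    """Every node stuck at 0 and stuck at 1."""
    nodes = INPUTS + [name for name, *_ in NETLIST]
    return [(node, v) for node in nodes for v in (0, 1)]

def coverage(vectors):
    """Return (fraction of faults detected, sorted list of undetected faults).
    A fault is detected when some vector makes the faulty output differ
    from the fault-free output (controllability plus observability)."""
    detected = {f for f in all_faults() for v in vectors
                if simulate(v, f) != simulate(v)}
    return len(detected) / len(all_faults()), sorted(set(all_faults()) - detected)

# Constructed vector sets, in (a, b, c, d) order.
FUNCTIONAL = [(1, 1, 0, 0), (0, 0, 0, 0)]            # two plausible "does it work" checks
COMPACT = [(1, 1, 0, 0), (1, 0, 1, 0), (1, 0, 0, 1),
           (0, 1, 0, 0), (1, 0, 0, 0)]               # chosen to reach every fault
EXHAUSTIVE = list(product((0, 1), repeat=4))         # all 16 input combinations

if __name__ == "__main__":
    for label, vecs in [("functional", FUNCTIONAL), ("compact", COMPACT),
                        ("exhaustive", EXHAUSTIVE)]:
        frac, missed = coverage(vecs)
        print(f"{label:10s} {len(vecs):2d} vectors  coverage {frac:.0%}  missed {missed}")
```

Five well-chosen vectors reach the same coverage as all sixteen, while the two-vector set leaves seven faults unobserved because the output never depends on the faulty node for those inputs.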
In the analog test method called IDDQ, the circuit to be tested is placed in a given state and then, with the aid of an ammeter, the current consumed by the circuit is studied. This method makes it possible notably to detect short circuits as a function of the value of the current consumed. It requires no added equipment for observability. However, the IDDQ method is slow. It is also partial because it allows the detection of short circuits only.
In the method called BIST for “built-in self test”, a module outside the portion to be tested is added. Notably its role is to take control of the circuit to be tested and to run its test in a dynamic manner. This method applies to simple units, with trivial functionality such as a memory for example, where the user reads exactly what has been written. It is not appropriate for a complex circuit of the cryptography type.
In addition to their complexity, cryptography circuits are subject to conflicting constraints with respect to their test. Specifically, on the one hand, a single error in the functionality can compromise the entirety of the secrets, hence the need for a comprehensive test, but, on the other hand, the addition of test equipment allowing internal observability destroys the security of the circuit. In particular, a single bit of an intermediate variable of a cryptography algorithm that can be accessed by a hacker can allow the latter to work his way up to the secrets via cryptanalysis. Therefore, it is necessary to test the secure circuits, but no existing test method is satisfactory. The functional test does not allow sufficient coverage, while 100% coverage is crucial for a cryptography circuit. The test by chaining DFF flip-flops introduces a vulnerability because a hacker can manage, moreover in a logical manner, to read the state of the encryption processor, more precisely its keys or its intermediate values. In order to counter this type of hacking, one solution proposes to make the chaining structure random. Nevertheless, this approach violates Kerckhoffs's principle, which requires that security be concentrated in keys of reduced size and not in the complexity and the confidentiality of the implementation. The IDDQ test, for its part, is too costly and partial, while the BIST test is not suitable for a cryptographic computation.