1. Field of the Invention
This invention relates to the protection of integrated circuitry from reverse engineering, and more particularly to the protection of sensitive portions of integrated circuits (ICs) that have a set/scan test capability.
2. Description of the Related Art
As ICs have become more complex, locating and identifying circuit faults has become more difficult. One technique that is commonly used for this purpose, due to its simplicity and completeness, is referred to as set/scan testing. This technique is described, for example, in Maunder and Tulloss, "Testability on TAP", IEEE Spectrum, February 1992, pages 34-37 (the term "boundary-scan" as used in this article is synonymous with set/scan).
When the set/scan test mode is enabled, the flip-flop circuits in the overall IC are connected in series, so that they essentially become a very large shift register. A known pattern is then applied to the circuit to set all of the flip-flops to a known state. In response to one or more clock signals, this pattern is modified by the logic between flip-flops and stored in the next flip-flop in the chain, allowing the resulting bit pattern to be read out of the device. ROM (read only memory) contents can similarly be read to verify their programming. Faulty logic is detected by comparing the output bit pattern to a known-good response, and analyzing the incorrect responses to determine the fault modes (such as fabrication problems, design errors, etc.) that might have caused the error.
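The scan flow described above, as an added Python sketch that is not part of the patent: a constructed four-flip-flop chain is loaded in scan mode, clocked once, and read out, and the responses are compared with the known-good ones to catch a modelled stuck-at fault. The chain length, the logic equations between flops and the single stuck-at fault model are all assumptions chosen for illustration.

```python
from itertools import product

N = 4  # assumed chain length (constructed example)

def logic(state, fault=None):
    """Constructed combinational logic feeding each flip-flop's D input.
    fault=(i, v) models output net i stuck at value v."""
    a, b, c, d = state
    nxt = [a ^ b, b & c, c | d, d ^ a]
    if fault is not None:
        nxt[fault[0]] = fault[1]
    return nxt

def scan_test(pattern, fault=None):
    """Shift a pattern in, apply one functional clock, shift the response out."""
    chain = [0] * N
    for bit in reversed(pattern):       # scan mode: one bit per clock
        chain = [bit] + chain[:-1]
    chain = logic(chain, fault)         # capture: normal mode, one clock
    out = []
    for _ in range(N):                  # scan mode again: read the last flop
        out.append(chain[-1])
        chain = [0] + chain[:-1]
    return out[::-1]                    # response in flip-flop order

ALL_PATTERNS = list(product((0, 1), repeat=N))
GOLDEN = {p: scan_test(p) for p in ALL_PATTERNS}   # known-good responses

def failing_patterns(fault, patterns=ALL_PATTERNS):
    """Patterns whose read-out differs from the known-good response."""
    return [p for p in patterns if scan_test(p, fault) != GOLDEN[p]]

def coverage(patterns):
    """Fraction of single stuck-at faults that at least one pattern exposes."""
    faults = [(i, v) for i in range(N) for v in (0, 1)]
    return sum(bool(failing_patterns(f, patterns)) for f in faults) / len(faults)

if __name__ == "__main__":
    print(failing_patterns((1, 0)))   # patterns that expose net 1 stuck at 0
    print(coverage([(0, 0, 0, 0), (1, 1, 1, 1)]), coverage(ALL_PATTERNS))
```

In this model two patterns expose six of the eight modelled faults, while the exhaustive set exposes all of them.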
The set/scan technique is commonly used in high-density LSI (large scale integration) devices because of its ability to exercise a very high percentage of the circuitry in a time-efficient manner. In addition to supporting manufacturing test, the set/scan functions can later be used by the end equipment to verify that the device is functioning correctly, or by the manufacturer to determine why the device failed in the field.
To achieve the level of observability required to satisfy these needs, every logic element must be exercised. Unfortunately, the level of fault coverage is inversely proportional to the resistance of the device to reverse-engineering attacks. In other words, manufacturers must consider that the more thorough the set/scan capability, the greater the chance that a copyist can discover design details by analyzing a number of corresponding input-output pairs. A tradeoff must therefore be made between faster and more thorough testing versus the amount of design exposure that is considered acceptable.
A thorough set/scan capability includes all of the flip-flops, RAM (random access memory) and ROM cells, and the logic used to connect them. Such circuitry may include sensitive subcircuits which the circuit designer would prefer to secure from reverse engineering. However, the designs of such subcircuits can be determined by considering each one as a "black box" and analyzing the corresponding input-output patterns made available by the set/scan feature. Such an analysis cannot be prevented by the common passive anti-reverse engineering technique of coating the circuit die with an opaque material, since this can only protect the circuit from analysis by visual examination.
Active anti-reverse engineering techniques have been developed, such as that disclosed in Ozdemir et al. U.S. Pat. No. 4,766,516, issued Aug. 23, 1988 and assigned to Hughes Aircraft Company, the assignee of the present invention. In this patent additional circuit elements that do not contribute toward the IC's circuit function, but which inhibit the proper functioning of the IC in case of an attempted copying or unauthorized use, are inserted into the circuit. The identities of the additional circuit elements are disguised by forming them with the visible appearance of an apparent element but with a physical modification that is not readily visible but causes them to function in a different manner, by providing different ICs with unique control codes, or both. However, even techniques such as these cannot provide sufficient protection if a thorough set/scan capability has been implemented. Such protective measures can be circumvented by using the set/scan capability to obtain direct internal access to the IC, including its sensitive subcircuits; analytical techniques can then be used to recover the circuit design. This is the principal reason why set/scan techniques are often avoided when implementing sensitive algorithms, despite the desirability of set/scan as a test procedure.