Paper 2019/005

ScanSAT: Unlocking Obfuscated Scan Chains

Lilas Alrahis, Muhammad Yasin, Hani Saleh, Baker Mohammad, Mahmoud Al-Qutayri, and Ozgur Sinanoglu


While financially advantageous, outsourcing key steps such as testing to potentially untrusted Outsourced Semiconductor Assembly and Test (OSAT) companies may pose a risk of compromising on-chip assets. Obfuscation of scan chains is a technique that hides the actual scan data from the untrusted testers; logic inserted between the scan cells, driven by a secret key, hides the transformation functions between the scan-in stimulus (scan-out response) and the delivered scan pattern (captured response). In this paper, we propose ScanSAT: an attack that transforms a scan obfuscated circuit to its logic-locked version and applies a variant of the Boolean satisfiability (SAT) based attack, thereby extracting the secret key. Our empirical results demonstrate that ScanSAT can easily break naive scan obfuscation techniques using only three or fewer attack iterations even for large key sizes and in the presence of scan compression.

Publication info
Published elsewhere. ASPDAC 2019
hardware security, scan attacks, logic obfuscation, ip piracy, reverse engineering
Contact author(s)
myasin @ tamu edu
2019-01-09: received
Creative Commons Attribution


      author = {Lilas Alrahis and Muhammad Yasin and Hani Saleh and Baker Mohammad and Mahmoud Al-Qutayri and Ozgur Sinanoglu},
      title = {ScanSAT: Unlocking Obfuscated Scan Chains},
      howpublished = {Cryptology ePrint Archive, Paper 2019/005},
      year = {2019},
      note = {\url{}},
      url = {}