
On Random Pattern Testability of Cryptographic VLSI Cores

JOURNAL OF ELECTRONIC TESTING: Theory and Applications 16, 185–192, 2000. © 2000 Kluwer Academic Publishers. Manufactured in The Netherlands.

A. SCHUBERT AND W. ANHEIER
Institut für Theoretische Elektrotechnik und Mikroelektronik (ITEM), University of Bremen, P.O. Box 330440, D-28334 Bremen, Germany
[email protected]
[email protected]

Received June 15, 1999; Revised July 29, 1999

Editor: C. Landrault

Abstract. In this paper we show that the statistical properties of cryptographic algorithms are the reason for the excellent pseudorandom testability of cryptographic processor cores. The work is especially concerned with modern symmetric block encryption algorithms and their VLSI implementations. For the examination, typical basic operations of these cryptographic algorithms are categorized in classes and analyzed regarding their pseudorandom properties. Based on the results, the pseudorandom properties of symmetric block ciphers can be determined by means of data flow graphs (DFG) and so-called predecessor operation lists. This is demonstrated with a paradigm algorithm, the symmetric block cipher 3WAY. The results of the theoretical analysis lead to a so-called global BIST concept for cryptographic processor cores. This self-test approach is characterized by central pseudorandom pattern generators and signature registers at the primary inputs and outputs of the cores. The global BIST is applied, as an example, to an implementation of the 3WAY algorithm. Finally, the quality of the developed test approach is determined by fault simulations.

Keywords: pseudorandom testing, built-in self-test, testing of cores, test-ready intellectual property

1. Introduction

Within the scope of the development of a cryptographic VHDL library, VLSI processor cores are designed. The cryptographic cores are intended for core-based system design. They can be embedded in integrated systems as on-chip security modules. An important demand on security hardware is high testability. For security reasons the test measures should be implemented in the form of a built-in self-test (BIST): a self-test needs no external test access to the internal key and data registers of the core. Generally, BIST techniques represent the most suitable test method for newly developed VLSI cores. They meet requirements like low test costs, modularity and reusability (test-ready intellectual property) [1, 2].

Cryptographic processor cores are characterized by a data path with wide inputs and outputs. For these kinds of circuits only a BIST based on pseudorandom patterns is suitable. It can be realized by means of LFSRs (linear feedback shift registers) and MISRs (multiple input signature registers). Usually BIST test structures are locally applied to macro cells (e.g. PLAs, ROMs, RAMs, multipliers and adders), which are suitable for an autonomous self-test. The pseudorandom test of individual macro cells of a processor core (local BIST) by means of shift registers with additional test functions, test multiplexers or built-in logic block observers (BILBO) is costly [3]. A more efficient approach with lower test cost is the global BIST. In this approach pseudorandom test patterns are fed only to the primary inputs of the data path. The test responses at the primary outputs of the core are compressed by signature registers. Conditions for the global test are:

i. Propagation of pseudorandom test patterns through the data path of cryptographic VLSI cores, so that the data inputs of every macro cell are stimulated by pseudorandom patterns.

ii. Generation of new pseudorandom test patterns by operations in the data path.

iii. Propagation of fault effects (errors) through the data path.

These conditions are met by symmetric block ciphers such as DES and IDEA and their VLSI implementations. In [1] the pseudorandom testability of the hardware realization of the IDEA algorithm is examined by means of specific data flow graphs (DFG) and so-called predecessor lists. In this and other works of the authors the analysis is further extended to other modern symmetric block ciphers like SAFER K-128, RC5 or 3WAY [4]. The basic operations of these newer algorithms are examined with regard to their ability to propagate pseudorandom test patterns. In this paper it is shown, using the VLSI implementation of the symmetric block encryption algorithm 3WAY as an example, that the hardware realizations of cryptographic algorithms are especially suitable for the global BIST. The examination is verified by means of fault simulations.

2. Global BIST

The so-called global BIST uses the inherently good pseudorandom testability of cryptographic circuits. Thus, the control and observation paths for testing different internal circuit modules can be realized without modification of the internal functional architecture. For controlling the test patterns one has to consider only the function of the involved control modules and not their internal structure [3]. A global pseudorandom BIST (see Fig. 1) has the following advantages compared to a local BIST:

- Besides the test of complex macro cells (adders, multipliers, memories etc.), the test of random logic (registers, multiplexers etc.) and wires is also carried out.

- Only minimal additional test costs: functional and test architectures are to a large extent identical, i.e. considerably lower hardware overhead through central pseudorandom pattern generators (PRPG) and multiple input signature registers (MISR), and fewer BIST control tasks.

- Test time is decreased by simultaneous testing of all subcircuits.

Fig. 1. Global pseudorandom BIST.

3. Statistical Properties of Cryptographic Operations

3.1. Pseudorandom Test Patterns

The statistical properties of pseudorandom number sequences represent an appropriate basis for the following examination. The aim is to determine the ability of cryptographic basic operations to propagate pseudorandom test patterns. Pseudorandom test patterns are similar to a truly random sequence except for their repeatability. In a first approximation the following three conditions for truly random sequences can be applied to the statistical qualities of pseudorandom test patterns [3].

Assumption: In a set of $n$-bit test patterns the probability that an arbitrary bit is 1 or 0 is 0.5 in each case.

Condition 1 (serial statistical independence): In the serial bit string of any column the individual bits must be statistically independent of each other. Then the conditional probabilities between any two bits $y$ and $x$ are

$$P(y = a \mid x = b) = P(y = a) = 0.5,$$

where $a, b \in \{0, 1\}$.

Condition 2 (parallel statistical independence): In any test pattern row the individual bits must also be statistically independent, and the same statements about the conditional probabilities as in Condition 1 are valid.

Condition 3 (binomial probability distribution of the number of signal transitions): The probability distribution of the number of signal transitions $m$ ($0 \le m \le n$) between any two consecutive test patterns has a binomial form:

$$P(m \text{ signal transitions}) = 2^{-n} \binom{n}{m}.$$

Table 1. Typical basic operations of modern cryptographic algorithms.

Class I. Operations in finite groups: $Y = X * Z$; $X, Y, Z$ = variables.
  Example operations: $(X + Z) \bmod 256$, $(X - Z) \bmod 256$ or $X \oplus Z$.
  Algorithms: SAFER K-128, 3WAY, RC5, IDEA.

Class II. Group operations with an input which is a function of one or several variables: $Y = X * f(Z)$, $Y = X * f(U, Z)$ or $Y = X * f(X, U, Z)$.
  Example operations: $(2Z + X) \bmod 256$, $(2Z - X) \bmod 256$ or $X \oplus (U + Z)$.
  Algorithms: SAFER K-128, 3WAY.

Class III. Pseudorandom S-boxes and similar functions: $Y = \mathrm{prsbox}(X)$.
  Example operations: $45^{X} \bmod 257$ or $\log_{45} X \bmod 257$.
  Algorithms: SAFER K-128.

Class IV. Constant and data dependent bit permutations: $Y = \mathrm{bper}(X)$.
  Example operations: $\mathrm{ROTL}(X)$, $\mathrm{ROTR}(X)$, $\mathrm{ROTL}_Z(X)$ or $\mathrm{ROTR}_Z(X)$.
  Algorithms: SAFER K-128, 3WAY, IDEA, RC5.

3.2. Cryptographic Operations

Group operations and operations with similar properties, bit permutations as well as pseudorandom S-boxes and similar functions are essential elements in modern symmetric block ciphers (see Table 1).

3.2.1. Group Operations. Group operations $Y = X * Z$ have the following statistical property: if the patterns at the inputs $X$ and $Z$ are statistically independent, then a uniform probability distribution $P(\text{group element}) = 1/\#\text{group elements}$ (i.e. pseudorandom values) at input $X$ or $Z$ propagates to output $Y$. The reason is that for every fixed value $z$ the map $x \mapsto x * z$ is a bijection of the group, so a uniformly distributed $X$ yields a uniformly distributed $Y$ whatever the distribution of $Z$. Like the pseudorandom input patterns, the patterns at output $Y$ also have the statistical property $P(\text{group element}) = 1/\#\text{group elements}$. The three conditions for (pseudo)randomness of Section 3.1 are maintained at the output. In addition to the propagation of pseudorandom test patterns, group operations generate pseudorandomness. They produce pseudorandom values even with a deterministic input, on condition that the other input is pseudorandom [1].

By means of the XOR operation $y = x \oplus z$, which is the most frequently used group operation in cryptographic algorithms, a further interesting aspect of the randomness generation property will be explained in the following. If both input variables $x$ and $z$ are statistically independent and the probabilities $P(x = 1)$, $P(z = 1)$ and $P(y = 1)$ are denoted by $P_x$, $P_z$ and $P_y$, then the formula for the output probability $P_y$ of the XOR operation is

$$P_y = (1 - P_x) P_z + P_x (1 - P_z).$$

This equation can be transformed to

$$\tfrac{1}{2} - P_y = 2 \left(\tfrac{1}{2} - P_x\right) \left(\tfrac{1}{2} - P_z\right).$$

The absolute value of the difference between the actual probability and the probability 0.5 is a measure for the similarity of a binary variable with the ideal binary variable:

$$\left|\tfrac{1}{2} - P_y\right| = 2 \left|\tfrac{1}{2} - P_x\right| \left|\tfrac{1}{2} - P_z\right|.$$

Since $0 < 2 \left|\tfrac{1}{2} - a\right| < 1$ for $0 < a < 1$ and $a \ne 0.5$, the following inequality can be derived:

$$0 < \left|\tfrac{1}{2} - P_y\right| < \left|\tfrac{1}{2} - P_x\right|, \left|\tfrac{1}{2} - P_z\right| \quad \text{for } 0 < P_x, P_z < 1 \text{ and } P_x, P_z \ne 0.5.$$

The sequence at the output of the XOR operation is more similar to an unweighted (pseudo)random sequence than the two input sequences. Thus, the XOR operation has the property to increase the extent of randomness. The already mentioned special case $P_x = 0.5$ ($x$ is pseudorandom) results in $\left|\tfrac{1}{2} - P_y\right| = 0$, where $P_y$ is independent of $P_z$. These considerations confirm the above statement that group operations generate pseudorandom values.
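The derivation above carried out in code, as an added example that is not code from the paper: `xor_output_prob` is the formula for $P_y$, `bias` is $|\tfrac{1}{2} - P|$, and `xor_output_prob_many` extends the two-input formula to an XOR of several independent inputs (the output bias is then $2^{k-1}$ times the product of the $k$ input biases, the piling-up lemma). The bit streams are constructed with a seeded generator; all function names are this example's own.

```python
"""Bias propagation through XOR (Section 3.2.1). Added example, not code from
the paper: xor_output_prob is the formula for P_y, bias is |1/2 - P|, and
xor_output_prob_many extends the formula to an XOR of several independent
inputs. The bit streams are constructed with a seeded generator; all names
are this example's own."""
import random
from typing import Iterable, List


def xor_output_prob(px: float, pz: float) -> float:
    """P(y = 1) for y = x XOR z with independent x, z and P(x = 1) = px, P(z = 1) = pz."""
    return (1.0 - px) * pz + px * (1.0 - pz)


def bias(p: float) -> float:
    """|1/2 - p|: distance of a binary variable from the ideal (unweighted) one."""
    return abs(0.5 - p)


def xor_output_prob_many(probs: Iterable[float]) -> float:
    """XOR of k independent biased bits, by folding the two-input formula.
    Its bias is 2^(k-1) times the product of the input biases (piling-up lemma),
    so the output is at least as close to 0.5 as the best input, and exactly 0.5
    as soon as one input is ideal."""
    py = 0.0                       # the empty XOR is the constant 0
    for p in probs:
        py = xor_output_prob(py, p)
    return py


def biased_bits(p_one: float, n: int, seed: int) -> List[int]:
    """Constructed test stream: n independent bits with P(bit = 1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def measured_prob_one(bits: List[int]) -> float:
    return sum(bits) / len(bits)


def xor_streams(a: List[int], b: List[int]) -> List[int]:
    return [x ^ z for x, z in zip(a, b)]


def demo(px: float = 0.7, pz: float = 0.8, n: int = 20000) -> dict:
    """Compare the analytic output probability with a measurement on constructed
    streams and show that the output bias lies below both input biases."""
    y = xor_streams(biased_bits(px, n, seed=1), biased_bits(pz, n, seed=2))
    py = xor_output_prob(px, pz)
    return {"py_analytic": py, "py_measured": measured_prob_one(y),
            "bias_x": bias(px), "bias_z": bias(pz), "bias_y": bias(py),
            "bias_y_from_inputs": 2 * bias(px) * bias(pz),
            "py_with_ideal_input": xor_output_prob(0.5, pz)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<20} {v:.4f}")
```

With $P_x = 0.7$ and $P_z = 0.8$ the output has $P_y = 0.38$, i.e. a bias of 0.12 against input biases of 0.2 and 0.3; a third input with $P = 0.9$ brings the bias down to 0.096, and an ideal input brings it to 0 regardless of the others.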

Operations of class II have properties similar to class I operations. They provide pseudorandom output values if the input variable $X$ is pseudorandom and statistically independent of the function $f(Z)$, $f(U, Z)$ or $f(X, U, Z)$.

3.2.2. Pseudorandom S-Boxes and Similar Functions. The example functions enumerated in row III of Table 1 resemble pseudorandom substitution boxes (S-boxes). The function of a quadratic $n_s \times n_s$ S-box can be described through boolean equations in ANF (algebraic normal form) representation. Each of the $n_s$ output bits is a function of all $n_s$ input bits:

$$f_k(x_1, x_2, \ldots, x_{n_s}) = a_0 \oplus a_1 x_1 \oplus a_2 x_2 \oplus \cdots \oplus a_{n_s} x_{n_s} \oplus a_{1,2}\, x_1 x_2 \oplus \cdots \oplus a_{1,2,3,\ldots,n_s}\, x_1 x_2 x_3 \cdots x_{n_s}.$$

In case of pseudorandom S-boxes the coefficients of the $n_s$ ANF equations are random and statistically independent from each other. The number of terms with non-linear order $i$ ($0 \le i \le n_s$) is binomially distributed; on average it is $\tfrac{1}{2} \binom{n_s}{i}$.

The serial statistical independence (cf. Section 3.1) remains for the output words, since the pseudorandom S-boxes are memoryless transformations (the ANF equations are non-recursive). Any two input patterns $X(t)$ and $X(t + T)$ with $X(t + T) \ne X(t)$ select two different ANF equations (two different subsets of terms) for the same output bit $f_k$ ($1 \le k \le n_s$). Their XOR difference is a function of one or more random and statistically independent coefficients (each set with probability 0.5). The difference has the probability

$$P\big(f_k(X(t)) \oplus f_k(X(t + T)) = 1\big) = P\big(f_k(X(t + T)) = 1\big) = 0.5,$$

which implies statistical independence.

Although each output bit depends on all input bits, the parallel statistical independence is also valid for the output bits. Each input pattern determines a coefficient subset in the ANF equations, namely the $2^{w(X)}$ monomials whose variables are all set in the pattern, where $w(X)$ is the Hamming weight of the current input pattern $X(t)$. The number of combinations with an odd number of set coefficients in this subset is

$$\binom{2^{w(X)}}{1} + \binom{2^{w(X)}}{3} + \cdots + \binom{2^{w(X)}}{2^{w(X)} - 1} = \tfrac{1}{2}\, 2^{2^{w(X)}}.$$

The assumption of random ANF coefficients, each set with probability 0.5, leads to the following probability that an ANF equation has 1 as its result:

$$P\big(f_k(x_1, x_2, \ldots, x_{n_s}) = 1\big) = \tfrac{1}{2}\, 2^{2^{w(X)}} \cdot 2^{-2^{w(X)}} = 0.5.$$

On account of the statistical independence of the coefficients, the output bits of different ANF equations are statistically independent from each other.

The pattern of signal transitions between two arbitrary consecutive output patterns is derived from the XOR of the two patterns. Due to the serial statistical independence, the probability for every bit column of the operation is

$$P\big(f_k(X(t)) \oplus f_k(X(t + 1)) = 1\big) = 2 \cdot \tfrac{1}{2} \left(1 - \tfrac{1}{2}\right) = 0.5.$$

Together with the already mentioned parallel statistical independence, a binomial probability distribution of the number of signal transitions occurs at the output.

A sufficient condition for a pseudorandom output is a constantly changing pattern sequence (without repetition) at the input of the pseudorandom S-box. Therefore, pseudorandom S-boxes and similar functions propagate, increase and generate pseudorandomness.

3.2.3. Constant and Data Dependent Bit Permutations. The serial statistical independence remains in the output words, because the (data dependent) permutations $\mathrm{bper}(X)$ are memoryless transformations.

The parallel statistical independence is preserved for the bits of the output words, because (data dependent) permutations change the order but not the values of the bits of the permuted input word $X$.

The Hamming weight and the binomial probability distribution of the non-zero elements in the individual test patterns are not changed. This results in a binomial probability distribution of the number of signal transitions between any two consecutive output patterns. All three conditions for (pseudo)randomness remain uninfluenced by the operation. Accordingly, a pseudorandom test pattern assumed at the permutation input $X$ propagates to the output.

4. Pseudorandom Properties of 3WAY

The importance of the specific properties of cryptographic basic operations for the pseudorandom test of cryptographic hardware is explained in the following example. The symmetric block cipher algorithm 3WAY [5] is used as a paradigm. The algorithm is analyzed concerning its property to propagate pseudorandom test patterns. The 3WAY algorithm consists of two subalgorithms: encryption and subkey generation.

4.1. Encryption

The encryption data flow graph (DFG) of 3WAY [5] is depicted in Fig. 2. In addition to the XOR combination of data and subkeys (operation class I) and constant rotations of 32-bit data subblocks (operation class IV), the 3WAY DFG contains the so-called $\theta$ and $\gamma$ functions.

Fig. 2. Encryption DFG of 3WAY.

4.1.1. Linear Substitution $\theta$. The linear substitution $B = \theta(A)$ is a polynomial multiplication, which is defined as follows [5]:

$$b(x) = e(x^h) \cdot a(x) \bmod (1 + x^{12 h}) \quad \text{with} \quad e(x) = 1 + x + x^2 + x^3 + x^5 + x^6 + x^{10},\; h = n/12 \text{ and } n = 96.$$

Table 2. Predecessor operation list of the encryption DFG (3WAY encryption).

Op. no. | Op. | Operation types | Relevant pr in | Pred. | Pr in | Pr out
0 | I0, I1, I2, S0, S1, S2 | Inputs* | X, U, Z or S0, S1, S2 | – | X, U, Z | –
1 | xor | X′ = X ∗ S0, U′ = U ∗ S1, Z′ = Z ∗ S2 | X, U, Z or S0, S1, S2 | 0 | X, U, Z | Yes
2 | θ | X′ = X ∗ f(X, U, Z), U′ = U ∗ f(U, Z, X), Z′ = Z ∗ f(Z, X, U) | X, U, Z | 1 | X, U, Z | Yes
3 | π1 | X′ = bper(X), U′ = U, Z′ = bper(Z) | X, U, Z | 2 | X, U, Z | Yes
4 | γ | X′ = X ∗ f(U, Z), U′ = U ∗ f(Z, X), Z′ = Z ∗ f(X, U) | X, U, Z | 3 | X, U, Z | Yes
5 | π2 | X′ = bper(X), U′ = U, Z′ = bper(Z) | X, U, Z | 4 | X, U, Z | Yes
6 | xor | X′ = X ∗ S0, U′ = U ∗ S1, Z′ = Z ∗ S2 | X, U, Z or S0, S1, S2 | 5 | X, U, Z | Yes
… | … | … | … | … | … | …

*Assumption: data and key inputs are statistically independent. X, U, Z and S0, S1, S2: 32-bit data subblocks and subkey variables.

The polynomial $a(x)$ is the polynomial representation of the binary vector $A = (a_0, a_1, \ldots, a_{n-1})$:

$$a(x) = \sum_{i=0}^{n-1} a_i \cdot x^i.$$

An alternative description of the operation consists of three partial equations. The equations have the form $X' = X * f(X, U, Z)$, $U' = U * f(U, Z, X)$ and $Z' = Z * f(Z, X, U)$, e.g.

$$\begin{aligned} X' = {} & X \oplus (X \gg 16) \oplus (U \ll 16) \oplus (U \gg 16) \oplus (Z \ll 16) \oplus (U \gg 24) \oplus (Z \ll 8) \oplus (Z \gg 8) \\ & \oplus (X \ll 24) \oplus (Z \gg 16) \oplus (X \ll 16) \oplus (Z \gg 24) \oplus (X \ll 8), \end{aligned}$$

where $\ll$ and $\gg$ denote left and right bit shifts of the 32-bit subblocks. The equations are realized by XORs and bit shifts of the 32-bit subblocks $X$, $U$ and $Z$ and belong to operation class II (cf. Section 3.2). Note that due to the bitwise character of the XOR operation the statistical independence is only required at bit level.

4.1.2. Non-Linear Substitution $\gamma$. The non-linear substitution $B = \gamma(A)$ also belongs to operation class II and is defined as follows [5]:

$$b_i = a_i \oplus \big(a_{(i + k) \bmod 96} \cdot a_{(i + 2k) \bmod 96}\big),$$

where $k = n/3 = 32$ and $0 \le i \le 95$. The above equation can be converted to the following three partial equations:

$$X' = X \oplus (U + Z), \quad U' = U \oplus (Z + X) \quad \text{and} \quad Z' = Z \oplus (X + U).$$

The operations inside the parentheses are bitwise boolean operations on the 32-bit subblocks (there are no carries between bit positions), which is why each output bit depends on only three input bits and $\gamma$ has the class II structure $X * f(U, Z)$.

Table 2 shows the predecessor operation list, which is derived from the DFG. In the list the data inputs of the DFG are assumed to be pseudorandom. If the data and subkey inputs of the DFG are statistically independent, then the inputs of every group operation are statistically independent. The DFG and the predecessor operation list reveal that the input of every operation which is relevant for the propagation of pseudorandomness is pseudorandom. Thus, pseudorandom test patterns will propagate through the whole encryption algorithm. Furthermore, the group operations of classes I and II contained in the algorithm cause the generation of new pseudorandom values at the output of the DFG. They can be used as test patterns again.

Similar properties can also be derived for the decryption DFG of 3WAY. The DFG of the 3WAY decryption differs from the encryption DFG only in the constant bit permutation $\mu$. This permutation inverts the bit order of a binary vector and is applied in an additional input and output transformation.

4.1.3. Constant Bit Permutation $\mu$. The bit permutation $B = \mu(A)$ inverts the order of the bits of an $n$-bit data vector:

$$b_i = a_{n - 1 - i} \quad \text{for } 0 \le i \le 95.$$

Referring to the three 32-bit variables $X$, $U$ and $Z$, the following three partial equations result from the above formula:

$$x'_j = z_{31 - j}, \quad u'_j = u_{31 - j}, \quad z'_j = x_{31 - j} \quad \text{for } 0 \le j \le 31.$$

Since the bit permutation $\mu$ belongs to operation class IV (cf. Section 3.2), it does not change the pseudorandom properties of the decryption DFG.

Besides the propagation and generation of pseudorandom test patterns (controllability), the propagation of errors (observability) is of decisive importance for the pseudorandom testability of circuits. Symmetric block ciphers like 3WAY are in particular characterized by the avalanche effect. This property means that with the modification of only one input bit (key or data) every output bit changes its value with a probability near 0.5 [4]. In a reduced form this principle can be found again in the substructures and basic operations of a symmetric block cipher. Therefore, errors propagate with very high probability to the primary outputs of a cryptographic core.
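The predecessor-list analysis of Table 2 as a small program, an added example that is not code from the paper: every DFG operation carries its Table 1 class, and the rules of Section 3 decide from the pseudorandom (pr) state of its inputs whether its outputs are pr (class I needs one pr operand, classes II to IV need their group input to be pr). The 3WAY round is transcribed from Table 2 and the subkey fragment from Section 4.2; the signal names, the rule encoding and the hypothetical "NPR" class for the LFSR and expansion are this example's own.

```python
"""Predecessor operation list for a cipher data flow graph (Section 4, Table 2).
Added example, not code from the paper: each DFG operation carries its Table 1
class, and the rules of Section 3 decide from the pseudorandom (pr) state of
its inputs whether its outputs are pr. The 3WAY round is transcribed from
Table 2, the subkey fragment from Section 4.2; signal names, the rule encoding
and the hypothetical "NPR" class for the LFSR/expansion are this example's own."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# one partial equation: (output signal, group input(s), arguments of f(...))
Eq = Tuple[str, List[str], List[str]]


@dataclass
class Op:
    no: int
    name: str
    cls: str        # "I", "II", "III", "IV" (Table 1) or "NPR" (never pseudorandom)
    eqs: List[Eq]


def output_is_pr(cls: str, group_inputs: List[str], pr: Dict[str, bool]) -> bool:
    """Section 3 rules. A signal that is not known to be pr counts as not pr."""
    flags = [pr.get(s, False) for s in group_inputs]
    if cls == "I":                   # Y = X * Z: one pseudorandom operand suffices
        return any(flags)
    if cls in ("II", "III", "IV"):   # Y = X * f(..), prsbox(X), bper(X): X must be pr
        return bool(flags) and all(flags)
    return False                     # NPR: LFSR with non-primitive polynomial, expansion


def predecessor_list(ops: List[Op], primary: Dict[str, bool]) -> List[dict]:
    """Walk the DFG in operation order and build the rows of a Table-2-style list."""
    pr = dict(primary)
    producer = {s: 0 for s in primary}        # op. no. 0 = primary inputs
    rows = []
    for op in ops:
        ins = sorted({s for _, g, f in op.eqs for s in g + f})
        row = {"no": op.no, "op": op.name, "class": op.cls,
               "pred": sorted({producer[s] for s in ins}),
               "pr_in": [s for s in ins if pr.get(s, False)]}
        outs = []
        for out, group, _args in op.eqs:
            pr[out] = output_is_pr(op.cls, group, pr)
            producer[out] = op.no
            outs.append(pr[out])
        row["pr_out"] = all(outs)
        rows.append(row)
    return rows


def all_pr(rows: List[dict]) -> bool:
    return all(r["pr_out"] for r in rows)


def threeway_round() -> List[Op]:
    """One 3WAY encryption round as listed in Table 2 (X, U, Z: data subblocks
    after op. n; S0..S5: subkey words of the two surrounding XOR steps)."""
    return [
        Op(1, "xor", "I", [("X1", ["X0", "S0"], []), ("U1", ["U0", "S1"], []), ("Z1", ["Z0", "S2"], [])]),
        Op(2, "theta", "II", [("X2", ["X1"], ["X1", "U1", "Z1"]), ("U2", ["U1"], ["U1", "Z1", "X1"]),
                              ("Z2", ["Z1"], ["Z1", "X1", "U1"])]),
        Op(3, "pi1", "IV", [("X3", ["X2"], []), ("U3", ["U2"], []), ("Z3", ["Z2"], [])]),
        Op(4, "gamma", "II", [("X4", ["X3"], ["U3", "Z3"]), ("U4", ["U3"], ["Z3", "X3"]), ("Z4", ["Z3"], ["X3", "U3"])]),
        Op(5, "pi2", "IV", [("X5", ["X4"], []), ("U5", ["U4"], []), ("Z5", ["Z4"], [])]),
        Op(6, "xor", "I", [("X6", ["X5", "S3"], []), ("U6", ["U5", "S4"], []), ("Z6", ["Z5", "S5"], [])]),
    ]


def subkey_fragment() -> List[Op]:
    """Section 4.2: round constant RC from the 8-bit LFSR plus zero-filling
    expansion (not pr), XORed into the key words K0..K2 (class I)."""
    return [
        Op(1, "lfsr+expand", "NPR", [("RC", [], [])]),
        Op(2, "xor", "I", [("S0", ["K0", "RC"], []), ("S1", ["K1", "RC"], []), ("S2", ["K2", "RC"], [])]),
    ]


def scenario(data_pr: bool, key_pr: bool) -> List[dict]:
    """Encryption DFG with pseudorandom or deterministic data / subkey inputs."""
    primary = {s: data_pr for s in ("X0", "U0", "Z0")}
    primary.update({s: key_pr for s in ("S0", "S1", "S2", "S3", "S4", "S5")})
    return predecessor_list(threeway_round(), primary)


if __name__ == "__main__":
    for data_pr, key_pr in ((True, True), (True, False), (False, True), (False, False)):
        print(f"data pr={data_pr}, subkeys pr={key_pr}:")
        for r in scenario(data_pr, key_pr):
            print(f"  {r['no']} {r['op']:<6} class {r['class']:<3} pred {r['pred']} "
                  f"pr in {r['pr_in']} pr out {'Yes' if r['pr_out'] else 'No'}")
    for r in predecessor_list(subkey_fragment(), {"K0": True, "K1": True, "K2": True}):
        print(f"subkey {r['op']}: pr out {'Yes' if r['pr_out'] else 'No'}")
```

Running the four scenarios reproduces the argument of this section: with pseudorandom data inputs every row of the round gets "Pr out: Yes" whether or not the subkeys are pseudorandom, a pseudorandom key alone also suffices because the first XOR (class I) generates pseudorandomness, and only fully deterministic inputs leave the whole list at "No". In the subkey fragment the LFSR row is "No" while the following XOR row is "Yes", which is the statement of Section 4.2.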

4.2. Subkey Generation

The subkey generation is kept simple and is partially based on the same basic operations as the encryption and decryption DFG. Thus, pseudorandom patterns at the key inputs propagate to the subkey outputs [5]. Fig. 3 shows the DFG of the subkey generation for decryption. Notice that the LFSR included in the subkey generation and the subsequent expansion do not generate or propagate pseudorandom values, because the feedback polynomial of the 8-bit LFSR is not primitive (the register therefore does not run through all 255 non-zero states) and the expansion repeats the LFSR output value four times and fills the remaining places with zeros to generate the 96-bit round constants [5]. Therefore, the LFSR and the subsequent expansion are the only parts of the 3WAY algorithm in which patterns without pseudorandom properties occur.

Fig. 3. Subkey generation DFG of 3WAY (decryption).

5. Functional and Test Architecture

Fig. 4 shows the functional architecture of the cryptographic processor core which realizes the symmetric block cipher 3WAY. The data path consists of the two parts subkey generation and encryption. In the cipher data path a common encryption and decryption round structure is implemented. For carrying out the effective 12 encryption rounds, the output data of the round structure are fed back via multiplexer and register to the inputs.

In Fig. 4 the global pseudorandom BIST architecture for the core is also depicted. By means of LFSRs, pseudorandom test patterns are fed to the primary key and data inputs of the processor core. They propagate through the data path. In principle, random logic like multiplexers and registers does not prevent the propagation of pseudorandom test patterns. A MISR compresses the test responses at the primary outputs of the core to a signature. A BIST controller causes the processor core controller to carry out several encryptions and decryptions. This means that the processor core carries out its normal function during the self-test. The cost for this kind of self-test is minimal.

Fig. 4. Architecture for the symmetric block cipher 3WAY.

Notice that on account of the data feedback, the implemented round structure is exercised by 12 pseudorandom test patterns during one conversion. By contrast, most of the remaining circuit is only exercised with one test pattern per conversion. This fact has effects on the test lengths for the different parts of the core.

An advantage of the 3WAY algorithm in comparison to other corresponding algorithms is that no memory elements (e.g. subkey RAMs or S-box ROMs) are required for its implementation. Though a test of RAMs and ROMs with pseudorandom test patterns is in principle possible, memories in a circuit under test usually lead to an increase of the test length [6]. In case of embedding the 3WAY functional architecture in a realization of the modes of operation according to the ISO/IEC standard [4], the presented test principle can be extended to this larger circuit. Then the pseudorandom output values of the 3WAY architecture can also be used for the test of the modes of operation circuit.

6. Fault Simulation

To verify the test architecture of Section 5 as well as the theoretical analysis of Sections 3 and 4, fault simulations are carried out for the data path of the cryptographic processor core. During the fault simulation, 40 conversions (20 encryptions and 20 decryptions) with 40 pseudorandom test patterns at the data and key inputs take place. One conversion takes 12 clock cycles (plus 3 further cycles for a subsequent reset break). The results of the fault simulation are summarized in Table 3. The unfavorable pseudorandom properties of the LFSR and of the expansion are the reason for the non-optimal fault coverage in case of the subkey generation (cf. Section 4.2). One item has not been considered so far: the pseudorandom testability of the basic operations themselves. The additional Table 4 shows the results of individual fault simulations for the essential basic operations. Besides the determination of the different fault coverages, the fault simulations contribute to the determination of the test length required for a fault coverage over 99%. The results of the fault simulation show that the global BIST is very efficient with regard to fault coverage and test length.

Table 3. Fault coverages (40 test conversions).

3WAY processor core | Fault coverage (SA faults) (%) | # Total faults
Total data path | 99.6 | 16837
Subkey generation | 99.1 | 7825
Encryption data path | 100.0 | 12366
Round structure | 100.0 | 6168

Table 4. Fault coverage and test length for basic operations of 3WAY.

Basic operations* | Test length (# pr test patterns) | Fault coverage (SA faults) (%)
XOR operation | 10 | 100.0
Linear substitution θ | 10 | 100.0
Non-linear substitution γ | 30 | 100.0

*Bit permutations μ, π1, π2 contain no gates.
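The global BIST of Section 5 and the stuck-at fault simulation of Section 6 on a toy data path, as an added example that is not code from the paper: an LFSR pattern generator drives all primary inputs (data and key words), a MISR compresses the three output words of every conversion into a signature, and each fault of a single-stuck-at list is simulated against the golden signature to obtain the fault coverage. The round function is a stand-in assembled from the operation classes of Table 1 (key XOR, linear mixing, rotation, a gamma-like nonlinear step) and is not the 3WAY core; the wire names, the feedback polynomials, the fault list and the test length of 20 conversions are this example's own. The `lfsr_period` helper also illustrates the remark of Section 4.2: a primitive 8-bit feedback polynomial cycles through all 255 non-zero states, a non-primitive one (here $x^8 + 1$) through only 8.

```python
"""Global pseudorandom BIST with a stuck-at fault simulation (Sections 5 and 6).
Added example, not code from the paper: an LFSR pattern generator drives all
primary inputs, a MISR compresses the primary outputs, and every fault of a
single-stuck-at list is simulated against the golden signature. The round
function is a stand-in assembled from the operation classes of Table 1 (key
XOR, linear mixing, rotation, gamma-like nonlinear step); it is NOT the 3WAY
core, and the wire names, polynomials and test length are this example's own."""
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
POLY32 = 0x80200003   # x^32 + x^22 + x^2 + x + 1, primitive (Galois right-shift form)
POLY8 = 0xB8          # x^8 + x^6 + x^5 + x^4 + 1, primitive
ROUNDS = 12           # one conversion = 12 fed-back rounds, as in Section 5
WIRES = ["x_in", "u_in", "z_in", "x_key", "u_key", "z_key",
         "x_mix", "u_mix", "z_mix", "x_out", "u_out", "z_out"]
Fault = Tuple[int, int, int]   # (wire index, bit, stuck value)


def lfsr_next(state: int, poly: int, width: int) -> int:
    """One step of a Galois LFSR: shift right, feed the dropped bit back via poly."""
    lsb = state & 1
    state >>= 1
    if lsb:
        state ^= poly
    return state & ((1 << width) - 1)


def lfsr_period(poly: int, width: int) -> int:
    """Length of the state cycle through state 1. A primitive feedback polynomial
    gives 2^width - 1 states; a non-primitive one (Section 4.2) a shorter cycle."""
    s = 1
    for n in range(1, 1 << width):
        s = lfsr_next(s, poly, width)
        if s == 1:
            return n
    return 0   # state 1 never recurs


def rotl(w: int, r: int) -> int:
    return ((w << r) | (w >> (32 - r))) & MASK32


def rotr(w: int, r: int) -> int:
    return rotl(w, 32 - r)


def toy_round(x: int, u: int, z: int, k0: int, k1: int, k2: int,
              fault: Optional[Fault] = None) -> Tuple[int, int, int]:
    """Stand-in round: class I key XOR, class II linear mixing, class IV rotation,
    class II gamma-like step X' = X ^ (U | ~Z). A stuck-at fault on one wire
    is applied every time a value passes that wire."""
    def w(i: int, v: int) -> int:
        if fault is not None and fault[0] == i:
            _, bit, val = fault
            v = v | (1 << bit) if val else v & ~(1 << bit) & MASK32
        return v
    x, u, z = w(0, x), w(1, u), w(2, z)
    x, u, z = w(3, x ^ k0), w(4, u ^ k1), w(5, z ^ k2)
    x, u, z = (w(6, x ^ rotl(u, 7) ^ rotr(z, 11)),
               w(7, u ^ rotl(z, 7) ^ rotr(x, 11)),
               w(8, z ^ rotl(x, 7) ^ rotr(u, 11)))
    x, z = rotl(x, 10), rotr(z, 1)
    x, u, z = (w(9, x ^ (u | ~z & MASK32)),
               w(10, u ^ (z | ~x & MASK32)),
               w(11, z ^ (x | ~u & MASK32)))
    return x, u, z


def conversion(words: List[int], fault: Optional[Fault] = None) -> Tuple[int, int, int]:
    """12 fed-back rounds on one pattern (data X, U, Z and key words K0..K2)."""
    x, u, z, k0, k1, k2 = words
    for _ in range(ROUNDS):
        x, u, z = toy_round(x, u, z, k0, k1, k2, fault)
    return x, u, z


def bist_signature(n_conversions: int, fault: Optional[Fault] = None, seed: int = 1) -> int:
    """Global BIST run: the PRPG feeds every primary input (data and key) from
    successive LFSR states; the MISR folds the three output words per conversion."""
    prpg, misr = seed, 0
    for _ in range(n_conversions):
        words = []
        for _ in range(6):
            prpg = lfsr_next(prpg, POLY32, 32)
            words.append(prpg)
        for word in conversion(words, fault):
            misr = lfsr_next(misr, POLY32, 32) ^ word
    return misr


def fault_list(bit_stride: int = 4) -> List[Fault]:
    """Single stuck-at-0/1 faults on every wire, sampled every bit_stride bits."""
    return [(i, b, v) for i in range(len(WIRES)) for b in range(0, 32, bit_stride) for v in (0, 1)]


def fault_coverage(n_conversions: int = 20, bit_stride: int = 4) -> Tuple[float, List[Fault]]:
    """Fraction of faults whose signature differs from the golden one."""
    golden = bist_signature(n_conversions)
    faults = fault_list(bit_stride)
    undetected = [f for f in faults if bist_signature(n_conversions, f) == golden]
    return 1.0 - len(undetected) / len(faults), undetected


if __name__ == "__main__":
    print("period of primitive 8-bit LFSR   :", lfsr_period(POLY8, 8))
    print("period of x^8 + 1 (not primitive):", lfsr_period(0x80, 8))
    print("golden signature (20 conversions): 0x%08x" % bist_signature(20))
    cov, und = fault_coverage(20)
    print(f"stuck-at fault coverage: {100 * cov:.1f}% ({len(und)} undetected)")
```

The point to notice is how little test hardware this needs: one LFSR, one MISR and a counter; the data path is exercised by its own function, and because every stage of the toy round passes differences on unconditionally (XOR, rotation, the XOR into the gamma-like step), a stuck-at fault reaches the primary outputs within the same conversion. The residual risk of such a scheme is signature aliasing, which for a 32-bit MISR is about $2^{-32}$ per fault; for a production core the MISR width and the test length are chosen against the fault list, as Tables 3 and 4 do here for 3WAY.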

7. Summary

The statistical properties of typical basic operations of modern cryptographic algorithms are described. Based on these qualities, symmetric block ciphers and their VLSI implementations can be analyzed with regard to propagating pseudorandom test patterns. In this paper the symmetric block encryption algorithm 3WAY is used as a paradigm.

The results of this and other works show that cryptographic processor cores are ideal for an efficient global pseudorandom BIST because of their specific structures and operations. In principle the results can be used for other circuit architectures with similar properties. But generally they cannot be applied to VLSI realizations of typical DSP algorithms such as FFT or digital filters. In these algorithms logic and arithmetic operations play an important role which do not propagate pseudorandom patterns. For example, shift operations, additions and multiplications with overflow as well as logic operations like OR and AND belong to these kinds of operations. In a continuation of this work the BIST concept is extended to larger cryptographic processor cores, which contain additional circuits to realize modes of operation according to the ISO/IEC standard.

References

1. H. Bonnenberg, "Secure Testing of VLSI Cryptographic Equipment," Dissertation No. 10204, ETH Zürich, 1993.

2. Federal Information Processing Standard Publication (FIPS PUB) 140, "Telecommunications: General Security Requirements for Equipment Using the Data Encryption Standard," USA, 1982.

3. M. Gerner, B. Müller, and G. Sandweg, Selbsttest digitaler Schaltungen, R. Oldenbourg Verlag, München, 1990.

4. B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, New York, 1994.

5. J. Daemen, R. Govaerts, and J. Vandewalle, "A New Approach to Block Cipher Design," Fast Software Encryption, Lecture Notes in Computer Science No. 809, Springer, New York, pp. 18–32, 1994.

6. P.H. Bardell, W.H. McAnney, and J. Savir, Built-In Test for VLSI: Pseudorandom Techniques, John Wiley & Sons, New York, 1987.

Andreas Schubert received the Dipl.-Ing. degree (M.Sc.) in Electrical Engineering from the University of Bremen (Germany) in 1994. He joined the Institute for Electromagnetic Theory and Microelectronics (ITEM), University of Bremen, in December 1994. His current research interests are in design and test of cryptographic virtual components.

Walter Anheier received the Diploma and the Doctorate from Rheinisch-Westfälische Technische Hochschule (RWTH) Aachen, Germany, both in Electrical Engineering, in 1973 and 1980 respectively.

From 1977 to 1981 he was an Assistant Professor in the Electrical Engineering Department at RWTH Aachen. His research interests emphasised mathematical and physical aspects of numerical modeling of semiconductor devices. In 1981 he joined Philips Semiconductors in Hamburg, Germany, where he was involved in the characterization of MOS devices and monolithic integrated circuits. Later on he was a project manager of several CAD research and development projects in the field of MOS modeling, circuit and hybrid simulation, and in 1990 he was appointed CAD Manager of the Industrial IC Department at Philips. From 1985 to 1992 he was also a lecturer at FH and TU Hamburg.

Since 1992 Dr. Anheier has been a full Professor in the Department of Electrical Engineering at the University of Bremen, Germany. His research interests include various aspects of microelectronics with emphasis on fast functional simulation, computer-aided testing (CAT) and synthesis of digital systems. He is an associate member of IEEE and a member of ACM and ITG.