
Page 1: Logic Locking: A Survey of Proposed Methods and Evaluation ...Title: Logic Locking: A Survey of Proposed Methods and Evaluation Metrics Author: Sophie Dupuis Subject: J Electron Test,

Logic Locking: A Survey of Proposed Methods and Evaluation Metrics

Sophie Dupuis¹ & Marie-Lise Flottes¹

Received: 8 February 2019 / Accepted: 30 April 2019 / Published online: 11 May 2019
© Springer Science+Business Media, LLC, part of Springer Nature 2019

Abstract

The outsourcing business model is dominating the semiconductor industry. Due to this loss of control over the design flow, several threats have become a major source of concern, including overproduction and IP overuse. For over a decade, several solutions have been proposed in the literature to counteract such threats. These solutions consist in hiding the behavior of the IPs/ICs until the design house securely unlocks them. This way, only unlocked IPs/ICs can be used properly while locked ones produce erroneous data. In this paper, we survey logic locking approaches and discuss locking quality in hiding expected behavior and in resisting attacks.

Keywords Design-for-hardware-trust · Design-for-security · IP piracy · IP overuse · Logic locking · Overproduction · Security

1 Introduction

Intellectual Property (IP) and Integrated Circuits (ICs) infringements – ranging from piracy to overproduction – have become a serious threat due to the globalization of the semiconductor industry supply chain. On one hand, the cost of manufacturing has become prohibitive, especially with ever-shrinking technologies, and outsourcing the fabrication process to offshore – possibly unreliable – foundries has become the major trend. A foundry can then manufacture and sell additional ICs without authorization, referred to as overproduction. On the other hand, the increase in ICs’ complexity has made reuse-based design another major trend, with the purchase of Intellectual Property (IP) cores. A SoC designer can also use an IP in more ICs than the ones he/she paid the IP owner for, referred to as overuse.

In order to fight against such threats, an idea is to prevent any unauthorized user from using the ICs/IPs. A foundry has then nothing to gain by overproducing the ICs since unusable ICs cannot be sold on the black market. The principle is the same for a SoC designer wishing to use an IP more times than the number allowed by the requisite fees paid to the vendor. So-called Design-for-Security methods – modification/addition in the design flow – are of interest to achieve this purpose.

Logic locking is such a Design-for-Security technique. Its goal is to modify the behavior of ICs in such a way that they do not produce expected outputs unless they are properly activated using a new primary input, the secret key [14]. For this type of protection to be effective, an IC must behave in a sufficiently erroneous way upon the application of a wrong key value, so that it is not usable. Furthermore, an unauthorized user must not be able to easily retrieve the value of the key. Oracle-guided attacks have been proposed in the literature that aim at retrieving the secret key value by querying the locked netlist with chosen inputs and keys and comparing the outputs to the ones of an activated IC, called the oracle [49].

This paper surveys logic locking methods and attacks. A comparison is made according to various evaluation metrics. Secret key handling infrastructure (tamper-proof memory…) and related attacks are beyond the scope of this paper. However, the circuit activation procedure will be discussed in Section 2 for completeness with the proposed study.

The paper is organized as follows. In Section 2, a taxonomy of different obfuscation techniques is made, the threat model is detailed and a discussion is made about the activation procedure. Section 3 surveys logic locking methods and the first oracle-guided attacks proposed in the literature. Section 4 details one oracle-guided attack in particular, the SAT attack [56], which has been widely studied in literature. This section also reports on related countermeasures and attack improvements. Finally, Section 5 concludes on logic locking approaches with a discussion on their limitations and proposals for directions for future work.

Responsible Editor: B. Singh

* Sophie Dupuis [email protected]

¹ LIRMM, Université de Montpellier, CNRS, 161 rue Ada, Montpellier, France

Journal of Electronic Testing (2019) 35:273–291
https://doi.org/10.1007/s10836-019-05800-4


2 Background

2.1 Taxonomy

Numerous techniques have been developed over the past decade to fight against IP and IC infringement. A taxonomy of the different types of methods is presented in Fig. 1.

Logic locking consists in introducing extra gates in a design, called key-gates, and controlling them from secret extra input bits: the key [44, 45]. When the key value is "correct", the key-gates act as buffers and the IC operates properly. By contrast, the key-gates modify the behavior of the signals on which they are inserted when the key value is not valid. An example of XOR/XNOR insertion in ISCAS benchmark c17 is presented in Fig. 2. In this example, each key-gate acts as an inverter if the key bit driving it has the wrong value.

In the literature, many terms have been used to name this type of gate level hardware obfuscation technique. The most commonly used terms are logic locking, logic encryption and logic obfuscation, which have been used interchangeably [32]. More rarely, combinational locking has also been used [44]. It is proposed in [10] to differentiate two categories: logic masking and logic locking. On one hand, logic masking switches the expected value of a signal (using e.g. XOR/XNOR gates) in case of an invalid key bit. On the other hand, logic locking sticks a signal to a constant value (using e.g. AND/OR gates) in case of an invalid key bit, whatever the pattern applied on circuit inputs. Another subcategory has recently been proposed in [14], logic permutation, which inserts key-gates that shuffle the circuit’s signals instead of potentially changing their value.

In the remainder of this paper, we choose to use the term that has been widely adopted recently, logic locking. Logic obfuscation and logic encryption can indeed be confused with other meanings [10]. Besides, we choose not to make any differentiation between locking, masking and permutation, since, in the end, they all result in an erroneous behavior of the circuit upon the application of a wrong key value.

FSM locking, also occasionally called sequential logic locking as opposed to combinational logic locking, consists in augmenting a Finite State Machine (FSM) with a new set of states. The goal may be to modify the existing FSM and/or to form a pre-initialization state space that prevents the ICs from entering their functional mode unless a correct sequence is applied to the inputs. For example in Fig. 3, the circuit is in obfuscated mode upon power-up and a valid sequence of key values must be applied for the circuit to reach its normal mode. FSM locking can be performed at RTL level [6, 24] or at gate level [4, 5].

Camouflaging is performed at layout level. Its goal is to prevent reverse engineering. To do so, it consists in hiding the functionality of the standard cells by designing cells that perform different logic functions but look alike at layout level [30, 40]. Figure 4 presents two typical layouts of 2-input NAND and NOR gates that are easily recognizable by visual inspection thanks to the differences on the top metal layers. By contrast, their camouflaged counterparts cannot be distinguished because the metal layers seem identical. Unlike logic locking and FSM locking, camouflaging does not involve an explicit secret key.

Despite being different by nature, camouflaging and locking are closely related [64]. An attacker obtaining a camouflaged netlist from reverse engineering will indeed aim to circumvent the protection by discovering the functionality of the camouflaged gates (cf. Fig. 5). For the method to be effective, the netlist should produce erroneous outputs if an attacker assigns an arbitrary boolean function to each camouflaged cell, in the same way as if an attacker applies a wrong key value to a locked IC. Equivalent criteria and heuristics can therefore be applied to choose which cells to camouflage. Furthermore, the capabilities of the attacker are similar. He/She can indeed apply oracle-guided attacks to resolve the functionalities of camouflaged cells. Instead of trying a key value during each iteration, he/she tries a set of actual boolean functions for each camouflaged gate. Because of their similarities with logic locking methods/attacks, camouflaging methods/attacks will also be mentioned in this paper when relevant.

Fig. 1 Taxonomy of hardware obfuscation techniques [figure not reproduced; labels: CFG, gate level netlist, layout; locking, FSM locking, logic locking, logic masking, logic permutation, camouflaging]

Fig. 2 Logic locking on c17 benchmark (dotted lines/gates) [44, 45]. Circuit behaves as expected iff (k2, k1, k0) = 101 (k2 = 1 because the NAND gate driving the key-gate was changed into an AND gate) [figure not reproduced; signals: inputs i0–i4, outputs o0–o1, key bits k0–k2]

Fig. 3 FSM Locking (dotted lines/states) [4]. Circuit enters the normal mode only upon the application of key sequence {k1, k4, k7, k6} [figure not reproduced; labels: states S0–S9, key values k0–k7, obfuscated mode, normal mode]

2.2 Threat Model

Several threat models are covered by logic locking and FSM locking (cf. generic term locking in Table 1) [43]. The predominant scenario is as follows [65] (scenario 1):

• The designer is trusted.
• The manufacturer, test-facility and end-user are untrusted.
• The attacker is the manufacturer. His/Her goal is to overproduce the ICs, i.e. fabricate more ICs than ordered/authorized and possibly send them illegally on the black market [3]. In the case of a design on which locking has been applied, the attacker’s goal is to bypass the security measure, i.e. discover the value of the key for unlocking the ICs, thanks to reverse engineering and ad-hoc attacks.

Locking may nonetheless similarly be used to fight IP overuse, from the 3PIP vendor’s perspective [15] (scenarios 2 and 3). Besides, locking prevents the recovery of the functionality with reverse engineering, whether the attacker is the SoC integrator, the manufacturer or an end-user (scenarios 4 to 8).

Regarding camouflaging, the attacker is an end-user that obtains a fabricated IC and tries to perform reverse engineering to steal a design (scenario 9).

To carry out an oracle-guided attack, the attacker’s abilities are usually as follows. He/She has access to:

• The locked netlist, possibly obtained from reverse engineering of the GDSII, masks, or from an IC. The extreme difficulty of successfully completing this reverse engineering step, as well as the time required for the operation, are only rarely mentioned [36, 37].
• A functional IC – legally purchased and properly unlocked (activated). It is also rarely mentioned that this assumption may not be verified, in the case of ICs manufactured for non-commercial purpose, e.g. military equipment, or not yet available on the market because manufactured for the first time [37].

Besides, the attacker can distinguish regular and key circuit inputs in order to simulate the locked netlist with chosen data. The key bits are indeed the ones connected to a tamper-proof memory.

2.3 Metrics

Two types of metrics are of interest to evaluate a locking/camouflaging method: cost metrics and quality metrics (cf. Fig. 6).

Cost metrics refer to time to market (CAD effort for locking implementation), resulting IC’s performance (potential penalties on area, delay and power consumption of the resulting ICs) and impact on manufacturing test (testability/test coverage). This aspect, rarely mentioned in the literature, is further detailed in the next subsection since it is correlated with the activation procedure.

Quality metrics refer to the method’s efficiency in protecting the design. Regarding locking, they depend on the following criteria:

• The method should properly prevent an unauthorized user from using the locked IC. In other words, locked circuits should produce unexploitable outputs (i.e. good output corruption) upon the application of an invalid key value.
• Protected circuits should be resilient to attacks aiming at exposing the secret key value, i.e. should provide [55]:
  – Resilience against oracle-guided attacks comparing output values to the ones of an oracle,
  – Resilience against reverse engineering (an attacker cannot expose the key only by obtaining the gate-level netlist),
  – Resilience against side-channel analysis based attacks.
• The method may provide protection against other threats, such as Hardware Trojan insertion [59].

Fig. 4 Layouts of standard-cells and their camouflaged counterpart [40]. (a) NAND gate, (b) NOR gate, (c) camouflaged NAND gate, (d) camouflaged NOR gate [figure not reproduced]

Fig. 5 Camouflaging modeling at netlist level (dotted gates) [figure not reproduced; signals: inputs i0–i4, outputs o0–o1, gates G1, G4, G6, camouflaged gates marked "?"]

Regarding camouflaging, the attacker must not be able to manufacture new functional ICs from a reverse engineered netlist since the functionality of camouflaged gates is not known. To achieve this, outputs produced from a reverse engineered netlist with inaccurate camouflaged gates’ functionalities should sufficiently differ from outputs generated from the design under attack. In addition, the functionality of camouflaged gates should not be identifiable by attacks such as oracle-guided attacks either.

2.4 Activation Procedure: When and how?

Two different activation strategies have been proposed in the literature: activation prior to manufacturing test (referred to as pre-test activation) or after manufacturing test (referred to as post-test activation) [67] (cf. Fig. 7). The choice for one of these strategies usually depends on the business model of the design company, which may be fabless and must entrust manufacturing and post-production test to untrusted parties.

Although each step can be separately delegated to a third party, the two most used business models in the literature describe a retrieval of the ICs by the design company either after packaging or after the test procedure. In the former case, it is commonly assumed that activation is performed before test by an untrusted party (cf. top line of Fig. 7); in the latter case, the activation is performed post-test by the design company (cf. bottom line of Fig. 7).

This section first details security issues related to activation, if conducted by an untrusted party. When an untrusted party is in charge of the activation, activation must indeed be done without revealing the secret key value. Second, security issues related to the delegation of the test procedure to an untrusted party are also discussed. Last, the implications of pre-test activation and post-test activation strategies in terms of impact on test quality are described. In any case, activation and production test patterns are elaborated by the design company and must be provided to those in charge of performing the test procedure.

Activation by an untrusted party. Considering a locking method as described before, the key is identical for all ICs. Therefore, this key cannot be revealed to an untrusted party in charge of the activation, otherwise it would make the protection pointless since knowing the key of an IC would entitle the activation of other ICs. In order to provide a secure loading of the key, it has been proposed to combine locking with hardware metering, allowing at the same time IC differentiation after activation although the key that was defined by the logic locking method is the same for all produced ICs. Hardware metering, introduced in the early 2000s, provides the possibility to mark-then-track each individual IC manufactured from the same mask [25]. Hardware metering relies on extra functions implemented for unique and unclonable identification of each IC, typically using a PUF (Physical Unclonable Function). These extra functions are used to build a locking/de-locking mechanism being characteristic of each single IC.

Table 1 Attack scenarios and corresponding countermeasures

| Scenario | Party: 3PIP Vendor | Party: SoC Integrator | Party: Manufacturer | Party: End-user | Attack | Countermeasure |
|---|---|---|---|---|---|---|
| 1 | Trusted | Defender | Attacker | Untrusted | Overproduction | Locking |
| 2 | Defender | Trusted | Attacker | Untrusted | IP overuse | Locking |
| 3 | Defender | Attacker | Untrusted | Untrusted | IP overuse | Locking |
| 4 | Trusted | Defender | Attacker | Untrusted | Reverse engineering | Locking |
| 5 | Defender | Trusted | Attacker | Untrusted | Reverse engineering | Locking |
| 6 | Defender | Attacker | Untrusted | Untrusted | Reverse engineering | Locking |
| 7 | Trusted | Defender | Untrusted | Attacker | Reverse engineering | Locking |
| 8 | Defender | Trusted | Untrusted | Attacker | Reverse engineering | Locking |
| 9 | Untrusted | Untrusted | Defender | Attacker | Reverse engineering | Camouflaging |

Fig. 6 Cost and quality metrics to evaluate locking and camouflaging [figure not reproduced; labels: Cost: design cost (computation time), hardware footprint (in terms of area, delay and power consumption), impact on manufacturing test. Quality: output corruption, resilience to attacks (oracle-guided attacks, reverse engineering, side-channel analysis), resilience to additional threat]


Hardware metering can be used for proof of ownership of a particular IC or for preventing piracy and overbuilding since ICs are locked until the designer provides the unlocking sequence. Active metering approaches are distinguished according to the IC control access. Internal active metering refers to methods for which locks and lock’s controls are introduced in the design, while external active metering refers to methods for which de-locking control is achieved by an external cryptographic function.

For logic locking, an activation protocol has been proposed in [44, 45], based on public-key cryptography. Upon initial power-up, each IC generates its own unique random ID number, using e.g. a Physically Unclonable Function (PUF). The tester and the designer establish a secure link, based on public-key cryptography, so that the tester securely sends that ID to the designer, who sends back an activation key for that specific IC. An infrastructure generating a smaller area overhead is proposed in [38] (cf. Fig. 8) in which the – unique – response of a PUF is XORed with the key accessible to the user. The result of this operation must be the logic locking key value – not accessible to the user. The user key value is therefore also unique per IC.

For FSM locking, the PUF is used for diversity of power-up states [24]. The initial power-up state of the FSM in a particular IC is unique since determined by a PUF response to a given challenge. Then, a unique key sequence allows the FSM to transition from this power-up state to the functional reset state. The resulting FSM is called "Boosted FSM" (BFSM). Note that the set of extra states must be sufficiently large so that the probability to power-up an IC into a state of the original FSM is very low. The paths from any power-up state to the reset state must differ in at least one transition in the BFSM.

Manufacturing test by an untrusted party. Regarding possible attacks to discover the secret key value during the test procedure, pre-test activation and post-test activation must be differentiated.

Two attacks have been proposed to reveal the secret key of activated ICs in the case of pre-test activation. The first attack [67] consists in using an ATPG tool using pattern/response as constraints, the only unknown inputs being the key bits. The objective is to solve circuit equations in such a way that key bits result in the maximum fault coverage, assuming that test patterns have been developed under key constraint for maximum fault coverage. The second attack [36, 37] selects key bit values iteratively so that the selected values reduce the cumulative Hamming distance between the collected responses from the simulation and the expected ones known from the test sequence.

Similar attacks cannot be performed in the case of post-test activation, since the test is conducted in the absence of the key.

Test quality. It is necessary, in case of pre-test activation, to ensure that the activation does not lead to a decrease in fault coverage. The introduction of extra gates (typically XORs) and extra – stuck – key inputs may indeed introduce fault redundancy. Among others, stuck-at-"key bit value" faults are obviously not detectable, since they require setting the signals at ¬(key bit value), which is impossible due to pre-activation. Besides, stuck-at-"¬key bit value" faults, which require setting the key bit value on the key input, are redundant faults done thanks to pre-activation.

In case of post-test activation, fault coverage will not be affected if there is no constraint on the key values during ATPG. Assuming a structural test procedure with full controllability of primary and key inputs, ATPG allows a test generation where primary and key inputs are computed for maximum fault coverage and are not related to the valid key anymore. If key inputs are not controllable – because they are connected to a memory – a test key may be stored into the memory in addition to the activation key, or even several test keys, if needed for the ATPG to reach a high fault coverage.

Fig. 7 Activation protocols. Modified steps in dotted red lines, steps conducted by untrusted third-parties with a light grey background [figure not reproduced; labels: locked gate level netlist, physical synthesis, layout, fabrication, locked ICs, activation, test, packaging, ICs on the market; ATPG / constrained ATPG, test patterns/expected responses; pre-test activation, post-test activation]

Fig. 8 Infrastructure for key unification [38] [figure not reproduced; labels: PUF, challenge, response, user key (accessible to user), logic locking key (non accessible to user), key gate]


In case of post-test activation performed by an untrusted party, a hardware metering infrastructure is needed. The test procedure described before is not possible since each non-activated circuit responds differently. To counter this problem, a logic locking method was proposed in [36, 37] that allows testing locked ICs, even in the presence of a hardware metering infrastructure. The idea, as described in the next section, is that each IC responds correctly whatever the value of the key, for a predetermined set of test patterns.

3 Logic Locking

Logic locking has been widely investigated for a decade. After the original idea was proposed, many improvements were investigated, as described below.

3.1 Initial Proposal

In 2008, Roy et al. introduced the idea of embedding a so-called combinational locking mechanism into an IC to fight against overproduction [44, 45]. The method, called "Ending Piracy of Integrated Circuits" (EPIC), consists in embedding in the original circuit k key-gates controlled from a k-bit key. The key-gates are inserted randomly, avoiding critical paths. If a wrong key value is applied, all key-gates controlled from a wrong key bit invert the value of the signal on which they are inserted, leading to corrupted responses on the circuit’s outputs. The key-gates are XOR or XNOR gates, possibly coupled with inverters. Since the attacker doesn’t know if inverters have been inserted along with XOR/XNOR key-gates or if they were part of the original circuit, he/she cannot infer the value of the key bit to obtain the expected behavior.

This original proposal does not discuss the quality of the locking mechanism w.r.t. the ability to hide the expected behavior of the circuit. Furthermore, its ability to resist attacks lies in the complementary features for key differentiation (one key per device) and secure key settings (PUF, RSA). It will be seen later that the locking method alone is vulnerable to attacks. From there, logic locking methods have been improved, choosing insertion criteria and heuristics to insert key-gates at locations that benefit different quality criteria. The following subsections list works that have been proposed in the literature in order to improve logic locking according to the quality metrics presented in Fig. 6.

3.2 Improvement of Output Corruption

The first metric chosen to assess the quality of logic locking in terms of output corruption was the Hamming distance (HD) between the circuit’s outputs generated from the correct key and the ones produced from wrong keys. In other words, a wrong key should affect half of the output bits (i.e. 50% HD), for all input patterns. A small percentage of incorrect outputs indeed still allows approximate computing, which tolerates almost correct data processing [17]. The case of a large percentage of incorrect outputs is similar: all the outputs can be inverted before processing.

This criterion was first used in the context of logic locking in [2] by Baumgarten et al. They insert Look-up tables (LUTs) so that every path from an input to an output passes through a LUT. LUTs are inserted on signals that are highly observable near the middle of the paths between inputs and outputs.

Rajendran et al. use fault simulation techniques in [38, 41] to guide XOR/XNOR insertion. The proposed fault analysis based logic locking (FLL) uses a new insertion criterion called the fault impact. The fault impact of a gate in a circuit corresponds to the number of patterns that detect the stuck-at-0 fault at the output of this gate multiplied by the total number of output bits that get affected by that stuck-at-0 fault, plus the equivalent for stuck-at-1. The locations with the highest fault impact are iteratively chosen. A variant inserting multiplexers instead of XOR/XNOR gates is also proposed. To do so, one input of each MUX is the signal on which the MUX is inserted, the other input is another signal in the design, and the selection of the MUX is the key bit. Unlike XOR/XNOR insertion, no inverter is needed since the attacker cannot know which input signal of the MUX is the "right" signal. However, applying a wrong key will not always have an impact if both MUX input signals have the same value. The "fake" signal must be carefully selected so that the probabilities of having different values on both signals are maximized.
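The Hamming-distance metric and the fault-impact criterion described above, worked through on the c17 benchmark as an added example (not code from the paper or from the cited works). It takes fault impact as (patterns detecting stuck-at-0 × output bits affected) plus the same for stuck-at-1, ranks nets once instead of iteratively, and models a wrong key bit as an inversion of the net; the key-gate placements are constructed here and are not the placement of Fig. 2.

```python
from itertools import product

# ISCAS-85 c17: six 2-input NAND gates, in topological order,
# as (output net, input a, input b).
C17 = [
    ("N10", "N1", "N3"),
    ("N11", "N3", "N6"),
    ("N16", "N2", "N11"),
    ("N19", "N11", "N7"),
    ("N22", "N10", "N16"),
    ("N23", "N16", "N19"),
]
INPUTS = ["N1", "N2", "N3", "N6", "N7"]
OUTPUTS = ["N22", "N23"]
PATTERNS = list(product((0, 1), repeat=len(INPUTS)))  # all 32 input patterns


def simulate(pattern, flips=frozenset(), stuck=None):
    """Evaluate c17 for one input pattern.

    flips: nets inverted right after their driving gate, i.e. an
           XOR/XNOR key-gate whose key bit is wrong (assumed model).
    stuck: optional (net, value) pair forcing a stuck-at fault.
    """
    values = dict(zip(INPUTS, pattern))
    for out, a, b in C17:
        val = 1 - (values[a] & values[b])  # NAND
        if out in flips:
            val ^= 1
        if stuck is not None and stuck[0] == out:
            val = stuck[1]
        values[out] = val
    return tuple(values[o] for o in OUTPUTS)


def fault_impact(net):
    """(patterns detecting s-a-0 x output bits affected) + same for s-a-1."""
    impact = 0
    for stuck_value in (0, 1):
        detecting = affected = 0
        for pattern in PATTERNS:
            good = simulate(pattern)
            bad = simulate(pattern, stuck=(net, stuck_value))
            changed = sum(g != b for g, b in zip(good, bad))
            detecting += changed > 0
            affected += changed
        impact += detecting * affected
    return impact


def rank_nets():
    """Candidate key-gate locations, highest fault impact first."""
    nets = [out for out, _, _ in C17]
    return sorted(nets, key=fault_impact, reverse=True)


def hamming_distance_pct(key_nets):
    """Average output HD (%) versus the correct key, taken over every
    wrong key and every input pattern, with one key-gate per net."""
    diff = total = 0
    for pattern in PATTERNS:
        good = simulate(pattern)
        for wrong in product((0, 1), repeat=len(key_nets)):
            if not any(wrong):
                continue  # every key bit correct: this is the valid key
            flips = frozenset(n for n, w in zip(key_nets, wrong) if w)
            bad = simulate(pattern, flips=flips)
            diff += sum(g != b for g, b in zip(good, bad))
            total += len(OUTPUTS)
    return 100.0 * diff / total


if __name__ == "__main__":
    ranking = rank_nets()
    for net in ranking:
        print(net, fault_impact(net))
    print("HD, two highest-impact nets:", hamming_distance_pct(ranking[:2]))
    print("HD, two lowest-impact nets: ", hamming_distance_pct(ranking[-2:]))
```

With two key bits, the two highest-impact nets (N16, N11) give about 54.2% HD, while the two lowest-impact nets (N10, N19) give about 41.7%, further from the 50% target.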

Samimi et al. also iteratively choose the locations generating the highest HD in [46]. However, they use simulation data to evaluate the effect of each signal.

In [1], Alasad et al. propose to lock half of the outputs if a wrong key value is provided to obtain exactly a 50% HD. To do so, MUXes are inserted at the outputs of the circuit. The outputs and their complements are the inputs of the MUXes whereas the key bits are the selections. A process conceptually similar to a Hardware Trojan [59] is also inserted. If the valid key is provided, the Trojan is triggered and activates the circuit; otherwise, the MUXes invert half of the outputs. This method is costly in terms of additional logic. Furthermore, it does not appear to be safe against reverse engineering. An attacker having the netlist should indeed be able to easily find and remove all MUXes.

In [75–77], Zamanzadeh and Jahanian propose to scramble signal interconnections by inserting so-called Wire Scrambling cells (WS-cells). WS-cells are inserted by cutting several signals and are implemented using MUXes. The key bits are the selections of the MUXes that are required to connect correctly the inputs to the outputs (i.e. construct the original signals). An algorithm inserts WS-cells according to several criteria regarding the signals to choose: signals with multi connections and high toggle rates to cause more output variations and achieve 50% HD, signals in the middle of the circuit blending both good controllability and observability, not in a critical path, and on different paths. Experimental results show HD below 40%.

Colombier et al. propose to insert AND/OR gates in [9, 10] in order to block the primary output driven by each key-gate if the corresponding key bit is false. Starting from the outputs, the locking gates are inserted as deeply as possible in the logic, i.e. by maximizing the number of logic levels between the key-gate and the output. The number of logic levels that can be reached depends on the types of the gates. The locking value of a gate (e.g. ‘0’ for the AND gate) must be the same as the output of the preceding gate, if this one is locked (e.g. ‘0’ for the AND gate). This method is not resilient against reverse engineering because the use of AND/OR gates allows an attacker having the netlist to deduce the value of each key bit from the type of the inserted gate.

To evaluate the quality of the method, the authors propose not to use the HD but a new metric including, amongst others, the number of outputs spanned by the key-gates, which should be as high as possible so that one key-gate locks as many outputs as possible. This criterion is less precise, but less computationally expensive than the calculation of the HD.

3.3 Resilience to Oracle-Guided Attacks

Rajendran et al. proposed the first oracle-guided attack, the sensitization attack [39, 68]. In the proposed attack, the attacker searches for specific input patterns that sensitize each of the key bits to an output without being masked or corrupted by other key bits. To do so, the other key bits have to be muted. By applying these patterns to the functional IC, the correct key bit can be observed. This attack is known as the key sensitization attack because it is conceptually similar to the sensitization of a fault allowing its observation on primary outputs.

A similar attack is proposed against camouflaging in [58]. The two-step attack first finds the patterns needed at the input of each camouflaged gate to determine its functionality. Then an ATPG tool is used to generate the input patterns that produce the appropriate patterns at the input of the camouflaged gates and propagate the effect to the outputs.

In order to be resilient against the proposed attack, Rajendran et al. propose the Strong Logic Locking (SLL) method that prevents an attacker from searching for specific input patterns that sensitize each of the key bits to an output without being masked or corrupted by other key bits. In order to prevent the propagation of one key bit to an output, the proposed idea is to insert key-gates with complex interferences among them. XOR/XNOR gates are inserted by maximizing non-mutable key-gates, i.e. key-gates inserted so that neither of the key bit values can be muted to propagate the other one. Such key-gates placement therefore forces an attacker to use a brute force attack. To do so, a first part of the key-gates is inserted, either randomly (referred to as Strong logic Locking with Random Initialization, SLRI) or by choosing the outputs of gates that converge with many other gates (referred to as Strong logic Locking with Judicious Initialization, SLJI). Then, the remaining key-gates are inserted iteratively, maximizing non-mutable connections.

Note that a similar attack/countermeasure study is proposed in the case of camouflaging in [40].

Even with the previously proposed insertion method, key-gates may still be inserted in such a way that they form several logic cones. In order to prevent an attacker from applying a brute force attack iteratively to each logic cone, it is proposed in [26] to improve logic cones overlap. To do so, MUXes are inserted to cut a signal (i.e. the signal is connected on one input and the output) located in the logic cone with the fewest number of key bits. Then, the second input is connected to a signal with either a high number of gates in its logic cone or in a logic cone with the largest number of key bits.

Plaza and Markov proposed a second oracle-guided attack, called the hill-climbing attack [36, 37]. In this attack, a random key value is iteratively improved – a randomly selected bit is toggled – using hill-climbing search in order to reduce the cumulative HD between the collected responses from simulation and the expected ones known from the test sequence. This attack is successful on random key-gate insertion but not on insertion with interferences [39].

Plaza and Markov also propose so-called test-aware logic locking to prevent this attack. The proposed method allows performing functional test on non-activated ICs. To do so, the locked IC behaves correctly for the test patterns belonging to the test sequence and behaves erroneously for all the other patterns. MUXes are inserted with a key bit as selection allowing a choice between a signal and a signal that has the same logic signature, i.e. the same behavior with the test patterns chosen, but not with random patterns. Such a method generates a very low output corruption. Furthermore, as already mentioned, this method is of interest only in some activation scenarios.

In [21], Karmakar et al. propose to take into account the two above-mentioned security criteria: output corruption and interference. The proposed method is composed of two phases. First of all, a majority of the key-gates are inserted choosing the ones with the highest fault impact. To prevent the sensitization of each key bit as described before, a second key-gate is inserted if no key-gate is present in the input cone of the succeeding gate of each inserted key-gate. Second, a so-called dependency block is inserted, which is fed with the keys, and that produces highly dependent keys. The key-gates are consequently not fed by the actual key bits but by the highly independent key bits produced by the dependency block. However, the dependency block generates a large area overhead, increasing by a ratio of about three the method’s overhead.


The same authors propose two variants in [19, 20]. In [19], the dependency block consists of a scrambling unit, two circular registers and a key distribution unit. In [20], there is no dependency block. The three-step pruning process excludes key-gate locations. The first step aims to withstand the logic cone based attack, the second one ensures good output corruption and the third one ensures dependency between key-gates.

Similarly with regard to camouflaging, it is proposed in [58] to camouflage gates that meet two criteria. First, the gates must be both hard-to-control and hard-to-observe to make the task of an ATPG-based attack more complicated. Second, the gates must span as many outputs as possible. Such gates are likely to produce high HD.

In [22], Karousos et al. propose so-called Weighted Logic Locking (WLL), in which each key-gate is controlled by two key bits instead of one as usual. As a consequence, assuming a random key value, each key-gate modifies the behavior of the circuit for three of four possible values. The goal is to increase the impact of the key-gates on the outputs. This concept can be extended to three or four key bits per key-gate to accentuate the desired effect. To do so, AND/NAND gates are used along with XOR/XNOR gates. The location of each XOR/XNOR gate is chosen according to an improvement of the fault impact [38, 41] in which checks are made not to affect the same output several times and to avoid runs of key-gates. In addition, in order to reduce the execution time, the simulation required to calculate the fault impact is made with fewer patterns. Then, AND/NAND gates are added upstream of the XOR/XNOR gate and connected to two key bits. The insertion algorithm inserts for each key-gate a new key bit and randomly chooses the second key bit between already existing key bits. This algorithm could be improved to ensure the interdependency between all key bits. If interdependency between key bits equal to that of [21] can be reached, it could be done at a lower cost regarding extra cost in area. As in [39, 68], this method prevents an attacker from sensitizing each of the key bits to an output without being masked or corrupted by other key bits. Since every key bit is used for at least two key-gates, key bits interfere with each other. However, the use of AND/NAND gates makes this method non-resilient against reverse engineering.

3.4 Resilience to Hardware Trojan Insertion

Several logic locking methods have been proposed as Design-for-Hardware-Trust methods. The goal is in that case to counteract (also) Hardware Trojan insertion in an untrusted foundry.

In [11], Dupuis et al. introduced the idea of using logic locking to counteract Hardware Trojan insertion. Since Trojans are supposed to be controlled by low controllable signals to be triggered by a stealthy condition [59], the authors use the key-gates to control low controllable signals and force them to their low controllable values. The goal is to make the task much more difficult for an attacker who wants to create a stealthy triggering condition. To do so, controllabilities are computed and AND/OR gates are inserted based on these values.

Two improvements of [11] are proposed in [31, 47]. In [47], Samimi et al. iteratively insert XOR/XNOR gates, computing new controllabilities during each iteration. Marcelli et al. also insert XOR/XNOR gates in [31] using a multi-objective evolutionary algorithm to not only minimize low controllable signals but also reach 50% HD.

Nejat et al. also propose to use logic locking against Hardware Trojan insertion in [33–35] by using it to improve detection methods based on path-delay analysis. Based on the fact that the delays of shorter paths vary less than the ones of long paths, XOR/XNOR gates and MUXes are inserted in order to generate short paths for signals that belong to long paths only.

3.5 Summary on Logic Locking Methods

In addition to the example of XOR/XNOR insertion presented in Fig. 2, Fig. 9 summarizes several logic locking methods on the same benchmark: using multiplexers (cf. Fig. 9a), a partial wire scrambling cell (cf. Fig. 9b) and finally, XOR/XNOR gates combined with AND/NAND gates to maximize interference between key bits (cf. Fig. 9c).

The key sensitization attack on the locked circuit of Fig. 2 operates as follows.

• To sensitize key bit k0 and observe its value on output o0, the output of gate G1 must be set to 0 and the output of gate G3 must be set to 1. That way, o0 = not k0. To force G1’s output to 0, both inputs i0 and i1 must be set to 1. To force G3’s output to 1, either input i2 must be set to 0 or inputs i1 and i3 must be set to 1. A possible input pattern is i4i3i2i1i0 = 00011.

• To sensitize key bit k1 and observe its value on output o1, the output of the added XOR driven by key bit k2 must be set to 1, which is impossible without controlling k2. This example therefore shows how so-called strong logic locking can be resilient against the key sensitization attack.

The hill climbing attack on the same circuit operates as follows. Consider the truth table in Table 2 of the locked circuit of Fig. 2. In this table, all input combinations and possible key values are presented. The columns highlighted in dark grey show the correct output values and the corresponding good value of the key (K = 5).


• Assume that the initial random key tried by the algorithm is K = 000. The corresponding HD between correct and erroneous outputs is 62%.

• A random bit of the key value is flipped; the second key value to be tried is e.g. K = 100, leading to HD = 31%.

• Another random bit is flipped, leading to K = 110 and HD = 62%; the last flip is cancelled and K = 100.

• A last flip leads to K = 101 and HD = 0%. The right key value is discovered.

Table 3 sums up the main insertion criteria of logic locking methods along with their performance against evaluation metrics.

To assess the quality of the output corruption, a widely chosen metric is the Hamming distance between the circuit’s outputs generated from the correct key and the ones produced from wrong keys. The most used insertion criterion to reach 50% HD is the fault impact [22, 38, 41]. Variants are based on simulation data [46] and the number of outputs spanned by a key-gate [9, 10], which are less expensive in terms of computation time but give less accurate results. However, the truth table of Table 2 shows that the average Hamming distance over all outputs and all test patterns may not be a relevant metric. A 62% HD can e.g. be obtained (column K = 0 in Table 2), which can be considered good because it is close to 50%, whereas, looking in more detail, each pattern affects either no output or all, which is not desired. A more accurate metric should ensure that the Hamming distance is close to 50% for each pattern. One should notice that the fault impact criterion seeks to maximize both the number of outputs impacted by a key-gate and the number of patterns.
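The gap between the average HD and the per-pattern HD can be measured directly. The following is an added example, not code from the paper: both toy circuits, their names and their key values are constructed, and they only illustrate that two key-gate placements with the same 50% average can have very different per-pattern profiles.

```python
from itertools import product


def xor_on_shared_signal(x, key):
    """Constructed circuit A: one XOR key-gate on an internal signal feeding both outputs."""
    a, b, c = x
    s = (a ^ b) ^ key[0]           # key-gate on internal signal s; correct key bit is 0
    return (s & c, (s ^ 1) & c)    # both outputs depend on s and are gated by c


def xor_on_one_output(x, key):
    """Constructed circuit B: same function, XOR key-gate placed on output o0 only."""
    a, b, c = x
    s = a ^ b
    return ((s & c) ^ key[0], (s ^ 1) & c)


def hd_per_pattern(locked, n_inputs, correct_key, wrong_key):
    """Fraction of output bits that differ from the correct response, per input pattern."""
    profile = []
    for x in product((0, 1), repeat=n_inputs):
        good = locked(x, correct_key)
        bad = locked(x, wrong_key)
        flipped = sum(g != b for g, b in zip(good, bad))
        profile.append(flipped / len(good))
    return profile


def summarize(locked, n_inputs, n_key, correct_key):
    """Average HD over all wrong keys and patterns, plus two per-pattern indicators."""
    values = []
    for key in product((0, 1), repeat=n_key):
        if key != correct_key:
            values.extend(hd_per_pattern(locked, n_inputs, correct_key, key))
    return {
        "average_hd": sum(values) / len(values),
        # share of (wrong key, pattern) pairs that corrupt no output bit or all of them
        "all_or_nothing_share": sum(v in (0.0, 1.0) for v in values) / len(values),
        # largest distance of any single pattern from the 50% target
        "max_deviation_from_50": max(abs(v - 0.5) for v in values),
    }


if __name__ == "__main__":
    for name, circuit in (("A", xor_on_shared_signal), ("B", xor_on_one_output)):
        print(name, summarize(circuit, n_inputs=3, n_key=1, correct_key=(0,)))
```

Both circuits report an average HD of 50%, but in circuit A every pattern corrupts either none or all of the outputs, while in circuit B every pattern corrupts exactly half of them.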

To assess resilience against oracle-guided attacks, a widely chosen metric is the interference between the key-gates [19, 21, 22, 26, 39, 68]. To quantify this metric, the clique size can be used, a clique being a subset of key bits that cannot be sensitized individually. Three types of interference have been proposed. First, key-gates can be inserted at specific locations to maximize the interferences among them (cf. key bits k1 and k2 in Fig. 2) [39, 68]. Second, key-gates can be driven by several key bits instead of one and each key bit can drive several gates (cf. Fig. 8c) [22]. Third, a block can be inserted upstream of the key-gates to maximize the interference between key bits [19, 21]. This solution has the disadvantage of being more expensive and potentially susceptible to a structural attack; an additional block may be identified and disabled/removed.

Table 2 Locked circuit’s behavior for different key values

Fig. 9 Examples of logic locking mechanisms (dotted lines/gates): (a) circuit locked with multiplexers that behaves as expected iff (k1, k0) = 10, (b) circuit locked with a wire scrambling cell that behaves as expected iff (k3, k2, k1, k0) = 1100, (c) circuit locked with XOR/XNOR/AND/NAND gates that behaves as expected iff (k2, k1, k0) = 111

To assess resilience against key retrieval thanks to reverse engineering, XOR/XNOR gates or multiplexers have to be used, not AND/OR/NAND/NOR gates. Such gates indeed make it possible to deduce the value of the key by knowing the type of the gate.

Last, some methods may provide measures against threats other than overproduction. For example, to protect ICs against HT insertion, signals’ controllabilities can be balanced.

Side-channel security is not mentioned in Table 3 since this type of attack has hardly been examined so far. Yasin et al. evaluated for the first time in [66] the security of logic locking techniques against side-channel attacks. They proposed a differential power analysis attack that managed to reveal 70% (resp. 50%) of the key bits for 50% (resp. 25%) of the benchmarks locked with random insertion (resp. insertion maximizing interference). More recently, Chakraborty et al. proposed the template analysis attack [7] that produces better results.

4 Logic Locking Resilient to SAT-Based Attacks

As presented in Subsection 3.3, the first proposed attacks can be counteracted with appropriate countermeasures. In contrast, the Boolean satisfiability-based attack presented in this section, referred to as the SAT attack, does not have any effective countermeasure so far. While several attempts have been proposed to prevent such an attack, SAT improvements have been regularly proposed to counteract these proposals, as detailed in this section.

4.1 The SAT Attack

The SAT attack, proposed by Subramanyan et al. [56], uses a SAT solver to rule out wrong keys using so-called distinguishing input patterns (DIPs), i.e. patterns that result in different outputs for two different keys. To do so, the attack needs a locked gate-level netlist, possibly obtained by reverse-engineering, and an activated functional chip to use as an oracle. The netlist must first be modeled as a Boolean function. Note that the authors assume that sequential circuits can be processed as long as all flip-flops are fully controllable and observable. The SAT attack solves a set of SAT formulas to iteratively find DIPs. Using the oracle, these DIPs then allow a subset of wrong key values to be ruled out. The algorithm stops when no more DIPs can be found.

Table 3 Logic locking methods / Metrics matrix

Logic locking methods: key-gates type / Insertion criteria
Metrics: Cost metrics | Quality metrics
Computation time | Area | Delay | Output corruption | Functional security* | Structural security | Additional threat

XOR, XNOR / random [44, 45] ✓ ✓ ✗ ✗ ✓
XOR, XNOR / Fault impact [38, 41] ✗ ✗ ✓ ✗ ✓
MUX / Fault impact [38, 41] ✗ ✗ ✗ ✓ ✗ ✓
XOR, XNOR / Simulation data [46] ✓ ✗ ✓ ✗ ✓
WS-cells / Toggle rates [75–77] ✓ ✗ ✓ ✓
XOR, XNOR / Interference [39, 68] ✓ ✓ ✓ ✓
XOR, XNOR + dependency block / Fault impact [21] ✗ ✗ ✓ ✓ ✓ ✓
XOR, XNOR, AND, NAND / Improved Fault impact [22] ✓ ✗ ✓ ✓ ✓
AND, OR / Output blocking [9, 10] ✓ ✗ ✓ ✗ ✗
AND, OR / Controllability [11] ✓ ✓ ✗ ✗ ✗ HT
XOR, XNOR / Controllability [47] ✗ ✓ ✗ ✗ ✓ HT
XOR, XNOR / Controllability [31] ✗ ✓ ✓ ✗ ✓ HT
XOR, XNOR, MUX / Long paths [33–35] ✓ ✓ ✓ ✗ ✓ HT

✓ Denotes that the metric is the primary goal of the insertion criterion
✗ Denotes that the insertion criterion has poor results regarding the metric
An empty case denotes that the metric is not taken into account
* Against the oracle-guided attacks proposed initially

Referring back to the locked circuit of Fig. 2 and the truth table of Table 2, the SAT attack operates as follows:

• Assuming that the first iteration finds i4i3i2i1i0 = 00100 as the first DIP, key values 6 and 7 are ruled out,

• Assuming that the second DIP is i4i3i2i1i0 = 11101, key values 2 and 3 are ruled out,

• Assuming that the third DIP is i4i3i2i1i0 = 10011, key values 0 and 4 are ruled out,

• Assuming that the fourth DIP is i4i3i2i1i0 = 11011, key value 1 is ruled out,

• No more DIP is found, and the correct value K = 5 is found.

Note that the attack could have been achieved more quickly if the first DIP had been i4i3i2i1i0 = 11011. In that case, only one iteration would have been sufficient.

In 2015, this attack broke all previously proposed logic locking methods. Similar SAT-based attacks were concurrently proposed to defeat camouflaging [12, 29, 74].

Since the release of this attack, numerous protections have been proposed. This trend was accompanied by improvements in the attack aimed at defeating proposed protections. Both protections and attacks are detailed in the following subsections. The insight of the first kind of protection is to prevent the SAT solver from being launched by preventing the locked netlist from being modeled as a combinational acyclic Boolean function. The insight of the second kind of protection is to increase the SAT attack computation time, either by increasing the time to compute each iteration (i.e. solve the SAT formulation to find a DIP) or the number of iterations needed (i.e. the number of DIPs needed to rule out all wrong key values).

4.2 Preventing Circuit Modeling for the SAT Solver

To prevent the SAT attack from being launched, Shamsi et al. propose in [50] so-called cyclic obfuscation. Cyclic obfuscation consists in adding dummy paths in the locked netlist, in order to create feedback cycles, as shown in Fig. 10. However, no experiment shows that the SAT attack is thwarted; only a theoretical analysis is proposed.

To counteract cyclic obfuscation, Zhou et al. propose a variant of the SAT attack in [78]. In CycSAT, a new condition is added, postulated as a conjunctive normal form, which is that there is no cycle in the circuit if the right key is applied. Experimental results show that CycSAT successfully breaks cyclic obfuscation [50] whereas the SAT attack gets caught in an infinite loop for 19 out of 21 benchmarks. Note that the SAT attack succeeds for the other two benchmarks. As demonstrated in [78], there are several types of cyclic obfuscations and the SAT attack can manage some of them.

One of the goals of the dependency block inserted in [19] is also to prevent the SAT attack from being launched. To do so, the dependency block contains a sequential element – two circular registers – that is created using other logic gates than flip-flops. The insight is to prevent flip-flops from being replaced by scan flip-flops and therefore to thwart the conversion of the sequential circuit into a combinational circuit. However, the area overhead of the dependency block is significant compared to the overhead of key-gates only.

An attempt at expanding SAT attacks to sequential circuits without scan chain access has recently been proposed to defeat camouflaging [13]. The attack unrolls the sequential design and uses a model checker. However, the attack is extremely time consuming (from a matter of minutes for 32-bit keys to more than 3 h for 256-bit keys) and the attack does not succeed for all benchmarks.

4.3 Increasing SAT Computation Time

As already mentioned, the first way to increase SAT computation time is to increase the time to solve the SAT formulation at each iteration. To do so, Yasin et al. propose in [68] to connect the inputs of the key-gates to the output of a one-way random function such as an AES (with a fixed key). However, not only does an AES circuit result in a significant area overhead, but the AES may also be found and removed.

The second way to increase SAT computation time is to increase the number of iterations needed by SAT. To do so, two low output corruptibility blocks are proposed: Anti-SAT by Xie and Srivastava [60] and SARLock by Yasin et al. [69]. The insight is that the worst case for the attack is when every DIP can rule out only one key, i.e. for each input pattern, only one wrong key produces a faulty output. In that particular case, the attack effort grows exponentially with the size of the key.
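A designer can measure this worst case by counting how many DIPs a lock forces before only the correct key remains. The following is an added example, not code from the paper or from [56]: it replaces the SAT solver of Section 4.1 with exhaustive search, which is only feasible at this toy size, and both circuits, their names and their correct keys are constructed.

```python
from itertools import product

XOR_CORRECT = (0, 0, 0)     # constructed correct key of the XOR-locked toy circuit
POINT_CORRECT = (1, 0, 1)   # constructed correct key of the point-function toy circuit


def xor_lock(x, k):
    """Traditional XOR key-gates: a wrong key bit corrupts an output for every pattern."""
    return (x[0] ^ k[0], (x[1] & x[2]) ^ k[1], (x[0] | x[2]) ^ k[2])


def point_lock(x, k):
    """Low output corruptibility: the output flips only when the input equals a wrong key."""
    original = x[0] ^ (x[1] & x[2])
    flip = int(x == k and k != POINT_CORRECT)
    return (original ^ flip,)


def find_dip(locked, n_inputs, candidates):
    """Return an input on which at least two remaining candidate keys disagree, or None."""
    for x in product((0, 1), repeat=n_inputs):
        if len({locked(x, k) for k in candidates}) > 1:
            return x
    return None


def prune_keys(locked, n_inputs, n_key, correct_key):
    """Run the DIP loop; return [(dip, keys ruled out by it), ...] and the surviving keys."""
    candidates = list(product((0, 1), repeat=n_key))
    history = []
    while True:
        dip = find_dip(locked, n_inputs, candidates)
        if dip is None:                       # no DIP left: all survivors are equivalent
            return history, candidates
        expected = locked(dip, correct_key)   # oracle query on the activated chip
        survivors = [k for k in candidates if locked(dip, k) == expected]
        history.append((dip, len(candidates) - len(survivors)))
        candidates = survivors


if __name__ == "__main__":
    for name, lock, key in (("xor", xor_lock, XOR_CORRECT),
                            ("point", point_lock, POINT_CORRECT)):
        history, left = prune_keys(lock, 3, 3, key)
        print(name, "DIPs:", len(history), "ruled out per DIP:",
              [n for _, n in history], "surviving keys:", left)
```

With a 3-bit key, the XOR-locked circuit is resolved by a single DIP that rules out all seven wrong keys, whereas the point-function lock needs seven DIPs that rule out one wrong key each.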

The Anti-SAT block [60] (cf. Fig. 11a) is composed of two sub-blocks that share the same inputs (highly independent internal signals of the circuit) and are locked with different keys. The output of the block is connected with a XOR gate to an internal signal of the circuit that strongly impacts the functionality of the circuit. That way, the block locks the circuit unless the correct keys are applied to both sub-blocks. To prevent a removal attack, the block is locked with a second key. Furthermore, MUXes are used to increase the connectivity between the block and the initial circuit. One input of each MUX is connected to a signal in the circuit, the other input is connected to a signal in the block while the selection is a third key. Experimental results show that, considering a timeout of 10 h, the SAT attack is defeated.

Fig. 10 SAT protection (dotted lines/gates): Cyclic locking [50]

The SARLock block [69] (cf. Fig. 11b) consists of a mask that allows a comparator to flip some outputs for specific input patterns and wrong keys.

Both methods generate a very low Hamming distance between wrong and correct outputs; it is therefore also proposed to couple them with a traditional logic locking technique. In that case, a first part of the key bits is dedicated to the protection and a second part to the locking technique. When the key bits dedicated to the locking technique are correct, the protection technique operates as usual, i.e. only one incorrect key can be ruled out. On the contrary, when the key bits dedicated to the locking technique are incorrect, multiple incorrect keys can be ruled out. As a consequence, the key bits dedicated to the locking technique add only a small number of necessary DIPs. The protection depends on the number of bits in the key dedicated to it specifically.

The same type of protection was developed in parallel in the case of camouflaging [57].

An example of Anti-SAT is shown in Fig. 12. One key bit (k0) is dedicated to a classical locking method whereas the two other bits (k1 and k2) are dedicated to Anti-SAT. The two sub-blocks share the internal signal as input and the block is connected to another signal thanks to an added XOR gate. Table 4 shows the corresponding truth table:

• The correct value of k0 is 1 and k1 and k2 must be equal so that the Anti-SAT block has no effect. Two key values are therefore correct: K = 1 and K = 7 (columns highlighted in dark grey). In the case of n key bits associated with Anti-SAT, 2^(n/2) key values would be correct.

• For key values K = 3 and K = 5 (columns highlighted in light grey), k0 – which is not part of the SAT protection – is correct and k1 and k2 are not since they are not equal. For these two values, only one of the two values can be ruled out at each iteration. In other words, there is no pattern that rules out both values. In the case of n key bits associated with Anti-SAT, only 1 key value among all wrong key values (2^n - 2^(n/2)) could be ruled out at each iteration.

• Since k0 is not part of the SAT protection, all even key values (the correct value of k0 is 1) are not correct and can be ruled out by the SAT attack in parallel to K = 3 or K = 5.

Fig. 11 SAT protections (dotted lines/gates): (a) Anti-SAT [60, 62], (b) SARLock [69], (c) TTLock [72]

Fig. 12 Example of Anti-SAT protection (dotted lines/gates)

Table 4 Locked circuit’s behavior with Anti-SAT for different key values

To counteract these low output corruptibility blocks, two new types of attacks were developed: approximate attacks and removal attacks [65].

Approximate attacks aim to find “an almost correct key”, i.e. a key value for which output corruption is very low. These methods are based on the fact that the key is split into two parts: some bits dedicated to the SAT protection and the other bits dedicated to a traditional locking technique. Their goal is then to discover the value of the key bits dedicated to the classical locking technique used along with the protection technique. The key bits dedicated to the protection technique generate a very low output corruption when they are not correct, so they are not taken into account. Therefore, an approximate key is found, which is supposed to generate a low output corruption.

Shamsi et al. propose the Approximate deobfuscation attack based on the SAT attack (AppSAT) in [51] to counteract Anti-SAT. AppSAT returns an approximately correct key thanks to random queries and intermediate error estimation. Experimental results show that the key is discovered for 68 out of 71 benchmarks.

Shen and Zhou propose in [52] the Double DIP SAT-based attack to counteract SARLock. The method finds, during each iteration, a DIP that differentiates at least two wrong keys (instead of one usually), in order to make sure to exclude wrong keys concerning the traditional logic locking technique. It is based on the fact that if a pattern excludes only one key value, this key value is wrong regarding the SAT protection only, which is not of interest to find and rule out.

Recent experiments have shown that this kind of attack was actually far from being effective [53]. These experiments show that the output corruption when applying the key returned by approximate attacks is not better (i.e. not lower) than that obtained when applying a random key. This is true provided there is a good chance that a random key value matches a wrong value of the SAT protection. This type of attack is therefore of interest in the opposite case, if there is little chance that a random key value corresponds to a false key value of the SAT protection, hence if the number of key bits dedicated to the protection is very small with respect to the number of key bits dedicated to traditional locking. At the same time, the protection is inefficient if only a few key bits are dedicated to it.

Removal attacks aim to discover the SAT protection block to remove or circumvent it.

The AppSAT Guided Removal attack (AGR) combinesAppSAT with a structural analysis of the locked netlist toremove Anti-SAT [70]. Firstly AppSAT is used to determine

the values of the key bits dedicated to the traditional lockingtechnique. Then, a structural analysis of the Anti-SAT block,from its inputs to its output allows discovering the last gate ofthe block.

The Signal Probability Skew [70, 71] (SPS) attack man-ages to identify the output of the Anti-SAT block and thereforeremove the block. To do so, the probability skew of a signal isdefined, based on the probabilities of the signal to be 1 or 0.The gate producing the output of the Anti-SAT block is found;this specific gate exhibits indeed its two inputs with the mostopposite skew values, which distinguishes it from the rest ofthe circuit. SPS manages also to find the SARLock block.However, SPS may be thwarted by the logic locking methodadded to the Anti-SAT block and the MUXes inserted forgreater connectivity.

Similarly regarding camouflaging, the same authors propose the sensitization guided SAT (SGS) attack that breaks ATI.

The Bypass attack uses a bypass circuitry that enables the circuit to function properly, even upon the application of a wrong key [63]. The idea is to feed the circuit with a wrong key while using the bypass circuitry to flip the outputs upon the application of the DIPs that rule out this specific key. The area overhead of the added circuitry is linear in the number of DIPs to bypass, i.e. the DIPs that generate flips in the outputs for the chosen wrong key, and in the number of output bits flipped by these DIPs. This attack is efficient against Anti-SAT and SARLock, even coupled with a traditional logic locking technique. In this last case, a preliminary phase consists in searching for a wrong key that is dedicated to the SAT protection. To do so, an approximate attack is performed. One should notice that this attack does not remove the circuitry dedicated to the protection but rather adds circuitry. Unlike other attacks, this attack modifies the masks of the circuit in a potentially significant way, which is time consuming, far from being trivial, and potentially visible to the designer.

The bit-flipping attack proposes a novel algorithm to separate the two types of key bits before applying SAT on the key bits that are dedicated to the traditional locking technique and the bypass attack on the key bits that are dedicated to the SAT protection [54]. Experimental results show that the attack manages to discover the key bits dedicated to the locking procedure for 81% of the benchmarks within a few minutes. However, no experiment compares this new algorithm with the bypass attack, which already found the values of the key bits dedicated to the locking technique before applying the bypass circuitry.

Anti-SAT is improved in [62] using design withholding and wire entanglement to prevent AGR and SPS attacks. Withholding consists in replacing a portion of the design by LUTs. The goal is to hide the functionality and implementation detail of the added block. Entanglement uses a MUX-based network to entangle some signal interconnections. The goal is to obfuscate the interconnection between the block and the circuit. These added features increase the overhead of the method and provide security against removal attacks, not approximate attacks.

TTLock is an improvement of SARLock that prevents a removal attack [72]. TTLock not only adds a comparator to modify the outputs at the proper time, but also modifies the circuit and adds restore logic (cf. Figure 11.c). The circuit behaves exactly as with SARLock, i.e. for each pattern, only one wrong key can be ruled out. The difference with SARLock lies in one secret pattern (randomly chosen), for which all wrong keys generate a wrong output. The modification of the circuit results in the inversion of the output upon the application of the secret pattern, and the restore unit fixes the output for the correct key and introduces a second inversion for a second pattern for wrong keys. Thanks to the modification of the circuit, even if the additional block is found and removed, the remaining circuit is not the initial one and cannot function properly without this restore logic. Experimental results show that, considering an 18-bit key and a timeout of 48 h, most SAT attacks are defeated.

TTLock is then extended in [73]. The method, called Stripped-Functionality Logic Locking (SFLL), not only handles multiple partially specified secret patterns but also allows the user to specify these input patterns. This comes with a cost: 28% (resp. 8%) area overhead for midsize (resp. larger sized) circuits (~10 K gates, resp. >100 K gates).

The implementation cost of SFLL is reduced in [48] thanks to an automated framework that explores design options using fault injection driven synthesis.

To the best of our knowledge, no counterattack has yet been proposed. However, SFLL could still be subject to improvements since it may be broken in certain cases, e.g. when the attacker is fortuitous enough to find one of the secret patterns used by the method. The protection provided is proportional to the number of secret patterns. But at the same time, the more secret patterns, the greater the chance that the attacker will find one (and thus break the attack).

The tree-based logic locking presented in [8] consists of three steps. Firstly, it detects AND (resp. OR) trees in the circuit and adds a duplicated tree with key-gates to the leaves of the trees. Then, the two trees are connected to an OR (resp. AND) gate. This first step increases the number of DIPs required because, with such a structure, each DIP can rule out only one key. Second, XOR/XNOR gates are densely inserted into the circuit to complicate SAT solving and thus to increase the time to find one DIP. Last, OR (resp. AND) gates are inserted to add redundancy between the original and duplicated trees to prevent the removal attack. Experimental results show that, with 5% (resp. 50%) of area overhead, 7 (resp. 11) benchmarks out of 21 are not successfully attacked by SAT considering a time limit of 1 h.

Similarly in the case of camouflaging, Li et al. propose the ATI technique that camouflages the inputs of AND-trees in the circuit [28].

A study on the effects of SAT-based attack parameters, such as variable ordering, initial constraints and the phase heuristics, has shown that an AND tree structure does not improve resilience against the attack in all cases [18].

4.4 Summary on SAT-Based Attacks and Protections

Table 5 sums up SAT protection methods along with their resilience/vulnerability to attacks. Several directions have been explored: preventing the attack from being launched, increasing the number of iterations needed by the attack to succeed and increasing the time to perform one iteration.

In order to prevent the attack from being launched, cyclic obfuscation creates loops [50]. However, not only can SAT be able to attack such a circuit in particular cases, but also a variant of SAT has been proposed to counterattack the method. The sequential dependency block inserted in [19] is also said to prevent the SAT attack from being launched. The SAT attack is indeed only applicable to combinational circuits. Sequential circuits can be handled only by being converted into combinational circuits, by replacing flip-flops with scan flip-flops. The sequential dependency block is created using other logic gates than flip-flops for the element to remain undetected. However, this block has a significant cost in addition to key-gates.

Low output corruptibility blocks aim at increasing the number of iterations needed by SAT. This is the direction that has been most studied. Almost all the proposed methods share the same flaws: the fact that they consist of an added block makes them susceptible to removal attacks, and the fact that they produce low output corruption not only makes them susceptible to approximate attacks, but also fails to meet the quality criterion that a logic locking method must have.

Increasing the computational effort of finding a DIP has been less studied. The authors proposing the insertion of WS-cells [75–77] claim that the method is secure against the SAT attack because the Boolean function of each output of each WS-cell is a combination of all input functions, which leads to equations with many unknowns. However, no experiment proves this claim.

5 Conclusion

In this paper, logic locking was surveyed. In a nutshell, Figs. 13 and 14 show the publication trend since the introduction of the first logic locking method, namely EPIC, ten years ago. Figure 13 presents the number of publications to our knowledge, year by year, categorized as: logic locking methods, oracle-guided attacks (other than SAT), SAT attack and improvements, protections against SAT attacks and more general papers on the subject such as surveys, metrics proposals, which begin to appear. We can see that the subject has gained considerable attention since the SAT attack in 2015. Figure 14 depicts a timeline about logic locking methods and attacks, playing an endless cat and mouse game.

In this paper, we have elaborated on logic locking and metrics to evaluate locking's quality. Figure 15 defines quality metrics. Concerning output corruption, a 50% Hamming distance between outputs produced from the correct key and a wrong key is desirable, for all test patterns. In other words, #faulty patterns must be maximized. For additional resilience to HT insertion, the number of low controllable signals must be as small as possible. For resilience against reverse engineering, the appropriate type of key-gates must be used. Resilience against oracle-guided attacks can be achieved through:

• Key size: the key must be long enough in terms of key bits such that the brute-force attack is impractical,

• Clique size: the subset of key bits that cannot be sensitized individually must be as high as possible to be resilient against the sensitization attack,

• Circuit modeling/T(DIP)/#DIPs: resilience against SAT-based attacks can be achieved through different means: by preventing circuit modeling necessary for a SAT solver, by increasing significantly the time T(DIP) to solve the SAT formula or the number of required iterations #DIPs needed for ruling out all wrong key values.

In this paper we have also elaborated on the current state of research in order to identify remaining shortcomings.

Most logic locking methods propose insertion criteria focusing on one quality metric, potentially to the detriment of other quality metrics. Multi-objective algorithms are therefore of interest in order to meet all quality metrics. Furthermore, cost metrics are also rarely taken into account. Only the impact on performance is usually mentioned; it is indeed trivial to avoid key-gate insertion on critical paths. Area cost is usually not taken into account by insertion heuristics. It is rather considered as a parameter that limits the number of key-gates that can be inserted. Furthermore, power consumption is never taken into account by insertion algorithms, only mentioned sometimes in experimental results. Last but not least, the methods should not have any negative impact on manufacturing test, a point that is almost never addressed. Recently, the predominant quality metric taken into account is the thwarting of the SAT attack, still to the detriment of other quality metrics, especially output corruption. Finding a solution against SAT-based attacks is still a very hot topic and protection improvements are still required to meet all quality/cost criteria.

Table 5 Attacks / defenses matrix regarding SAT-based attacks

Attacks (rows) / Protection against SAT (columns)

Cyclic Obfuscation [50] | Key generation unit [19] | Anti-SAT [60]/[62] + SLRI | SARLock [69] + SLRI | TTLock [72] + SLRI | SFLL [73] SFLL-fault [48] | Tree-based [8]

SAT [56] ≈ ✓ ✓ ✓ ✓ ✓ ≈

CycSAT [78] ✗

AppSAT [51] ✗ ✓

Double DIP [52] ✗ ✗ ✓

AGR [70] ✗ ✓

SPS [70, 71] ✗/✓ ✗ ✓ ✓

Bypass [63] ✗ ✗ ✓

Bit-flipping [54] ✗ ✗ ✗

✓ Denotes resilience to an attack

≈ Denotes partial resilience

✗ Denotes susceptibility

Fig. 13 Publication trend

As detailed in this paper, three ideas were pursued to thwart the SAT attack: increase of the number of required differential input patterns, increase of the time to find a differential input pattern and prevention from modeling the circuit appropriately.

The most developed idea is to increase the number of DIPs required to rule out all wrong keys. In other words, each DIP should rule out as few keys as possible, possibly only one. This type of approach has two major flaws. Firstly, it is most of the time implemented by the addition of a recognizable and removable structure, generally with a significant overhead. Methods that are not based on the addition of a structure are of interest. Second, it is inconsistent with the need to generate a good corruption. Solutions for forging an appropriate compromise between output corruption requirements and SAT slowdown are still needed. It may indeed not be necessary to target 50% HD for all patterns. A minimal corruption metric could be introduced instead.
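The tension between output corruption and the number of DIPs can be measured directly on a small model. The following is an added example, not code from the paper: it evaluates the Hamming-distance metric and the number of wrong keys ruled out per input pattern for two behavioural models, with the 4-bit circuit, the key value and all function names constructed for illustration.

```python
N_IN, N_OUT = 4, 4            # constructed toy sizes
K_CORRECT = 0b1011            # constructed secret key
KEYS = range(1 << N_IN)       # key width equals input width in this model
PATTERNS = range(1 << N_IN)


def original(x):
    """Constructed 4-bit function standing in for the unlocked circuit."""
    return (5 * x + 3) & 0xF


def xor_locked(x, k):
    """Behavioural model of traditional XOR/XNOR key-gates on the outputs:
    every wrong key bit inverts one output bit."""
    return original(x) ^ (k ^ K_CORRECT)


def sarlock_style(x, k):
    """Behavioural model of a SARLock-like comparator: one output bit flips
    only when the input pattern equals the (wrong) key."""
    return original(x) ^ int(x == k and k != K_CORRECT)


def avg_hd_percent(locked):
    """Mean Hamming distance to the correct outputs, over wrong keys and patterns."""
    flipped = bits = 0
    for k in KEYS:
        if k == K_CORRECT:
            continue
        for x in PATTERNS:
            flipped += bin(locked(x, k) ^ original(x)).count("1")
            bits += N_OUT
    return 100.0 * flipped / bits


def ruled_out(locked, x):
    """Wrong keys that an oracle query on pattern x would eliminate."""
    return {k for k in KEYS if k != K_CORRECT and locked(x, k) != original(x)}


def patterns_needed(locked):
    """Greedy count of patterns needed to eliminate every wrong key
    (an upper bound on the minimum; exact for the two models here)."""
    remaining = {k for k in KEYS if k != K_CORRECT}
    used = 0
    while remaining:
        best = max(PATTERNS, key=lambda x: len(ruled_out(locked, x) & remaining))
        hit = ruled_out(locked, best) & remaining
        if not hit:
            raise ValueError("a wrong key is functionally equivalent to the correct one")
        remaining -= hit
        used += 1
    return used


def evaluate(locked):
    # The correct key must restore the original function on every pattern.
    assert all(locked(x, K_CORRECT) == original(x) for x in PATTERNS)
    return {
        "avg_hd_percent": avg_hd_percent(locked),
        "max_keys_ruled_out_per_pattern": max(len(ruled_out(locked, x)) for x in PATTERNS),
        "patterns_needed": patterns_needed(locked),
    }


if __name__ == "__main__":
    for name, lock in (("XOR key-gates", xor_locked), ("SARLock-style", sarlock_style)):
        print(name, evaluate(lock))
```

The XOR model reaches roughly the desired 50% HD but a single pattern eliminates all wrong keys, while the comparator model forces one pattern per wrong key at the price of an HD below 2%.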

The other two ideas - increase of the time to find a differential input pattern and prevention from modeling the circuit appropriately - were less studied. The only attempt to our knowledge to increase the time of the SAT formulation consists in the addition of an AES [68]. Circuit modeling prevention was proposed with the prevention from modeling sequential circuits as combinational ones, where flip-flops are controllable / observable through test infrastructures, the so-called scan chains. [19] is an example of such a solution. In our opinion, these two types of protection are promising and are worth exploring in more detail. Unlike methods increasing the number of DIPs needed, these methods are not at odds with generating a good output corruption.

Besides, it has been noticed in the literature that some circuits are more resilient to SAT than others [8, 42, 56]. Metrics of susceptibility to SAT with respect to a circuit's netlist characteristics are thus also of interest. To go further in that direction, susceptibility driven design may be a new direction to explore, prior to logic locking. To the best of our knowledge, such a direction has not been investigated yet.

Recently, new concepts have been proposed: dynamic locking [23], for which the ICs may randomly operate incorrectly or correctly upon the application of a wrong key, and parametric locking / delay locking [61, 72], which modifies a circuit's performance instead of its functionality. This emerging “second generation” of logic locking is worth investigating. More work is still needed on the quality of these methods from a corruption point of view, and on their potential resistance against SAT-based attacks.

Last but not least, all the SAT-based attacks and other oracle-guided attacks need an oracle. The access to this oracle is to be studied. Let us consider two cases. Firstly, in the case of pre-test activation, the manufacturer has access to activated ICs and has therefore no problem with the access to an oracle. Second, in the case of post-test activation, the manufacturer may not be the party in charge of the activation. In that case, buying an activated IC once it is available on the open market seems like his/her only option to get access to an oracle. However, today's security issues have led designers to block the access to the scan chain of sequential circuits after production testing [27], or to protect the scan chains by various methods dedicated to design-for-security. A recent trend dedicated to the protection of sequential circuits against SAT-based attacks is to protect the scan chain [16]. As mentioned in section 2.4, it is safer that the test is performed before activation. It is all the more true, since, coupled with scan chain protections, it prevents the use of an oracle, thereby preventing any oracle-guided attack.

Fig. 14 Time line for logic locking methods (left) and attacks (right)

Fig. 15 Quality metrics detail to evaluate logic locking (diagram labels: Output corruption: # faulty patterns, Hamming distance; Resilience to HT insertion: # low controllable signals; Resilience to attacks: Reverse engineering: Key-gate type; Oracle-guided attacks: Key size, Clique size, Circuit modeling, T(DIP), # DIPs)

Funding This work is funded by project MOOSIC ANR-18-CE39–0005 of the French National Research Agency (ANR).

References

1. Alasad Q, Bi Y, Yuan J-S (2017) E2LEMI: energy-efficient logic encryption using multiplexer insertion. Electronics 6(1):1–20

2. Baumgarten A, Tyagi A, Zambreno J (2010) Preventing IC piracy using reconfigurable logic barriers. IEEE Design & Test of Computers 27(1):66–75

3. Bhunia S, Ray S, Sur-Kolay S (2017) Fundamentals of IP and SoC security. Springer Publishing Company, Incorporated

4. Chakraborty RS, Bhunia S (2009) Security through obscurity: an approach for protecting transfer level hardware. In: Proc. of IEEE International Workshop on Hardware-Oriented Security and Trust (HOST), pp 96–99

5. Chakraborty RS, Bhunia S (2009) HARPOON: an obfuscation-based SoC design methodology for hardware protection. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 28(10):1493–1502

6. Chakraborty RS, Bhunia S (2010) RTL hardware IP protection using key-based control data flow obfuscation. In: Proc. of International Conference on VLSI Design (VLSID), pp 405–410

7. Chakraborty A, Xie Y, Srivastava A (2017) Template attack based deobfuscation of integrated circuits. In: Proc. of IEEE International Conference on Computer Design (ICCD), pp 41–44

8. Chen Y (2017) Tree-based logic encryption for resisting SAT attack. In: Proc. of IEEE Asian Test Symposium (ATS), pp 42–47

9. Colombier B, Bossuet L, Hély D (2015) Reversible denial-of-service by locking gates insertion for IP cores design protection. In: Proc. of IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pp 210–215

10. Colombier B, Bossuet L, Hély D (2016) From secured logic to IP protection. Microprocess Microsyst 47(part A):44–54

11. Dupuis S, Ba P-S, Di Natale G, Flottes M-L, Rouzeyre B (2014) A novel hardware logic encryption technique for thwarting illegal overproduction and hardware Trojans. In: Proc. of International Symposium on On-Line Testing and Robust System Design (IOLTS), pp 49–54

12. El Massad M, Garg S, Tripunitara MV (2015) Integrated circuit (IC) decamouflaging: reverse engineering camouflaged ICs within minutes. In: Proc. of Network and Distributed System Security Symposium (NDSS), pp 1–14

13. El Massad M, Garg S, Tripunitara M (2017) Reverse engineering camouflaged sequential circuits without scan access. In: Proc. of International Conference on Computer-Aided Design (ICCAD), pp 33–40

14. Forte D, Bhunia S, Tehranipoor M (2017) Hardware protection through obfuscation. Springer Publishing Company, Incorporated

15. Guin U, Shi Q, Forte D, Tehranipoor MM (2016) FORTIS: a comprehensive solution for establishing forward trust for protecting IPs and ICs. ACM Trans Des Autom Electron Syst (TODAES) 21(4):1–20

16. Guin U, Zhou Z, Singh A (2018) Robust design-for-security architecture for enabling trust in IC manufacturing and test. IEEE TVLSI 26(15):818–830

17. Han J, Orshansky M (2013) Approximate computing: an emerging paradigm for energy-efficient design. In: Proc. of IEEE European Test Symposium (ETS), pp 1–6

18. Juretus K, Savidis I (2018) Importance of multi-parameter SAT attack exploration for integrated circuit security. In: Proc. of IEEE Asia Pacific Conference on Circuits and Systems (APCCAS), pp 366–369

19. Karmakar R, Chattopadhyay S, Kapur R (2017) Enhancing security of logic encryption using embedded key generation unit. In: Proc. of Test Conference in Asia (ITC-Asia), pp 131–136

20. Karmakar R, Kumar H, Chattopadhyay S (2018) On finding suitable key-gate locations in logic encryption. In: Proc. of IEEE International Symposium on Circuits and Systems (ISCAS), pp 1–5

21. Karmakar R, Prasad N, Chattopadhyay S, Kapur R, Sengupta I (2017) A new logic encryption strategy ensuring key interdependency. In: Proc. of International Conference on VLSI Design and International Conference on Embedded Systems (VLSID), pp 429–434

22. Karousos N, Pexaras K, Karybali IG, Kalligeros E (2017) Weighted logic locking: a new approach for IC piracy protection. In: Proc. of International Symposium on On-Line Testing and Robust System Design (IOLTS), pp 221–226

23. Koteshwara S, Kim CH, Parhi KK (2018) Key-based dynamic functional obfuscation of integrated circuits using sequentially triggered mode-based design. IEEE TIFS 13(1):79–93

24. Koushanfar F (2012) Provably secure active IC metering techniques for piracy avoidance and digital rights management. IEEE TIFS 7(1):51–63

25. Koushanfar F, Qu G (2001) Hardware metering. In: Proc. of Design Automation Conference (DAC), pp 490–493

26. Lee Y-W, Touba NA (2015) Improving logic obfuscation via logic cone analysis. In: Proc. of Latin-American Test Symposium (LATS), pp 1–6

27. Lee J, Tehranipoor M, Plusquellic J (2006) A low-cost solution for protecting IPs against scan-based side-channel attacks. In: Proc. of IEEE VLSI Test Symposium (VTS), pp 94–99

28. Li M, Shamsi K, Meade T, Zhao Z, Yu B, Jin Y, Pan DZ (2017) Provably secure camouflaging strategy for IC protection. IEEE TCAD:1–8 (Early Access)

29. Liu D, Yu C, Zhang X, Holcomb D (2016) Oracle-guided incremental SAT solving to reverse engineer camouflaged logic circuits. In: Proc. of Design, Automation & Test in Europe (DATE), pp 427–432

30. Malik S, Becker GT, Paar C, Burleson WP (2015) Development of a layout-level hardware obfuscation tool. In: Proc. of IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pp 204–209

31. Marcelli A, Restifo M, Sanchez E, Squillero G (2017) An evolutionary approach to hardware encryption and Trojan-horse mitigation. In: Proc. of Design, Automation and Test in Europe (DATE), pp 1593–1598

32. Mishra P, Bhunia S, Tehranipoor M (2017) Hardware IP security and trust. Springer Publishing Company, Incorporated

33. Nejat A, Hely D, Beroulle V (2015) Facilitating side channel analysis by obfuscation for hardware Trojan detection. In: Proc. of International Design & Test Symposium (IDT), pp 129–134

34. Nejat A, Hely D, Beroulle V (2016) How logic masking can improve path delay analysis for hardware Trojan detection. In: Proc. of IEEE International Conference on Computer Design (ICCD), pp 424–427

35. Nejat A, Hely D, Beroulle V (2018) ESCALATION: leveraging logic masking to facilitate path-delay-based hardware trojan detection methods. Journal of Hardware and Systems Security 2(1):83–96

36. Plaza SM, Markov IL (2014) Protecting integrated circuits from piracy with test-aware logic locking. In: Proc. of IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pp 262–269

37. Plaza SM, Markov IL (2015) Solving the third-shift problem in IC piracy with test-aware logic locking. IEEE TCAD 34(6):961–971

38. Rajendran J, Pino Y, Sinanoglu O, Karri R (2012) Logic encryption: a fault analysis perspective. In: Proc. of Design, Automation & Test in Europe (DATE), pp 953–958

39. Rajendran J, Pino Y, Sinanoglu O, Karri R (2012) Security analysis of logic obfuscation. In: Proc. of ACM/IEEE Design Automation Conference (DAC), pp 83–89

40. Rajendran J, Sam M, Sinanoglu O, Karri R (2013) Security analysis of integrated circuit camouflaging. In: Proc. of ACM SIGSAC Conference on Computer & Communications Security (CCS), pp 709–720

41. Rajendran J, Zhang H, Zhang C, Rose GS, Pino Y, Sinanoglu O, Karri R (2015) Fault analysis-based logic encryption. IEEE Trans Comput 64(2):410–424

42. Roshanisefat S, Thirumala HK, Gaj K, Homayoun H, Sasan A (2018) Benchmarking the capabilities and limitations of SAT solvers in defeating obfuscation schemes. In: Proc. of International Symposium on On-Line Testing and Robust System Design (IOLTS), pp 275–280

43. Rostami M, Koushanfar F, Karri R (2014) A primer on hardware security: models, methods, and metrics. Proceedings of the IEEE, Special Issue on Trustworthy Hardware 102(8):1283–1295

44. Roy JA, Koushanfar F, Markov IL (2008) EPIC: ending piracy of integrated circuits. In: Proc. of Design, Automation & Test in Europe (DATE), pp 1069–1074

45. Roy JA, Koushanfar F, Markov IL (2010) Ending piracy of integrated circuits. IEEE Computer 43(10):30–38

46. Samimi SMS, Aerabi E, Nejat A, Fazeli M, Hely D, Beroulle V (2016) High output hamming-distance achievement by a greedy logic masking approach. In: Proc. of IEEE East-West Design & Test Symposium (EWDTS), pp 1–4

47. Samimi MS, Aerabi E, Kazemi Z, Fazeli M, Patooghy A (2016) Hardware enlightening: no where to hide your hardware Trojans! In: Proc. of International Symposium on On-Line Testing and Robust System Design (IOLTS), pp 251–256

48. Sengupta A, Nabeel M, Yasin M, Sinanoglu O (2018) ATPG-based cost-effective, secure logic locking. In: Proc. of IEEE VLSI Test Symposium (VTS), pp 1592–1597

49. Shamsi K, Li M, Meade T, Zhao Z, Pan DZ, Jin Y (2017) Circuit obfuscation and oracle-guided attacks: who can prevail? In: Proc. of Great Lakes Symposium on VLSI (GLSVLSI), pp 357–362

50. Shamsi K, Li M, Meade T, Zhao Z, Pan DZ, Jin Y (2017) Cyclic obfuscation for creating SAT-unresolvable circuits. In: Proc. of Great Lakes Symposium on VLSI (GLSVLSI), pp 173–178

51. Shamsi K, Li M, Meade T, Zhao Z, Pan DZ, Jin Y (2017) AppSAT: approximately deobfuscating integrated circuits. In: Proc. of IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp 95–100

52. Shen Y, Zhou H (2017) Double DIP: re-evaluating security of logic encryption algorithms. In: Proc. of Great Lakes Symposium on VLSI (GLSVLSI), pp 179–184

53. Shen Y, Rezaei A, Zhou H (2018) A comparative investigation of approximate attacks on logic encryptions. In: Proc. of Asia and South Pacific Automation Conference (ASP-DAC), pp 271–276

54. Shen Y, Rezaei A, Zhou H (2018) SAT-based bit-flipping attack on logic encryptions. In: Proc. of Design, Automation & Test in Europe (DATE), pp 635–638

55. Sisejkovic D, Leupers R, Ascheid G, Metzner S (2018) A unifying logic encryption security metric. In: Proc. of International Conference on Embedded Computer Systems: Architectures, Modeling and Simulation (SAMOS), pp 179–186

56. Subramanyan P, Ray S, Malik S (2015) Evaluating the security of logic encryption algorithms. In: Proc. of IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp 137–143

57. Yasin M, Mazumdar B, Sinanoglu O, Rajendran J (2016) CamoPerturb: secure IC camouflaging for minterm protection. In: Proc. of International Conference on Computer-Aided Design (ICCAD), pp 1–8

58. Vontela D, Ghosh S (2017) Methodologies to exploit ATPG tools for de-camouflaging. In: Proc. of International Symposium on Quality Electronic Design (ISQED), pp 250–256

59. Xiao K, Forte D, Jin Y, Karri R, Bhunia S, Tehranipoor M (2016) Hardware Trojans: lessons learned after one decade of research. ACM Trans Des Autom Electron Syst 22(1):1–23

60. Xie Y, Srivastava A (2016) Mitigating SAT attack on logic locking. In: Proc. of Conference on Cryptographic Hardware and Embedded Systems (CHES), pp 127–146

61. Xie Y, Srivastava A (2017) Delay locking: security enhancement of logic locking against counterfeiting and overproduction. In: Proc. of ACM/EDAC/IEEE Design Automation Conference (DAC), pp 1–6

62. Xie Y, Srivastava A (2019) Anti-SAT: mitigating SAT on logic locking. IEEE TCAD 28(2):199–207

63. Xu X, Shakya B, Tehranipoor M, Forte D (2017) Novel bypass attack and BDD-based tradeoff analysis against all known logic locking attacks. In: Proc. of International Conference on Cryptographic Hardware and Embedded Systems (CHES), pp 189–210

64. Yasin M, Sinanoglu O (2015) Transforming between logic locking and IC camouflaging. In: Proc. of Design Test Symposium (IDT), pp 1–4

65. Yasin M, Sinanoglu O (2017) Evolution of logic locking. In: Proc. of IFIP/IEEE International Conference on Very Large Scale Integration (VLSI-SoC), pp 1–6

66. Yasin M, Mazumdar B, Ali SS, Sinanoglu O (2015) Security analysis of logic encryption against the most effective side-channel attack: DPA. In: Proc. of IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFTS), pp 97–102

67. Yasin M, Saeed SM, Rajendran J, Sinanoglu O (2016) Activation of logic encrypted chips: pre-test or post-test? In: Proc. of Design, Automation & Test in Europe (DATE), pp 139–144

68. Yasin M, Rajendran J, Sinanoglu O, Karri R (2016) On improving the security of logic locking. IEEE TCAD 35(9):1411–1424

69. Yasin M, Mazumdar B, Rajendran J, Sinanoglu O (2016) SARLock: SAT attack resistant logic locking. In: Proc. of IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp 236–241

70. Yasin M, Mazumdar B, Sinanoglu O, Rajendran J (2017) Removal attacks on logic locking and camouflaging techniques. IEEE Trans Emerg Top Comput 99:1–14 (Early Access)

71. Yasin M, Mazumdar B, Sinanoglu O, Rajendran J (2017) Security analysis of anti-SAT. In: Proc. of Asia and South Pacific Automation Conference (ASP-DAC), pp 342–347

72. Yasin M, Sengupta A, Carrion Schafer B, Makris Y, Sinanoglu O, Rajendran J (2017) What to lock?: functional and parametric locking. In: Proc. of Great Lakes Symposium on VLSI (GLSVLSI), pp 351–356

73. Yasin M, Sengupta A, Nabeel MT, Ashraf M, Rajendran J, Sinanoglu O (2017) Provably-secure logic locking: from theory to practice. In: Proc. of ACM SIGSAC Conference on Computer & Communications Security (CCS), pp 1601–1618

74. Yu C, Zhang X, Liu D, Ciesielski M, Holcomb D (2017) Incremental SAT-based reverse engineering of camouflaged logic circuits. IEEE TCAD 36(10):1657–1659

75. Zamanzadeh S, Jahanian A (2013) Automatic netlist scrambling methodology in ASIC design flow to hinder the reverse engineering. In: Proc. of IFIP/IEEE International Conference on Very Large Scale Integration (VLSI-SOC), pp 52–53

76. Zamanzadeh S, Jahanian A (2016) Higher security of ASIC fabrication process against reverse engineering attack using automatic netlist encryption methodology. Microprocess Microsyst 42:1–9

77. Zamanzadeh S, Jahanian A (2016) ASIC design protection against reverse engineering during the fabrication process using automatic netlist obfuscation design flow. ISC Int'l. J Inf Secur 8(2):93–104

78. Zhou H, Jiang R, Kong S (2017) CycSAT: SAT-based attack on cyclic logic encryptions. In: Proc. of International Conference on Computer-Aided Design (ICCAD), pp 1–8

Publisher's Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Sophie Dupuis received the Ph.D. degree from the Pierre & Marie Curie University, Paris, France, in 2009. Since 2011, she has been an Associate Professor with the Institute of Computer Sciences, Robotics and Microelectronics and Robotics of Montpellier (LIRMM), France. Her current research interests include design and test of integrated circuits and hardware trust, including hardware Trojan detection/prevention, and logic locking.

Marie-Lise Flottes received the Ph.D. degree in 1990 from the University of Montpellier. She is a researcher for the French National Research Center (CNRS). Since 1990, she has been conducting research at LIRMM, France. Her interests include design for testability, test management for SoC and SiP, testability and dependability of secure circuits.
