IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 24, NO.
3, MARCH 2016 1193
A Practical Logic Obfuscation Technique for Hardware Security
Jiliang Zhang
Abstract— A number of studies of hardware security aim to thwart
piracy, overbuilding, and reverse engineering (RE) by obfuscating and/or
camouflaging. However, these techniques incur high overheads, and
integrated circuit (IC) camouflaging cannot provide any protection for
the gate-level netlist of the third party intellectual property (IP) core or
the single large monolithic IC. In order to circumvent these weaknesses,
this brief elaborately analyzes these hardware security techniques and
proposes a practical logic obfuscation method with low overheads to
prevent an adversary from RE both the gate-level netlist and the
layout-level geometry of IP/IC and protect IP/IC from piracy and
overbuilding. Experimental evaluations demonstrate the low area, power,
and zero performance overhead of the proposed obfuscation technique.
Index Terms— Hardware security, intellectual property (IP)
protection, logic obfuscation, overbuilding, physical unclonable
function (PUF), piracy, reverse engineering (RE).
I. I NTRODUCTION
With globalization of integrated circuit (IC) design, IC piracy,
overbuilding, and reverse engineering (RE) have become major
challenges for the electronics and defense industries. It was estimated
that the cost of counterfeiting and piracy for G20 nations was
U.S. $450–650 billion in 2008 and will grow to U.S. $1.2–1.7 trillion
in 2015 [1]. In general, pirated ICs not only have a negative impact
on brand reputation and research and development efforts but also
might have serious impact on systems and operations. Particularly, an
untrusted manufacturer can also produce more chips than authorized
chips, at a marginal cost, and sell them illegally (overbuilding), and
an untrusted party can also extract a gate-level netlist by RE the
design to steal the valuable intellectual property (IP)/IC information,
even illegally integrate it into his own IC or directly sell it as an
IP core.
Recent works in the hardware security aim to thwart the piracy,
overbuilding, and RE by obfuscating and/or camouflaging. However,
they suffer from several issues. Below we will introduce these
techniques in detail and analyze the limitations of them.
II. R ECENT W ORKS IN H ARDWARE S ECURITY
A. Combinational Logic Obfuscation
The logic obfuscation technique is one of the most popular
IC protection techniques. Roy et al. [3] proposed a classical com-
binatorial logic obfuscation method that obfuscates the IC designs
by randomly inserting additional key gates (XOR or XNOR). One of
the inputs to a key gate is the functional input in the design and the
other is 1-bit key input. The correct key will be stored in a tamper-
evident memory inside the design to prevent access to attackers. Upon
applying the correct key, the obfuscated design will exhibit a correct
function. The logic obfuscation can protect the IC from piracy and
overbuilding. However, if the gate-level netlist is extracted from the
Manuscript received September 16, 2014; revised January 4, 2015 and
March 4, 2015; accepted April 26, 2015. Date of publication June 18, 2015;
date of current version February 23, 2016.
The author is with Software College, Northeastern University,
Shenyang 110819, China (e-mail: zhangjl@swc.neu.edu.cn).
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TVLSI.2015.2437996
1063-8210 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: K.L. University(F.K.A. Koneru Lakshmaiah College of Engineering). Downloaded on October 21,2021 at 03:53:07 UTC from IEEE Xplore. Restrictions apply.
purchased IC by image processing-based RE [4], an adversary would
infer the key according to the type of inserted gates. In order to
avoid this problem, the authors proposed to replace an XOR gate with
an XNOR gate and an inverter and, similarly, replace XNOR gates
with XOR gates and inverters, and move inversions further up or
down using de Morgan’s law [3]. However, this approach incurs
high area and power overheads due to the logic redesign caused by
de Morgan’s rules. The experimental results show that when the
number of key gates inserted is 5% of the number of gates in
the original ISCAS-85 combinational benchmarks, the area overhead
and the power-delay product overhead for random insertion yields
an average overhead of about 26% and 25%, respectively [12].
Our proposed obfuscation structure bypasses the need for expen-
sive redesign. In addition, some sequential logic obfuscation
methods [2], [8], [11], [16], [17] are also proposed.
B. IC Camouflaging
IC camouflaging can resist the image processing-based extraction
of a gate-level netlist from an IC using dummy contacts [5] or
building lookalike standard cells designed with the same physical
layout to implement different logic gates [6] or filling unused spaces
in an IC with filler cells [7]. IC camouflaging is a layout technique
hence can provide an additional layout layer of defense beyond
the logic obfuscation. However, the ever increasing complexity of
IC designs asks for a modular design model, where IPs are
integrated into a system-on-chip (SoC). To enable the model,
the availability of IP protection for third party IPs (3PIPs)
is also imperative. IC camouflaging cannot provide the secu-
rity protection for the gate-level netlist of 3PIP/IC since it
is a layout technique. The experimental results show that
IC camouflaging also brings high overheads [13].
C. PC-Based Obfuscation
Koushanfar and Qu [9] proposed the first passive hardware
metering method that assigns a unique signature to each
IC’s functionality by integrating a small programmable part to the
ASIC to prevent IC overbuilding. Baumgarten et al. [10] proposed
to replace a part of logic gates in a design with some programmable
components (PC) such as RAMs to prevent IC piracy, and the content
of RAMs will be configured after manufacturing of the chips, which
does not disclose the entire schematic to the foundry. Therefore, the
PC-based obfuscation can prevent attackers to RE the IC. However,
the use of PC will incur significant performance overhead because
of the additional mask layer requirements [11].
D. Summary
In order to prevent the key from being inferred according to the
type of inserted gates if the gate-level netlist is extracted by RE,
the combinational logic obfuscation technique needs to redesign the
logic of design and hence brings high area and power overheads.
PC-based obfuscation techniques incur significant performance over-
head and need to modify traditional electronic design automation
flow to support their design method due to the use of RAMs. IC
camouflaging also incurs high overheads and cannot prevent IC from
 1194 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 24, NO. 3, MARCH 2016
Fig. 1. Combinational logic obfuscation. (a) Structure of an OC.
(b) An example of obfuscating a gate-level netlist with two OCs. An OC
is used to replace an inverter or inserted into any wires in gate-level netlist.
overbuilding and piracy and provide security protections for the netlist
of monolithic IC and/or IP cores integrating by system developers.
Our goal is to develop a practical obfuscation-based IP protection
technique to circumvent all of these issues.
E. Our Contributions
The contributions of this brief are as follows.
1) Elaborate the analysis of current anti-piracy, anti-overbuilding,
and anti-RE techniques.
2) A practical logic obfuscation technique with low area, power,
and zero performance overheads is proposed to thwart the
image processing-based RE and also protect the third party
IP cores.
3) Experimental evaluations and the low overhead of the combi-
national logic obfuscation method is demonstrated on standard
benchmark circuits.
III. P ROPOSED O BFUSCATION T ECHNIQUE
Traditionally, the IC design is written without any concern of
obfuscation, and hence IC design is vulnerable to RE, piracy, and
overbuilding. Given a gate-level netlist of the design, our goal
is to modify the original netlist to produce an obfuscated netlist,
which is functionally equivalent to the former when correct key
is given. An obfuscated gate-level netlist is synthesized into the
layout geometry for manufacturing. An adversary buys the obfuscated
IC on the open market and then obtains the gate-level netlist by
image processing-based RE. However, the functionality of obfuscated
cells cannot be identified. The modified netlist reacts with a silicon
physical unclonable function (PUF) [14], and it can exactly perform
the same as that of the design as long as the correct license is issued
by the IP/IC designer. This means that only the chips authorized
by the designer can guarantee the correct functionalities. Hence, the
proposed obfuscation framework can prevent IC from RE, piracy, and
overbuilding.
A. Obfuscation Structure
The proposed obfuscation cell (OC) is composed of an inverter
and a multiplexer. The structure is shown in Fig. 1(a), where the key
is a select input of the multiplexer (because of the key’s importance,
a distribution framework must be established so that the IP designer
can securely unlock each IC [10]). We proposed to replace an inverter
with the OC or insert the OC into any wire of gate-level netlist.
As shown in Fig. 1(b), a simple circuit is obfuscated by two OCs.
The security of this OC will be analyzed as follows.
B. Image Processing-Based RE
RE can be misused to steal the valuable IP/IC information and
illegally pirate and/or fabricate a design. Some techniques and tools
Authorized licensed use limited to: K.L. University(F.K.A. Koneru Lakshmaiah College of Engineering). Downloaded on October 21,2021 at 03:53:07 UTC from IEEE Xplore. Restrictions apply.
Fig. 2. (a) Circuit obfuscated with the combinational logic obfuscation
method [3]. (b) Circuit obfuscated with the camouflaging method [13].
have been developed to RE ICs [15]. This brief assumes the attackers
have the following abilities.
1) The attacker can directly steal the obfuscated gate-level netlist
or extract the obfuscated gate-level netlist using the circuit-
extraction-based IC RE technique in [4].
2) The attacker can modify and simulate the obfuscated gate-level
netlist.
3) The attacker can legally purchase unlocked ICs from the open
market.
4) The attacker knows the possible logic functions that a OC can
implement.
In this brief, any inverters can be replaced or any wires can be
inserted with an OC at the gate level. After the obfuscated design is
synthesized into layout geometry and then manufactured, an attacker
buys the obfuscated IC on the open market and then obtains the
gate-level netlist by the image processing-based RE. Although
adversaries will know the structure of each OC, the functionality
of OCs cannot be inferred due to the volatility of key in OCs,
i.e., the adversaries cannot extract the key of OCs by RE to infer
the functionality of OCs. However, the previous combinatorial logic
obfuscation method [3] incurs high overheads in order to prevent
an adversary from inferring the key according to the type of inserted
gates. To show this, we give a simple example. As shown in Fig. 2(a),
a circuit obfuscated with the combinational logic obfuscation method
in [3] by inserting a XOR gate and a XNOR gate. It obviously shows
that if an adversary extracts this gate-level netlist by RE, the secret
key bits of inserted gates would be leaked: if the inserted gate
is XOR, key bit would be 0; if is XNOR, the key bit would be 1.
In order to avoid this problem, we must replace some XOR gates
with XNOR gates and inverters and, similarly, replace some XNOR
gates with XOR gates and inverters [3], however, which incurs very
high area and power overheads due to the redesign of the logic. The
obfuscation structure proposed in this brief does not need to redesign
the logic and the low overhead of the structure is demonstrated on
standard benchmark circuit.
In our proposed obfuscation structure [see Fig. 1(a)], the secret
key information is not leaked by the structure of OC even if the
gate-level netlist was extracted by the image processing-based RE,
so the attackers do not know the logic function of OCs. They have
to perform the following brute force:
1) buy two target chips from the open market;
2) extract the obfuscated netlist from the first chip by RE [4];
3) generate random input patterns for each possible truth value of
all OCs;
4) simulate the input patterns and obtain the outputs O1;
5) apply these patterns on the second chip and obtains the
outputs O2;
6) repeat Steps 3–5 until O1 = O2, the attacker would be
successful to unlock the chip.
An OC is inserted into any wires or used to replace any inverters.
The complexity of above brute-force attack is 2n , where n is the
 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 24, NO. 3, MARCH 2016 1195

number of OCs. Therefore, the proposed obfuscation method in

this brief can effectively resist the brute-force attack even if the gate
level has been extracted by RE.

C. Gate-Level Netlist RE
As shown in Fig. 2(b), a circuit obfuscated with the camouflaging
method [13], which is a layout-level obfuscation technique that can
resist the circuit extraction-based RE. However, it fails to protect the
gate-level netlist from RE. In practice, the ever increasing complexity
Fig. 3. PUF-based obfuscation and the generation of the licenses.
of IC designs asks for the protection of gate-level netlist of 3PIPs,
which are integrated into an SoC by system developers. The proposed
obfuscation technique in this brief can be automatically performed
in gate-level netlist. Therefore, the gate-level netlist and all the
following levels of gate level including the layout-level netlists and
the manufactured chips would be protected.

D. Justifying and Sensitizing Test Attacks

Rajendran et al. [12], [13] analyze the security of the logic
obfuscation and IC camouflage technique using the justifying and
sensitizing test technique, respectively. Take the combinational logic
obfuscation method [3], for example, the attacker can locate key gates
and then deduce the primary input pattern to justify the inputs of
isolated key gates so that the key can be propagated to the primary
output. Therefore, the combinational logic obfuscation method is
vulnerable to the justifying and sensitizing test attack. As shown
in Fig. 2(a), G1 and G4 are the two key gates; an attacker can
sensitize the key bits K 1 and K 2 to the outputs O1 and O2 to obtain
the key values by applying a specific input pattern. For example,
K 1 should be 1 if the output O1 is 0 when we justify the input b
of G1 into 1 and meantime justify the input b of G6 into 0 by
applying I1 I2 I3 I4 = 00XX. The same test attack is also suitable for
IC camouflage techniques. Likewise, the proposed OC in this brief
is also vulnerable to thus attack. Fortunately, this vulnerability can
be fixed using interference graph method proposed in [12] and [13]
to insert OCs.
IV. A NTI -P IRACY AND A NTI -OVERBUILDING
S ECURITY F RAMEWORK
We use the configuration of OCs of obfuscated design to interact
with the PUF response in order to generate a chip-dependent
license to prevent piracy and overbuilding attacks and provide the
pay-per-device licensing service. An attacker with no information
about the key of the OCs cannot compute the correct license to unlock
the pirated/overproduced chips. Hence, the designer is the only one
who can issue the license to activate the chip. When the chip is
powered on, the PUF response will XOR with the license to generate
the correct configuration for OCs, then the generated configuration is
stored in the flip-flops to unlock the chip. When the chip is
powered on, the PUF response will XOR with the license to generate
the correct key bits for OCs, then the generated key bits are stored
in the flip-flops to unlock the chip. The attackers can extract the
obfuscated gate-level netlist by RE, but the extracted netlist does not
contain the key bits.
We use the PUF response to unlock the function of the chip. The
designer often computes the error correcting code (ECC) to adjust for
any bit flips to the PUF output (response) because the PUF output is
hard to maintain absolutely stable due to the noise or other sources
of physical uncertainty. Note that, we do not report the overhead of
implementing PUFs and ECC methods in this brief. The overhead for
implementing PUF and ECC are readily available in contemporary
literatures summarized in [14]. The error corrected PUF response
Fig. 4. Area overhead on benchmark circuits with different numbers of OCs.
is used to unlock the function of the chip; without the correct
PUF response, the function would not perform correctly. There-
fore, the circuit is kept locked until the correct license unlocks it.
It should be noted that the issued licenses can also be public and
different PUF responses can be used to calculate different licenses.
To illustrate the key idea of our approach, we give an example
for generating the license in Fig. 3. Considering four OCs in
Fig. 3, OC1 –OC4 and K 1 –K 4 are the key bits of the OCs. Assume
K 1 –K 4 = 1010, the OC can be used to replace any inverters or insert
any wires. Assume that the PUF output value is 0110. To possibly
active the chip, the 4-bit PUF output 0110 should be XOR’d with a
4-bit license that is able to generate the result of 1010 (in this case,
the license should be 1100). The chip can be correctly unlocked with
the calculated license and the PUF response. The nonvolatile on-chip
memories would be used to store the PUF challenges, the license,
and the relevant ECC bits on each pertinent activated IC. From this
point on, every time the IC starts up, it would automatically read the
PUF challenge and ECCs and use them to unlock the chip.
V. E XPERIMENTAL R ESULTS
A. Experimental Setup
We performed a set of experiments to evaluate the overhead
of implementing the obfuscation technique. The experiments are
performed on the circuits, which are described in Verilog format,
from the ISCAS benchmark. The synthesis was performed using
Synopsis dc with 45-nm Nangate open cell library. The OCs are
automatically inserted at gate-level netlist by the program coded
in the C language. We selected the inverters for replacement with
OCs and inserted OCs with wires using timing-driven algorithm. The
timing-driven algorithm is to select the inverters for replacement and
inserting OCs in the wires in the noncritical path in the original
netlist. We obfuscated 5% of the number of cells in the original
benchmarks. The OCs used to replace inverters are 50% of the total.
B. Experimental Analysis
Table I gives the synthesis summary conducted on ISCAS
benchmark circuits. The columns area, delay, and power are the

Authorized licensed use limited to: K.L. University(F.K.A. Koneru Lakshmaiah College of Engineering). Downloaded on October 21,2021 at 03:53:07 UTC from IEEE Xplore. Restrictions apply.
 1196 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 24, NO. 3, MARCH 2016
TABLE I
A REA , D ELAY, AND P OWER OVERHEAD FOR O UR P ROPOSED O BFUSCATION M ETHOD
Fig. 5. Timing overhead on benchmark circuits with different numbers
of OCs.
Fig. 6. Power overhead on benchmark circuits with different numbers of OCs.
estimated area, the arrival time for the critical path and the estimated
power, respectively, of the design with the original design and
obfuscated design as reported by the Synopsys dc. A, D, and P
are the percentage area, delay, and power overheads, respectively.
We can see from Table I that area and power overhead due to
obfuscation are only on average 0.63% and 2.6%, respectively. The
delay overhead is 0%, which means that the proposed method in this
brief can obfuscate the design without performance degradation.
And finally, we discuss the impact of the numbers of OCs on
area, timing, and power overhead for benchmarks. Figs. 4–6 show
the impact of various OCs on area, timing, and power overhead
for benchmarks, respectively. It can be seen that the area is roughly
Authorized licensed use limited to: K.L. University(F.K.A. Koneru Lakshmaiah College of Engineering). Downloaded on October 21,2021 at 03:53:07 UTC from IEEE Xplore. Restrictions apply.
positive correlated to the increase in OCs, and the timing maintains
zero overhead with OCs increasing. The power overhead is not
positive correlated to the number of OCs.
VI. C ONCLUSION
In this brief, we have comprehensively analyzed the current
hardware security techniques and developed a practical and very
efficient combinational logic obfuscation technique to thwart piracy,
overbuilding, and RE attacks. Although the attackers can extract the
gate-level netlist by circuit-extraction-based RE, they cannot infer
the obfuscated logic functions. The only way is to exhaustively
test all configurations of OCs by the infeasible brute-force attack.
Hence, our proposed obfuscation technique in this brief not only
resists image processing-based RE but also incurs low area and power
overheads. A PUF response can be used to XOR with the configuration
of OCs to generate a device-dependent license to prevent piracy
and overbuilding attacks. The experiment shows that our proposed
obfuscation technique incurs only an average of 0.63% area overhead
and a 2.6% power overhead on ISCAS benchmark circuits, and
especially, there are no performance penalties for it.
R EFERENCES
[1] “Estimating the global economic and social impacts of
counterfeiting and piracy,” Int. Chamber Commerce, Paris, France,
Tech. Rep., 2011. [Online]. Available: http://www.illicittrademonitor.
com/reports/article/estimating-the-global-economic-and-social-impacts-
of-counterfeiting-and-piracy/
[2] Y. Alkabani, F. Koushanfar, and M. Potkonjak, “Remote activation of ICs
for piracy prevention and digital right management,” in Proc. IEEE/ACM
Int. Conf. Comput.-Aided Design, Nov. 2007, pp. 674–677.
[3] J. A. Roy, F. Koushanfar, and I. L. Markov, “EPIC: Ending piracy
of integrated circuits,” in Proc. Design, Autom. Test Eur., 2008,
pp. 1069–1074.
[4] R. Torrance and D. James, “The state-of-the-art in semiconductor
reverse engineering,” in Proc. 48th ACM/EDAC/IEEE Design Autom.
Conf. (DAC), Jun. 2011, pp. 333–338.
[5] L. W. Chow, J. P. Baukus, and W. M. Clark, “Integrated circuits protected
against reverse engineering and method for fabricating the same using
an apparent metal contact line terminating on field oxide,” U.S. Patent
7 294 935, Jul. 25, 2002.
[6] R. P. Cocchi, J. P. Baukus, B. J. Wang, L. W. Chow, and P.Ouyang,
“Building block for a secure CMOS logic cell library,” U.S. Patent
8 111 089, Feb. 7, 2012.
[7] L.W. Chow, J. P. Baukus, B. J. Wang, and R. P. Cocchi, “Camou-
flaging a standard cell based integrated circuit,” U.S. Patent 8 151 235,
Apr. 3, 2012.
 IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS, VOL. 24, NO. 3, MARCH 2016 1197

[8] J. Zhang, Y. Lin, Y. Lyu, and G. Qu, “A PUF-FSM binding
scheme for FPGA IP protection and pay-per-device licensing,” IEEE
Trans. Inf. Forensics Security, vol. 10, no. 6, pp. 1137–1150,
Jun. 2015.
[9] F. Koushanfar and G. Qu, “Hardware metering,” in Proc. 38th Annu.
Design Autom. Conf., 2001, pp. 490–493.
[10] A. Baumgarten, A. Tyagi, and J. Zambreno, “Preventing IC piracy using
reconfigurable logic barriers,” IEEE Des. Test Comput., vol. 27, no. 1,
pp. 66–75, Feb. 2010.
[11] F. Koushanfar, “Provably secure active IC metering techniques for piracy
avoidance and digital rights management,” IEEE Trans. Inf. Forensics
Security, vol. 7, no. 1, pp. 51–63, Feb. 2012.
[12] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri, “Security analysis
of logic obfuscation,” in Proc. 49th ACM/EDAC/IEEE Design Autom.
Conf., Jun. 2012, pp. 83–89.
[13] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis of
integrated circuit camouflaging,” in Proc. ACM/SIGSAC Conf. Comput.
Commun. Secur., 2013, pp. 709–720.
[14] J.-L. Zhang, G. Qu, Y.-Q. Lyu, and Q. Zhou, “A survey on silicon PUFs
and recent advances in ring oscillator PUFs,” J. Comput. Sci. Technol.,
vol. 29, no. 4, pp. 664–678, Jul. 2014.
[15] Degate. [Online]. Available: http://www.degate.org/documentation,
accessed Jun. 5, 2015.
[16] Y. Lao and K. K. Parhi, “Obfuscating DSP circuits via high-level
transformations,” IEEE Trans. Very Large Scale Integr. (VLSI) Syst.,
vol. 23, no. 5, pp. 819–830, May 2015.
[17] R. S. Chakraborty and S. Bhunia, “HARPOON: An obfuscation-
based SoC design methodology for hardware protection,” IEEE
Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 28, no. 10,
pp. 1493–1502, Oct. 2009.

Authorized licensed use limited to: K.L. University(F.K.A. Koneru Lakshmaiah College of Engineering). Downloaded on October 21,2021 at 03:53:07 UTC from IEEE Xplore. Restrictions apply.