Preprint · September 2019
https://www.researchgate.net/publication/336104215

All content following this page was uploaded by Yasaswy Kasarabada on 27 September 2019.

Deep State Encryption for Sequential Logic Circuits
Yasaswy Kasarabada, Sudheer Ram Thulasi Raman and Ranga Vemuri
Digital Design Environments Laboratory, University of Cincinnati, Cincinnati, OH U.S.A.
kasarayv@mail.uc.edu, thulassm@mail.uc.edu and ranga.vemuri@uc.edu

Abstract—Logic encryption has been proposed as a potential solution to the hardware IP piracy problem. Naive logic encryption methods were shown to be susceptible to Boolean satisfiability (SAT) based attacks. In addition, the recently proposed Sequential SAT attack is able to decrypt many encrypted sequential logic circuits. This paper introduces a new logic encryption scheme that encrypts a sequential circuit on the occurrence of a chosen deep state. Two novel techniques to select a suitable deep state from the gate-level netlist of the design have been introduced. The attack resiliency of the proposed encryption technique against the sequential SAT attack is demonstrated using several standard benchmark circuits.

Index Terms—Logic Encryption, SAT attack, Sequential Circuits, Model Checking, Signal Probability Analysis, Circuit Simulation

I. INTRODUCTION

The recent trend towards outsourcing of IC fabrication has led to the development of hardware IP protection techniques against overproduction, counterfeiting and reverse engineering [1], [2]. IC camouflaging [3], split manufacturing [4] and logic encryption [5] are among the most promising techniques to protect the design from potential threats. Logic encryption methods add additional inputs called key inputs to the circuit such that the outputs are corrupted for some or all of the input vectors when incorrect key values are applied [5]–[8].

Early logic encryption techniques proposed the insertion of key-controlled XOR/XNOR gates either at random signals in the circuit [5] or at signals selected based on fault analysis [6]. However, these methods were evaluated to be ineffective by the introduction of the Satisfiability (SAT) based attack [9]. This SAT attack assumed that the attacker has access to a decrypted IC and used distinguishing input patterns to iteratively eliminate equivalence classes of keys to obtain the correct key assignment. Subsequently, many encryption techniques to make the SAT attack infeasible were proposed [7], [8], [10]. However, most of them proved unsuccessful at thwarting improved SAT [11] and removal attacks [12].

Many logic encryption methods assumed that the SAT-based attack was ineffective against sequential circuits if the scan chain is absent or corrupted [13], [14]. However, an effective Sequential SAT attack was recently proposed [15]. Therefore, a strong encryption method for sequential designs without scan chains that is able to thwart the Sequential SAT attack is required. This paper aims to present such a robust scheme. The contributions of this paper are as follows:

• Two novel techniques to extract deep state information from the gate level netlist of a sequential circuit are proposed.
• An effective encryption method that is triggered by the occurrence of the extracted deep state is proposed.
• The effectiveness of the encryption scheme against the Sequential SAT attack is evaluated using benchmark circuits that have been used in related research on this topic [13]–[17].

Section II summarizes previous research in logic encryption for sequential circuits. New techniques to discover deep states are discussed in Section III. Section IV details the encryption method. The experimental results are presented in Section V.

II. BACKGROUND

HARPOON [16] is a logic encryption scheme that modifies the sequential circuit such that the finite state machine (FSM) transitions from the initial ‘obfuscation mode’ to the normal mode only after the correct key sequence is applied. This method was enhanced in [17] by adding key dependency to each state of the FSM. On application of a wrong key during normal operation, the system is deflected into a black hole cluster. [16] and [17] require an explicit FSM while the proposed methods in this paper begin with a gate level netlist.

The Sequential SAT attack algorithm proposed in [15] begins by unrolling the sequential design for unr (= 2) clock cycles and attacking the unrolled combinational equivalent with the SAT attack algorithm [9]. If the obtained key is determined to be incorrect using the oracle or the unlocked IC, the attack continues by unrolling the design for unr + 1 clock cycles. This continues till a satisfiable key assignment is obtained. The authors have shown that the proposed attack method is able to successfully decrypt ISCAS ’89 and ITC’99 benchmark circuits encrypted using random key-gate insertions and the Encrypt Flip-flop techniques [14].

III. DEEP STATE IDENTIFICATION

Prior research on logic encryption for sequential circuits has shown the potential of logic encryption techniques to exponentially increase the SAT attack time by leveraging states or state transitions that occur rarely [18]. With the use of such techniques, the SAT attack needs to force the sequential design to reach the chosen deep state or undergo the chosen transition before it can decrypt the correct key value. Therefore, states embedded deep into the state machine are considered suitable for encryption. In this section we describe two novel techniques to discover potential deep states from a gate-level netlist.

A. Circuit Simulation Method

Circuit simulation can be used as a method to obtain information regarding the states and transitions of a sequential circuit. We use simulation to construct a partial state transition
graph (STG)¹ of the design as described below. The algorithm for the simulation based deep state identification (DESIDE-SIM) technique is shown in Algorithm 1.

Algorithm 1 Deep State Identification using Circuit Simulation (DESIDE-SIM)
Inputs: Sequential design S(X, Y); Simulation parameters T, Q; BMC bound b
Outputs: Candidate State V_deep
 1: STG^P(V^P, E^P) ← (φ, φ), t ← 1
 2: while t ≤ T do
 3:   (V^Q, E^Q) ← simulate(S, Q, V_r)
 4:   V^P ← V^P ∪ V^Q, E^P ← E^P ∪ E^Q
 5:   t ← t + 1
 6: end while
 7: STG^P_NC ← break_cycles(STG^P)
 8: V^deepest ← DFS(STG^P_NC, V_r)
 9: V_deep ← V_r, CEX_deep ← φ
10: for j ← 1 to |V^deepest| do
11:   if BMC(S, G(¬V_j), b) then
12:     V_deep ← V_j
13:     break
14:   end if
15:   CEX_j ← counter_example(BMC(S, G(¬V_j), b))
16:   if len(CEX_deep) < len(CEX_j) then
17:     V_deep ← V_j, CEX_deep ← CEX_j
18:   end if
19: end for
20: return V_deep

If the entire gate level netlist of a sequential circuit is accessible, a large vector sequence X^Q = {X_1, X_2, ..., X_Q} can be applied to the primary inputs of the design and the data values of all signals in the netlist can be monitored over Q clock cycles to generate a set of signal value sequences. The logic value at the output of each state-register flip-flop L_i (∈ L) can be extracted from the generated set of signal values. Since the extracted signal values relate to the set of states V^Q = {V_1, V_2, ..., V_Q} reached by the design when the input sequence X^Q is applied, an STG can be constructed from the set of state transitions E^Q = {E_1, E_2, ..., E_{Q−1}} where E_i = (V_i → V_{i+1}). Since the states in V^Q are achieved by the design using the specific input sequence X^Q, the resultant STG is not the complete STG of the design. To improve the accuracy of the partial STG, the simulation process can be repeated using multiple distinct input vector sequences. We use T sets of pseudo-random vector sequences to obtain T unique sets of states and state transitions. Iteratively, the T sets are added to the set of states V^P and the set of state transitions E^P to produce the partial STG, STG^P. Our experimental testing has shown that each simulation run adds a large number of new states and state transitions to STG^P, thus significantly improving the accuracy of the partial STG. Lines 2-6 in Algorithm 1 show the partial STG construction process.

¹ Partial STG construction is discussed for the ease of analyzing the technique. During experimentation, a state vs. depth metric is generated for all states reached by the design which is used to determine the deep state. Explicit STG construction is not necessary.

Typically, most sequential designs start from a reset state V_r. We set the first input vector in all T sets of input vector sequences such that the first state in V^Q is the reset state V_r. Deep states in the STG are a set of nodes with maximum depth. Depth of a state V_i is defined as the number of states in the shortest path from the reset state V_r to the state V_i. Finding deep states can be accomplished by using a depth first search (DFS) algorithm, after breaking the cycles in the partial STG (line 7), to yield the set of states V^deepest (line 8). It is important to note that although V^deepest contains all the deepest states in STG^P, there is no assurance that the states in V^deepest are also the deepest states in the complete STG of the sequential design.

To pick a single state from the set V^deepest, a G(¬V_j)² call for each state V_j ∈ V^deepest is given to a bounded model checker (BMC) with a pre-determined bound b. If the BMC returns true for a specific state, it is considered to have a depth of at least b states in the complete STG and hence can be set as the state V_deep chosen for encryption. If BMC returns false for all states in V^deepest, the state V_j with the longest length of a counter example CEX_j from the BMC call is chosen for encryption. Lines 9-19 in Algorithm 1 show this process.

² A G(p) call checks whether an atomic property p holds globally.

B. Signal Probability Analysis Method

Signal probability analysis (SPA) [19] is the technique for calculating the probability that a given signal achieves a specific logic value. We use signal probability analysis to calculate the probabilities of the state register flip-flops. Algorithm 2 describes the signal probability analysis based deep state identification technique (DESIDE-SPA).

Typically, signal probability (SP) calculation begins with assumed probability values for the primary inputs. SP values are propagated till the signal probabilities of the required nets are computed. Although this technique is straightforward when applied to combinational circuits, sequential feedback loops hinder such a straightforward approach when used for sequential designs. We assume that there are no scan chains in the circuit.

Our process begins by unrolling the sequential circuit S for u = 2 clock cycles and the probability analysis approach in [19] is applied to the unrolled combinational equivalent S^u. The SP values at the outputs of the state register flip-flops from the final copy of S in S^u are recorded. Subsequently, the SP values at the outputs of the flip-flops from the final copy of S^{u+1} are stored. The differences in the SP values obtained from S^u and S^{u+1} are computed. If the difference in any SP value exceeds a pre-determined limit prob_limit, the process is repeated with u = 3. If the differences in all SP values stay under the limit for a particular value u, the process exits returning the SP values of the flip-flops obtained from the last copy of S^{u+1}. These values are classified as the desired signal probability (SP) values of the state register flip-flops. This process is summarized in lines 1-7 in Algorithm 2.
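Returning to Algorithm 1 (Section III-A): the following Python is an added example, not the authors' code, that runs DESIDE-SIM on a constructed 4-flip-flop toy circuit (a register that advances only on the input vector (1,1)). Two substitutions are assumed: depth is computed by BFS, which yields the shortest-path depth the paper defines without the cycle-breaking and DFS steps, and the bounded model checker is replaced by an exhaustive bounded reachability search over all input vectors, which answers G(¬V_j) exactly for a circuit this small.

```python
"""DESIDE-SIM (Algorithm 1) on a constructed toy circuit -- added example."""
import random
from collections import deque
from itertools import product

N_PI = 2                 # primary inputs
RESET = (0, 0, 0, 0)     # reset state V_r of the four state register flip-flops


def next_state(state, x):
    """Constructed toy netlist: a 4-bit register that increments only on the
    input vector (1,1), clears on (0,0) and holds otherwise.  State k can only
    be reached through k consecutive (1,1) vectors, so large k is 'deep'."""
    v = int("".join(map(str, state)), 2)
    if x == (1, 1):
        v = (v + 1) % 16
    elif x == (0, 0):
        v = 0
    return tuple(int(b) for b in format(v, "04b"))


def simulate(q, rng):
    """simulate(S, Q, V_r) of line 3: one pseudo-random run of Q cycles from
    V_r, returning the visited states V^Q and the transitions E^Q."""
    states, edges, v = {RESET}, set(), RESET
    for _ in range(q):
        x = tuple(rng.randrange(2) for _ in range(N_PI))
        nxt = next_state(v, x)
        edges.add((v, nxt))
        states.add(nxt)
        v = nxt
    return states, edges


def partial_stg(t, q, rng):
    """Lines 1-6: union of T simulation runs gives the partial STG (V^P, E^P)."""
    v_p, e_p = set(), set()
    for _ in range(t):
        v_q, e_q = simulate(q, rng)
        v_p |= v_q
        e_p |= e_q
    return v_p, e_p


def depths(edges, root=RESET):
    """Depth of a state = length of the shortest path from V_r in the partial
    STG.  BFS computes this directly (the paper breaks cycles and uses DFS)."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, set()).add(b)
    depth, todo = {root: 0}, deque([root])
    while todo:
        s = todo.popleft()
        for n in succ.get(s, ()):
            if n not in depth:
                depth[n] = depth[s] + 1
                todo.append(n)
    return depth


def bmc_globally_not(target, bound):
    """Stand-in for BMC(S, G(not target), b): exhaustive bounded reachability over
    every input vector from V_r.  Returns (True, None) when the target cannot be
    reached within `bound` cycles, else (False, length of shortest counterexample)."""
    frontier = {RESET}
    for step in range(1, bound + 1):
        frontier = {next_state(s, x) for s in frontier
                    for x in product((0, 1), repeat=N_PI)}
        if target in frontier:
            return False, step
    return True, None


def deside_sim(t=25, q=100, bound=4, seed=1):
    """Algorithm 1 end to end; returns the candidate deep state V_deep."""
    rng = random.Random(seed)
    _, e_p = partial_stg(t, q, rng)
    d = depths(e_p)
    max_d = max(d.values())
    v_deepest = [s for s, k in d.items() if k == max_d]      # line 8
    v_deep, cex_deep = RESET, 0                              # line 9
    for v_j in v_deepest:                                    # lines 10-19
        holds, cex_len = bmc_globally_not(v_j, bound)
        if holds:                      # depth >= b in the complete STG: accept
            return v_j
        if cex_deep < cex_len:         # otherwise keep the longest counterexample
            v_deep, cex_deep = v_j, cex_len
    return v_deep


if __name__ == "__main__":
    chosen = deside_sim()
    print("V_deep =", chosen, "true depth =", bmc_globally_not(chosen, 16)[1])
```

Because the partial STG is a subgraph of the complete STG, the simulated depth can only overestimate the true depth, which is the reason Algorithm 1 confirms the candidate with the model checker.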
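The following Python is an added example, not the authors' code, that carries DESIDE-SPA through on a constructed 3-flip-flop gate-level netlist: the unrolling loop of lines 1-7 just described (signal probabilities propagated under the usual independence assumption of [19]) and the least-probable-state selection with the model checker of lines 8-18 of Algorithm 2. The unbounded model checker is replaced by an exhaustive BFS over the complete STG, which is exact for a netlist this small; the netlist is constructed so that its least probable state is unreachable and has to be rejected as an InvalidState.

```python
"""DESIDE-SPA (Algorithm 2) on a constructed gate-level netlist -- added example."""
from collections import deque
from itertools import product

# Constructed toy netlist.  q0..q2 are state register outputs, x0/x1 primary inputs,
# d0..d2 the flip-flop D inputs.  Gates are (output, op, inputs), in evaluation order.
FFS, DIN, PIS = ["q0", "q1", "q2"], ["d0", "d1", "d2"], ["x0", "x1"]
RESET = (0, 0, 0)
GATES = [
    ("d0", "AND", ("x0", "x1")),
    ("d1", "AND", ("q0", "x0")),
    ("nx1", "NOT", ("x1",)),
    ("d2", "AND", ("q1", "nx1")),   # q2 needs q1=1 and x1=0, so q0=1 cannot coincide
]


def evaluate(nets, op, ins):
    """Boolean evaluation of one gate."""
    a = [nets[i] for i in ins]
    if op == "NOT": return 1 - a[0]
    if op == "AND": return a[0] & a[1]
    if op == "OR":  return a[0] | a[1]
    if op == "XOR": return a[0] ^ a[1]
    raise ValueError(op)


def propagate_probabilities(nets, op, ins):
    """Signal probability rules (probability of logic 1), inputs assumed independent."""
    p = [nets[i] for i in ins]
    if op == "NOT": return 1.0 - p[0]
    if op == "AND": return p[0] * p[1]
    if op == "OR":  return 1.0 - (1.0 - p[0]) * (1.0 - p[1])
    if op == "XOR": return p[0] * (1.0 - p[1]) + p[1] * (1.0 - p[0])
    raise ValueError(op)


def run_netlist(state_vals, pi_vals, rule):
    """One copy of S: map state and input values (logic or SP) to the D inputs."""
    nets = dict(zip(FFS, state_vals))
    nets.update(zip(PIS, pi_vals))
    for out, op, ins in GATES:
        nets[out] = rule(nets, op, ins)
    return tuple(nets[d] for d in DIN)


def state_prob(u, pi_prob=0.5):
    """state_prob(S^u): SP of the flip-flops after u unrolled copies.  Copy 1 starts
    from the reset constants; copy k+1 takes copy k's D-input SPs as its state SPs."""
    sp = tuple(float(b) for b in RESET)
    for _ in range(u):
        sp = run_netlist(sp, (pi_prob,) * len(PIS), propagate_probabilities)
    return sp


def converged_state_prob(prob_limit):
    """Lines 1-7: grow u until SP^u and SP^{u+1} agree within prob_limit."""
    u = 1
    while True:
        u += 1
        sp_u, sp_u1 = state_prob(u), state_prob(u + 1)
        if all(abs(a - b) <= prob_limit for a, b in zip(sp_u, sp_u1)):
            return sp_u1, u


def states_by_probability(sp):
    """All 2^n states ordered least probable first, using the per-flip-flop SPs."""
    def prob(v):
        p = 1.0
        for bit, p1 in zip(v, sp):
            p *= p1 if bit else 1.0 - p1
        return p
    return sorted(product((0, 1), repeat=len(FFS)), key=prob)


def umc_globally_not(target):
    """Stand-in for UMC(S, G(not target)): BFS over the complete STG from reset.
    Returns (True, None) if target is unreachable, else (False, shortest trace length)."""
    dist, todo = {RESET: 0}, deque([RESET])
    while todo:
        s = todo.popleft()
        if s == target:
            return False, dist[s]
        for x in product((0, 1), repeat=len(PIS)):
            n = run_netlist(s, x, evaluate)
            if n not in dist:
                dist[n] = dist[s] + 1
                todo.append(n)
    return True, None


def deside_spa(prob_limit=0.01, depth_limit=3):
    """Lines 8-18, with the two nested loops folded into one pass over the ranked
    states: returns (V_deep, counterexample length, rejected InvalidStates)."""
    sp, _ = converged_state_prob(prob_limit)
    invalid = set()
    for v in states_by_probability(sp):             # least_probable_state(SP, Invalid)
        holds, cex_len = umc_globally_not(v)
        if holds or cex_len < depth_limit:          # unreachable, or not deep enough
            invalid.add(v)
            continue
        return v, cex_len, sorted(invalid)
    return None, 0, sorted(invalid)


if __name__ == "__main__":
    print(deside_spa())
```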
Algorithm 2 Deep State Identification using Signal Probability Analysis (DESIDE-SPA)
Inputs: Sequential design S(X, Y), Probability limit prob_limit, Depth limit depth_limit
Outputs: Candidate State V_deep
 1: u ← 1
 2: do
 3:   u ← u + 1
 4:   S^u ← unroll(S, u), S^{u+1} ← unroll(S, u + 1)
 5:   SP^u ← state_prob(S^u), SP^{u+1} ← state_prob(S^{u+1})
 6: while |SP^{u+1}_{L_i} − SP^u_{L_i}| > prob_limit ∀ L_i ∈ L
 7: SP ← SP^{u+1}
 8: V_deep ← φ, InvalidStates ← φ, CEX ← φ
 9: while len(CEX) < depth_limit do
10:   InvalidStates ← InvalidStates ∪ {V_deep}
11:   V_deep ← least_probable_state(SP, InvalidStates)
12:   while UMC(S, G(¬V_deep)) do
13:     InvalidStates ← InvalidStates ∪ {V_deep}
14:     V_deep ← least_probable_state(SP, InvalidStates)
15:   end while
16:   CEX ← counter_example(UMC(S, G(¬V_deep)))
17: end while
18: return V_deep

From the signal probability values, the logic value for each flip-flop with the lowest probability is selected. Selecting these flip-flop values yields the state V_deep that has the least probability of occurring. However, caution must be taken before declaring V_deep as the chosen deep state. There exists a possibility that V_deep never actually occurs, i.e. V_deep is unreachable. In this case, if V_deep is chosen for encryption, the system will offer virtually no protection. Therefore, it is critical to determine if the sequential design is able to reach the chosen state V_deep. This can be achieved by using a G(¬V_deep) call to an unbounded model checking tool as shown in line 11 of the algorithm. If the model checker returns false and the length of the counter-example CEX exceeds a chosen limit depth_limit (line 10), V_deep is selected as the deep state for encryption. If any of these two conditions fail, V_deep is classified as an InvalidState (line 12). The state with the next lowest probability of occurrence is selected and checked by the model checker. This process is repeated till a suitable deep state V_deep that occurs in the STG is obtained. The obtained deep state is chosen for encryption.

IV. DEEP STATE ENCRYPTION

In this section, we describe a novel encryption scheme that uses the deep state information obtained from the DESIDE techniques to effectively encrypt the design for maximum protection. The encryption logic consists of a Camouflaged Detection block, a Key Detection block, a c-bit counter, a payload Corruption block and a payload Recovery block as shown in Figure 1. For the purpose of illustration, the encryption scheme applied to the s27 ISCAS ’89 benchmark circuit is shown in Figure 2.

Fig. 1. Overview of the Encryption Scheme

A. Payload Selection

Sequential Controllability (SC0, SC1) and Sequential Observability (So) are important attributes related to testability of a design. SC<x> of a signal s is defined as the minimum number of clock cycles required to set the signal s to a logic value x where x ∈ {0, 1}, whereas So of a signal s is defined as the minimum number of clock cycles required to observe the value on signal s at an output pin. To ensure that the corruption of a payload signal is observable while keeping its controllability low, the SC<x> and So values are computed (using the Sandia Controllability and Observability Analysis Program (SCOAP) [20]) and used to devise a new method to select the payload signals.

The payload selection algorithm begins by identifying a set of all signals in the netlist, out of which signals lying on the critical path as well as signals in the transitive fan-in (TFI) of any state register flip-flop are removed to obtain a set of candidate signals C_sig. Using SCOAP, the SC0, SC1 and So values for each candidate signal are determined. Using So and the metric SC (= √(SC0² + SC1²)), all signals in C_sig are ordered first on the basis of maximum observability (low So values) and then on the basis of minimum controllability (high SC values) for signals with equal So values. From the set of ordered candidate signals, a set of payload signals is chosen on the basis of maximum number of primary outputs in the combined transitive fan-out (TFO) of all signals in the set. It is ensured that there is minimal overlap between the TFO of each individual signal in the set. This selection process ensures that any corruption on the payload signals will be observed at a primary output (due to high observability) while keeping the probability of the effect of one corrupted payload signal negating the effect of corruption of a different payload signal low (due to the minimal amount of overlap in the TFO). In Figure 2, the output of gate G17 is selected as the payload for illustration purposes.

B. Camouflaged Detection Block Generation

By design, the selected payload must be corrupted only when the chosen deep state V_deep occurs. Therefore, the encryption logic must be able to detect the occurrence of state V_deep, i.e. when each state register flip-flop L_i attains the logic value corresponding to its value in V_deep. To accomplish this, the state register outputs are fed to a NAND/AND-tree based detection logic. The output of the detection logic becomes high when the state V_deep occurs; else it stays low. Due to the highly recognizable structure of typical NAND/AND-tree based detection logic blocks, they may be susceptible to
structural analysis attacks where the attacker can identify the detection block and extract information about the state V_deep. To prevent such attacks, the detection logic is camouflaged³. In the Camouflaged Detection Block, the state register outputs are fed to camouflaged inverter/buffer gates [3] which are connected to the detection logic to form the output of the Camouflaged Detection Block, CamoOut. Now, the attacker cannot use structural analysis to directly identify the state bit values that set CamoOut to a logic value 1 and hence the complexity of the attack process is greatly increased with minimal overhead⁴. For successful decryption, the attacker must either correctly identify the logic for all camouflaged gates (usually through a destructive delayering process [22]) before attacking the encryption block or model the camouflaged gates as additional encryption gates [21] and significantly increase the key space needed to be explored by SAT to find the correct key assignment. Figure 2 shows the Camouflaged Detection Block in blue. When the state V_deep occurs, the outputs of all camouflaged gates CG (in blue) turn high, in turn setting the logic at the output of the AND-tree to a logic value 1.

³ Camouflaging is a layout-level technique of adding dummy contacts to standard gates to prevent the attacker from correctly resolving the functionality of the camouflaged gate [6], [21].
⁴ In our design, each camouflaged inverter adds 2 transistors whereas a camouflaged buffer has an overhead of 4 transistors.

C. Counter Insertion

Corrupting the payload on each occurrence of V_deep can cause the SAT attack to successfully decrypt the circuit with true_depth + 1 unrolls, where true_depth is the depth of the state in the complete STG. Since the DESIDE techniques are inherently probabilistic and are unaware of the complete STG, guaranteeing a very large true_depth value for V_deep is difficult. Therefore, a Counter Block with a c-bit counter is added to the circuit. The output of the Camouflaged Detection Block, CamoOut, is connected to the input of the Counter Block, highlighted grey in Figure 2. This block is designed such that the counter value increments only when the signal CamoOut goes high, i.e. state V_deep occurs. When the counter value reaches a certain pre-determined value CV, known only to the designer, the output of the Counter Block, CountOut, connected to the Corruption Block goes high. This activates the Corruption Block, shown in red, and corrupts the selected payload signals (output of gate G17 in Figure 2). This scheme ensures that the state V_deep needs to occur at least CV times before the effect of encryption is visible at the outputs. Using a c-bit counter, the value of CV can range from 0 to 2^c − 1. The value of c and CV can be chosen by the IP designer on the basis of the amount of protection needed and the amount of area overhead that can be tolerated. Since neither c nor CV is known to the attacker, counter insertion adds another level of protection to the encrypted design. An important point to note is that due to the fact that V_deep is estimated to occur rarely, the occurrence of a logic 1 on CountOut is even more rare, leading to a scenario where the error rate might become too low. Such a scenario causes a decrease in security offered by the encryption block [6]. To avoid this, combinational logic is added to the Counter block to ensure that CountOut stays high once it attains a logic 1. This ensures that once V_deep occurs CV times, a wrong key applied to the key inputs will corrupt the payload forever, forcing the circuit into a permanent corrupted state.

Fig. 2. Encrypted Circuit for benchmark s27

D. Key Detection Block

If the correct key value is applied to the key inputs, encrypted payload signals must hold the same values as the respective unencrypted payload signals. As discussed in the previous section, the Corruption block corrupts the payload when the state V_deep occurs CV times, i.e. when CountOut goes high. At this point, if the correct key value is applied to the key inputs, the corrupted payload must be corrected to yield the correct payload values. However, if a wrong key is applied, the payload must stay corrupted. To ensure this behavior, the Key Detection Block and the Recovery Block are designed, shown in Figure 2 in green and purple respectively. The output of the Key Detection Block, KeyOut, goes high when the correct key is applied and the state V_deep occurs. For the example shown in Figure 2, the correct key value is chosen to be the same as the state value V_deep. This can be changed by changing the appropriate XNOR gates (in green) to XOR gates. If either the correct key is not applied or the state V_deep does not occur, KeyOut remains low. The KeyOut signal is ANDed with the CountOut signal (output of the grey block) and fed to the Recovery block to ensure that the corrupted signal values will be recovered when both KeyOut and CountOut become high.

V. RESULTS

To evaluate the effectiveness of the DESENC-SIM (DESENC with DESIDE-SIM) and DESENC-SPA (DESENC with DESIDE-SPA) techniques against the Sequential SAT attack, 20 benchmarks from the ISCAS ’89 suite, shown in Table I, are encrypted using both techniques. These benchmarks have been used in related works in logic encryption [13]–[17]. The following sections describe the encryption methodology, attack setup and results of the experimentation. All experiments were run on a ThreadRipper 1950x 4GHz with 64GB memory.

A. Encryption Methodology

We first classify the benchmarks from Table I into two groups - Group A (all benchmarks with less than 25 flip-flops) and Group B (all benchmarks not included in Group
A). Benchmarks in both groups are encrypted using DESENC-SIM. To contain the area overhead, if the number of flip-flops in the design is greater than 32, the top 32 flip-flops from V^deepest are chosen to build the state V_j checked by the BMC. Similarly, the key size is limited to 32. Camouflaged gates are modelled as additional key-controlled XOR gates, effectively increasing the key size. T = 25 sets of simulations are performed for Q = 100, 1,000 or 10,000 clock cycles based on the size of the circuit. All simulations are started from the reset state V_r. For the BMC step, a bound of 50 is set for benchmarks in Group A and a bound of 100 is set for benchmarks in Group B. The maximum time taken to encrypt a benchmark circuit using DESENC-SIM was under 25 minutes.

TABLE I
BENCHMARK CIRCUITS DESCRIPTION

BENCH     PI    PO    DFF   GATES
s298       3     6     14     121
s400       3     6     21     155
s349       9    11     15     168
s526       3     6     21     193
s444       3     6     21     202
s420      18     1     16     208
s820      18    19      5     236
s510      19     7      6     253
s1196     14    14     18     461
s1488      8    19      6     521
s838      34     1     32     422
s953      16    23     29     371
s1423     17     5     74     624
s5378     35    49    179    1393
s9234     19    22    228    2014
s13207    31   121    669    3777
s15850    14    87    597    4267
s35932    35   320   1728    9331
s38584    12   278   1452   12202
s38417    28   106   1636   13713

The DESIDE-SPA algorithm starts from the least probable state and traverses the state space in increasing order of probability to determine a deep state which actually occurs. Since the state space needed to be pruned increases exponentially with a linear increase in the number of flip-flops, the DESIDE-SPA algorithm does not scale well for large benchmarks. Additionally, during experimentation, the UMC step in DESIDE-SPA is performed by NuSMV [23], an open source model checker which has limited capacity due to state space explosion. Due to these limitations, evaluation of the DESIDE-SPA encryption technique is performed using benchmarks from Group A only. All probability values for primary inputs are set to 0.5. Encryption on the largest benchmark circuit using DESENC-SPA was completed under 40 minutes.

To evaluate the effectiveness of the Camouflaged Detection Block and the Counter Block, the benchmarks are encrypted using two variations of DESENC - (1) Naive - no counter (c = 0) and no camouflaged gates, and (2) CamoCount - counter width 4 (c = 4) with added camouflaged gates. For CamoCount, the value of CV is set to the maximum value of 15.

B. Decryption Methodology

For Group A, the Sequential SAT attack method [15] starts by unrolling the sequential design for unr (= 2) unrolls and the combinational SAT attack [9] is applied on the unrolled combinational equivalent circuit using the corresponding software [24]. If the key size is less than 10, the SAT attack is asked to return 8 keys; if the key size is less than 20, 64 keys are asked from the SAT attack; else the SAT attack is asked to return 512 keys. The SAT attack is run for 12 hours for each unrolled copy. If the SAT attack takes more than 12 hours to decrypt the circuit, unr is doubled and the attack process is repeated. If the SAT attack returns fewer keys than asked for, the attack is considered a success for the particular value of unr. This follows from the fact that the correct key is guaranteed to be returned by the SAT attack and the attacker can obtain this key by testing the encrypted netlist against the unlocked oracle circuit using all returned keys [15]. If the SAT attack returns as many keys as asked by the algorithm, the decryption is assumed to have failed for the particular value of unr due to the impracticality of assuming that the attacker can test all keys for all unroll counts. Therefore, in this scenario unr is incremented by 1 and the attack process is repeated. During any of the above scenarios, if unr is found to reach a value greater than the upper limit (= 64) the decryption algorithm is stopped and the benchmark is considered to be SAT attack resilient. The attack methodology is adapted from [15].

For Group B, the attack method is similar to the attack method of Group A with two changes. As described in [15], the number of flip-flops on the largest flip-flop chain with no sneak paths determines the lower bound for unrolling the sequential design. Therefore, the attack is started by setting unr to the calculated lower bound value. Secondly, when the SAT attack returns as many keys as asked by the algorithm, the unr value is doubled instead of being incremented by 1. Since, for large benchmarks, each unrolled copy adds a large number of states explored by the SAT attack, doubling the circuit copy size allows the SAT attack to explore a significantly larger number of states in the next iteration, thus allowing for faster decryption times.

C. Experimental Results

Table II presents the results of applying the Sequential SAT attack on all the benchmarks encrypted using DESENC-SIM and all benchmarks from Group A (column 1) encrypted with DESENC-SPA (columns 8-13). The column unr shows the total number of unrolls needed by the attack method to successfully decrypt the benchmark. A ‘-’ in the unr column indicates that the SAT attack was unable to find the correct key for any value of unr less than the set maximum value (= 64). Therefore, the benchmark is considered to be SAT attack resilient. As expected, for each benchmark circuit, the unroll count for the CamoCount variation of the encrypted design is much higher than the unroll count for the Naive variation. For almost all benchmarks, the CamoCount design is SAT attack resilient. The respective tao columns, which list the total area overhead measured in terms of the percentage of gates added to the design, show that with a minimal increase in area overhead a significantly higher level of protection is achieved using the Camouflaged Detection Block and the Counter Block. Additionally, for most large benchmarks, encrypting with the DESENC-SIM technique using the Naive scheme is sufficient to make the circuit SAT attack resilient. This shows the ability of the DESIDE-SIM technique in accurately finding a deep state from the design for larger circuits. Similar to DESENC-SIM, the CamoCount scheme using DESENC-SPA provided better attack resiliency than the Naive scheme. For some benchmarks, namely s400 and s526, the
TABLE II
DESENC RESILIENCY AGAINST SAT ATTACK

DESIDE-SIM DESIDE-SPA DESIDE-SIM


BENCH Naive CamoCount Naive CamoCount BENCH Naive CamoCount
unr tao ext unr tao ext unr tao ext unr tao ext unr tao ext unr tao ext
s298 15 35.5 21s - 52.9 54s 11 34.7 6s - 52.9 13m s838 - 19.9 2m - 23.7 3m
s400 17 38 2m - 52.9 2m - 35.4 5h - 52.9 16m s953 11 37.7 24s - 43.3 21h
s349 8 30.9 3m - 45.2 76h 7 30.9 2m - 45.2 26h s1423 12 10.4 5h - 16.6 7h
s526 20 31.6 4m - 42.5 28m - 29 6h - 42.5 34m s5378 8 9.8 1s - 10.7 48h
s444 18 35.9 3m - 50.0 24m - 32.9 12h - 50.0 4h s9234 - 4.3 2h - 5.5 1h
s420 - 19.2 40s - 27.4 5s - 19.7 46s - 27.4 2m s13207 - 3.8 8h - 4.3 2m
s820 6 8.4 0.5s - 15.2 1h 9 7.2 1s - 15.2 58m s15850 - 1.8 8h - 2.8 2m
s510 48 9.4 2m - 16.6 46m 32 11 37s - 17.4 45m s35932 - 4.1 - - 4.4 -
s1196 4 13.4 40s 34 18.8 24h 4 14.3 37s - 18.8 26h s38584 - 0.8 - - 1.1 -
s1488 15 8.6 30s - 12.3 5h 16 8.6 39s - 11.9 17h s38417 - 1.3 - - 1.5 -

Naive DESENC-SPA scheme is SAT attack resilient whereas the Naive DESENC-SIM scheme is not. This can be attributed to the probabilistic nature of the DESENC-SIM technique. The execution times for decrypting each encrypted circuit are listed in the ext column. A ‘-’ in the ext column indicates that the SAT attack was unable to handle the benchmark after a certain unr value.

VI. CONCLUSION

This paper introduced two novel techniques to obtain deep state information from the gate-level netlist of a sequential design. The first technique uses simulation to build a partial STG of the design, from which the deepest state is chosen. The second method uses the signal probabilities of the state register flip-flops together with a model checker to find the least likely reachable state. Additionally, a unique encryption scheme is proposed that uses sequential controllability/observability values while incorporating key-state dependence and camouflaging gates to efficiently encrypt the design for maximum resiliency against the Sequential SAT attack. Results from decrypting various benchmarks encrypted using the described techniques demonstrated the effectiveness of the proposed schemes.
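The following script is an added example, not code from the paper or its authors. It illustrates the two deep-state selection ideas summarised in the conclusion on a constructed 4-flip-flop design: random simulation builds a partial STG from which the state farthest from reset is picked, and per-flip-flop signal probabilities rank states by how unlikely they are, with a reachability check discarding encodings the circuit can never enter. The toy next-state logic, the uniform random stimulus, the independence assumption in the probability product, the estimation of signal probabilities from the simulation trace (the paper derives them from the netlist) and the use of breadth-first search in place of a model checker are all assumptions made for this example.

```python
"""Added example (not the paper's code): deep-state selection on a toy circuit.

Technique 1: simulate random input sequences from reset, record the visited
transitions as a partial STG, and choose the state deepest from reset.
Technique 2: estimate each flip-flop's signal probability, rank encodings by
their product (independence assumed) and keep the least likely one that a
reachability check confirms. The circuit and all parameters are constructed.
"""
import random
from collections import deque
from itertools import product

N_FF = 4
RESET = (0, 0, 0, 0)
INPUTS = list(product((0, 1), repeat=2))   # primary inputs (a, b)


def next_state(state, inp):
    """Constructed next-state logic. `b` is a shift enable, `a` is shifted
    into q0, and q3 is loaded with q2 AND a, so four of the sixteen encodings
    are never reachable and the q3=1 states sit deepest from reset."""
    q3, q2, q1, q0 = state
    a, b = inp
    if not b:
        return state                      # enable low: hold
    return (q2 & a, q1, q0, a)            # (q3', q2', q1', q0')


def bfs_depths(stg, start=RESET):
    """Shortest-path distance from `start` for every state in `stg`."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for t in stg.get(s, ()):
            if t not in depth:
                depth[t] = depth[s] + 1
                queue.append(t)
    return depth


def simulate(cycles=2000, seed=2019):
    """Technique 1 data collection: random simulation from reset. Returns the
    partial STG (state -> successors) and the per-cycle state trace."""
    rng = random.Random(seed)
    stg, trace, s = {}, [], RESET
    for _ in range(cycles):
        t = next_state(s, rng.choice(INPUTS))
        stg.setdefault(s, set()).add(t)
        trace.append(t)
        s = t
    return stg, trace


def full_stg():
    """Stand-in for the model checker: exhaustive reachability from reset,
    applying every input in every discovered state."""
    stg, todo, seen = {}, deque([RESET]), {RESET}
    while todo:
        s = todo.popleft()
        stg[s] = {next_state(s, inp) for inp in INPUTS}
        for t in stg[s]:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return stg


def deepest_state(stg):
    """Technique 1: the state with the largest shortest-path distance from
    reset; ties broken by the smaller encoding so the choice is stable."""
    depth = bfs_depths(stg)
    best = min(depth, key=lambda s: (-depth[s], s))
    return best, depth[best]


def signal_probabilities(trace):
    """Fraction of cycles in which each flip-flop (q3..q0) holds 1."""
    return [sum(s[i] for s in trace) / len(trace) for i in range(N_FF)]


def least_probable_state(probs, reachable):
    """Technique 2: rank encodings by the product of per-bit probabilities and
    return the least likely one that is reachable. Without the reachability
    filter the top candidate is often an encoding the circuit never enters."""
    def score(s):
        p = 1.0
        for bit, pi in zip(s, probs):
            p *= pi if bit else 1.0 - pi
        return p
    ranked = sorted(product((0, 1), repeat=N_FF), key=lambda s: (score(s), s))
    return next(s for s in ranked if s in reachable)


if __name__ == "__main__":
    partial, trace = simulate()
    exact = full_stg()
    print("partial STG deepest state:", deepest_state(partial))
    print("exhaustive deepest state:", deepest_state(exact))
    probs = signal_probabilities(trace)
    print("signal probabilities q3..q0:", [round(p, 2) for p in probs])
    print("least probable reachable state:", least_probable_state(probs, set(exact)))
```

On this toy design the simulation and the exhaustive search agree that the deepest states are four cycles from reset (all have q3 = 1), and q3's signal probability is about 0.25 versus 0.5 for the other flip-flops, so the probability ranking also points at a q3 = 1 state; the reachability filter is what prevents it from selecting one of the four unreachable encodings such as 1000.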