Threshold Voltage-Defined Switches for Programmable Gates by Iyengar, Anirudh & Ghosh, Swaroop
Threshold Voltage-Defined Switches for Programmable Gates 
Anirudh Iyengar and Swaroop Ghosh  
Computer Science and Engineering, University of South Florida, Tampa, FL-33620 
(December 4, 2015) 
Abstract 
Semiconductor supply chain is increasingly getting exposed to variety of 
security attacks such as Trojan insertion, cloning, counterfeiting, reverse 
engineering (RE), piracy of Intellectual Property (IP) or Integrated Circuit 
(IC) and side-channel analysis due to involvement of untrusted parties. In 
this paper, we propose transistor threshold voltage-defined switches to 
camouflage the logic gate both logically and physically to resist against 
RE and IP piracy. The proposed gate can function as NAND, AND, NOR, 
OR, XOR, XNOR, INV and BUF robustly using threshold-defined 
switches. The camouflaged design operates at nominal voltage and obeys 
conventional reliability limits. The proposed gate can also be used to 
personalize the design during manufacturing. 
Introduction 
Camouflaging is a technique of hiding the circuit functionality of a few 
chosen gates to make RE/piracy impossible or extremely hard [1-6]. 
Camouflaging of gates using dummy contacts [1-2] can realize 3 
functions at the cost of ~5X area and power overhead. Although dummy 
contacts hide the functionality it requires process change (hollow via) and 
fails to force exhaustive RE by attacker. Programmable standard cells 
using control signals [3] require signal routing for each camouflaged gate.  
Techniques to deceive the attacker using filler cells [4] and dummy 
transistors [5] are also proposed. Unlike the proposed threshold voltage 
(VT) programmable technique the existing art is either process costly 
(extra mask costs), leave layout clues (increases design overhead) or 
offers limited RE resistance. The proposed camouflaging is 
complementary to existing obfuscation techniques that hide the 
functionality of a design by inserting additional components. For 
sequential circuits, additional logic (black) states are introduced in the 
finite state machine [7-10], which allow the design to reach a valid state 
only using the correct key. In combinational logic, XOR/XNOR gates are 
introduced to conceal the functionality [11-12]. Watermarking and 
passive metering techniques are also proposed to detect IC piracy [13-14].  
The proposed technology addresses the attack model where an adversary 
can perform invasive RE of a chip to compromise sensitive/classified 
information, reproduce or sell the pirated copy of the design. The 
adversary can still create a partial netlist with known gates and RE the 
missing gate functionalities recursively through carefully selected test 
patterns. In order to increase the RE difficulty, the camouflaging 
technique is achieved through VT modulation (implemented by changing 
channel doping concentration during manufacturing) of switches which 
leaves no layout trace. The proposed camouflaged gate can assume 8 
functions to obscure the design and force the attacker to launch brute force 
at least (or nullify the attack in some cases). It must be noted that, 
camouflaging is associated with area, power and delay overheads. 
Therefore it is critical to realize the many functionalities with a minimal 
design overhead.  
Proposed Approach 
We propose a novel switch that turns ON/OFF based on threshold voltage 
(VT) asserted on it. The switch is realized by using conventional NMOS 
and PMOS transistors with the gate biased at mid-point between nominal 
N and P threshold voltage i.e., 0.5(VTN+VTP). Therefore, the switch 
conducts when low VT (LVT) is assigned and stops conducting when high 
VT (HVT) is assigned during manufacturing (Fig. 1). The proposed switch 
can be used in conjunction with nominal VT (NVT) transistors to 
camouflage the gate. Although the switches are easy to identify in the 
layout, the VT of the switch is opaque to the attacker thus, making the 
configuration secure. The switch configures the functional transistors to 
serve as NAND, AND, NOR, OR, 
XOR XNOR, INV or BUF. Thus 
forcing the adversary to resort to a 
brute-force attack. It is notable that due 
to high overheads, the camouflaged 
gates should be used judiciously. The 
choice of gates should be guided by 
metrics that maximize RE effort while 
lowering overhead and maintaining 
robustness.  
VT modulation is a well-known 
technique used extensively in 
semiconductor industry for trade-off 
between power, performance and robustness. Therefore, the proposed VT 
based camouflaging comes without process cost adder. Since VT 
programming can be achieved by channel doping during manufacturing 
(no layout clues) the RE effort will increase. Due to 8 hidden functions 
the proposed camouflaging will require brute force RE at the least. By 
camouflaging certain gate sequences (arbitrary gate followed by 
XOR/XNOR) the design can be obscured. Considering 10K design with 
50-inputs camouflaging 1% gates will require at least 250 RE trials which 
is 105 years at 1GHz test frequency. Limited usage of camouflaged gates 
especially in critical paths can keep the timing, area and power impact 
below 2-3%. Apart from main stream electronics and services, the 
proposed technology can find applications in military electronics 
(satellite, radar, guided-missile, unmanned vehicle, rockets etc.), used in 
mission critical systems and intelligence agencies.     
The novelty of this work lies in (i) VT programmable switch; (ii) 
camouflaging without any process cost adder; (iii) camouflaged gate that 
can hide 8 functions; and, (iv) novel attack models such as RE using 
heating/cooling and side channel analysis. 
Design and Analysis of VT Defined Switch and Camouflaged 
Gate 
There are three aspects of camouflaged gate design: (i) switch; (ii) number 
of functionalities offered; and, (iii) optimized and robust implementation. 
The design objective of the switch is to achieve high ION/IOFF ratio 
whereas the gate is expected to provide many functionalities at low 
overhead and high robustness.  
A. Threshold programmable switch design 
The switch design is quantified using ION/IOFF ratio, wherein the gate 
voltage, HVT, LVT values and transistor sizes are tuned to maximize the 
ION/IOFF ratio. For N-switch, higher HVT and lower gate voltage is good 
for leakage whereas lower LVT and higher gate voltage is good for 
performance and, vice-versa is true for P-switch (Fig. 3(a)). Initial results 
using predictive 22nm tech [15] at 1V shows (Fig. 3(b),(c)) that HVT 
(LVT) target should be ~0.35-0.4V above (below) NVT for best 
performance. Switch gate voltage can also be tuned to improve speed 
(Fig. 3(d)).  
B. Camouflaged gate design 
Fig. 2(a) shows a conceptual schematic of the camouflaged gate that can 
assume multiple functionalities. The switches of selected (unselected) 
function are programmed to LVT (HVT) whereas the function can be 
implemented using NVT. An example schematic and layout that 
implements NAND, AND, NOR, OR, XOR and XNOR depending on the 
VT of switch 1-10 is shown (Fig. 2(b)-(c)). The ON switches for different 
functions is also displayed. The proposed gate ensures brute-force for RE 
(00/11 is needed to identify XOR/XNOR and 01/10 is needed for 
 
Fig. 1 VT programmable 
switch. HVT: OFF, LVT: ON. 
PMOS switch works similarly. 
 
HVT
LVT
HVT= 
NVT+Δ
LVT= 
NVT-Δ
VDD
VDD
NAND/NOR/AND/OR). The gate contains extra switches 11-14 to 
disconnect the inputs and connect to GND. This feature will fake the 
inverter (buffer) as a 2-input gate. A redundant signal is connected to 1st 
input which is floating and the 2nd input is connected to the signal to be 
inverted (buffered) and, the gate is programmed as XNOR (XOR). 
Redundant switches can also be added to increase obscurity. The 
overheads of the proposed gate (Fig. 3(e)) indicate that it should be used 
judiciously in the design. Simulations on supply voltage variation indicate 
that both high and low voltage can worsen the delay as it weakens ON 
switches and strengthens OFF switches to create contention between P 
and N network. The impact of VT variation due to temperature or process 
variation shows similar effect (Fig. 3(f)). The design is optimized to lower 
delay overhead by (i) tuning the VT of HVT and LVT transistors; and, (ii) 
separating the P and N switch gate voltages and biasing them to improve 
the robustness. Fig. 3(d) shows +/-100mV biasing of switch gate voltage 
in addition to +/-100mV VT biasing of HVT and LVT improves the delay 
by 20%.  
The proposed camouflaged gate (Fig. 2(b)) can suffer from area, power 
and delay overheads. Three options can be pursued for mitigation: (i) 
simplify the design by eliminating few switches to realize less functions; 
(ii) considering full CMOS gate structure (Fig. 2(d)); and,(iii) creating 
two flavors of camouflaged gate to realize {NAND,NOR,XOR} and 
{AND,OR,XNOR}. To mitigate delay overhead HVT can be used for off-
critical path and LVT for critical paths. 
Vulnerabilities, attack models and countermeasures 
The leakage and delay of proposed design will change with temperature 
(due to VT variation). Adversary can exploit this to perform a side channel 
analysis to crack the camouflaging. The LVT programmed switches can 
also be identified using backside probing techniques like LIVA [16].  
One model is to heat/cool the chip that will lower/increase the HVT 
switch VT and create sneak path from VDD (Fig. 2(d)). The leakage 
sensitivity of NAND compared to NOR for 2’b11 input will also 
increase/decrease. Temperature impact on gate delay can be used to 
obtain different gate delay sensitivities. One possible countermeasure is 
balancing all flavors of camouflaged gates to contaminate the leakage and 
delay signature. Another possible countermeasure is to use thermal sensor 
and dynamically modulate the switch gate voltage to kill the leakage.  
Conclusions 
We propose a novel threshold voltage-defined switches to camouflage the 
logic gate both logically and physically to resist against RE and IP piracy. 
The proposed transmission gate-based camouflaged gate can assume the 
role of wide variety of gates including NAND, AND, NOR, OR, XOR, 
XNOR, INV and BUF robustly using threshold defined switches. The 
camouflaged design operates at nominal voltage and obeys conventional 
reliability limits. We also proposed novel attack models such as 
heating/cooling-assisted RE with side channel analysis. 
References 
[1] Imeson et al, "Securing Computer Hardware Using 3D Integrated Circuit 
(IC) Technology and Split Manufacturing for Obfuscation." USENIX 
Security, 2013. 
[2] Rajendran et al, "Security analysis of integrated circuit camouflaging." In 
Proceedings of the 2013 ACM SIGSAC, 2013. 
 [3] Cocchi et al, "Building block for a secure CMOS logic cell library." U.S. 
Patent 8,111,089, issued February 7, 2012. 
[4] Chow et al. "Camouflaging a standard cell based integrated circuit." U.S. 
Patent 8,151,235, issued April 3, 2012. 
[5] Baukus et al. "Method and apparatus using silicide layer for protecting 
integrated circuits from reverse engineering." U.S. Patent 6,117,762, issued 
September 12, 2000. 
[6] Chow et.al. "Integrated circuits protected against reverse engineering and 
method for fabricating the same using an apparent metal contact line 
terminating on field oxide." U.S. Patent 7,294,935, 2007. 
[7] Chakraborty et al. "Hardware protection and authentication through netlist 
level obfuscation." In ICCAD, pp. 674-677. IEEE Press, 2008. 
[8] Chakraborty et al. "Security against hardware Trojan attacks using key-
based design obfuscation." Journal of Electronic Testing, 2011. 
[9] Chakraborty et al. "Security against hardware Trojan through a novel 
application of design obfuscation." In ICCAD, pp. 113-116. ACM, 2009. 
[10] Chakraborty et al. "HARPOON: an obfuscation-based SoC design 
methodology for hardware protection." Computer-Aided Design of Integrated 
Circuits and Systems, IEEE Transactions on 28, no. 10 (2009): 1493-1502. 
[11] Rostami et al. "A Primer on Hardware Security: Models, Methods, and 
Metrics." Proceedings of the IEEE 102, no. 8 (2014): 1283-1295. 
[12] Rajendran et al. "Security analysis of logic obfuscation." In Proceedings 
of the 49th Annual Design Automation Conference, pp. 83-89. ACM, 2012. 
[13] Baumgarten et al. "Preventing IC piracy using reconfigurable logic 
barriers." IEEE Design and Test of Computers 27, no. 1 (2010): 66-75. 
[14] Kahng et al. "Watermarking techniques for intellectual property 
protection." In DAC, pp. 776-781. ACM, 1998. 
[15] Predictive technology model, http://ptm.asu.edu/ 
[16] Falk, R. Aaron. "Advanced LIVA/TIVA Techniques." In International 
symposium for testing and failure analysis, pp. 59-68. 1998, 2001. 
 (d)  
Fig. 2 (a) Conceptual example of camouflaged gate with threshold programmable switch. Only selected gate is connected to power rail; (b) pass 
transistor-based camouflaged gate to hide 8 functionalities; (c) layout; and, (d) CMOS implementation (supports 3 functions) for risk mitigation. 
 
Fig. 3 (a) VT and switch voltage design window; (b) VT design window for HVT and LVT of switch for good ION/IOFF ratio; (c) HVT/LVT window 
for delay. Mean value of +/-0.25VDD than NVT is used; (d) P and N switch voltage biasing for robustness; (e) design overheads of proposed gate; 
and (f) impact of supply voltage variation. 
 
 
V
T
p
ro
g
ra
m
m
e
d
Vswp
Vswn
Gate ON Switch Gate ON Switch
NAND 3,2,9,11,12 AND 1,3,10,11,12
NOR 3,7,4,11,12 OR 5,6,7,11,12
XOR 3,7,9,11,12 XNOR 3,8,10,11,12
INV 3,7,9,14,12 BUF 3,8,10,14,12
(a) (b) (c) (d)
In1 In2Out
s1
s2
s3
s4
s5
s6
LVT:S1,S4
HVT:S2,S3,S
5,S6
LVT:S1, S2, 
S3, S4,S6
HVT: S5
LVT:S1, S3, 
S5, S6
HVT: S2, S4
Vdd
variation
Lower delay
(a)
(f)
5X 
overhead
(d)0
VDD
NVT
HVT
LVT
0
VDD
(VTN+VTP)/2
Vswn
Vswp
Lower delay
(b)
HVT/LVT Design window
(c) (e)
