Is Robust Design-for-Security Robust Enough? Attack on Locked Circuits
  with Restricted Scan Chain Access by Limaye, Nimisha et al.
Nimisha Limaye, Abhrajit Sengupta, Mohammed Nabeel, and Ozgur Sinanoglu
Tandon School of Engineering, New York University, New York, USA
Division of Engineering, New York University Abu Dhabi, United Arab Emirates
{nsl278, as9397, mtn2, ozgursin}@nyu.edu
Abstract—The security of logic locking has been called into
question by various attacks, especially a Boolean satisfiability
(SAT) based attack, that exploits scan access in a working
chip. Among other techniques, a robust design-for-security (DFS)
architecture was presented to restrict any unauthorized scan
access, thereby, thwarting the SAT attack (or any other attack
that relies on scan access). Nevertheless, in this work, we
successfully break this technique by recovering the secret key
despite the lack of scan access. Our security analysis on a few
benchmark circuits protected by the robust DFS architecture
demonstrates the effectiveness of our attack; on average ∼95%
of the key bits are correctly recovered, and almost 100% in
most cases. To overcome this and other prevailing attacks, we
propose a defense by making fundamental changes to the robust
DFS technique; the new defense can withstand all logic locking
attacks. We observe, on average, lower area overhead (∼1.65%)
than the robust DFS design (∼5.15%), and similar test coverage
(∼99.88%).
I. INTRODUCTION
The changing landscape of the semiconductor industry has
led to many security threats such as intellectual property (IP)
piracy [1], counterfeiting [2], and insertion of hardware
Trojans [3]. The prohibitive cost of owning a fabrication facility,
which can be up to several billions of dollars, has forced
many companies to go fabless over the years. As this trend
consolidates, design companies rely on external, untrusted
foundries for cost-effective access to advanced technology
nodes. Due to the lack of any monitoring in this scenario,
the trust in the Integrated Circuit (IC) supply chain has been
called into question [3].
To enable trust in the supply chain, several design-for-security
(DFS) techniques were developed such as logic locking,
split manufacturing, IC metering, camouflaging, etc. [3].
Among these techniques, logic locking is perceived as a holistic
solution due to its ability to protect against a rogue element
at any stage in the supply chain. Logic locking involves the
insertion of key gates in the circuit, obfuscating the functionality
based on a secret key known only to the designers. The
success of logic locking in protecting a circuit relies on how
well the secret key can be protected. Early attempts at breaking
logic locking include sensitization attack [4], test data mining
attack [5], etc., by retrieving the secret key. However, later
a lethal Boolean satisfiability (SAT) based attack completely
undermined the security of the existing locking techniques [6].
The post-SAT era saw the research community embarking
on two separate directions. On the one hand, several SAT-
resilient locking techniques were proposed [7], [8], [9], [10],
[11]. However, these techniques suffer from various structural
vulnerabilities that were eventually exploited to break
them [12], [13], [14], [15], [16], [17], [18]. Further, all
SAT-resilient techniques suffer from low corruptibility/error
rate, still allowing an attacker to approximately recover a
circuit [19].
On the other hand, attempts at thwarting SAT attack focused
on restricting unauthorized scan access. This branches down to
either obfuscating the scan chains [20], [21], or blocking the
scan chain access entirely [22], [23], [24]. In [20], Karmakar
et al. proposed obfuscating the stimuli and test patterns by
inserting key gates into the scan chain. Nevertheless, it was
broken by Alrahis et al. by transforming the locked scan chains
into a combinational circuit, and thereby launching the well-
known SAT attack against it [25]. Recently, a cost-effective
robust design-for-security (DFS) architecture was proposed
to protect the key of a logic-locked circuit while enabling
secure test and debug operations, where a new secure scan
cell design, called secure cell (SC), was introduced [22].¹ The
logic locking key is held in the SCs securely and its leakage
is prevented by blocking the scan read-out operations upon a
switch from functional to test mode, thereby, thwarting all the
attacks that require scan access. Further, they also block scan
read-out in the functional mode, restricting chip response to
be observed only at the primary outputs.
Contribution. The robust DFS architecture has tremendous
potential for thwarting all the existing logic locking attacks,
as it blocks scan read-out access. In this work, we propose
a shift-and-leak attack to break a circuit secured through this
important defense. The attack does not require access to scan
read-out; it rather observes the chip responses through chip
pin-outs and is applicable even in the restricted scan access
setting. Thus, our proposed attack can be contrasted with all
the existing attacks, which cannot be launched against the DFS
architecture. The contributions of this work are as follows.
• We propose a new shift-and-leak attack that first judiciously
moves the circuit from the capture state (which
protects the key as per the design of DFS architecture)
into a key-leaking state by leveraging shift operations.
The attack framework utilizes synthesis and automatic
test pattern generation (ATPG) tools to leak key bits one
at a time.
• We propose a pre-processing step to boost our shift-and-leak
attack. This involves launching a SAT attack in a
restricted scan access setting.
• Our experimental results show that on average, our attack
can retrieve almost all the key bits (∼95%).
• We propose a countermeasure, mode switch shift disable
(MSSD), to thwart our proposed attack as well as existing
attacks, and give a rigorous security analysis comparing
against different attacks and defenses. As shown in Table I,
our proposed defense is resilient against all the
mentioned attacks including our proposed shift-and-leak
attack. Essentially, the proposed defense technique can
be utilized in conjunction with a basic SAT-vulnerable
but high-corruptibility logic locking technique to defend
against all existing attacks. Note that AppSAT [19] cannot
decompose these defenses in the absence of scan access.
• We achieve lower area overhead (on average 1.65%)
compared to DFS architecture (on average 5.15%). Test
coverage is observed to be almost the same for both the
proposed and DFS architectures.
¹ Throughout this paper, we will refer to this defense architecture as DFS.
© 2019 IEEE. This is the author’s version of the work. It is posted here for your personal use. Not for redistribution.
The definitive Version of Record is published in Proc. International Conference on Computer-Aided Design (ICCAD), 2019.
arXiv:1906.07806v1 [cs.CR] 18 Jun 2019
TABLE I: Comparison between defenses and attacks. ✓ means
the defense is resilient to the attack, and ✗ means the defense is
vulnerable to the attack.
Defense         | (App)SAT [6], [19] | Removal [13] | ScanSAT [25] | Shift&leak
----------------|--------------------|--------------|--------------|-----------
SSTC [24], [23] | ✓                  | ✗            | ✓            | ✓
EFF + RLL [20]  | ✓                  | ✓            | ✗            | ✓
DFS + SLL [22]  | ✓                  | ✓            | ✓            | ✗
MSSD + RLL      | ✓                  | ✓            | ✓            | ✓
II. BACKGROUND
The design-for-security (DFS) architecture, proposed
in [22], has two goals in mind: 1) protecting scan interface
of a logic locked circuit from unauthorized access to thwart
SAT, sensitization, etc. attacks on logic locking, and 2) yet
preserving the full testability and debug of the chip. The
architecture ensures no leakage of key bits through the use of
secure cells and blocked scan read-out, while supporting
structural/manufacturing tests, post-silicon validation and debug,
and full in-system test capability. Next, we briefly describe
the architecture that is presented in [22].
Architecture. The key component is a new scan cell, called
a secure cell (SC); one instance of SC is added to the design
for each key bit. The SCs are stitched together with regular
scan cells (RCs). As illustrated in Fig. 1(a), the key gate K is
driven by the SC holding the correct key bit. SC supports three
modes of operation: M0, M1, and M2, determined by two
select signals, namely, Test and scan enable (SE). The working
of the three modes is shown in Table II. Mode M0 denotes the
functional mode; the SC captures the correct key bit coming
from the tamper-proof memory. In M1, the SC is bypassed,
retaining its content, while the RCs shift or capture based on
the value of SE. Finally, in mode M2, the SC becomes a part
of the scan chain along with the other RCs; the key bits inside
the SCs are overwritten by the shifted stimuli (consisting
of dummy key bits) and responses, enabling structural tests
securely.
Fig. 1: (a) Secure Cell (SC) design. (b) Architecture with restricted
scan access. SRB stands for scan read-out block. Scan read-out is
blocked whenever Test signal is low or has a positive transition. Scan
load has no restrictions. Source: [22].
Apart from the above three modes, an integral part of this
architecture is that the scan read-out is blocked upon a switch
from a mode where the key is held in the SCs, into a mode
that supports shift operation. More specifically, scan read-out
is blocked upon a positive transition on the Test pin or while
the Test signal is 0.
The overview of the architecture is presented in Fig. 1(b).
SIs and SOs indicate the scan inputs and outputs, respectively.
A masking unit with an array of OR gates blocks the scan read-
out operations as explained above. Stimulus shift-in through
scan inputs can still be performed without any restriction; this
capability is preserved in the DFS architecture to support test
and debug operations. We later show that our attack exploits
this capability.
Test/debug operations. Structural testing is performed (by
untrusted parties) by holding Test signal at 1; shift and capture
operations are performed in M2 and M1b, respectively, with
unrestricted scan access, but by loading dummy key bits into
SCs. Functional testing is performed by first loading the secret
key from the memory into SCs in M0, and then loading the
initial state into the RCs in M1a while holding the key value
in SCs. The response is then observed at the primary outputs
in M0.
Security properties. In [22], the authors claim that any
attack that aims at leaking the key bits through the scan
chains, such as SAT and sensitization attacks, is thwarted. The
underlying reason is that any mode transition that involves the
leakage of the secret key into the RCs triggers a scan read-out
block operation. Moreover, the authors recommend using
strong logic locking (SLL) [4], so as to prevent leakage of
key bits by any sensitization attack. This way, they secure
the mode that the circuit moves into right after the capture
operation; the key bits maximally interfere with each other in
the post-capture state. Figures 2(a) and 2(b) show how logic
locking can be applied standalone and in conjunction with
DFS, respectively.
TABLE II: The three modes of operation for the secure cell.
Test | SE | Mode | Description | Testing/Debugging
-----|----|------|-------------|------------------
0 | 0 | M0 | The chip is in functional mode. The secure cell captures and applies key to the logic. | Functional testing.
0 | 1 | M1a | The secure cell holds its previous value. The rest of the circuit is in shift/functional mode depending on the SE value. | Shift (M1a) to support functional tests.
1 | 0 | M1b | The secure cell holds its previous value. The rest of the circuit is in shift/functional mode depending on the SE value. | Capture (M1b) to support structural tests.
1 | 1 | M2 | The secure cell becomes a part of the scan chain(s). | Shift in/shift out to support structural tests.
Fig. 2: Logic locking applied (a) standalone and (b) in conjunction
with DFS. Path shown in red is the key path; path shown in green
is the scan path. TPM is the tamper-proof memory where the key is
stored.
By manipulating the state through shift operations and
leveraging the fact that primary outputs can (and should) still
be observed on the chip pin-outs in the functional mode, our
attack can circumvent this defense.
III. PROPOSED ATTACK
In the DFS architecture, any unauthorized access to the scan
chain is restricted by the scan read-out block. This naturally
raises the question: is it possible to launch an attack even in
the scan read-out block setting?
In this section, we answer the above question affirmatively,
where we present an attack on the robust DFS architecture;
our approach is to leak key bits through the primary outputs
(POs) of a working chip even with the restricted scan access.
Threat model. Note that our attack is performed assuming
the traditional threat model for logic locking [6], [4], where:
1) The attacker has all the structural information from a
reverse-engineered locked netlist, including the knowledge
of the secure cells, but is missing the correct key
bit values, and
2) The attacker has access to a working chip that embeds
the correct key in its secure memory. Note that our
attack is carried out with scan read-out block, which is a
departure from the traditional setting where the attacker
has unrestricted access to scan chains.
A. Shift-and-leak attack
1) Idea: As per the architecture, key gates are driven by
the secure cells (SCs) containing the key, which are stitched
together with regular cells (RCs) into scan chains. The attack
first identifies scan cells (mainly RCs but sometimes SCs as
well) that can leak information onto a primary output; we call
such cells leaky cells (LCs). The secret key bit in an SC is
moved into an LC via shift operations (the shift part of
Shift-and-Leak) for as many cycles as the scan distance between
the SC and the LC.² The LC is then propagated to one of the
primary outputs through the combinational logic (the leak part
of Shift-and-Leak). For this, a leak condition needs to hold;
the content of the scan chains should fulfill the leak condition
during that clock cycle.
2) Methodology: The challenge lies in applying the attack
in the scan read-out block setting. As the scan read-out is
blocked in the M1a mode and upon a switch from M0 to
M2, the authors of [22] argue that the content of the SCs
cannot be leaked. However, the architecture still allows for the
scan load in an unrestricted manner to support test and debug
operations. Furthermore, the primary output ports of the chip
are still observable.³ The attack is launched as follows.
1) Identify LC candidates by extracting the combinational
fan-in cones of POs.
2) Insert a stuck-at-fault at the chosen LC candidate.
3) Run automatic test pattern generation (ATPG) tool to
observe this fault with all SCs set to unknown x’s during
this process. The ATPG tool returns a test pattern, if it
can identify one. This pattern is the leak condition that
the scan chain content must meet to leak LC onto a
PO. If the ATPG tool cannot identify a test pattern, then
rule out this candidate as an LC and target another LC
candidate; repeat steps 2 and 3.
4) Boot the chip in M0 to load the secret key in the SCs.
5) Let d denote the scan distance between the SC and the
LC. Now, change the mode to M1a and start shifting the
d-bit reverse-shifted version of the leak condition into
the scan chains while SCs hold their values.⁴
6) Post M1a, switch to M2, and the SCs become part of
the scan chain. Now, perform a d-bit shift to have the
leak condition formed in the scan chains, while the target
key bit in the SC gets shifted to LC.
7) Lastly, clocklessly switch to M0 and observe the PO to
leak the content of the LC, i.e., the target key bit.
Fig. 3: Flow chart for our methodology. (a) Pre-processing and (b)
Shift-and-leak attack.
² Scan distance is the difference in the position of two scan cells in a scan
chain.
³ As will be explained later in more detail, our attack can bypass the
boundary scan cells that normally control and observe the logic that drives
the POs; we simply perform a clock-less switch from M1a back to M0,
i.e., the functional mode, where the primary output ports are driven by the
combinational logic directly.
The methodology is shown in Fig. 3(b). We start from the
LCs at the rightmost position in the scan chain as they can
leak the highest number of SCs. This process is reiterated for
all the scan chains in the design.
Example. Consider the example shown in Fig. 4. The
combinational fan-in cone of the primary output out0 includes
five RCs (in2, in3, in4, in5, and in6), out of which we
identify in5 as the LC. Using an ATPG tool, we insert a stuck-
at-fault at the output of this LC and obtain the leak condition
(in4 = 1 and in6 = 0) required to propagate this value to out0.
From Fig. 4, we observe that SC is of scan distance 2 to the
LC; d = 2. Next, we boot the chip in M0 and load the secret
key from the secure memory into the SC. Then, we switch to
M1a and load in the RCs the two-bit reverse-shifted version
of the leak condition, while SCs hold their values; post M1a,
in3 should be 1 and in4 should be 0. Now, we switch to
M2 and perform a two-bit shift such that the leak condition
reaches the correct RCs and SC reaches the LC; in4 becomes
1, in6 becomes 0, and in5 holds the key bit. Finally, we make
a clockless switch to M0 to leak the LC content to out0.
The same LC can be re-used to retrieve the content of other
SCs in the same scan chain to the left of LC; the process
above is repeated but with a different d value this time.
Fig. 4: Example of a shift-and-leak attack on the DFS architecture.
in5 is LC, which can be propagated to the output out0 by setting two
other bits in the scan chain (leak condition). The propagation path is
marked in red and indicated by the dashed line. Post-M1a content
required is a two-bit reverse-shifted version of the leak condition as
d = 2. In M1a, SC is not a part of the scan chain and thus, retains
its content; in M2, SC becomes a part of the scan chain.
⁴ Attacker has access to the Test and SE pins, and hence, switching between
modes can easily be carried out.
3) Limitations: Identifying viable LCs may become challenging
if the fan-in cones of the primary outputs include a
large number of SCs. As they contain unknown key bits, the
ATPG tool may fail to find a leak condition for an LC candidate
in the presence of many SCs, limiting the number of viable
LCs, and thus, the attack success as well. To circumvent this
issue, we propose a pre-processing step that is described in
the next section.
B. Pre-process: Deciphering leaky secure cells
1) Idea: We can directly retrieve the content (key bits)
of a group of SCs that are in the fan-in cone of a PO. This
logic cone can be treated as a locked combinational circuit, on
which SAT attack [6] can be applied without relying on scan-out
reads. SAT attack can then produce distinguishing input
patterns (DIPs) that need to be loaded in the scan chains in
M1a mode; as the secret key held in SCs is overwritten with
the stimulus in M2 mode, our attack rather relies on the shift
operations in M1a mode. The working chip used as an oracle
is only accessed on the PO under consideration; the scan-out
ports are ignored. The response on the PO is used to eliminate
incorrect keys that correspond to the group of SCs in the fan-in
cone. DIP generation and key elimination are repeated until
the correct key is found.
Fig. 5: The fan-in cone of the PO consists of three SCs as three key
inputs and one RC as a primary input. Identifying a leak condition for
three unknown input values is challenging. Hence, the pre-processing
step uses a SAT tool and tries to resolve these SCs prior to the
shift-and-leak attack.
2) Methodology: We follow a similar strategy to the previous
attack where we exploit the primary output ports of the
chip that are always observable. The attack is launched as
follows.
1) Extract the fan-in cones of the POs.
2) Obtain the DIP from the SAT tool.
3) Boot the IC in M0 mode, where SCs capture the secret
key.
4) Switch to M1a to shift in the DIP obtained from the
SAT tool into the RCs, while SCs retain their content,
i.e., the secret key.
5) Clocklessly switch to M0 to obtain the response at the
POs of the circuit. Feed the PO values to the SAT attack
tool for key elimination, and go to step 2.
The complete methodology is depicted in the flowchart in
Fig. 3(a).
Example. Consider the combinational circuit controlled by
three SCs and one RC, as shown in Fig. 5. These three SCs
are part of the 128 SCs holding the complete key. Identifying
a leak condition is challenging with three unknowns in a four-
input circuit. However, we can obtain the values of these
SCs using the SAT tool. Once these values are identified in
the pre-processing step, we launch our shift-and-leak attack
which successfully leaks the content of the remaining SCs as
discussed earlier.
Hence, the presence of SCs in the fan-in cone no longer
poses any problem for the ATPG tool, as the content of these
otherwise problematic SCs is already deciphered in the pre-
processing phase.
IV. PROPOSED COUNTERMEASURE
A. Idea
In our shift-and-leak attack, we exploit the M1a mode,
made available in the DFS architecture. This mode was only
used during the functional testing of the chip, but it was useful
to shift-in the known patterns to apply our attack. Now, in
order to thwart the proposed attack, it only makes sense to
block the shift-in operation in M1a mode.
With such a defense in place, RCs can no longer be
controlled to desired (leak condition or DIP) values, effectively
becoming no different than SCs that have unknown content.
The proposed shift-and-leak attack that used to be able to
resolve only SCs will then have to resolve both RCs and
SCs. Only the primary output fan-in cones that are mainly
controlled by primary inputs and very few RCs and SCs
will possibly reveal some information about the key, but that
would be quite rare in typical designs. We revisit this point
quantitatively in Section V.
Fig. 6: Mode switch shift disable (MSSD) countermeasure to prevent
the proposed shift-and-leak attack. (a) When the Test pin is 0 or
undergoes a positive transition, the output of the NOR gate goes low,
and therefore, shift disable (SD) pin goes low. (b) SD pin instead of
the SE pin controls the scan MUXes. During a positive transition on
the Test pin, or when the Test pin is low, SD will become 0, thereby
disabling the shift operation in the RCs and SCs.
B. Architecture
Figure 6 shows the new secure architecture, mode switch
shift disable (MSSD), which blocks all the shift operations
when Test pin is not asserted (Test = 0) or when there is a
positive transition on the Test pin (M0 → M1b or M0 →
M2). We assume 10 inverters in the delay unit, and the DFF
sets to 0 on reset.⁵ After reset, when Test=1, the output of the
single inverter will be 0. As the output of DFF will also be
0, the NOR output will go high, thereby, shift disable (SD)
signal will follow the SE pin. The SC will now either be in
M1b mode or in M2 mode.
In Table III, we see NOR output and SD signal values for
four cases where Test and SE can take on different values.
When Test = 1, we observe that SD follows SE. This is correct
only when the Test pin is high during power ON. However,
when there is a positive transition on the Test pin or when
the Test signal is low, NOR output goes low, and hence SD
becomes 0, thereby restricting the shift operation. To conclude,
we block the shift operation on both the SCs and RCs in M1a
mode. There is no longer a mode where SCs can be bypassed,
retaining their values, while RCs can be loaded/unloaded.
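The Fig. 4 walk-through of Section III and the shift-disable behaviour of Table III can be replayed side by side on a toy model; this is an added example, not the authors' tooling or netlists. The cell order, the out0 cone and the sticky handling of a low or rising Test pin are assumptions made for illustration, and functional capture in the RCs is not modelled.

```python
# Constructed toy model of the Fig. 4 scenario. The cell order, the out0 logic
# and the sticky "Test was low or rose" flag are assumptions, not taken from [22].
CHAIN = ["in2", "in3", "SC", "in4", "in5", "in6"]  # scan-in -> scan-out order


def out0(state):
    """Assumed PO cone: with in4 = 1 and in6 = 0, out0 equals in5 (the LC)."""
    return (state["in4"] & state["in5"]) | state["in6"]


class Chip:
    def __init__(self, key_bit, mssd=False, test=0, se=0):
        self._key = key_bit                  # content of the tamper-proof memory
        self.mssd = mssd                     # False: DFS of [22]; True: MSSD
        self.state = {c: 0 for c in CHAIN}   # all flops reset to 0
        self.test, self.se = test, se
        # True only while Test has been 1 continuously since power-on.
        self.test_clean = test == 1

    def set_mode(self, test, se):
        """Drive the Test and SE pins; no clock edge is applied."""
        self.test, self.se = test, se
        self.test_clean = self.test_clean and test == 1

    def shift_enabled(self):
        if self.mssd:                        # SD = SE AND NOR output (Table III)
            return bool(self.se and self.test_clean)
        return bool(self.se)                 # DFS: scan load is unrestricted

    def clock(self, scan_in=0):
        """Apply one clock edge; return the bit visible on the scan-out pin."""
        last = self.state[CHAIN[-1]]
        if self.test == 0 and self.se == 0:  # M0: the SC captures the key
            self.state["SC"] = self._key
        elif self.shift_enabled():
            # M2 shifts every cell; in M1a the SC is bypassed and holds.
            cells = CHAIN if self.test else [c for c in CHAIN if c != "SC"]
            prev = scan_in
            for c in cells:
                self.state[c], prev = prev, self.state[c]
        # In every other case the RCs would capture functional data; the model
        # simply holds them. Scan read-out block: masked SO pins read as 1.
        return last if self.test_clean else 1


def run_fig4_sequence(chip, d=2):
    """Steps 4-7 of the methodology for d = 2; returns (out0, scan-out bits)."""
    so = []
    chip.set_mode(test=0, se=0)              # M0: load the key into the SC
    so.append(chip.clock())
    chip.set_mode(test=0, se=1)              # M1a: SC holds, RCs are loaded
    for bit in [0, 0, 0, 1, 0]:              # leaves in3 = 1 and in4 = 0
        so.append(chip.clock(bit))
    chip.set_mode(test=1, se=1)              # M2: SC joins the chain
    for _ in range(d):
        so.append(chip.clock(0))
    chip.set_mode(test=0, se=0)              # clockless switch back to M0
    return out0(chip.state), so


if __name__ == "__main__":
    for mssd in (False, True):
        for key in (0, 1):
            po, so = run_fig4_sequence(Chip(key, mssd=mssd))
            print(f"mssd={mssd} key={key} out0={po} scan_out={so}")
```

In the DFS runs out0 tracks the key bit although every scan-out bit is masked; in the MSSD runs out0 is the same for both key values because no shift takes effect once Test has been low.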
C. Test/debug operations
M1a mode was used earlier for functional testing or in-field
testing. We now have to analyze the impact of our MSSD
defense on these tests. For functional or in-field testing, we
may need to bring the circuit to a known state and check
its response. Earlier, this was made possible in mode M1a,
where the SCs hold the correct key, and the test pattern is
shifted in the RCs to bring the circuit to a known state. Now,
by restricting the shift operation in M1a, we are creating
hindrance in the functional testing of the chip. To solve this
issue, we create a workaround by utilizing other modes.
TABLE III: Shift disable (SD) values for different modes.
Mode | Test | SE | NOR | SD
-----|------|----|-----|---
M0   | 0    | 0  | 0   | 0
M1a  | 0    | 1  | 0   | 0
M1b  | 1    | 0  | 1   | 0
M2   | 1    | 1  | 1   | 1
⁵ All the flip flops set to 0 on reset, unless otherwise mentioned.
As we no longer have the M1a mode, we rely on mode
M2 to load the desired initial state into the RCs. The problem,
however, is that the shift operations in M2 mode overwrite
the SC content. A proper functional test requires that we bring
the actual secret key from the tamper-proof memory into the
SCs, which can only be done in mode M0, but that would
overwrite the content of the RCs (initial state) as well. We
thus use clock gating in M0 to suppress the first clock pulse
feeding the RCs; this way, SCs are updated with the secret key
while RCs maintain the desired initial state loaded in mode
M2 prior to M0. Then in the next clock cycle, we resume the
clock feeding these RCs which now operate in the presence
of the correct key value. Figure 7(a) explains how the clock
is gated for one cycle for RCs, while the correct key is being
loaded in the SCs. The clock gating (CG) circuit senses the
switch from mode M2 to M0, and delays the clock feeding
the RCs for one cycle; the clock feeding the SCs is untouched.
Figure 7(b) shows the internal structure of the CG circuit and
is explained in detail below. Figure 7(c) shows the clock clk
and the gated clock gclk signals along with the modes.
Clock gating. After reset, both D1 and D2 are set to 1,
therefore, the gclk signal follows the clk signal. When the
circuit is in M2 mode, the output of the NOR gate becomes
0, and hence, the output of the OR gate becomes 1. Thus, the
output of D2 remains 1 and gclk signal follows clk signal.
Now, when the mode is changed to M0, the output of the
NOR gate becomes 1, therefore the output of the OR gate
becomes 0 until D1 is updated. This OR output gets latched
on to D2 when the clock signal is low. Hence, for one clock
cycle, gclk goes low, as expected. After one clock cycle, the
output of D1 is updated, and the OR output goes high again.
Thus, gclk follows the clk signal once again. Further, when
the circuit is booted in any mode, gclk follows the clk signal.
Although we block the shift operation on the SI pin in mode
M1a, our defense, just like DFS, allows a debugger (without
the knowledge of the correct key) to perform functional testing
by observing the POs without any significant loss of coverage.⁶
Further, if the debugger is trusted and knows the correct key,
then s/he can directly load this key along with the pattern in
mode M2 and capture its response in mode M1b, as in the
DFS technique.
⁶ On average, we observed 0.03% loss in test coverage w.r.t. the original
design.
Fig. 7: (a) Architecture for gclk signal using clock gating (CG)
circuitry. (b) The internal structure of the CG circuitry. D1 is a DFF
which sets to 1 on reset, and D2 is a latch with a negative enable
signal which also sets to 1 on reset. (c) Waveforms showing clk going
to SCs and gclk going to RCs, along with the modes.
D. Security comparison
Upon unveiling and fixing the vulnerability of the robust
DFS architecture, we now enable a scan access restriction
based solution, MSSD, which when used with a very basic
logic locking solution (say, Random Logic Locking (RLL)
[26]), provides protection against all logic locking attacks.
This would in turn deliver a much more comprehensive protection
against not only scan attacks but also reverse engineering,
IP piracy, Trojan insertion, etc.
The techniques in [23], [24] aim at protecting the scan
access into the crypto cores based on a weaker threat model
that assumes access to a working chip only; however, they
are easily breakable in the threat model defined in this and
all other logic locking papers where the locked netlist is also
assumed to be available to an attacker.
Prior logic locking defenses are either vulnerable to the SAT
attack or fall short in delivering sufficient output corruption
(e.g., [9], [27], [8]), and thus are vulnerable to attacks such as
AppSAT [19].
Robust DFS in [22] is vulnerable to our shift-and-leak
attack; thus, it cannot protect the scan access of a logic-locked
circuit. Our defense, on the contrary, disables both scan-in and
scan-out access, preventing an attacker from launching any
logic locking attack (e.g., SAT, AppSAT, etc.) that requires
generating and applying input-output pairs by relying on scan
access.
V. EXPERIMENTAL RESULTS
For our attack, we analyzed eight different IWLS 2005
benchmarks [28] for five scan chain configurations, locked
via DFS using 128 key bits. Note that we apply strong logic
locking [4] to lock these circuits as recommended by the
authors [22]. Further, for our proposed defense, we implemented
shift-blocking and CG circuitry from Figs. 6(a) and
7(b) respectively, on six benchmarks to obtain secure locked
netlists.⁷ All the experiments have been carried out on a 128-
core Intel Xeon processor running at 2.2 GHz with 256 GB
of RAM, using Synopsys Design Compiler v16, Tetramax
v16, and VCS v17 tools along with the 32nm SAED32 EDK
Generic Library [29].
A. Attack results
1) Pre-processing: Although the DFS technique claims to
thwart the SAT attack by blocking scan read-out access, we
still leverage the primary outputs to leak valuable information
about the secret key. The attack results are shown in Table IV.
Note that as the success of pre-processing is dictated by
the underlying structure of the locked circuit, it could only
recover a few key bits for s35932, s38417, and s38584,
and none for b17, b18, and b19 benchmarks. However, it
could recover 47 and 120 key bits for s13207 and s15850,
respectively (irrespective of the scan chain configuration, i.e.,
the number of scan chains). For these two designs, the fan-
in cones of the primary output ports contain a large number
of SCs, i.e., 47 and 120, respectively, thereby allowing SAT
solvers to directly access these key bits from the POs and
decipher them. Further, test compressor and decompressor
have no effect on our attack since we leverage primary outputs
to leak the keys.
Run-time. We present the run-time for pre-processing
which consists of creating the combinational fan-in cones of
the primary outputs of the circuit using the Synopsys Design
Compiler tool and running the SAT solver. For all the cases,
the analysis time is minimal, taking around one hundred
seconds even for large designs (>10K gates) such as s38584.
2) Shift-and-leak attack: After pre-processing, we launch
our shift-and-leak attack, whose results are presented in Table IV
as well. On average, it recovers ∼95% of the key bits,
sometimes reaching up to 100%, completely undermining the
security of the DFS architecture. The remaining key bits, if
any, can be easily recovered via a brute-force attack.
Effect of the number of scan chains. Unlike the pre-processing
step, the success of the shift-and-leak attack depends
on the number of scan chains. For a larger number
of scan chains, we see a monotonic decrease in the attack
success. This can be attributed to the fact that the identified
LCs can leak the content of a smaller number of SCs from
their shorter scan chains. For example, there is a sharp drop in
the number of deciphered key bits for b17 with sixteen scan
chains. However, we observe that for s15850 we recover
the complete key even for sixteen scan chains. This is mainly
because we had deciphered most of the secure cells in the
pre-processing step and those became the LCs to leak the rest
of the key bits.

7 We consider the same benchmarks mentioned in [22] for uniform comparison.

TABLE IV: Results of the pre-processing step and shift-and-leak
attack launched on eight different IWLS-2005 benchmarks locked
with a 128-bit key for different scan chain configurations: number of
key bits recovered and analysis run-time.

            Pre-process             Shift-and-leak
            Key bits    Run-time    Key bits recovered, by #scan chains    Run-time
Benchmark   recovered   (secs)      1      2      4      8      16         (secs)
s13207      47          28          128    128    128    122    101        17
s15850      120         36          128    128    128    128    128        22
s35932      3           146         127    127    127    127    100        124
s38417      3           120         128    128    128    128    80         117
s38584      8           83          128    128    128    128    115        87
b17         0           -           127    127    127    127    36         178
b18         0           -           126    126    126    126    126        1183
b19         0           -           127    127    127    127    127        4301

Run-time. The run-time is dominated by the process of
identifying LCs along with their leak conditions by executing
the Tetramax tool. As can be seen from Table IV, the attack
takes only around 72 minutes even for the b19 benchmark
which has >100K gates.
3) Attack analysis:
Is our attack successful on DFS? We are able to retrieve
at least 80 out of 128 key bits for 97.5% of the circuits. This
essentially leaves the attacker to decipher <48 key bits, which
can be simply achieved by applying a brute-force attack.8
Therefore, barring b17 (for sixteen scan chains configuration),
we can confidently consider most of the circuits (39 out of 40)
broken.

8 In today’s computational standards, a key size of at least 80 bits is
considered secure [30].

© 2019 IEEE. This is the author’s version of the work. It is posted here for your personal use. Not for redistribution.
The definitive Version of Record is published in Proc. International Conference on Computer-Aided Design (ICCAD), 2019.

Fig. 8: Boundary scan cell design. Our attack utilizes the path marked
in red when leaking the key value to a primary output in M0 mode.
Source: [31]

Scalability. Our attack terminates within a few minutes
even for large designs such as b19, which contains >100K
gates. Even for much larger circuits, we expect short attack
run-times as ATPG is executed for a single fault per LC;
to generate manufacturing test patterns for a chip, ATPG is
executed for millions of faults! Moreover, the success rate of
our shift-and-leak attack is independent of the design size. As
the identification of LCs and the associated leak conditions are
linked to the testability of the design, we can expect a better
success rate in highly testable designs.
Attack in the presence of boundary scan. The boundary
scan technique is used to control and observe the primary
output signal at the chip boundaries by placing shift-registers
adjacent to the chip pins. The boundary scan cell design is
shown in Fig. 8. Note that the presence of boundary scan cells
(which cannot be read-out) has no effect on the applicability
of our attack. Our attack includes a clock-less switch into
the functional (M0) mode, where the primary output must
be observable on the chip pin to allow for functional debug;
the signal path that enables our attack is illustrated (marked
in red) in Fig. 8.
Comparison with prior attacks. Previously, there has
been an attack launched on camouflaged sequential circuits
with restricted scan access [32]. To circumvent the blocked
scan access, El Massad et al. rely on model checker tools
to find discriminating input sequences that can be applied
through multiple capture cycles to observe the primary output.
However, their attack runs into scalability issues as it relies on
two sub-routines which are in PSPACE and NP. As a result,
their attack fails to terminate for fairly small designs such
as s5378 and s9234, which contain only a few thousand
gates. Recently, a faster sequential deobfuscation approach
was presented, which reduces the run-time of sequential SAT
attacks by two orders of magnitude [33]. However, their
approach takes around two hours to deobfuscate the s35932
benchmark; our attack takes only 10 minutes to leak 127 key
bits. Table V shows the attack success rate and average time
taken by [32], [33], and our shift-and-leak attack for various
circuits [28]. Further, our attack takes less time to break
larger circuits than what previous techniques take to break
smaller circuits. While the scalability of the prior approaches
is questionable, our attack can be applied in a straightforward
manner by running the ATPG tool to generate a single pattern
(leak condition) per LC without any scalability issues.
TABLE V: Comparison between [32], [33], and our shift-and-leak
attack in terms of time taken (in seconds) to recover the whole key.
Time taken for our attack includes the pre-processing step as well.
Results for the larger circuits were not provided by the previous
techniques, hinting at scalability issues.

            Capacity     Time taken (secs)
Benchmark   (# Gates)    NuSMV [32]   nuXmv [33]   Int [33]   Proposed
s15850      9772         -            -            54         58
s35932      16065        -            8268         3885       270
b17         32326        -            -            -          178
b18         114621       -            -            -          1183
b19         231320       -            -            -          4301

B. Defense results
Our proposed architecture consists of shift-blocking and CG
circuitry to thwart the shift-and-leak attack and yet enables
functional testing. We computed area overhead for DFS and
MSSD with respect to original designs, for identical timing
constraints. We also computed test coverage for the original,
DFS, and proposed designs.
Security analysis. When our MSSD defense is applied with
RLL, we observe that no key bits are recovered when the
shift-and-leak attack is applied on it, as shown in Table VI
column 8. As we restrict the shifting of scan patterns in M1a,
the shift-and-leak attack recovers no key bits, irrespective of
benchmarks and scan configurations. As expected, there are
no PO fan-in cones in these benchmark circuits that are fed
by mainly PIs and only a few RCs and SCs, resulting in no
viable LCs.
Area overhead. Area overhead for six benchmarks for
DFS and MSSD is presented in Table VI, columns 3 and
6. Most of the area overhead comes from the secure cell
components. On average, we obtain ∼5.15% area overhead for
the DFS technique and ∼1.65% for our proposed technique.
As observed, our proposed technique has lower area overhead
than DFS; our method implements only one instance of CG
circuitry in place of a series of scan read blocking OR gates
that the DFS architecture uses. Further, we observe that our
proposed design has a lower area than the original design
for benchmarks b18 and b19. This is because the Synopsys
Design Compiler tool optimizes the circuit with the added
gates.
Test coverage. Test coverage is calculated when the chip is
in test mode, and hence the clock signal is implicitly tested.
On average, we observe that the test coverage of the DFS and our
proposed architectures is almost the same (∼99.88%) and
only 0.03% less than that of the original design.

TABLE VI: Area overhead along with test coverage comparison between original, DFS, and MSSD designs for identical timing constraints.
Number of key bits (out of 128) recovered in DFS and MSSD architectures are presented for a single scan chain (best case scenario for the
attack). We re-synthesized the DFS designs in our setup for uniform comparison.

            Original    DFS                                  Proposed (MSSD)
            Test        Area        Test        Key bits     Area        Test        Key bits
            coverage    overhead    coverage    recovered    overhead    coverage    recovered
Benchmark   (%)         (%)         (%)                      (%)         (%)
s35932      100         6.98        100         127          3.01        100         0
s38417      100         7.73        100         128          3.74        100         0
s38584      100         9.07        100         128          5.48        100         0
b17         99.91       4.78        99.72       127          1.49        99.69       0
b18         99.77       1.38        99.78       126          -1.34       99.77       0
b19         99.8        0.97        99.78       127          -2.51       99.79       0

VI. CONCLUSION
A cost-effective robust DFS technique presented in [22]
aims at thwarting all existing logic locking attacks, including
the powerful SAT attack, by restricting the scan access.
In this work, we propose an attack that exploits the offered
capabilities in leaking the key bits despite the restricted scan
access. Our technique first identifies leaky cells and then uses
the shift-and-leak attack to leak the key values to primary
output ports. We demonstrated our attack on eight different
IWLS-2005 benchmarks for five scan chain configurations.
On average ∼95% of the key bits are leaked, and 100% in
most cases. To thwart this attack, we propose a defense, which
maintains the same testability as the DFS architecture but
with lower area, while delivering resilience against all other
attacks. We compared our attack and defense with prior works
and showed how we significantly advance the state of the art
through our novel attack and defense. A comprehensive set
of attacks ranging from scan attacks to reverse engineering,
IP piracy, and Trojan insertion can all be thwarted by our
defense.
REFERENCES
[1] Chipworks, “Reverse Engineering Software,” http://www.chipworks.com/en/technical-competitive-analysis/resources/reerse-engineering-software, 2016.
[2] U. Guin et al., “Counterfeit integrated circuits: detection, avoidance, and
the challenges ahead,” Journal of Electronic Testing, vol. 30, no. 1, pp.
9–23, 2014.
[3] M. Rostami et al., “A primer on hardware security: Models, methods,
and metrics,” Proceedings of the IEEE, vol. 102, no. 8, pp. 1283–1295,
2014.
[4] J. Rajendran et al., “Security analysis of logic obfuscation,” in DAC.
ACM, 2012, pp. 83–89.
[5] M. Yasin et al., “Activation of logic encrypted chips: Pre-test or post-
test?” in DATE. IEEE, 2016, pp. 139–144.
[6] P. Subramanyan et al., “Evaluating the security of logic encryption
algorithms,” in HOST. IEEE, 2015, pp. 137–143.
[7] M. Yasin et al., “SARLock: SAT attack resistant logic locking,” in
HOST. IEEE, 2016, pp. 236–241.
[8] Y. Xie and A. Srivastava, “Anti-sat: Mitigating sat attack on logic
locking,” TCAD, vol. 38, no. 2, pp. 199–207, 2019.
[9] A. Sengupta et al., “ATPG-based cost-effective, secure logic locking,”
in VTS. IEEE, 2018, pp. 1–6.
[10] Y. Xie and A. Srivastava, “Delay locking: Security enhancement of logic
locking against ic counterfeiting and overproduction,” in DAC. ACM,
2017, p. 9.
[11] K. Shamsi et al., “Cyclic obfuscation for creating sat-unresolvable
circuits,” in GLSVLSI. ACM, 2017, pp. 173–178.
[12] X. Xu et al., “Novel bypass attack and BDD-based tradeoff analysis
against all known logic locking attacks,” in CHES. Springer, 2017, pp.
189–210.
[13] M. Yasin et al., “Removal attacks on logic locking and camouflaging
techniques,” TETC, 2017.
[14] D. Sirone and P. Subramanyan, “Functional Analysis Attacks on Logic
Locking,” arXiv preprint arXiv:1811.12088, 2018.
[15] A. Chakraborty et al., “TimingSAT: timing profile embedded SAT
attack,” in ICCAD. ACM, 2018, p. 6.
[16] K. Z. Azar et al., “SMT Attack: Next Generation Attack on Obfuscated
Circuits with Capabilities and Performance Beyond the SAT Attacks,”
CHES, pp. 97–122, 2019.
[17] H. Zhou et al., “CycSAT: SAT-based attack on cyclic logic encryptions,”
in ICCAD. IEEE Press, 2017, pp. 49–56.
[18] F. Yang et al., “Stripped Functionality Logic Locking with Hamming
Distance Based Restore Unit (SFLL-hd)–Unlocked,” TIFS, 2019.
[19] K. Shamsi et al., “AppSAT: Approximately deobfuscating integrated
circuits,” in HOST. IEEE, 2017, pp. 95–100.
[20] R. Karmakar et al., “Encrypt Flip-Flop: A Novel Logic Encryption
Technique For Sequential Circuits,” arXiv preprint arXiv:1801.04961,
2018.
[21] X. Wang et al., “Secure scan and test using obfuscation throughout
supply chain,” TCAD, vol. 37, no. 9, pp. 1867–1880, 2018.
[22] U. Guin et al., “Robust Design-for-Security Architecture for Enabling
Trust in IC Manufacturing and Test,” TVLSI, vol. 26, no. 5, pp. 818–830,
2018.
[23] W. Wang et al., “A Secure DFT Architecture Protecting Crypto Chips
Against Scan-Based Attacks,” IEEE Access, vol. 7, pp. 22 206–22 213,
2019.
[24] S. Ahlawat et al., “Preventing scan-based side-channel attacks through
key masking,” in DFT. IEEE, 2017, pp. 1–4.
[25] L. Alrahis et al., “ScanSAT: Unlocking Obfuscated Scan Chains,” in
ASP-DAC. ACM, 2019, pp. 352–357.
[26] J. A. Roy et al., “Ending piracy of integrated circuits,” Computer,
vol. 43, no. 10, pp. 30–38, 2010.
[27] M. Yasin et al., “Provably-secure logic locking: From theory to practice,”
in ACM CCS, 2017, pp. 1601–1618.
[28] C. Albrecht, “IWLS 2005 benchmarks,” in International Workshop for
Logic Synthesis (IWLS), 2005, p. 9.
[29] Synopsys, “32/28 nm Generic Library for Teaching IC
Design.” https://www.synopsys.com/community/university-program/teaching-resources.html, 2017.
[30] N. Smart, “ECRYPT II Yearly Report on Algorithms and Keysizes
(2011-2012),” 2012.
[31] IEEE, IEEE Standard Test Access Port and Boundary-scan Architecture:
Approved February 15, 1990, IEEE Standards Board; Approved June 17,
1990, American National Standards Institute. IEEE, 1990.
[32] M. El Massad et al., “Reverse engineering camouflaged sequential
circuits without scan access,” in ICCAD. IEEE, 2017, pp. 33–40.
[33] K. Shamsi et al., “KC2: Key-Condition Crunching for Fast Sequential
Circuit Deobfuscation,” in DATE. IEEE, 2019, pp. 534–539.
