DLockout: A Design Lockout Technique for Key Obfuscated RTL IP Designs by Islam, Sheikh Ariful et al.
ar
X
iv
:2
00
1.
01
07
1v
1 
 [c
s.C
R]
  4
 Ja
n 2
02
0
IEEE Copyright Notice
c©2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any
current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new
collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Accepted to be Published in: Proceedings of the 2019 5th IEEE International Symposium on Smart
Electronic Systems (IEEE-iSES), Dec. 16-18, 2019, Rourkela, India.
DLockout: A Design Lockout Technique for Key
Obfuscated RTL IP Designs
Sheikh Ariful Islam, Love Kumar Sah and Srinivas Katkoori
Department of Computer Science and Engineering
University of South Florida
Tampa, FL 33620
Email: {sheikhariful, lsah, katkoori}@mail.usf.edu
Abstract—Intellectual Property (IP) infringement including
piracy and over production have emerged as significant threats in
the semiconductor supply chain. Key based obfuscation techniques
(i.e., logic locking) are widely applied to secure legacy IP from such
attacks. However, the fundamental question remains open whether
an attacker is allowed an exponential amount of time to seek correct
key or could it be useful to lock out the design in a non-destructive
manner after several incorrect attempts. In this paper, we address
this question with a robust design lockout technique. Specifically,
we perform comparisons on obfuscation logic output that reflects
the condition (correct or incorrect) of the applied key without
changing the system behaviour. The proposed approach, when
combined with key obfuscation (logic locking) technique, increases
the difficulty of reverse engineering key obfuscated RTL module.
We provide security evaluation of DLockout against three common
side channel attacks followed by a quantitative assessment of the
resilience. We conducted a set of experiments on four datapath
intensive IPs and one crypto core for three different key lengths
(32-, 64-, and 128-bit) under typical design corner. On average,
DLockout incurs negligible area, power, and delay overheads.
I. INTRODUCTION
In recent decades, horizontal IC business model and vertical
disintegration of the design have proven themselves to manu-
facturing and testing of fabless design houses’ IP/IC in foreign
foundries [1]. This trend becomes attractive for a system integra-
tor to integrate Commercial Off the Shelf (COTS) components
to meet a strict requirement for time to market. In the heart of
this design ecosystem, original IP owners face several security
challenges. Frequent IP handover in the supply chain could
pose the IP to be vulnerable to unauthorized duplication and
piracy. Reverse engineering is commonly employed to execute
the variants of IP theft. To reduce the risk of IP theft, the promise
of obfuscation transforms the original IP into an equivalent
design with a greater barrier to uncover functional semantics
without the correct key.
The use of hardware obfuscation approaches [2], [3] in recent
years is becoming common practice to protect the legacy RTL IP.
These approaches perform transformations to the original FSM
by embedding additional states and depending on key value,
they control modes of operation. At the same time, state-of-the-
art obfuscation methods have been found to protect only RTL
Hardware Description Language and lacks flexibility in securing
both the datapath and controller of an RTL design. Furthermore,
existing obfuscation solutions at RT-level incur substantial per-
formance overhead while building the security into hardware.
Despite the major objective of key-based obfuscation or logic
locking, one important question remains unanswered: is the
brute-force attempt something that can be complemented with
early locking out the design for finite but incorrect attempts?
Motivated by the software IP licensing scheme, we present a
low-cost lockable obfuscation framework, DLockout, for hard-
ware IP. In software regime, a software owner favors a user
(attacker) to a finite number of attempts for legal use of the
software. After a finite number of incorrect tries, the user is
requested to provide another form of verification to regain
access to locked software IP. We do this in obfuscated RTL
IP by embedding comparators (XORs) to the obfuscation logic
(MUXes) in non-critical paths. Following that, we introduce a
counter to be compared with a preset threshold. This threshold
determines to what extent (number of attempts) the (in)correct
key can be applied. For each incorrect key retrieval attempt, the
counter value is incremented and when it reaches the threshold,
obfuscated IP is locked out. We then introduce a checker FSM in
obfuscated datapath that signals the controller during the lockout
to enter into a blackhole state. It ensures that all accesses to the
design by the legitimate users are valid as long as the correct key
is applied, thus maintaining the design for security. The design
lockout approach runs together with the original functionality
of the design and requires minimal changes in the obfuscated
RTL IP. To the best of our knowledge, DLockout is the first
comprehensive technique that enhances traditional key hardware
obfuscation with lockout mechanism. In summary, the novelty
of DLockout includes: (i) no storage of the key within the
obfuscated design; (ii) stealthy key propagation and comparison
through non-critical path(s); and (iii) minimal modifications
to an existing obfuscated RTL design with lightweight, low-
overhead comparators and checker FSM.
The remainder of the paper is organized as follows. Section II
reviews the necessary background and previous RTL obfuscation
schemes. Section III presents the attack model followed by
proposed DLockout architecture in Section IV. We provide the
security evaluations and experimental results in Section V and
VI respectively. Section VII concludes the paper.
II. BACKGROUND AND RELATED WORK
In this section, we review state-of-the-art literature on key-
based hardware obfuscation and obfuscating transformations at
RTL against IP piracy. Mode-based RTL obfuscation has been
studied in [4]. The technique works by extending the bit-length
of host registers for appropriate mode selection with moderate
overhead. The authors in [5] constructed the Control Flow Graph
(CFG) of the RTL description from gate-level designs. In this
obfuscation model, extra decision nodes depending on boolean
computations of state elements are inserted. ObfusFlow [2]
performs the XOR operation to a subset of internal nodes with
an additional FSM. The Boosted Finite State Machine (BFSM)
[6] hardens the original FSM by additional states. The technique
powers up the design with additional states such that a random
unique block is entered before going into working mode else
blackhole state mode is entered. The authors in [7] utilized
mobility of input operands during HLS to increase stealthiness
of RTL obfuscation. Although the technique introduces the
obfuscation during the early design, it does not include the abuse
case when an attacker may want to retrieve the key for a finite
number of times. The published RTL obfuscation works did not
consider key management block built in to prevent unauthorized
execution of RTL IP. We distinguish our work as follows: (a)
the key propagation is as stealthily as possible and locks out
the design for incorrect key when certain number of attempts
are made and (b) we provide the security evaluation of an RTL
design against state-of-the-art side channel analysis.
Input Operands with 
fixed and unknown key 
Incorrect attempts 
exceed threshold?
Design Lockout
Yes
Algorithm Description
(C,C++)
Obfuscated RTL Design 
(datapath + controller)
Insert DLockout 
Architecture
1. Find obfuscation points
2. Embed comparators
3. Embed checker FSM to
enable design lockout
Obfuscated RTL with 
DLockout
High-level Synthesis
No
Brute-force attack/
Key guessing attack
Fig. 1: DLockout integration in key obfuscated RTL design
III. THREAT MODEL
To reverse engineer the correct key, we assume an attacker
has access to a logic-level locked but flattened netlist and an
oracle black-box IC. We also assume that the design cannot
be subjected to sophisticated micro-probing attack (e.g. circuit
edit [8]). The published works in [9], [10] made the similar
assumptions for the threat model where the deobfuscation intent
was effective either on fully combinational or sequential design
at the gate-level. In addition, we assume that the attacker’s
objective is to reveal the key to enabling the true functionality
of the obfuscated RTL design. We also assume that the attacker
does not have access to internal nets except primary input(s) and
output(s). Under these assumptions, the adversary can apply any
input sequence, observe the output, and analyze the input-output
behavior.
IV. PROPOSED DLOCKOUT ARCHITECTURE
Our proposed technique, DLockout, in Fig. 1 defends against
counterfeiting and fights against reverse engineering aiming at
obtaining design data of IP. We ensure this by by embedding
comparators at the output of obfuscation logic after regular key
obfuscation is performed. As shown, it contains three major
steps for key verification. First, given a key obfuscated RTL
IP, the designer would incorporate DLockout using the method
proposed in Sections IV-A and IV-B. Secondly, an attacker (user)
during the post-synthesis stage of RTL in the supply chain would
apply regular input(s) and key bit(s) of a particular length. As
the extraction of the key is the most frequent target in any
obfuscation scheme, one can apply brute-force or intelligent key
inference techniques. A check between the allowed attempts
and the number of times (in)correct key applied will enable
or disable DLockout. Finally, when unsuccessful key extraction
trials end, the design is self-locked out permanently in a non-
destructive manner.
A. Design Lockout in RTL Datapath
DLockout relies on the observation that obfuscated RTL IP is
available after the designer performs scheduling, allocation, and
binding according to cost-speed trade-off during HLS [7], [11].
we follow the works in [7] to determine the place of insertion of
MUXes once the multiplexer based key at suitable obfuscation
points in an RTL datapath are performed. We then annotate
these obfuscating points with XORs to verify the applied key
are correct for the successful execution of the design. These
annotations are followed by a counter to ensure that the number
of the times the incorrect key can be applied does not exceed
the designer specified threshold, thus (semi)blocking the brute-
force approach. To ensure that an attacker would not utilize
“cold-reboot” to reset counter value and be benefited from
brute-force attempt, we assume the counter would be stored in
non-volatile storage. We augment the datapath with a 3-bit, 2-
input comparator. The annotated XORs’ output determines the
comparator output and introduces two variants (partial lockout
and full lockout) of DLockout architecture. Even though it is
possible for an attacker to find this regular structural pattern
(MUX with XOR) inside an obfuscated RTL netlist, it is not
possible to use this pattern to reveal the key. Moreover, attackers
cannot bypass the correct key enforcement as the existing
obfuscation logic is used during both regular operation and key
propagation for maximum flexibility and key interference during
datapath synthesis.
Fig. 2 shows the proposed modifications to Glushkovian
model of an obfuscated RTL design. Each obfuscation logic in
the datapath is annotated with a 2-input XOR. The output (=0)
of XOR determines the correctness of key bit to a multiplexer
selector input. The checker FSM would check all available
XORs’ output and increment the counter for any annotated XOR
output signal being equal to ‘1’. When such number of ‘1’s reach
the threshold for incorrect attempts, DLockout will be active in
place. Partial lockout is active when a wrong key is applied to the
obfuscation logic for the first time. Design_lockout determines
all allowed trials have been made. In both cases, an exception
will be raised and datapath will send out the output of the
checker FSM (dp_comp) to the controller.
B. Design Lockout in RTL Controller
We integrate DLockout architecture into the RTL controller
as shown in Fig. 3. We modify parts of state transitions to
make it difficult for the attacker to correctly reconstruct the
state transitions. The next state of the current state will change
dynamically depending on the key bit and dp_comp signal
from the obfuscated RTL datapath. So, the period in which
the modified controller is the same as the original controller
is during when the design starts execution (i.e. Reset is high).
After the primary input being latched into available registers and
key checking at the first control step (S1), the next state could
be the truly original state (S2) for correct key or it would revert
to initial state (S0) for partial lockout. In the design lockout
Primary Inputs
R
0
R
m
R
p
R
x
0
0
1
Checker
FSM
Next-state
logic
S
ta
te
 
R
e
g
iste
r
M
U
X
0
M
U
X
m
M
U
X
x
k0
km
kx
XOR0
XORm
XORx
Start
Finish
Clock
Reset
Datapath
Controller
Status Signals
Control Signals
A
LU
A
LU
constant allowed_attempts := <integer>
signal counter : std_logic_vector (2 downto 0);
signal dp_comp : std_logic_vector (2 downto 0); 
process (Dlockout)
 for I in 0 to allowed_attempts loop
 if (XOR0 = ”1" or ….or XORx = ”1") then
 counter <= counter + 1;
 if (dp_comp = “100”) then
 continue; -- partial lockout
 elsif (dp_comp = “001”) then
 design lockout;
 exit;
 end if;
 end if;
   end loop;
end process; 
Lockout Circuitry
dp_comp
Fig. 2: Glushkovian model of key obfuscated RTL design with design lockout circuitry
state enum (S0,S1,……,Sn);
process (curr_state, start)
begin
 case curr_state is
 when S0 =>
   next_state <= S1;
 when S1 =>      
 if (dp_comp = “100”) then
next_state <= S0 ;  -- partial lockout
   elseif (dp_comp = “001”):
next-state <= blackhole state; -- lockout
 else:
next_state <= S2;
…………………...
 when Sn =>
 next_state <= S0;
     end case;
end process;
Datapath 
(ALU, Register, MUXs,
XOR, Comparator etc.)
Controller
Status Signals
Control Signals
Start
Finish
Reset
S0
S1
S2
Sn
Clock
dp_comp
Blackhole 
state
Partial 
lockout
dp_comp
dp_comp
dp_comp
Fig. 3: RTL Controller with DLockout Architecture
phase, any true valid state is stripped from becoming the next
state and the controller would enter into a permanent blackhole
state as introduced. This adds more confusion to the attacker.
V. SECURITY EVALUATIONS
Power Analysis (PA) Attack: We provide a methodology
to mount simulated Differential Power Analysis (DPA) attack
on DLockout as follows. If the total number of switching bit
is p in a given q bit MUX, we can measure the correlation
coefficient,ro, between input data and dynamic power consump-
tion of an obfuscation logic.
r0 ≃
√
p
q
; p ≤ q (1)
Similarly, the relation between MTD (Measurements to Dis-
closure) and ro is given by:
MTD ∝
1
r2
0
(2)
If there are N control steps and M obfuscation logic are non-
uniformly distributed across N, Eqn. 2 will become:
MTD1 ≃
MN
r2
1
∗MTD0 ≃
MN
r2
1
∗
C
r2
0
(3)
where C is the success rate dependent constant [12] and r1 is
the correlation coefficient of the dynamic power consumption
between MUX and other RTL components. To de-correlate
power traces with the applied key, a random mask bit is XORed
with the key bit to implement key-independent MUX output as
shown in Fig. 5. In other words, MUX output exhibits the same
probability distribution independent of key and mask bit. The
KnÅMaskn
IncorrectCorrect
XORn
Fig. 5: Masked Obfuscation
logic with comparator
TABLE I: Truth Table of
Masked Obfuscation logic
Kn Maskn MUXn XORn
0 0 Correct 0
0 1 Incorrect 1
1 0 Incorrect 1
1 1 Correct 0
TABLE II: Operation of Error Detection Unit (EDU)
SAF at Multiplexer XOR Expected EDU Comment
XOR Output Output Output
0 0 (Correct) 0 0 Ineffective fault & lockout-free
0 1 (Incorrect) 1 1 Fault detected & lockout-free
1 0 (Correct) 0 1 Fault detected & lockout
1 1 (Incorrect) 1 0 Ineffective fault & lockout
XOR output is also uncorrelated to individual key and mask bit
as shown in Table I.
Fault Attack (FA): In DLockout, the comparators’ output
exhibits the highest sensitivity to deliberate fault injection. To
detect stuck-at-fault (SAF), we propose to incorporate an Error
Detection Unit (EDU) in the datapath that checks the output of
MUXs and XORs in Table II. Even with the incorrect key, the
lockout architecture is susceptible to FA when the SAF at XOR
is 0. For example, if an attacker owns n copies of the device
where the number of attempts is X for each copy, he can try
out different keys on each one. If each device is locked with
key bit of size m, still an attacker has to try 2m/(n ∗ (X − 1))
Obfuscation Area Overhead (typical-case)
32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b
 
0
5
10
Obfuscation (comparator-free)
Obfuscation (comparator)
Obfuscation (lockout)
Average Overhead
Ellip FFT FIR Latt Cam
Obfuscation Delay Overhead (typical-case)
32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b
 
0
5
10
15
Obfuscation (comparator-free)
Obfuscation (comparator)
Obfuscation (lockout)
Average Overhead
Ellip CamLattFFT FIR
Obfuscation Power Overhead (typical-case)
32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b
 
0
10
20
30
40
50
Obfuscation (comparator-free)
Obfuscation (comparator)
Obfuscation (lockout)
Average Overhead
Ellip FFT FIR Latt Cam
Total Number of Nets (typical-case)
32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b 32
b
64
b
12
8b
 
1
2
3
104
No Obfuscation
Obfuscation (comparator-free)
Obfuscation (comparator)
Obfuscation (lockout)
Ellip FFT FIR Latt Cam
(a) (b) (c) (d)
Fig. 4: Comparison of benchmark parameters for three key length in typical design corner
TABLE III: Number of traces to retrieve a single key in DPA
attack for key size(=32bit)
M N q p MTD0 r
2
1
MTD1
32
4 32
8 4 0.060 8533
16 2 0.028 9142
32 1 0.011 12800
5 32
8 4 0.055 11636
16 2 0.022 14545
32 1 0.009 17777
6 32
8 4 0.051 15058
16 2 0.020 19200
32 1 0.007 27428
M : key size; N : number of control steps; q: bit width of a MUX input; p:
number of bits that switch in a MUX input; C = 1.
trials for all copies. Here, during (X-1)th attempt, an attacker
would apply fault technique as crossing Xth trial would lead to
permanent locking.
Key Extraction Probability: If n and m denote the total
number of obfuscation logic and the key size respectively, the
probability of mapping a key from 2m combinations to n!
permutations of MUXs is given by:
P (m,n) =
1
n! ∗ 2m
(4)
If the total number of allowed attempt is X , the probability of
guessing the correct key bit at Kth attempt (K≤ X):
f(K,X,P (m,n)) =
(
X
K
)
∗ P (m,n) ∗ (1 − P (m,n)) (5)
VI. EXPERIMENTAL RESULTS
We evaluate DLockout performance with the gate-level sim-
ulations for target clock period of 10ns and three different key
length on four datapath intensive benchmarks (Elliptic, FFT,
FIR, and Lattice) and one crypto core (Camellia) [13]. Table
III lists the number of traces required to leak a single key in
Elliptic design. As we increase the control steps of a design
to meet latency requirement, we see a decreasing correlation
coefficient (r2
1
) resulting in higher MTD1. As more number of
bits (p) switch, the value of MTD0 decreases. However, it would
also increase the switching power excessively and may damage
the IP core before an attacker can retrieve the key. We report
the key extraction probability in a design lockout architecture in
Table IV. For finite control steps and larger key size, DLockout
provides a negligible probability that a key bit can be leaked and
it is independent of any RTL obfuscation technique and key size.
Across all benchmarks, we see an average area overhead in Fig.
4 increase from 1.50% to 7.78%. The average delay overhead
ranges in between 0.1% to 9.59%. With the increase in key
length, the number of nets increases as well in Fig. 4 (d) which
makes the probability of finding the nets responsible for key
propagation small.
VII. CONCLUSIONS
In this paper, we propose DLockout, that can provide an add-
on to the existing obfuscated RTL IP to increase the difficulty in
TABLE IV: Key extraction probability for three key length and
five attempts
(m,n) P (m,n) X K f(K,X, P (m,n))
(32,32) 0.08e-44 5
1 0.4e-44
2 0.8e-44
3 0.8e-44
4 0.4e-44
5 0.08e-44
(64,64) 0.43e-108 5
1 2.15e-108
2 4.3e-108
3 4.3e-108
4 2.15e-108
5 0.43e-108
(128,128) 0.07e-253 5
1 0.35e-253
2 0.7e-253
3 0.7e-253
4 0.35e-253
5 0.07e-253
m: key size; n: number of obfuscation logic; X: Allowed attempts; K:
Attempt index
reverse engineering. Once the number of key recovery attempts
exceeds the preset threshold, the design is self-locked out to
provide strong security guarantee against brute force attacks. In
future, we plan to extend the work to provide technique for
genuine user to recover after circuit locking. The effects of
DLockout architecture on design parameters are minimal and
modifications on DLockout architecture are presented against
side channel attacks.
REFERENCES
[1] R. Kumar. Simply fabless! IEEE Solid-State Circuits Magazine, 3(4):8–14,
Fall 2011.
[2] R. S. Chakraborty and S. Bhunia. Hardware protection and authentication
through netlist level obfuscation. In 2008 IEEE/ACM ICCAD, pages 674–
677, Nov 2008.
[3] A. R. Desai et. al. Interlocking Obfuscation for Anti-tamper Hardware.
CSIIRW ’13, pages 8:1–8:4, New York, NY, USA, 2013. ACM.
[4] R. S. Chakraborty and S. Bhunia. RTL Hardware IP Protection Using Key-
Based Control and Data Flow Obfuscation. VLSID ’10, pages 405–410,
Washington, DC, USA, 2010.
[5] R. S. Chakraborty and S. Bhunia. Security through obscurity: An approach
for protecting Register Transfer Level hardware IP. In 2009 IEEE HOST,
pages 96–99, July 2009.
[6] Y. M. Alkabani and F. Koushanfar. Active Hardware Metering for
Intellectual Property Protection and Security. In 16th USENIX Security
07, Boston, MA, 2007. USENIX Association.
[7] S. A. Islam and S. Katkoori. High-level synthesis of key based obfuscated
RTL datapaths. In 2018 ISQED, pages 407–412, March 2018.
[8] H. Wang et. al. Probing attacks on integrated circuits: Challenges and
research opportunities. IEEE Design Test, 34(5):63–71, Oct 2017.
[9] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri. Security analysis of
logic obfuscation. In DAC Design Automation Conference 2012, pages
83–89, June 2012.
[10] T. Meade, S. Zhang, and Y. Jin. Netlist reverse engineering for high-level
functionality reconstruction. In 2016 ASP-DAC, pages 655–660, Jan 2016.
[11] C. Pilato et. al. TaintHLS: High-Level Synthesis for Dynamic Information
Flow Tracking. IEEE TCAD, 38(5):798–808, May 2019.
[12] O. -. Standaert et. al. An Overview of Power Analysis Attacks Against
Field Programmable Gate Arrays. Proceedings of the IEEE, 94(2):383–
394, Feb 2006.
[13] OpenCores. https://opencores.org/.
