Logic Locking for Secure Outsourced Chip Fabrication: A New Attack and
  Provably Secure Defense Mechanism by Massad, Mohamed El et al.
Logic Locking for Secure Outsourced Chip Fabrication: A New Attack and
Provably Secure Defense Mechanism
Mohamed El Massad
New York University
Jun Zhang
New York University
Siddharth Garg
New York University
Mahesh V. Tripunitara
University of Waterloo
Abstract
Chip designers outsource chip fabrication to external
foundries, but at the risk of IP theft. Logic locking, a promis-
ing solution to mitigate this threat, adds extra logic gates (key
gates) and inputs (key bits) to the chip so that it functions cor-
rectly only when the correct key, known only to the designer
but not the foundry, is applied. In this paper, we identify a
new vulnerability in all existing logic locking schemes. Prior
attacks on logic locking have assumed that, in addition to the
design of the locked chip, the attacker has access to a work-
ing copy of the chip. Our attack does not require a working
copy and yet we successfully recover a significant fraction
of key bits from the design of the locked chip only. Empiri-
cally, we demonstrate the success of our attack on eight large
benchmark circuits from a benchmark suite that has been tai-
lored specifically for logic synthesis research, for two differ-
ent logic locking schemes. Then, to address this vulnerability,
we initiate the study of provably secure logic locking mech-
anisms. We formalize, for the first time to our knowledge,
a precise notion of security for logic locking. We establish
that any locking procedure that is secure under our definition
is guaranteed to counter our desynthesis attack, and all other
such known attacks. We then devise a new logic locking pro-
cedure, Meerkat, that guarantees that the locked chip reveals
no information about the key or the designer’s intended func-
tionality. A main insight behind Meerkat is that canonical
representations of boolean functionality via Reduced Ordered
Binary Decision Diagrams (ROBDDs) can be leveraged ef-
fectively to provide security. We analyze Meerkat with re-
gards to its security properties and the overhead it incurs. As
such, our work is a contribution to both the foundations and
practice of securing digital ICs.
1 Introduction
The cost of setting up a semiconductor foundry has been in-
creasing with technology scaling, and is currently upwards
of $5 billion [42] for cutting-edge fabrication. As a result,
many semiconductor design companies have adopted the fab-
less model (foundries are also referred to as a fabs), i.e., they
outsource integrated circuit (IC) fabrication to one of a few
large commercial semiconductor foundries, often located off-
shore. As per a recent study [30], four out of the top five
semiconductor foundries by volume are located outside the
United States. Most other countries either do not have a com-
mercial foundry on-shore, and others that do only have access
to low-end manufacturing technology.
The fabless model comes with the risk of compromising
the designer’s intellectual property (IP), i.e., the chip’s de-
sign details. When a designer outsources a chip for manu-
facturing, the foundry obtains full access to the chip’s layout
(effectively a blue-print of the chip), from which it can re-
cover its netlist (a network of interconnected Boolean logic
gates) and, as a result, its Boolean functionality [34]. The
foundry can then sell the designer’s IP to its competitors. If
the chip implements proprietary protocols or algorithms the
designer stands to lose her competitive advantage. In addi-
tion, the foundry can also manufacture and sell extra copies
of the chip in the black market. For these reasons, the risk
of IP theft has become a serious concern both for commercial
IC design companies, as well as for state actors like national
defense agencies.
Logic locking, a technique first introduced by Roy et
al. [29], is a promising solution to protect the designer’s IP
from theft by an untrusted foundry1. Logic locking works
by inserting additional gates, referred to as key gates, in a
netlist with side-inputs that are referred to as key bits. The key
bits are stored in a key register. The netlist functions as in-
tended only for a certain key (which we call the correct key),
and provides incorrect outputs otherwise. The correct key is
known to the designer but not to the foundry. The logic lock-
ing procedure proposed by Roy et al. inserts XOR/XNOR
gates at randomly chosen locations in the netlist, as shown in
Figure 1. Several other logic locking techniques have been
subsequently proposed [2, 8, 11, 22, 24, 25, 28], and are all
premised on the same basic idea.
Once a netlist is locked, it is sent to the foundry for fab-
1Logic locking has also been referred to as logic obfuscation [25] and
logic encryption [11, 24, 28] in literature. Following the lead of Roy et al.,
we will use the term logic locking in our work.
1
ar
X
iv
:1
70
3.
10
18
7v
1 
 [c
s.C
R]
  2
9 M
ar 
20
17
Fabrication 
Key Bits 
B 
C 
f
=
(
~
A
 
|
~
B
)
 
&
 
(
B
 
|
 
C
)
;
 
Synthesized Netlist 
Synthesis 
A 
B 
C 
K1 
K2 
Key Gates 
f 
Locking 
A 
Designer Designer Designer` 
Activation 
Foundry 
(Untrusted) 
A 
B 
C 
Key register 
K1 K2 
Correct Key 
 K1 = 1, K2 = 0 
 
A 
B 
C 
Key register 
1 0 
Secure Assets 
V
er
ilo
g 
D
es
cr
ip
tio
n 
Working Chip 
Locked Netlist Locked Chip 
Potentially Secure Assets 
Figure 1: The XOR-based logic locking scheme proposed by Roy et al. [29]. Assets in green boxes are assumed to be secure,
i.e., known only to the defender. The working chip can be either secure or available to the attacker depending on the threat
scenario.
rication. The foundry manufactures the locked netlist and
ships manufactured chips to the designer. The designer ac-
tivates chips by loading the correct key into each chip’s key
register2. To ensure that the correct key cannot be read out
by destructive chip imaging, the key register is assumed to
be implemented using read-proof memory [10]. Figure 1 de-
picts Roy et al.’s logic locking scheme, which they refer to as
EPIC, with an example (Section 2 has more details on EPIC).
Attacks on logic locking The security of logic locking is
premised on the foundry not knowing the correct key. How-
ever, El Massad et al. [12] and Subramanyan et al. [31] have
demonstrated that the correct key can be compromised if the
foundry obtains a previously manufactured version of the
chip from the market that has already been activated by the
designer with the correct key. In this attack scenario, the
foundry has two assets: (1) a locked netlist; and (2) a work-
ing chip, i.e., one activated with the correct key. Note that
the foundry cannot directly probe the working chip for the
correct key — recall the key is stored in read-proof memory
— but can observe the chip’s input/output (I/O) functional-
ity. [12] and [31] leverage the chip’s I/O functionality to re-
verse engineer the correct key using SAT-based inference al-
gorithms. Empirically, these attacks demonstrate that only a
relatively small number of I/O observations are required to
recover the correct key, even for netlists locked with up to
128 key bits. The proposed attacks are effective against a
wide range of logic locking techniques proposed in literature,
including those proposed in [29], [2], [25], [28] and [11].
Our work The existing attacks on logic locking make a
strong assumption on the attacker’s assets. That is, the at-
tacker is assumed to have access to a working copy of the
chip (one that is previously manufactured and activated by
the designer). However, in several important use-cases of
logic locking, it is impractical for the attacker to obtain such a
2We note that the protocol proposed by Roy et al. also protects against a
related threat, that of unauthorized over-building of the chip, using an addi-
tional key that is unique for every chip. Section 6 discusses the role of the
unique key in more detail.
working copy. For one, a foundry is unlikely to obtain work-
ing copies of chips manufactured for non-commercial pur-
poses, for instance chips manufactured for government agen-
cies. These cannot be purchased in the market. Second, even
for consumer electronics, a foundry cannot acquire working
copies of a chip that is being manufactured for the first time.
In fact, the first manufacturing run is exactly when a designer
might be most interested in protecting the chip’s IP using
logic locking.
This leads us to our motivating question: is logic lock-
ing secure when the attacker cannot acquire a working copy
of the chip? The implicit assumption in literature has been
that logic locking is indeed secure under this constrained (but
more practical) attack scenario. In fact, Roy et al. explicitly
assert this claim in their paper that “[a locked netlist alone]
gives no criterion to check for possible [keys]” [29]. Deriva-
tive schemes based on Roy et al.’s mechanism, including the
ones proposed in [24] and [28], implicitly inherit Roy et al.’s
claim of security.
Paper contributions Our first contribution is to demon-
strate that logic locking is less secure than previously thought.
Specifically, we refute the assertion in prior work that the the
locked netlist alone provides no information about the cor-
rect key by demonstrating a new attack that reverse engineers
a significant fraction of key bits with access to the locked
netlist only, and not a working chip copy, as assumed by prior
attacks. Our attack builds on the observation that all existing
logic locking mechanisms attempt to lock the chip after syn-
thesis only3. As it turns out, information about the intended
Boolean functionality is already embedded in the synthesized
netlist and can be extracted by our attack. We therefore refer
to our attack as a desynthesis attack.
The vulnerability exposed by the desynthesis attack moti-
vates our second contribution: in Section 4.1 we formulate
the first formal notion of security for logic locking. Our secu-
rity notion captures the requirement that the locked netlist not
3Synthesis is the process that “compiles” a behavioral chip description to
a hardware implementation, i.e., an optimized netlist of Boolean logic gates.
2
provide any information to the attacker about the correct key
(and, correspondingly, the designer’s intended functionality).
Finally, we propose Meerkat, a new logic locking mech-
anism that is provably secure under our notion of security.
Instead of treating security as an after-thought, i.e., locking
a synthesized netlist, Meerkat is a joint synthesis and logic
locking algorithm. Meerkat directly outputs a locked netlist
from a behavioural specification of the chip’s functionality.
The key idea behind Meerkat is to lock a canonical,
reduced-ordered binary decision diagram (ROBDD) repre-
sentation of the desired Boolean functionality instead of lock-
ing a synthesized netlist. Meerkat then synthesizes the locked
ROBDD into a locked netlist. The canonical nature of an
ROBDD representation allows us to prove that netlists locked
with Meerkat do not reveal any information about the correct
key. The overheads of Meerkat are moderate, especially in
light of the fact that Meerkat is the only logic locking tool
that provides formal security guarantees.
2 Logic Locking Background
To lay the groundwork for our attack and proposed defense
mechanism, we begin by describing existing logic locking
schemes using the EPIC protocol as an exemplar. Although
logic locking is described somewhat informally in prior work,
we adopt a more formal treatment of the topic for rigor and
clarity.
Preliminaries A (combinational) Boolean function f : X→
Y where X = {0,1}n and Y = {0,1}m has n inputs and m
outputs. The function f can be implemented using a Boolean
netlist (or simply, netlist), C = {VC,EC}. C can be seen as
a directed acyclic graph in which each vertex corresponds to
a Boolean logic gate, one of the n inputs, or one of the m
outputs. We can think of C as a function as well, i.e., C: X →
Y such that for x ∈ {0,1}n, C(x) = f (x), where C(x) is the
output of the netlist for input x.
For a given Boolean function f : X → Y and a randomly
picked r-bit key k∗ ∈ K = {0,1}r, logic locking outputs a
netlist Clock : X ×K→ Y such that the following two require-
ments are satisfied:
1. Clock must agree with f on all inputs when k∗ (the correct
key) is applied, i.e.,
Clock(.,k∗) = f (.).
2. Clock must differ from f when a key other than the cor-
rect key is applied, i.e., for any key k 6= k∗,
Clock(.,k) 6= f (.).
That is, the netlist can only be unlocked with the correct
key. Note that, in theory, this requirement is satisfied
even if Clock differs from f on only one input for every
incorrect key. In practice, it might be desirable for Clock
to be substantially different from f for an incorrect key.
Rajendran et al. [24] quantify this property using a met-
ric, referred to as output corruptibility, that measures the
average fraction of inputs for which f differs from Clock
for any incorrect key. We report Meerkat’s output cor-
ruptibility in Section 5.
Note that neither of the two requirements above address the
security of the correct key itself. Indeed, there is no prior
work of which we are aware that articulates a precise notion
of security of the correct key in this context (other than an ab-
stract and unproven assertion that the locked netlist does not
reveal the correct key). This is one of our main contributions
(see Section 4).
The EPIC protocol We now describe the “Ending Piracy
of ICs” for logic locking (EPIC) protocol [29]. The first step
in EPIC, as in any conventional IC design process, is logic
synthesis.
A synthesis tool is a program that takes as input a Boolean
function f , and transforms it into a Boolean netlist, C, that im-
plements f . There may exist several netlists that implement
the function. Commercial synthesis tools attempt to output a
netlist that minimizes metrics such as power, delay and mea-
sures of area such as the gate count of the netlist. For exam-
ple, a synthesis tool that targets only the gate count metric
ideally outputs a netlist C that minimizes |VC|. We model the
synthesis tool as a function S where S( f ) =C.
EPIC’s locking procedure, LE , operates on the synthesized
netlist C, and the randomly generated r-bit key k∗, to pro-
duce a locked netlist Clock. That is, Clock = LE(C,k∗) =
LE(S( f ),k∗). As we discuss in Section 3, the manner in
which the locking procedure LE is composed with the syn-
thesis procedure S introduces a vulnerability.
EPIC’s locking procedure can be explained using the ex-
ample in Figure 1. The synthesized netlist in the figure is
locked with an r = 2 bit key, k∗ = 10. For each bit of the key,
EPIC selects either a wire or an inverter in C depending on
the value of the key bit. If the key bit is 0, EPIC selects a
wire; otherwise EPIC selects an inverter. The wire or inverter
is then replaced with an XOR gate, with the corresponding
bit of the key register as one of its inputs. Note that the EPIC
protocol adds both XOR and XNOR gates, the latter by com-
plementing the key value for which an inverter and wire are
selected.
In our example, as the first bit of the key is 1, EPIC picks an
inverter, i.e., the inverter that immediately follows the NAND
gate, and replaces the inverter with an XOR. The unconnected
input of the XOR gate is driven by the first key bit. As the
second key bit is 0, EPIC replaces the wire between the two
NOR gates with an XOR driven by the second key bit.
The functionality of the netlist remains unchanged when
the correct key is loaded into the key register. In our exam-
ple, if the correct key k∗ = 10 is applied, the first XOR gate
acts like an inverter while the second XOR gate acts like a
wire. Setting any key bit incorrectly causes a wire in the orig-
3
inal netlist to behave as an inverter, or vice-versa. Ideally,
this changes the functionality of the netlist, but the authors of
EPIC point out some pathological cases in which even incor-
rect keys result in correct functionality (in effect, because the
impact of two or more incorrect key bits cancels out).
Once a netlist has been locked, it is used as the basis for
all remaining steps in the design flow, such as gate placement
and wire routing. These steps are not pertinent to the security
of logic locking and are therefore omitted from Figure 1, as
well as the remainder of our discussions. The final result is a
chip layout file that is sent to the foundry for manufacturing.
The foundry manufactures the chip and ships the manufac-
tured parts to the designer, who can then activate the chips by
loading the correct key into the key register.
We note that like EPIC, all other logic locking schemes in
literature [2, 11, 25] first synthesize f to generate a netlist C
and then use different procedures to lock C.
3 Desynthesis Attack
In this section, we describe our new attack, the desynthesis
attack, on logic locking. We begin by describing our attack
scenario. Unlike previous attacks, we do not assume access to
a working copy of the chip (or, in general, to any I/O behav-
ioral information). We then illustrate the vulnerability that
our attack exploits using a simple example. Finally, we de-
scribe a concrete way that an attacker might make use of the
vulnerability.
3.1 Attack Scenario
The attacker in our scenario is a foundry that manufactures
a locked netlist, Clock. We assume that the foundry, as an
attacker, has access to: (a) the locked netlist, Clock, (b) knowl-
edge of which inputs in the netlist are regular inputs and
which are key bits, (c) knowledge of the synthesis tool, S,
that is used by the designer, and, (d) the locking procedure
that is used to generate Clock from C.
With regards to (a), the foundry obtains Clock by reverse-
engineering it from its layout, using a process called extrac-
tion. With regards to (b), the foundry can learn this separately
by exploiting implementation artifacts, for example, the key
bits are either read from read-proof memory or, in the full
EPIC protocol, are outputs of a decryption module. Regular
inputs, on the other hand, connect to chip I/O. With regards
to (c) and (d), we note that Kerchoffs’s principle [21] is rele-
vant in this context. It states that, “a (crypto)system should be
secure even if everything about the system, except the key, is
public knowledge.” On (c), however, the designer may have
used a closed-source commercial logic synthesis tool. An op-
tion then is to weaken the attacker by assuming that she has
only black-box access to S by purchasing it from the market.
Indeed, our attack (see Section 3) only requires such a weaker
attacker to be practical.
However, when considering a defense mechanism (see
Section 4), we adopt the stronger attacker that has open ac-
cess to our locking and synthesis procedures.
When compared to prior work, we assume that the attacker
does not have access to an activated and working copy of the
chip. We discuss our rationale for this under “our work” in
Section 1. We assume also that the attacker (the foundry)
does not have any prior information about f . That is, from
the foundry’s perspective, all different 2r functions that Clock
implements are equally likely.
Attacker’s goal. Under the attack scenario above, the at-
tacker’s goal is to compromise the correct key k∗. Compro-
mise, in this context, means that she discovers several of the
key bits. An explicit assertion in prior work (see the quote
from Roy et al.’s paper in Section 1) is that with access to
Clock only, the attacker can do no better than randomly guess-
ing k∗. We show that, unfortunately, existing locking mech-
anisms fail to provide this property. Meerkat provably ad-
dresses this vulnerability.
3.2 The Vulnerability
We now illustrate the vulnerability that our attack exploits
using the logic locking example design from Figure 1. The
function that the designer wishes to implement is f = (A¯+
B¯).(B+C). The synthesized netlist C corresponds to the low-
est area implementation of f using a technology library that
comprises two-input NAND, NOR and NOT (inverter) gates.
(In this example, we assume that the synthesis procedure S
aims to minimize area, but this is not necessary for our attack
to succeed.) As described in Section 2, C is then locked with
k∗ = {1,0}.
Now suppose the attacker wants to check if some key k ∈K
is the correct key. The attacker can determine the Boolean
function fk = Clock(.,k) that the locked netlist implements
with key k. For example, say k = 00. As shown in Figure 2,
the Boolean function corresponding to this key is f00 = A.B.
The attacker can now ask: could the locking procedure ap-
plied on f00 = A.B produce Clock?
As the first step in EPIC is synthesis, the attacker synthe-
sizes f00 = A.B. (Recall, from the previous section, that the
attacker has at least black-box access to the defender’s syn-
thesis procedure). Figure 2 shows the resulting synthesized
netlist, C00 = S( f00).
This netlist only has two gates — a NAND gate and an
inverter. Locking this netlist can introduce at most two ad-
ditional gates; the new gates must be either XOR or XNOR
gates. On the other hand, Clock has two NOR gates. There is
no way to lock C00 using the EPIC locking mechanism that
would result in Clock. The attacker can therefore eliminate
k = 00 as the correct key. Using similar reasoning, the at-
tacker eliminates k = 11 and k = 01 as correct keys.
In the example, the Boolean function that corresponds to
k = 01 is f01 = 0, a wire. And an attacker may use this as
a basis for eliminating k = 01 as a possibility, as a wire is
4
Figure 2: An illustration of the desynthesis attack on the
locked netlist from Figure 1.
unlikely to have been the designer’s intent. This is certainly
plausible. In our attack that we discuss in the next section, we
do not require such a priori knowledge.
Practical challenges The preceding example illustrates the
strength of desynthesis attacks, albeit in the idealized setting
that the attacker is able to brute-force the key. Implement-
ing this attack in a real-world setting introduces some chal-
lenges. (1) An attacker cannot exhaustively search over all
keys for large key sizes. And, (2) commercial synthesis tools
are imperfect. For the same f , the output of the synthesis tool
can depend on the manner in which f is described. Further-
more, existing synthesis tools are heuristic in nature — they
do not guarantee an optimal solution, for example, a netlist
with the lowest area, delay or power. We now discuss a prac-
tical desynthesis attack procedure that addresses these chal-
lenges.
3.3 Implementation of Desynthesis Attack
We now describe the implementation of our desynthesis at-
tack. The attack aims to find a k that results in a re-
synthesized netlist, Ck = S( fk), that is the most “similar” to
the locked netlist Clock (minus its key gates).
Because an exhaustive search for k∗ is computationally in-
feasible, we instead adopt a greedy search heuristic. We start
with a random guess for k∗, and we iteratively improve upon
the guess by exploring the immediate neighborhood of keys
that are one Hamming distance away from the current guess.
From this set of neighboring keys, we pick the one that results
in a re-synthesized netlist most similar to Clock. The itera-
tions terminate when all re-synthesized netlists in the neigh-
borhood of the current guess are less similar to Clock than
the re-synthesized netlist corresponding to the current guess.
To better explore the key space, we perform the local search
multiple times, each time starting with a different initial key
guess.
The description so far has assumed a metric to quantify
similarity (or, more precisely, dis-similarity) between netlists.
Measures of similarity between graphs have been studied
widely in literature [13]. However, many of these measures,
for instance graph edit-distance, are expensive to compute.
We found, empirically, that the following simple measure of
dis-similarity, ∆, not only works well in practice but is also
easy to compute. Specifically,
∆(C1,C2) =
l
∑
i=1
(ngi [C1]−ngi [C2])2
where C1 and C2 are the two netlists to be compared,
{g1, . . . ,gl} is the set of gate types in the standard cell li-
brary4, and nG[C] is the number of gates of type G in netlist
C.
Algorithm 1 describes our desynthesis attack. In Lines (1)–
(2) of the algorithm, we count the number of key bits in Clock,
and set abs min, a variable that holds smallest dis-similarity
value found so far, to a very large value, and in the “foreach”
loop, we perform a local search for the key that minimizes the
dis-similarity measure between the re-synthesized netlist and
Clock.
Inputs: (1) A locked netlist Clock, and, (2) restarts, the num-
ber of restarts for the local search.
Output: A guess for the correct key, k∗, that was used to
generate Clock.
1 r← number of key bits in Clock
2 abs min← ∞
3 foreach i from 1 to restarts do
4 k0← random r-bit string
5 while true do
6 k1← argmink:ham(k,k0)≤1∆
(
Clock,S
(
fk
))
7 if k1 = k0 then break
8 else k0← k1
9 min← ∆
(
Clock,S
(
fk1
))
10 if min < abs min then
11 best guess← k1
12 abs min← min
13 return best guess
Algorithm 1: Desynthesis Attack
Effectiveness of desynthesis attack While we defer a
comprehensive analysis of the results of our desynthesis at-
tack to Section 5, we plot in Figure 3 the results of our attack
on the styr benchmark from the MCNC benchmark set [41].
The benchmark is synthesized using the ABC synthesis tool,
and the netlist is locked using EPIC, with 32- and 64-bit keys.
4The library of Boolean logic gates the synthesis tool is allowed to pick
from
5
 0
 5
 10
 15
 20
 25
 30
 0  4  8  12  16  20  24  28  32
Fr
eq
ue
nc
y
# correctly deduced key bits
Desynthesis attack (32-bit key)
Random guess (32-bit key)
(a) Results for 32-bit key
 0
 5
 10
 15
 20
 25
 30
 0  8  16  24  32  40  48  56  64
Fr
eq
ue
nc
y
# correctly deduced key bits
Desynthesis attack (64-bit key)
Random guess (64-bit key)
(b) Results for 64-bit key
Figure 3: Attack results for styr benchmark from the MCNC benchmark suite.
Each histogram shows the number of bits of the correct key
that we correctly recover over 100 experiments (we select
the correct key and the locations of key gates independently
at random in each experiment). Also shown, for compari-
son, are histograms of the number of key bits that an attacker
would correctly guess if indeed the EPIC locking procedure
were as secure as claimed (recall that the claim is that the
locked netlist provides “no criteria” to guess the key bits).
Note that in every experiment, the desynthesis attack recov-
ered more than half the key bits correctly. On average, the
desynthesis attack recovers 23 (and up to 29) and 47 (and up
to 59) key bits correctly for 32- and 64-bit keys, respectively.
Based on these results, it is clear that the locked netlist
does indeed leak information about the designer’s correct key,
pointing to the insecurity of EPIC. In Section 5 we perform
statistical hypothesis tests of this assertion against the null hy-
pothesis, i.e., that the key and locked netlist are independent.
We also report results on a larger set of benchmark circuits,
two different synthesis tools and two different locking proce-
dures.
4 Provably Secure Logic Locking
We now discuss Meerkat, a new logic synthesis and locking
procedure that is provably secure in our attack scenario. We
begin by formalizing a notion of security for logic locking and
then describe Meerkat, a candidate logic locking procedure
that is provably secure under this notion of security.
4.1 Formal Notion of Security for Logic Lock-
ing
In this section, we describe a formal a notion of security for
logic locking under the threat scenario discussed in Section 3.
We re-iterate that, to the best of our knowledge, this is the
first time that a formal security definition has been proposed
for logic locking.
To begin, we generalize the definition of a logic locking
procedure, L, from Section 2. Recall that L was previously
defined to take a synthesized netlist as input, a vulnerability
that we exploited in our desynthesis attack. We generalize L
to take a Boolean function f as input, along with a designer’s
chosen key k∗. Second, we explicitly model non-determinism
in the locking procedure. We say that Pr[L( f ,k∗) =Clock] is
the probability thatL outputs locked netlist Clock ∈Clock with
inputs f and k∗.
We define the notion of security as follows.
Definition 1. A locking procedure L is secure for (family of)
function classes {Fr}r=1,2,... if the following condition holds
for every function f ∈ Fr , key k∗ ∈ {0,1}r and locked netlist
Clock ∈ Clock output by L for inputs f and k∗:
P[L( f ,k∗) =Clock] = P[L( fk,k) =Clock]∀k ∈ {0,1}r : k 6= k∗,
where fk = Clock(.,k) is the Boolean function that Clock im-
plements for (incorrect) key k. Note that by definition of a
locking procedure, fk is necessarily different from f , for all
k 6= k∗.
Proposition 1. If L is a secure locking procedure, then for
every function f , key k∗ and locked netlist Clock ∈Clock output
by L for inputs f and k∗:
fk1 6= fk2 ∀k1 6= k2,
where fk = Clock(.,k) is the Boolean function that Clock im-
plements for key k.
Proof. The proof for when k1 = k∗ follows from the definition
of a locking procedure. For k1 6= k∗, by definition of security,
it follows that Clock ∈ L( fk1 ,k1). Clock(.,k2) = fk2 must then
be different from fk1 , again, by definition of a correct locking
procedure.
Intuitively, Definition 1 can be understood as follows.
A locked netlist Clock implements a family of 2r different
Boolean functions (Proposition 1), i.e., function fk for each
key k ∈ K. Definition 1 guarantees that any function fk in
that family is as likely to have produced Clock (when fk is
locked with key k) as the correct function f = fk∗ locked with
correct key k∗. Thus, Clock itself provides no criteria on which
to distinguish an incorrect function from the correct one, i.e.,
6
it reveals no information about the correct function or the
correct key.
Note that in the special case that L is a deterministic pro-
cedure, Definition 1 simply says that each function fk when
locked with key k ∈ K should yield the same Clock.
The following remarks shed further light on our notion of
security.
Remark 1. A locking procedure that satisfies the security
notion in Definition 1 is immune to the de-synthesis attack.
As discussed above, any of the functions that Clock imple-
ments are equally likely to have produced Clock, providing the
attacker no criteria to distinguish between these functions.
(Note that immunity to the desynthesis attack is guaranteed
even for computationally unbounded attackers.)
Remark 2. Our attack scenario (see Section 3) assumes that
an attacker has no prior information (equivalently, a prior
distribution) on the function, f , that the designer intends to
implement. The security notion in Definition 1 does not pro-
tect against a (stronger) attacker who has such information,
specifically, one who has access to a non-uniform prior dis-
tribution on the chip’s intended functionality. For the sake of
argument, assume that the attacker’s prior distribution is con-
centrated on a single function f — here, the attacker knows
in advance exactly the function the designer intends to im-
plement. No locking scheme is secure in this (admittedly ex-
treme) setting. Provably secure logic locking under more gen-
eral prior distributions on the designer’s intended functional-
ity remains an open question.
Remark 3. Implicit in Definition 1 is invariance to the man-
ner in which the function f is described5. That is, an at-
tacker cannot exploit prior knowledge about the way in which
Boolean functionality is typically described to defeat logic
locking procedures that are secure as per Definition 1. In
fact, this is a vulnerability that our desynthesis attack exploits
— existing logic locking procedures operate on parsimonious
descriptions of Boolean functionality, i.e., synthesized netlist.
In addition to addressing this vulnerability, our security no-
tion buys immunity against attacks that exploit properties of
human-generated code (coding styles, for example).
4.2 Meerkat
We now describe Meerkat, the first logic locking scheme that
is provably secure as per Definition 1, and therefore guaran-
tees that the locked netlist does not reveal any information
about the correct key (see Section 3 for more details on the
attack scenario). Central to Meerkat are reduced ordered bi-
nary decision diagrams (ROBDDs) — canonical representa-
tions of Boolean functionality first introduced in a landmark
paper by Bryant [4]. ROBDDs have found wide applicability
in several areas of hardware design, particularly in the area
5The same function f can be described in a multitude of ways, for ex-
ample as a truth table, a netlist, or behavioral hardware description language
(HDL) code.
of formal verification [5,6], but have now largely been super-
seded by SAT/SMT solvers in industry. Meerkat revives the
use of ROBDDs in the hardware security context. We begin
our description of Meerkat with a short ROBDD primer.
4.2.1 An ROBDD Primer
An ROBDD is a special case of a binary decision diagram
(BDD), a data structure that allows a Boolean function to be
evaluated as essentially a branching program. All but the ter-
minal nodes of a BDD correspond to Boolean variables, and
each has two children — a high-child and a low-child. For
a given assignment of variables, a function can be evaluated
starting from the root, and branching to the high-child if the
corresponding variable is 1 and to the low-child otherwise.
This continues till a terminal node, either a 0 or a 1 is reached.
Bryant’s key observation was that if (a) certain reduction
rules are followed to ensure that there are no redundant nodes
in a BDD, and (b) variables in any path from root to a termi-
nal node only occur in a fixed order, then the resulting BDD,
called an R(educed)O(rdered)BDD, is a canonical represen-
tation of Boolean functionality. Importantly, Bryant observed
that ROBDD representations for many Boolean functions of
practical interest are compact, unlike other canonical repre-
sentations like truth tables (although ROBDDs can be expo-
nentially sized in the worst case.) As an example, an ROBDD
for representing the function f = x¯1x¯2x¯3 + x1x2 + x2x3 is
shown in Figure 4a.
More formally, an ROBDD for function f : X → {0,1} is
a rooted directed acyclic graph, G, with two sets of nodes:
a set of decision nodes, D, and two terminal nodes, 0 and
1. The ROBDD has three associated functions. Functions
hi : D→D∪{0}∪{1} and lo : D→D∪{0}∪{1} return the
high-child and low-child of each node, respectively. Function
var : D→ X returns the variable associated with each node.
Each node d ∈D implements a Boolean function fd which
can be expressed as follows:
fd = var(d) fhi(d)+ var(d) flo(d).
The terminal nodes implement f1 = 1 and f0 = 0, and the root
node implements f .
4.2.2 Meerkat Procedure
We now describe Meerkat’s locking procedure. Starting
with a behavioral description f , Meerkat first constructs its
ROBDD, G. Then, Meerkat locks G with key k∗ to output an
new locked ROBDD, Glock, as follows.
For each bit of the r-bit key, Meerkat picks a node of the
ROBDD G uniformly at random. Say for the ith key bit, node
d ∈ D is picked. We now add two new key nodes to the G, pi
and qi with the following properties:
• var(pi) = var(qi) = k∗i, that is, the variable correspond-
ing to both nodes is the ith key bit.
7
x1
x2
1
x2
0
0
0
1
1 x3
0
x3
1
10 01
(a) ROBBDD of f = x¯1x¯2x¯3+x1x2+x2x3.
High (low) children shown using solid
(dashed) lines.
x1
K1
0
K1
1
x2
0
0
1
1
x2
K2
1
K2
0
0 1 1 0
x3
10
0
x3
11 0
01
(b) Locked ROBDD generated using correct key
k∗ = 10. New key nodes are shown in grey.
0
1
x1
1
0
K
1
1
0
K
1
0
1
0
1
x2
1
0
x2
1
0
f
1
0
x3
1
0
x3
1
0
1
0
0
1
0
1
K
2
1
0
K
2
1
0
1
0
(c) Netlist of MUXes that implements the locked
ROBDD.
Figure 4: Meerkat’s locking technique illustrated with an example. In the figures, the high and low children of a decision node
are discriminated by using a solid (dashed) line to draw the edge leading to the high (low) child.
• If k∗i = 1 then lo(pi) = lo(d), hi(pi) = hi(d) and
lo(qi) = hi(d), hi(qi) = lo(d). The high and low chil-
dren are reversed if ki = 0.
• lo(d)= pi and hi(d)= qi, that is, the low-child and high-
child of d are redirected to pi and qi, respectively.
There is one exception to this step. If there exists another
node d′ in G such that var(d′) = var(d), hi(d′) = lo(d) and
lo(d′) = hi(d) then d is discarded and a new node is selected.
d and d′ are referred to as complementary nodes. We will see
why this is required shortly. Figure 4b shows the result of
locking the ROBDD in Figure 4a with a 2-bit key, k∗ = 10.
Finally, the locked ROBDD, Glock can be synthesized into
a netlist Clock using specialized BDD synthesis tools like
BDS [40] and FDD [17]. Alternatively, any ROBDD (in fact
any BDD) can be implemented using a network of multiplex-
ers (MUXes) by replacing each node with a MUX, as shown
in Figure 4c. This MUX-only netlist can then be fed into any
standard synthesis tool (for further optimization) and outputs
the final locked netlist. The astute reader might wonder if the
use of a standard synthesis tool in the back-end compromises
security. The answer is no: a striking feature of Meerkat
is that it enables any functionality-preserving transformation
to be applied on Glock without compromising security at all
(more details in Theorem 1).
4.2.3 Security Analysis of Meerkat
We now prove that Meerkat’s locking procedure meets the
security criterion prescribed in Definition 1. To begin, let Gk
be the resulting BDD when key k ∈ K is “applied” to Glock,
i.e., the key nodes in Glock are eliminated as follows. Let di
be the node that was randomly selected during the ith iteration
of the locking procedure (corresponding to the ith bit of the
key). For each di,
• if ki = k∗i, then the high-child (resp. low-child) of di in
Glock is set to the high-child (resp. low-child) of di in G,
else
• if ki 6= k∗i, then the high-child (resp. low-child) of di in
Glock is set to the low-child (resp. high-child) of di in G.
That is, the BDD Gk can be obtained from ROBDD G by
flipping the high and low children of a subset of its vertices.
(If the distinction between edges pointing to high versus low
children is ignored, G and Gk are isomorphic.)
Note that the BDD Gk represents the function fk =
Clock(.,k) that results when key k is applied to the locked
netlist. We now show that: (1) Gk is indeed an ROBDD and
(2) fk is different from f = fk∗ for k 6= k∗.
Lemma 1. Gk is an ROBDD.
Proof. We prove this assertion using induction on the num-
ber of key bits. For a single key bit, node d1 in G is selected
and its high- and low-children flipped to yield Gk. The high-
and low-children of d1 cannot be isomorphic (or G would not
be be an ROBDD). Furthermore, as long as d does not have
a complementary node in G, no two nodes in Gk are isomor-
phic (or again G would not be an ROBDD). However, if d
has a complementary node in d′ in G, then d and d′ would be
isomorphic in Gk and therefore Gk would not be an ROBDD.
This is illustrated in Figure 5 with an example. However, in
this case d would not have been picked in the first place as this
is explicitly forbidden in the Meerkat procedure. The induc-
tive step proceeds along similar lines. Here, Gk is assumed to
8
Table 1: Performance of desynthesis attack on eight large benchmarks from the MCNC benchmark set. Numbers are average
number of key bits correctly recovered by attack for 100 runs on each benchmark.
Locking Scheme
EPIC Interference-based Locking
Number of Key Bits Number of Key Bits Number of Key Bits Number of Key Bits
32 64 32 64
Correctly Recovered Correctly Recovered Correctly Recovered Correctly Recovered
Min Max Avg. Time (s) Min Max Avg. Time (s) Min Max Avg. Time (s) Min Max Avg. Time (s)
dk16 18 28 23.42 599.09 36 54 43.56 1831.11 14 26 21.03 495.46 37 56 45.57 1624.08
planet1 17 27 20.76 852.18 37 51 44.03 2932.52 17 27 21.82 771.42 38 56 46.3 2970.52
planet 15 27 20.53 839.09 37 52 43.58 2892.06 16 28 21.65 779.91 38 52 45.78 3204.6
s1 16 27 21.89 675.5 37 52 45.5 2471.49 14 25 19.74 675.5 39 51 44.77 2815.19
sand 16 27 22.71 762.18 38 57 47.15 2762.83 15 28 23.46 794.23 36 54 47.1 3223.11
scf 16 28 22.24 1057.85 38 53 45.95 5061.97 14 25 21.23 885.64 33 52 44.1 3691.53
styr 16 29 23.51 685.96 40 59 47 2544.62 16 23 21.11 612.64 34 52 44.68 2474.07
tbk 14 27 21.43 938.56 33 50 42.25 2892.59 14 23 20.62 788.41 36 52 43.81 3304.9
Figure 5: An example of an ROBDD with complementary
nodes corresponding to the variable x2. One of the two nodes
is locked with k= 0. Applying the locked ROBDD with k= 1
results in BDD that is not reduced.
be an ROBDD for an i-bit key and the high- and low-children
of di+1 are flipped.
Lemma 2. The Boolean function fk corresponding to
ROBDD Gk is different from f = fk∗ for all k 6= k∗.
Proof. Gk is an ROBDD that is distinct from G since at least
one node in G has its high and low children swapped. Be-
cause ROBDDs are canonical, the corresponding functions
fk and f must also be distinct.
Lemma 2 guarantees that applying an incorrect key to the
locked netlist results in incorrect functionality.
Theorem 1. The Meerkat locking procedure satisfies the con-
dition for secure logic locking prescribed in Definition 1, for
the class of functions with more than r nodes in their BDD
that are not part of a complementary pair.
Proof. Let f and r-bit key k∗ be the input function to Meerkat.
The ROBDD of f is G. Let Dlock = {d1,d2, . . . ,dr} be the
subset of nodes in D picked by the locking procedure, and
Glock be the corresponding locked ROBDD. The probability
of outputting Glock is 1(|D|r )
. Note that, for ease of exposition,
we have assumed that G has no complementary nodes but the
proof easily extends to the more general setting.
For any key k 6= k∗, let Gk be the corresponding ROBDD
(as per Lemma 1), and fk be the Boolean function that Gk
represents. As we have seen, for each node in G there is a
corresponding node in Gk. For all i such that k∗i 6= ki, the high-
and low-children of node di ∈Dlock of G and Gk are swapped;
every other node in Gk has the same high- and low-children
as in G.
Now, when fk is locked with key k, the first step is
to construct its ROBDD, which is Gk. The set Dlock =
{d1,d2, . . . ,dr} is picked in iterations 1 through r of the lock-
ing procedure with probability 1
(|D|r )
. Finally, for any i for
which the high- and low-children children of di in Gk and G
are the same (resp. swapped), the key bits ki and k∗i are also
the same (resp. complementary). As a consequence, lock-
ing fk with key k produces Glock with the same probability as
locking f with key k∗.
The final step in Meerkat is to synthesize Glock to a locked
netlist Clock. But since locking fk with key k produces Glock
with the same probability as locking f with key k∗, the same
holds true for the locked netlist Clock (regardless of the syn-
thesis approach used).
5 Experimental Evaluation and Results
In this section, we report results that demonstrate the effec-
tiveness of our desynthesis attack and the area and delay
overheads of Meerkat compared to previously proposed logic
locking schemes.
Our results are presented on eight large benchmark netlists
from the MCNC benchmark suite [41], which was specifi-
cally tailored for logic synthesis research. All the benchmarks
we use are finite-state machines (FSMs) (more specifically,
the combinational logic part of the FSMs) taken from real-life
9
industrial chips. Note that the trade secrets of a chip designer
are usually in the control units of a chip’s design, which are
FSM-based [8].
5.1 Desynthesis Attack Results
To test the effectiveness of the desynthesis attack we imple-
mented two logic locking schemes from literature: EPIC [29]
and the interference-based locking (IBL) scheme proposed
by Rajendran et al. [25]. Both schemes use XOR/XNOR key
gates but differ in the way locations to insert key gates are
selected. ABC [32], an academic synthesis tool was used to
generate synthesized netlists that are then locked.
Synthesized netlists were locked with r = 32 and r = 64 bit
keys. For each logic locking procedure, key size and bench-
mark combination we generate 100 locked netlists, using dif-
ferent placements of key gates and randomly generated keys.
Table 1 presents the results of our desynthesis attack on the
eight benchmark circuits. We report the average, minimum
and maximum number of bits of the key that we correctly
recover over 100 experiments. We also report the average
time the attack took on each benchmark.
From the data we can make the following observations.
(1) The success of our desynthesis attack is largely indepen-
dent of the locking procedure used. This is not surprising
— neither procedure was designed to protect against the de-
synthesis attack. (2) Doubling the key size roughly doubles
the number of key bits that are correctly recovered — increas-
ing key size does not seem to reduce the effectiveness of our
attack. (3) Although the benchmarks vary in terms of charac-
teristics (number of inputs, outputs and gates), the attack re-
sults are largely the same across benchmarks. (4) In the best
case across benchmarks, locking procedures and 100 runs, we
recovered 29 of 32 keys and 59 of 64 keys. The probability of
recovering these many bits in 100 runs if indeed the locking
schemes were secure (i.e., the key could at best be randomly
guessed) is overwhelmingly small.
Although not shown in Table 1, we conducted statistical
hypothesis tests to check whether the distribution of recov-
ered key bits is consistent with a random guess. For every
benchmark, locking procedure and for both 32- and 64-bit
keys we find a p-value of less than 0.0001, allowing us to re-
ject the null hypothesis. In other words, there is statistically
significant evidence to believe that existing locking mecha-
nisms are not secure.
To demonstrate that the desynthesis attack remains effec-
tive for a different synthesis tool, we synthesized one of the
benchmarks, dk16, using Cadence Encounter RTL Compiler
(a commercial synthesis tool), and locked the synthesized
netlist using EPIC and a 32-bit key. Figure 6 shows a his-
togram of the number of correctly guessed key bits over 100
runs versus the histogram for the number of correctly guessed
key bits if the attacker were randomly guessing the key. On
average, the desynthesis attack recovers 24.5 (and up to 31)
keys, which is similar to the attack’s success when ABC was
 0
 5
 10
 15
 20
 25
 30
 0  4  8  12  16  20  24  28  32
Fr
eq
ue
nc
y
# correctly deduced key bits
Desynthesis attack (32-bit key)
Random guess (32-bit key)
Figure 6: Performance of desynthesis attack on one bench-
mark from the MCNC set when the designer uses Encounter
RTL Compiler to synthesize the benchmark.
 0
 20
 40
 60
 80
 100
dk16 planet1 planet s1 sand scf styr tbk
Ar
ea
 O
ve
rh
ea
d 
(%
)
Benchmarks
Meerkat (32-bit key)
EPIC (32-bit key)
Meerkat (64-bit key)
EPIC (64-bit key)
Figure 7: Area overhead for EPIC and Meerkat for locking
with 32 and 64-bit keys.
used as a synthesis tool. Note that in 3 of the 100 runs, the
attack recovered all but one key bit correctly.
5.2 Meerkat
We have implemented Meerkat within the ABC synthesis en-
vironment (since ABC has an in-built BDD package) along
with some glue code. In Figure 7, we compare the area over-
head of logic locking using Meerkat with 32- and 64-bit keys
over the original unlocked netlist. We also show the area
overhead of EPIC. We observe that the Meerkat overheads
grow proportionally with key size and are modestly larger
than EPIC overheads. The overheads are obviously lower for
larger circuits — Meerkat’s overhead for 64 bit key for the
largest benchmark is 43%.
Figure 8 plots Meerkat’s delay overheads. Note that EPIC
explicitly recommends keeping key gates off critical paths
(paths in the netlist that impact delay) and therefore, ideally,
has no delay overhead. On the other hand, we cannot do this
in Meerkat because we insert key nodes before synthesis, i.e.,
before we know where the critical paths are.
While the overheads are greater than those of prior work,
10
 0
 10
 20
 30
 40
 50
 60
 70
 80
dk16 planet1 planet s1 sand scf styr
De
la
y 
Ov
er
he
ad
 (%
)
Benchmarks
Meerkat (32-bit key)
Meerkat (64-bit key)
Figure 8: Delay overhead for Meerkat for locking with 32 and
64-bit keys. The tbk benchmark has no overhead for locking
with 32 or 64-bit keys, and hence, is not shown.
 0
 20
 40
 60
 80
 100
dk16 planet1 planet s1 sand scf styr tbk
Ou
tp
ut
 C
or
ru
pt
ib
ili
ty
 (%
)
Benchmarks
Meerkat (32-bit key)
IBL (32-bit key)
Meerkat (64-bit key)
IBL (64-bit key)
Figure 9: Output Corruptibility for EPIC and Meerkat for
locking with 32 and 64-bit keys.
we note that Meerkat is the only approach that provides for-
mal security guarantees. Furthermore, as discussed in Sec-
tion 6, the area and delay overheads can be amortized, and
are significantly lower than the those incurred by alternative
approaches to trusted fabrication.
Finally, Figure 9 compares the output corruptibility (a mea-
sure of the average fraction of inputs that result in incor-
rect outputs for an incorrect key [24]) of netlists locked with
Meerkat versus those locked with EPIC. In some cases, 64-
bit keys are required to obtain high output corruptibility using
Meerkat.
6 Limitations and Discussion
Our desynthesis attack reveals a serious vulnerability in ex-
isting logic locking schemes. Meerkat, our proposed defense
mechanism, is the first provably secure logic locking mech-
anism. Certainly, our work has limitations, and in this sec-
tion, we discuss these, and ways of addressing them. We also
touch upon the distinction between the related threats of IC
over-production and IP theft as they relate to EPIC and this
work.
Desynthesis attack In our attack model (see Section 3),
we assume that the attacker has access to the designer’s lock-
ing procedure, including the synthesis tool. A question that
arises is, is such an attacker too strong? We first point out that
this is justified based on Kerchoffs’s principle [21], which,
applied to our context, states that the system needs to be se-
cure under the attacker we consider. Nonetheless, one may
ask whether the EPIC procedure can be made more secure if
the attacker does not know which synthesis tool the designer
uses, or if the designer uses a proprietary synthesis tool. We
believe that although this merits further quantitative investi-
gations (for example, the attacker could include the choice of
synthesis tool in the search space of the desynthesis attack),
we re-assert that the goal of our work is to provide logic lock-
ing with provable guarantees on security, which a “security-
via-obscurity” scheme does not provide.
A second possible issue regards the observation that our
desynthesis attack, for the cases we tried, does not appear
to correctly identify all key bits, but only comes very close in
several cases. Prior attacks on logic locking appear to recover
all key bits, but, those attacks assume that the attacker can
obtain inputs and outputs from a working copy of the chip.
Furthermore, we note that our attack can be further strength-
ened with access to more computational resources. A deter-
mined attacker can amplify the results by exploring a larger
portion of the key space. It bears mentioning that the turn-
around time on chip fabrication can be months; this gives the
attacker a significant window of time in which to run desyn-
thesis attacks. Further, it might be useful for an attacker to
apply divide and conquer; for instance, by attacking individ-
ual logic cones within the netlist. We plan to explore this in
future work.
Meerkat Understandably, security, particularly provable
security as Meerkat provides, comes at a cost. Meerkat in-
troduces both delay and area overheads. We note however
that in most cases, the trade secrets of a designer only com-
prise a small part of a chip’s overall design. The rest of
the design consists mostly of static random-access memory
(SRAM) (for example, a CPU’s cache), which contains no
trade secrets. As such, to protect a chip from piracy, a de-
signer can choose, for locking, a small part of the overall de-
sign only, thereby significantly amortizing any overhead that
is incurred. We locked the instruction decoder of a 32-bit
RISC processor [23] using Meerkat and found that the total
area of the processor core increased only by 37%.
Still, one might wonder if a designer would be willing to
incur such overhead in a highly competitive market, where
producing lower-performing chips might put the designer at
a disadvantage. To answer this question, we consider three
options that are available to the designer: (1) The designer
can forgo logic locking altogether, and instead send her IP
“in the clear” across design stages. This, of course, exposes
the designer’s IP to the risk of the theft. (2) The designer
11
can decide to carry out her fabrication at a trusted foundry
(for instance, a low-end foundry located on-shore), instead
of fabricating the chip at a high-end but untrusted foundry.
However, the technology gap between a low-end, on-shore
foundry and a high-end off-shore foundry can be significant.
As an example, the most advanced technology available in
India (an 800nm foundry) is 25 years older and at least 100×
worse (in terms of chip area alone) than the state-of-the-art
[37]. (3) A third option is for the designer to implement her
proprietary designs using reconfigurable logic. Aside from
the area overheads of reconfigurable logic (around 35× [16]),
the designer would need to store the configuration bits of the
reconfigurable logic in read-proof memory to protect the chip
from piracy. In contrast, locking requires far fewer bits to be
implemented using read-proof memory.
There are settings, however, in which it may be truly im-
practicable to lock a design (or even part of a design) using
Meerkat. In particular, it is known that ROBDDs for certain
types of hardware functions like multipliers and encryption
modules are inefficiently sized [39]. In part this is a conse-
quence of the strong security guarantees we aim to provide
— invariance to the function representation implied by Defi-
nition 1 necessitates the use of a canonical representation.
Yet, Meerkat inherits one of the appealing properties of
ROBDDs that has driven their popularity, i.e., they are com-
pact for a large class of Boolean functions of practical inter-
est [3]. An interesting avenue for further research is whether
netlist partitioning techniques can be used to mitigate the
scalability bottleneck for functions with large ROBDDs, per-
haps with some, known, loss in security. Also, we note that
the criterion in Definition 1 is a sufficient condition; an open
question is whether Definition 1 can be relaxed while still
guaranteeing security. We also note that Meerkat can be ap-
plied in a LUT-based locking context. The designer could im-
plement parts of the logic that key bits feed into with lookup
tables, although this possibly results in a larger key and func-
tion space. As the original family of functions is included in
the new key space, the security guarantees would remain.
Another point of note relates to the family of functions
within which Meerkat embeds the correct function f — we
have shown that the 2r− 1 alternate functions that Clock im-
plements, all have the same ROBDD structure as f with the
high and low children of r nodes swapped. Although we have
shown in Section 5 that these alternate functions have high
output corruptability (output corruptability measures how dif-
ferent two Boolean functions are), it is possible to investigate
broader families of functions within which f is embedded,
for example functions with ROBDDs of the same size.
Threats: IP theft vs. over-building Logic locking, as
a specific instance, has been proposed in two related attack
scenarios: (1) over-building of ICs, i.e., when the foundry
makes extra, unauthorized copies of the chip, and, (2) IP
theft, i.e., reverse engineering the IC’s (locked) netlist. De-
fenses against over-building are referred to as hardware me-
tering [15].
EPIC (and succeeding logic locking schemes) claim to pro-
tect against both since the protocol actually has two keys: a
key that is common to all chips and is an input to key gates
(this is the key we have been concerned with so far), and a
unique key for every chip. The unique per-chip key is gen-
erated by the designer as follows: upon power-up, a newly
fabricated chip generates a random number, using a hardware
true random number generator (TRNG). An on-chip RSA key
generation circuit then takes this random number, interprets
it as a private key, and generates the corresponding public
key. The public key is read-out by the foundry and sent to
the designer. The designer encrypts the common key using
this public key to generate the chip-specific unique key (note
that the unique key depends on the TRNG output which is
different for every chip). Finally, the unique key is entered
into the chip by the foundry, where it gets decrypted by an
RSA decryption circuit to its plain form, the common key,
that actually unlocks the netlist.
Although the unique key protects against over-building, it
offers no protection against IP theft. That is, our attack (and
indeed all attacks in prior work [24, 31]) focus on directly re-
verse engineering the common key (recall that unlike prior at-
tacks, however, we do not assume access to a working chip).
In fact, a compromise of the common key not only reveals
the designer’s intended netlist (accomplishing IP theft), but
also enables the foundry to generate new masks in which the
correct key is hardwired into the circuit. The foundry can
then mass produce functionally equivalent chips with this new
mask, thus effectively over-building the IC. Modifying an ex-
isting mask or creating a new one is easily within the realm
of capabilities of a foundry.
7 Related Work
We now discuss prior art on secure outsourced chip fabrica-
tion, and place it in the context of our work.
The EPIC protocol [29] was the first locking scheme pro-
posed to protect combinational logic from over-building and
IP theft. The EPIC protocol is described in detail in Sec-
tion 2. Succeeding work has attempted to improve upon the
EPIC locking procedure by using programmable logic [2] and
MUXes [22, 38] instead of XOR/XNOR gates, and smart se-
lection of locations for key-gate insertion [24, 28]. However,
all these techniques assume that locking is performed after
synthesis, the root of the vulnerability that we exploit in our
desynthesis attack.
In terms of attacks, Maes et al. [20] demonstrated a vulner-
ability in EPIC using a man-in-the-middle attack on the com-
munication protocol between the foundry and designer, thus
enabling the attacker to over-build the IC. Maes et al. [20]
also suggest a fix to the protocol to address this vulnerability.
Attacks on logic locking that aim to steal the chip’s IP have
all assumed that an attacker has at least partial access to the
chip’s I/O functionality. Rajendran et al. [24] show that an
attacker who has a working copy of the chip can quickly re-
12
cover the key if the location of key gates is picked at random
(as in EPIC). They describe an improved technique to insert
key gates that defends against this attack.
However, Rajendran et al.’s improvement to the EPIC pro-
cedure was recently defeated by Subramanyan et al. [31] us-
ing a sophisticated attack that relies on SAT-based inference.
Concurrently, El Massad et al. [12] devised the same attack
on IC camouflaging, a conceptually related hardware secu-
rity mechanism. Liu et al. [19] have proposed techniques to
further enhance the effectiveness of SAT-based attacks.
Defending against these sophisticated attacks on logic
locking still remains an open problem. Recently, a defense
mechanism using MUX-based logic locking was developed
for a more restricted attack scenario in which the attacker
only has access to a certain number of chip I/O pairs, but not
a working chip [22]. However, as we discussed in Section 1,
there are important settings in which the attacker has no I/O
access. Logic locking has so far been assumed to be secure in
this setting. Our attack is the first attack that shows that logic
locking is insecure even when the attacker has no I/O access.
A related line of research has been focused on hardware
metering and IP theft prevention for sequential logic (FSMs).
Alkabani et al. [1] were the first to propose an active metering
scheme for FSMs that modifies the FSM such that a certain
initial sequence of inputs needs to be applied to unlock the
chip. The sequence varies from chip-to-chip and depending
on randomness extracted from each chip. However, Alkabani
et al. only aim to protect against over-production and not di-
rectly against IP theft. Further work in this direction includes
schemes that seek to prevent IP theft by locking the (combi-
national) state-transition function of the FSM [7, 8]. These
techniques would also be vulnerable to our desynthesis at-
tack. A recent paper proposes to obfuscate an FSM using
structural transformations of the state-transition graph [18],
but these transformations cannot be used in the context of
combinational logic locking.
Besides IC locking, another technique that has been pro-
posed in literature for secure outsourced chip fabrication is
split maufacturing [14, 27, 35, 36]. The idea is to partition
a chip into two (or more) parts and fabricate each part at a
separate foundry. However, split manufacturing (a) requires
access to technology like like 3D integration [14] or split
fabrication [36] that is still experimental, (b) can have high
overhead [14] and (c) is susceptible to so-called proximity
attacks [27].
Other techniques to deter hardware IP theft that are or-
thogonal to our work include watermarking [9] (to detect IP
theft) and IC camouflaging [12, 26] (to defend against post-
fab “sand-and-scan” attacks). As a concluding note, besides
IP theft, another risk of outsourced chip fabrication is an un-
trusted foundry that maliciously modifies the chip. We do
not address this threat in our work and refer the reader to an
excellent survey paper on this topic [33].
8 Conclusion
In this paper, we have proposed a new attack on logic lock-
ing that, unlike prior attacks, does not require an attacker to
have access to a working copy of the chip. The attack exploits
the observation that all existing logic synthesis mechanisms
lock synthesized netlists, and that the synthesis step embeds
information about the true functionality of the chip into the
locked netlist. Using our attack, we were able to correctly
recover a significant number of bits, up to 30 and 59 bits,
for netlists locked with 32- and 64-bit keys, respectively. To
address the vulnerability posed by the attack, we present the
first formal notion of security for logic locking and develop
Meerkat, a new logic locking technique based on ROBDDs
that is provably secure under this notion. Meerkat’s area and
delay overheads, although greater than those of existing (in-
secure) techniques like EPIC, are still moderate, particularly
in light of the fact that they come with security guarantees.
References
[1] ALKABANI, Y., AND KOUSHANFAR, F. Active hardware metering
for intellectual property protection and security. In USENIX Security
(2007), pp. 291–306.
[2] BAUMGARTEN, A., TYAGI, A., AND ZAMBRENO, J. Preventing IC
piracy using reconfigurable logic barriers. IEEE Design and Test of
Computers 27, 1 (2010), 66–75.
[3] BRACE, K. S., RUDELL, R. L., AND BRYANT, R. E. Efficient imple-
mentation of a BDD package. In Proceedings of the 27th ACM/IEEE
design automation conference (1991), ACM, pp. 40–45.
[4] BRYANT, R. E. Graph-based algorithms for boolean function manipu-
lation. Computers, IEEE Transactions on 100, 8 (1986), 677–691.
[5] BRYANT, R. E. Binary decision diagrams and beyond: Enabling tech-
nologies for formal verification. In Computer-Aided Design, 1995.
ICCAD-95. Digest of Technical Papers., 1995 IEEE/ACM International
Conference on (1995), IEEE, pp. 236–243.
[6] BURCH, J. R., CLARKE, E. M., LONG, D. E., MCMILLAN, K. L.,
AND DILL, D. L. Symbolic model checking for sequential circuit ver-
ification. Computer-Aided Design of Integrated Circuits and Systems,
IEEE Transactions on 13, 4 (1994), 401–424.
[7] CHAKRABORTY, R. S., AND BHUNIA, S. Hardware protection and
authentication through netlist level obfuscation. In Proceedings of the
2008 IEEE/ACM International Conference on Computer-Aided Design
(2008), IEEE Press, pp. 674–677.
[8] CHAKRABORTY, R. S., AND BHUNIA, S. HARPOON: an
obfuscation-based SoC design methodology for hardware protection.
Computer-Aided Design of Integrated Circuits and Systems, IEEE
Transactions on 28, 10 (2009), 1493–1502.
[9] CHARBEN, E. Hierarchical watermarking in IC design. In Proceedings
of the IEEE Custom Integrated Circuits Conference (1998), Citeseer,
pp. 295–298.
[10] COMERFORD, L. D., LEDERMANN, P. G., LEVY, L. I., AND WHITE,
S. R. Tamper resistant packaging for information protection in elec-
tronic circuitry, May 26 1992. US Patent 5,117,457.
[11] DUPUIS, S., BA, P.-S., DI NATALE, G., FLOTTES, M.-L., AND
ROUZEYRE, B. A novel hardware logic encryption technique for
thwarting illegal overproduction and hardware trojans. In On-Line Test-
ing Symposium (IOLTS), 2014 IEEE 20th International (2014), IEEE,
pp. 49–54.
[12] EL MASSAD, M., GARG, S., AND TRIPUNITARA, M. V. Integrated
circuit (IC) decamouflaging: Reverse engineering camouflaged ICs
within minutes. In NDSS (2015).
13
[13] GAO, X., XIAO, B., TAO, D., AND LI, X. A survey of graph edit
distance. Pattern Analysis and applications 13, 1 (2010), 113–129.
[14] IMESON, F., EMTENAN, A., GARG, S., AND TRIPUNITARA, M. Se-
curing Computer Hardware Using 3D Integrated Circuit (IC) Technol-
ogy and Split Manufacturing for Obfuscation. in the Proceedings of
USENIX Security (2013), 495–510.
[15] KOUSHANFAR, F., AND QU, G. Hardware metering. In Proceed-
ings of the 38th annual Design Automation Conference (2001), ACM,
pp. 490–493.
[16] KUON, I., AND ROSE, J. Measuring the gap between FPGAs and
ASICs. IEEE Transactions on computer-aided design of integrated
circuits and systems 26, 2 (2007), 203–215.
[17] LEE, G. Logic synthesis for cellular architecture FPGAs using BDDs.
In Design Automation Conference, 1997. Proceedings of the ASP-
DAC’97 Asia and South Pacific (1997), IEEE, pp. 253–258.
[18] LI, L., AND ZHOU, H. Structural transformation for best-possible
obfuscation of sequential circuits. In Hardware-Oriented Security and
Trust (HOST), 2013 IEEE International Symposium on (2013), IEEE,
pp. 55–60.
[19] LIU, D., YU, C., ZHANG, X., AND HOLCOMB, D. Oracle-guided
incremental SAT solving to reverse engineer camouflaged logic cir-
cuits. In 2016 Design, Automation Test in Europe Conference Exhi-
bition (DATE) (March 2016), pp. 433–438.
[20] MAES, R., SCHELLEKENS, D., TUYLS, P., AND VERBAUWHEDE,
I. Analysis and design of active IC metering schemes. In Hardware-
Oriented Security and Trust, 2009. HOST’09. IEEE International
Workshop on (2009), IEEE, pp. 74–81.
[21] PETITCOLAS, F. A. Kerckhoffs’ principle. In Encyclopedia of cryp-
tography and security. Springer, 2011, pp. 675–675.
[22] PLAZA, S. M., AND MARKOV, I. L. Solving the third-shift problem
in IC piracy with test-aware logic locking. Computer-Aided Design of
Integrated Circuits and Systems, IEEE Transactions on 34, 6 (2015),
961–971.
[23] PMC-SIERRA-INC. 64-bit MIPS RISC microprocessor with inte-
grated l2 cache. http://pmcs.com/cgi-bin/download_p.pl?
res_id=9427&filename=2011604_009427.pdf, Aug. 2016.
[24] RAJENDRAN, J., PINO, Y., SINANOGLU, O., AND KARRI, R. Logic
encryption: A fault analysis perspective. In Proceedings of the Confer-
ence on Design, Automation and Test in Europe (2012), EDA Consor-
tium, pp. 953–958.
[25] RAJENDRAN, J., PINO, Y., SINANOGLU, O., AND KARRI, R. Secu-
rity analysis of logic obfuscation. In Proceedings of the 49th Annual
Design Automation Conference (2012), ACM, pp. 83–89.
[26] RAJENDRAN, J., SAM, M., SINANOGLU, O., AND KARRI, R. Se-
curity analysis of integrated circuit camouflaging. In Proceedings of
the 2013 ACM SIGSAC conference on Computer & communications
security (2013), ACM, pp. 709–720.
[27] RAJENDRAN, J., SINANOGLU, O., AND KARRI, R. Is split manufac-
turing secure? in the Proceedings of IEEE/ACM Conference on Design
Automation and Test in Europe (2013), 1259 – 1264.
[28] RAJENDRAN, J., ZHANG, H., ZHANG, C., ROSE, G. S., PINO, Y.,
SINANOGLU, O., AND KARRI, R. Fault analysis-based logic encryp-
tion. Computers, IEEE Transactions on 64, 2 (2015), 410–424.
[29] ROY, J. A., KOUSHANFAR, F., AND MARKOV, I. L. Epic: Ending
piracy of integrated circuits. In Proceedings of the conference on De-
sign, automation and test in Europe (2008), ACM, pp. 1069–1074.
[30] STAMFORD, C. Worldwide semiconductor foundry market grew
16.1 percent in 2014, according to final results by gartner. http:
//www.gartner.com/newsroom/id/3027717, April 2015.
[31] SUBRAMANYAN, P., RAY, S., AND MALIK, S. Evaluating the security
of logic encryption algorithms. In Hardware Oriented Security and
Trust (HOST), 2015 IEEE International Symposium on (2015), IEEE,
pp. 137–143.
[32] SYNTHESIS, B. L. Abc: A system for sequential synthesis and ver-
ification, release 61225, 2007.
[33] TEHRANIPOOR, M., AND KOUSHANFAR, F. A survey of hardware
trojan taxonomy and detection. IEEE Design and Test of Computers
27, 1 (2010), 10–25.
[34] TORRANCE, R., AND JAMES, D. The state-of-the-art in IC reverse en-
gineering. In Cryptographic Hardware and Embedded Systems-CHES
2009. Springer, 2009, pp. 363–381.
[35] VAIDYANATHAN, K., DAS, B. P., SUMBUL, E., LIU, R., AND PI-
LEGGI, L. Building trusted ICs using split fabrication. In Hardware-
Oriented Security and Trust (HOST), 2014 IEEE International Sympo-
sium on (2014), IEEE, pp. 1–6.
[36] VAIDYANATHAN, K., LIU, R., SUMBUL, E., ZHU, Q., FRANCHETTI,
F., AND PILEGGI, L. Efficient and secure intellectual property (ip)
design with split fabrication. In Hardware-Oriented Security and
Trust (HOST), 2014 IEEE International Symposium on (2014), IEEE,
pp. 13–18.
[37] WAHBY, R., HOWALD, M., AND GARG, S. abhi shelat, and m. Wal-
fish. Verifiable ASICs. Preprint (2015).
[38] WANG, X., JIA, X., ZHOU, Q., CAI, Y., YANG, J., GAO, M., AND
QU, G. Secure and low-overhead circuit obfuscation technique with
multiplexers. In Proceedings of the 26th edition on Great Lakes Sym-
posium on VLSI (2016), ACM, pp. 133–136.
[39] WEGENER, I., ET AL. The complexity of Boolean functions, vol. 1.
BG Teubner Stuttgart, 1987.
[40] YANG, C., AND CIESIELSKI, M. BDS: a BDD-based logic optimiza-
tion system. Computer-Aided Design of Integrated Circuits and Sys-
tems, IEEE Transactions on 21, 7 (2002), 866–876.
[41] YANG, S. Logic synthesis and optimization benchmarks. In 1989
MCNC International Workshop on Logic Synthesis (Dec. 1988).
[42] YANG, W. The new economics of semiconductor manufacturing. IEEE
Spectrum (2008).
14
