Algorithmic Obfuscation over GF($2^m$) by Yu, Cunxi & Holcomb, Daniel
Algorithmic Obfuscation over GF(2^m)
Cunxi Yu (Cornell University), Daniel Holcomb (University of Massachusetts Amherst)
cunxi.yu@cornell.edu
September 18, 2018
Abstract

Galois Field arithmetic blocks are the key components in many security applications, such as Elliptic Curve Cryptography (ECC) and the S-Boxes of the Advanced Encryption Standard (AES) cipher. This paper introduces a novel hardware intellectual property (IP) protection technique that obfuscates arithmetic functions over Galois Field (GF), focusing specifically on obfuscation of GF multiplication, which underpins complex GF arithmetic and elliptic curve point arithmetic functions. Obfuscating GF multiplication circuits is important because the choice of irreducible polynomial in GF multiplication has a great impact on the performance of the hardware design, and because significant effort is spent on finding an optimum irreducible polynomial for a given field, which can give one company a competitive advantage over another.
1 Introduction
Due to the increasing cost of integrated circuit (IC) design and manufacturing, it becomes more important to protect the intellectual property (IP) of an IC against reverse engineering (RE). Despite the complexity of modern ICs, the implementation details can be extracted by RE techniques once a circuit is fabricated and released to market [1]. This has given rise to a number of academic works and commercial products focused on using obfuscation to make designs more difficult to reverse engineer. In this work, we focus on protecting the IP of Galois Field arithmetic circuits that are commonly used in cryptography.
A Galois field (GF) is a number system with a finite number of elements. Galois Field arithmetic is used extensively in many security applications such as Elliptic Curve Cryptography (ECC) and the Advanced Encryption Standard (AES). The basic arithmetic functions include GF addition and multiplication, and more advanced GF arithmetic functions are derived from those two [2], such as GF division, and elliptic curve point addition and multiplication [3]. An irreducible polynomial P(x) is required for constructing GF multiplication, and the choice of polynomial has a significant impact on the performance of the GF multiplier.
Intel Research showed that GF(2^4) (4-bit) GF multipliers implemented in the same 22nm CMOS technology with two different P(x) differ by 40% and 9% in area and delay respectively, on their nanoAES chip [4]. The costs vary with the choice of polynomial because different polynomials require different numbers of XOR operations in the critical path and in the entire design; as the bit-width increases, the performance of the multipliers varies even more strongly across different polynomials [5]. Moreover, recent work shows that it is possible to reverse engineer the irreducible polynomial of a post-synthesized GF(2^m) multiplier up to 571 bits [5] by analyzing the algebraic signatures extracted from the gate-level netlist. This shows that the choice of polynomial should not be considered secret by default unless steps are taken to obfuscate it. Due to the significant effort spent on finding the optimum P(x) in industrial designs [4], preventing P(x) from being reverse engineered becomes important (footnote 1).
This work introduces the first obfuscation methodology over Galois Field that obfuscates GF multiplication with multiple irreducible polynomials, and furthermore shows that the performance overhead per obfuscated function is small. The obfuscation approach is based on analyzing the mathematical properties of finite field arithmetic to identify the maximum common logic between multiplications with different P(x). The resulting multiplier performs multiplication with a certain P(x), denoted the true function, which is known to the designers only. An attacker should be unable to use reverse engineering to distinguish the true function from the obfuscated functions, which are all valid GF multiplications in the same finite field as the true function.
2 Background
2.1 Galois Field Principle
A Galois field (GF) is a number system with a finite number of elements and two main arithmetic operations, addition and multiplication; other operations such as division can be derived from those two [2]. A Galois field with p elements is denoted GF(p). A prime field, denoted GF(p), is a finite field consisting of a finite number of integers {1, 2, ..., p − 1}, where p is a prime number, with addition and multiplication performed modulo p. A binary extension field, denoted GF(2^m) (or F_2^m), is a finite field with 2^m elements. Unlike in prime fields, however, the operations in extension fields are not computed modulo 2^m. Instead, in one possible representation (called polynomial basis), each element of GF(2^m) is a polynomial with up to m terms and coefficients in GF(2), taken modulo an irreducible polynomial P(x). The addition of finite field elements is the addition of polynomials, with coefficients computed in GF(2). Multiplication of field elements is performed modulo an irreducible polynomial P(x) of degree m with coefficients in GF(2). The irreducible polynomial P(x) is analogous to the prime number p in the prime field GF(p). Extension fields are used in many cryptography applications, such as AES and ECC.
Footnote 1: We specifically refer to Section IV in [4] and Section II-D in [5].
Figure 1: GF(2^4) multiplication Z = A · B mod P(x), where P(x) = x^4 + x^3 + 1, A = a3 x^3 + a2 x^2 + a1 x + a0, B = b3 x^3 + b2 x^2 + b1 x + b0, etc. Z = [z3 z2 z1 z0] is the output of the multiplication. (Reconstructed as text.)

Partial products and their sums:
                        a3    a2    a1    a0
                   ×    b3    b2    b1    b0
      ----------------------------------------
                      a3b0  a2b0  a1b0  a0b0
                a3b1  a2b1  a1b1  a0b1
          a3b2  a2b2  a1b2  a0b2
    a3b3  a2b3  a1b3  a0b3
      ----------------------------------------
      s6    s5    s4    s3    s2    s1    s0

    s_q = XOR of a_i b_j over all i + j = q, 0 ≤ q ≤ 6

Reduction modulo P(x):
      s3    s2    s1    s0
      s4     0     0    s4
      s5     0    s5    s5
      s6    s6    s6    s6
      ---------------------
      z3    z2    z1    z0

    z0 = s0 ⊕ s4 ⊕ s5 ⊕ s6
    z1 = s1 ⊕ s5 ⊕ s6
    z2 = s2 ⊕ s6
    z3 = s3 ⊕ s4 ⊕ s5 ⊕ s6
In an extension field with p = 2, a polynomial representation is alternatively represented by a unique binary expression. This binary expression consists of the coefficients of each term in the polynomial. For example, the binary expression of x^3 + x^2 + x is [1110]. The linear arithmetic operations in the finite field, i.e., addition and subtraction over GF(2^m), are performed by adding or subtracting two of those polynomials. The result is reduced modulo p, where p = 2 in GF(2^m). In such a finite field, addition modulo 2, subtraction modulo 2, and bit-vector XOR perform the same function. Thus, GF addition and subtraction at the Boolean level are implemented with bit-vector XOR operations. For example, (x^3 + x^2 + x) + (x^3 + x^2 + 1) = 2x^3 + 2x^2 + x + 1 mod 2 = x + 1, which is performed by [1110] ⊕ [1101] = [0011], which represents the polynomial x + 1.
Galois Field multiplication is performed by multiplication modulo an irreducible polynomial that defines the finite field. An irreducible polynomial is a polynomial that cannot be factored into nontrivial polynomials over the same field [6]. For example, over GF(2), x^2 + x + 1 is an irreducible polynomial but x^2 + 1 is not, since x^2 + 1 = (x + 1)(x + 1). An example of GF(2^4) (4-bit) multiplication is shown in Figure 1, with irreducible polynomial P(x) = x^4 + x^3 + 1. Similar to addition and subtraction, the inputs and outputs in multiplication are binary expressions. For example, A = [a3 a2 a1 a0], where a0 is the least significant bit and a3 is the most significant bit. The multiplication is performed in two stages: 1) adding the partial products and 2) reducing over GF(2^4) with P(x). The partial products are generated similarly to integer multiplication, using AND operations. Since additions in the field are XOR operations, the sum of the partial products (s_q in Figure 1) is generated using a series of XORs.
The sum of partial products will then be reduced modulo the irreducible polynomial. As mentioned previously, the binary expression corresponds to the coefficients of the polynomial expression. Thus, s_i is the coefficient of x^i in its polynomial representation. According to the modulo addition rule, (s0 + s1 x + ... + s6 x^6) mod P(x) = [(s0 mod P(x)) + (s1 x mod P(x)) + ... + (s6 x^6 mod P(x))] mod P(x). The GF multiplication can be constructed as follows:
• s0 x^0 mod P(x) = s0; s1 x mod P(x) = s1 x; s2 x^2 mod P(x) = s2 x^2; s3 x^3 mod P(x) = s3 x^3. Hence, the sum of s_i x^i mod P(x) over i = 0..3 is s0 + s1 x + s2 x^2 + s3 x^3, denoted as P0.
• P1 = s4 x^4 mod P(x) = s4 + s4 x^3 mod P(x).
• P2 = s5 x^5 mod P(x) = s5 + s5 x + s5 x^3 mod P(x).
• P3 = s6 x^6 mod P(x) = s6 + s6 x + s6 x^2 + s6 x^3 mod P(x).
• Hence, the sum of s_i x^i mod P(x) over i = 0..6 is P0 + P1 + P2 + P3 mod P(x), which is performed by GF additions.
Since GF additions are the same as XOR in the binary expressions of the polynomials, the final result [z3 z2 z1 z0] is produced by [s3 s2 s1 s0]_P0 ⊕ [s4 0 0 s4]_P1 ⊕ [s5 0 s5 s5]_P2 ⊕ [s6 s6 s6 s6]_P3, as shown in Figure 1. Galois Field addition and multiplication are the basic GF arithmetic operations that are used to implement advanced arithmetic functions such as division, and elliptic-curve point addition and multiplication [3], for cryptography applications. However, GF addition is performed with one bit-vector XOR regardless of the irreducible polynomial, which means that obfuscation over multiple irreducible polynomials cannot be applied to a stand-alone GF adder. Thus, this work focuses on multiplication obfuscation over GF(2^m).
2.2 Irreducible Polynomials
Table 1: Irreducible polynomials with degree m.

m   Irreducible polynomial(s)
2   x^2+x+1
3   x^3+x+1; x^3+x^2+1
4   x^4+x+1; x^4+x^3+1; x^4+x^3+x^2+x+1
5   x^5+x^2+1; x^5+x^3+x^2+1; x^5+x^3+1; x^5+x^4+x^3+1; x^5+x^4+x^3+x^2+1; x^5+x^4+x^2+x+1
In general, there are various irreducible polynomials that can be used for a given field size, each resulting in a different multiplication result. The number of irreducible polynomials increases with m. The irreducible polynomials that exist for degrees m = {2, 3, 4, 5} are listed in Table 1. For constructing efficient arithmetic functions over GF(2^m), the irreducible polynomial is typically chosen to be a trinomial, x^m + x^a + 1, or a pentanomial, x^m + x^a + x^b + x^c + 1 [7]. It is furthermore required that the exponents m and a be chosen such that m − a ≥ m/2 [8].
Given degree m, the multiplications constructed by different irreducible polynomials are functionally different but are in the same field. For example, given degree m = 4, using P1(x) = x^4 + x + 1 instead of P0(x) = x^4 + x^3 + 1 produces a different GF multiplication function in GF(2^4). The difference appears in the process of reducing the sum of the partial products modulo the irreducible polynomial. For example, when using polynomial P0(x), s6 is required for all the output bits since x^6 mod P0(x) is equal to x^3 + x^2 + x + 1, which needs four XOR operations. However, when using polynomial P1(x), s6 is only required for z2 and z3 since x^6 mod P1(x) is equal to x^3 + x^2, which needs only two XOR operations. This explains why the choice of irreducible polynomial affects the delay and area of GF multipliers.

Figure 2: Illustrative example of implementing GF multiplication with the irreducible polynomial obfuscated. (Figure not reproduced: the product A·B feeds parallel reductions mod P0(x), mod P1(x), ..., mod Pn(x), and a set of switches P selects which result is output, e.g. A·B mod P1(x).)
The goal of our approach is to implement a multiplier with multiple functions obfuscated, such that only designers and authorized users know the true function (Figure 2). P denotes the switches that will be physically implemented as constant inputs using camouflaged standard cells. One important observation is that most of the logic of GF multipliers using different irreducible polynomials remains the same. The main difference is the logic that reduces the sum of the partial products. This means that the overhead of implementing such an obfuscated GF(2^m) multiplier is much smaller than synthesizing the model in Figure 2, which is the main motivation for this work.
2.3 Camouflaged Standard Cell
Gate-level camouflaging techniques rely on using camouflaged standard cells in the fabricated integrated circuits. The camouflaged standard cells are designed as independent standard cells in the technology library. Mostly, the camouflaged cells are used to introduce dummy functionalities. During technology mapping in the design flow, the original functionality of the circuit is camouflaged by partially mapping the circuit with the camouflaged standard cells. These camouflaged cells are designed by changing the layout of the cell with dummy contacts [9], or by changing the doping of the transistors [10]. With such camouflaged cells, designing circuits with camouflaged constant inputs becomes possible. For example, a 2-input NAND is proposed to implement a camouflaged constant one/zero by modifying the doping of different transistors [11]. A variant of dopant-programmable cells is to build components in a dual-Vt process technology such that inferring the correct component functions would require identification of which devices use high and low thresholds [12]. To minimize cost, it is often desirable to protect a circuit by camouflaging only a small subset of the gates [13]. However, in emerging technologies, it can be more difficult to infer function from structure [14], and a reverse engineer may thus need to consider all gates as camouflaged. An overview of physical mechanisms for obfuscation is given by Vijayakumar et al. [15]. In this work, the switches P shown in Figure 2 are mapped with such camouflaged standard cells.
2.4 Attacker Model
The attacker model in this work is similar to the attacker model for reverse engineering circuits with camouflaged gates, which was first given by Rajendran [16]. The logic function implemented by a camouflaged circuit should remain hard to discover when the attacker has knowledge of all non-camouflaged gates and can apply inputs to the circuit and observe outputs. Techniques from oracle-guided synthesis [17] have recently been used in SAT-based attacks to reverse engineer gate camouflaging [18] and logic encryption [19], and improved with incremental SAT solving [20] and approximate deobfuscation by relaxing the conjunctions of SAT formulas [21]. With the knowledge of the capabilities and limitations of oracle-guided SAT-based attacks, several countermeasure techniques have been developed, such as introducing AND-trees [22], protecting the minterms of the specification [23], introducing dummy combinational loops [24], etc. Moreover, a formal verification technique based on computer algebraic methods [25, 26] has been shown to be able to reverse engineer the irreducible polynomials while the GF circuit is considered as a black box and the encodings of primary inputs and outputs are unknown [27].
We assume that the attackers know all the irreducible polynomials of a given field GF(2^m). The attackers also have access to the physical implementation. We assume that they can obtain the gate-level netlist and identify the camouflaged standard cells that implement the constant inputs using reverse engineering techniques. The attackers aim to find the true irreducible polynomial used in the multiplier blocks in a large design. To reverse engineer the true irreducible polynomial with this knowledge, the attackers have to do the following: 1) guess the values of the camouflaged signals implemented with the camouflaged standard cells; 2) prove the equivalence between the implementation and the reverse engineered version. The results of evaluating the obfuscation strength are shown in Section 4.3, using SAT-based attack techniques and the recently proposed Binary Decision Diagram (BDD) based approach [28].
3 Approach
Figure 3: Designing an obfuscated GF(2^m) multiplier with n + 1 functions. (Figure not reproduced: the inputs P0(x), P1(x), P2(x), ..., Pn(x) and degree m flow through the steps "Initialize multiplier" (with P0(x)), "Generate extra logic for obfuscation" (with {P0(x), P1(x), ..., Pn(x)}) and "Produce obfuscated multiplier", yielding an obfuscated GF(2^m) multiplier that computes A·B mod P0(x) together with the OBF logic of {P1(x), ..., Pn(x)}; the designer knows P0(x), while the attacker only sees P??(x).)

The flow of the proposed obfuscation approach is shown in Figure 3. The inputs include 1) the degree (bit-width) m of the GF multiplier, 2) a set of irreducible polynomials in GF(2^m), 3) an indication of the true function, and 4) the irreducible polynomials that will be obfuscated in the resulting multiplier. In Figure 3, the true function is multiplication modulo P0(x), and multiplications modulo {P1(x), P2(x), ..., Pn(x)} are the obfuscated functions. The designer and authorized users know which irreducible polynomial is used for constructing the field. This approach proceeds in three steps:
• Initialize a GF(2^m) multiplier with the irreducible polynomial that the designer wants to implement in the design. This requires a function that generates the multiplication structure (e.g., Figure 1) for any irreducible polynomial. Since the partial products and the sum of partial products are identical for all irreducible polynomials with the same degree, this function reduces to producing the structure that reduces the sum of the partial products.
• Generate and minimize the extra logic for adding obfuscated functions, i.e., multiplications modulo {P1(x), P2(x), ..., Pn(x)}. Based on our observation, the only changes needed to add obfuscated functions are in the logic that reduces the sum of partial products modulo different irreducible polynomials. Thus, this logic can be produced by comparing the reduction structures. The output is an updated reduction structure. This function is applied iteratively to generate the obfuscation logic for n polynomials.
• Produce the obfuscated multiplier. This process generates the obfuscated multiplier by combining the partial product generator, the addition of partial products, and the reduction structure created by the previous step. The output of this process is the input of the design flow, which produces the gate-level netlist and layouts.
3.1 Multiplication Structure Generation
The algorithm for generating the GF multiplication structure, including the partial products, the addition of partial products, and the reduction structure, is shown in Algorithm 1. Algorithm 1 is illustrated using another GF(2^4) multiplication, using polynomial x^4 + x + 1. The first two functions are trivial and produce the same result as multiplication using x^4 + x^3 + 1 (see Figure 1).
Figure 4: a, b) GF(2^4) multiplication structures M0, M1, with irreducible polynomials P0 and P1, generated by structureGen; c) obfuscated multiplication structure, in which the true function is implemented with P0. (Reconstructed as text; the columns from left to right feed output bits z3, z2, z1, z0.)

(a) P0(x) = x^4 + x^3 + 1, structure M0:
      s3     s2     s1     s0
      s4      0      0     s4
      s5      0     s5     s5
      s6     s6     s6     s6
    --------------------------
    z^0_3  z^0_2  z^0_1  z^0_0

(b) P1(x) = x^4 + x + 1, structure M1:
      s3     s2     s1     s0
       0      0     s4     s4
       0     s5     s5      0
      s6     s6      0      0
    --------------------------
    z^1_3  z^1_2  z^1_1  z^1_0

(c) Obfuscated multiplication structure M′:
      s3       s2       s1       s0
      δ^2_1    0        δ^2_3    s4
      δ^3_1    δ^3_2    s5       δ^3_4
      s6       s6       δ^4_3    δ^4_4
    -----------------------------------
    z^{01}_3 z^{01}_2 z^{01}_1 z^{01}_0
Algorithm 1 structureGen(P(x)): Generate Mult Structure
Input: Irreducible polynomial P(x) with degree m
Output: Galois Field Multiplication Structure
 1: for all r and c, 0 ≤ r, c ≤ m−1 do
 2:   pp_{r,c} = a_r · b_c
 3: end for
 4: for i = 0; i ≤ 2m−2; i++ do
 5:   for each pp_{r,c}, 0 ≤ r, c ≤ m−1 do
 6:     if i == r + c then
 7:       s_i = s_i ⊕ pp_{r,c}
 8:     end if
 9:   end for
10: end for
11: Initialize an m-by-m matrix M
12: for i1 = 0; i1 ≤ m−1; i1++ do
13:   M(1, i1) = s_{(m−1)−i1}
14: end for
15: for i2 = m; i2 ≤ 2m−2; i2++ do
16:   R = x^{i2} mod P(x)
17:   if x^q exists in R, 0 ≤ q ≤ m−1 then
18:     M(i2 − m, q) = s_{i2}
19:   end if
20: end for
21: return {pp_{r,c}, 0 ≤ r, c ≤ m−1}, {s_i, 0 ≤ i ≤ 2m−2} and M
The reduction structure is modeled as a matrix in this work. Thus, an m-by-m matrix is initialized with all 0s (line 11). The first row of the matrix is filled with {s_i, 0 ≤ i ≤ m−1} (lines 12-14). Note that the polynomial modulo function is not applied to those terms. This is because the result of x^i modulo a polynomial of degree m is always x^i if i < m. To determine the rest of the structure, {x^i, m ≤ i ≤ 2m−2} modulo P(x) is then processed (line 16). The results are shown in Equations 1-3. The rth row of the matrix (2 ≤ r ≤ m) is filled with s_{m−2+r} by checking the terms present in the remainder R of x^i mod (x^4 + x + 1) (lines 17-19).

x^4 ≡ x + 1        (mod x^4 + x + 1)    (1)
x^5 ≡ x^2 + x      (mod x^4 + x + 1)    (2)
x^6 ≡ x^3 + x^2    (mod x^4 + x + 1)    (3)

For example (Eq. 1-3), according to lines 17-19 in Algorithm 1, the qth position in the 2nd row is filled with s4 if x^q appears in the remainder. In Equation 1, x^1 and x^0 appear in the remainder. Thus, M(2, 0) and M(2, 1) are filled with s4. Similarly, M(3, 1) and M(3, 2) are filled with s5, and M(4, 2) and M(4, 3) are filled with s6. The rest of the elements in M remain 0. Applying Algorithm 1 with the two irreducible polynomials P0(x) and P1(x) over GF(2^4) produces the results denoted M0 and M1 in Figure 4 (a) and (b) (footnote 2).

Table 2: Evaluation of our obfuscation approach for GF(2^m) multipliers where m = 8, 64, 128, and 256, with 4, 8, and 16 functions obfuscated. *The area and delay results have been normalized.

# of        GF(2^8)          GF(2^64)           GF(2^128)          GF(2^256)
Functions   Area    Delay    Area      Delay    Area      Delay    Area      Delay
1           971     111.13   4.74e+04  175.01   1.89e+05  198.24   7.32e+05  224.14
4           1735    139.07   5.46e+04  208.25   1.97e+05  246.65   7.57e+05  272.10
8           2786    148.64   6.20e+04  225.33   2.13e+05  250.31   7.90e+05  274.92
16          -       -        7.60e+04  240.09   2.48e+05  259.37   8.50e+05  281.87
3.2 Obfuscation
This section introduces our approach to generating the obfuscation logic for producing the obfuscated multiplier. This procedure identifies the differing logic between the original reduction structures, and produces a new one with minimum extra logic introduced. The notation used in this section is as follows:
• z^m_n is the nth output bit of the multiplier implemented with Pm(x).
• z^{m0,m1}_n is the nth output bit of the obfuscated multiplier, obfuscated with the functions of Pm0(x) and Pm1(x). The true polynomial of this multiplier is Pm0(x).
• δ^r_c is the obfuscation term in the obfuscated reduction structure at the rth row and cth column.
To obtain the difference between the reduction structures, element-wise XOR is applied to the two matrices M0 and M1 generated by structureGen. The resulting matrix is denoted M′. The positions of the non-zero elements in M′, {(r′_i, c′_j), 1 ≤ i, j ≤ m}, indicate the differences. The obfuscated reduction structure is first created by copying M0. The elements at positions (r′_i, c′_j) are then replaced by δ^{r′_i}_{c′_j}. The function of δ is defined by Equation 4. In the actual hardware implementation, p is a constant known to the designers and authorized users, namely the dummy switch. The dummy switch is implemented by introducing the camouflaged standard cell described in Section 2.3 during the technology mapping process.

δ^{r′_i}_{c′_j} = M0(r′_i, c′_j) · p + M1(r′_i, c′_j) · p̄    (4)
Example 1: We illustrate the obfuscation process using the two GF(2^4) multiplications shown in Figure 4. The resulting multiplier performs multiplication with P0(x) and is obfuscated with the multiplication with P1(x). M′ is created by XORing M0 and M1, which yields seven non-zero elements at positions (r′_i, c′_j) = {(2,1), (3,1), (3,2), (2,3), (4,3), (3,4), (4,4)}. Thus, seven δ^{r′_i}_{c′_j} terms are required for this obfuscation. The obfuscation terms of Figure 4 (c) are shown in Equation 5. The obfuscated multiplication structure is first created by copying M0, and is then updated by replacing the elements at (r′_i, c′_j) = {(2,1), (3,1), (3,2), (2,3), (4,3), (3,4), (4,4)} with the δ^{r′_i}_{c′_j} of Equation 5. In the final step, the output function XORs all the terms in each column. For example, the MSB of the obfuscated multiplier (z^{01}_3) is computed as s3 ⊕ δ^2_1 ⊕ δ^3_1 ⊕ s6. The rest of the logic in the obfuscated multiplier remains the same as in any GF(2^4) multiplier.

δ^2_1 = s4·p + 0·p̄;   δ^3_1 = s5·p + 0·p̄;
δ^3_2 = 0·p + s5·p̄;   δ^2_3 = 0·p + s4·p̄;
δ^4_3 = s6·p + 0·p̄;   δ^3_4 = s5·p + 0·p̄;
δ^4_4 = s6·p + 0·p̄;                              (5)

Footnote 2: The partial products and sum of the partial products structures are not included in this figure.
An iterative obfuscation approach is applied to generate an obfuscated multiplier with more than two functions. When performing obfuscation with three or more functions, the designer must choose the irreducible polynomial for the true function (e.g. P0(x)), and also choose the order of obfuscation among the other functions. For example, consider a scenario in which the designer wants to design an obfuscated GF(2^4) multiplier with three functions to replace the multiplier block in ECC hardware, with one more irreducible polynomial P2(x) = x^4 + x^3 + x^2 + x + 1 (cf. Table 1). The true polynomial is P0(x). Let M0, M1, and M2 be the multiplication structures of P0(x), P1(x), and P2(x). If the order is P1(x)→P2(x), our approach first generates the intermediate obfuscated structure M′ with inputs M0 and M1, and then generates the finalized design by obfuscating M′ with M2. We can see that 1) in order to obfuscate n + 1 functions, the number of obfuscation iterations is n; 2) the maximum number of functions in one GF(2^m) multiplier is limited by the total number of irreducible polynomials that have degree m. For this iterative approach, the size of the final multiplier is affected by the order of obfuscations. This occurs because the total number and complexity of the obfuscation terms (δ) vary across the different orders. This is further explored in Section 4.2.
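The following Python is an added example, not code from the paper: it models structureGen (Algorithm 1) and the δ-term obfuscation of Section 3.2 on the Figure 4 polynomials, carries Example 1 one iteration further with P2(x) in the order P1(x)→P2(x), and checks each switch setting exhaustively against a reference multiplier. The integer encoding of polynomials, the Delta class and all function names are assumptions of this example.

```python
# Added example (not from the paper): a bit-level model of structureGen
# (Algorithm 1) and of the delta-term obfuscation of Section 3.2 on the GF(2^4)
# polynomials of Figure 4.  Polynomials are ints whose bit i is the coefficient
# of x^i; that encoding, the Delta class and the names are this example's own.
from dataclasses import dataclass

P0 = 0b11001  # x^4 + x^3 + 1            (true function, Figure 4a)
P1 = 0b10011  # x^4 + x + 1              (obfuscated function, Figure 4b)
P2 = 0b11111  # x^4 + x^3 + x^2 + x + 1  (third polynomial, Table 1)

@dataclass(frozen=True)
class Delta:
    """delta = on_p*p + off_p*p_bar, p = dummy switch number k; on_p/off_p
    are matrix entries: None (constant 0), int i (term s_i) or a Delta."""
    on_p: object
    off_p: object
    k: int

def gf_mul(a, b, poly, m):
    """Reference GF(2^m) product: shift-and-add, then reduce modulo poly."""
    s = 0
    for i in range(m):
        if (b >> i) & 1:
            s ^= a << i
    for i in range(2 * m - 2, m - 1, -1):
        if (s >> i) & 1:
            s ^= poly << (i - m)
    return s

def partial_sums(a, b, m):
    """s_q = XOR of a_r b_c over all r + c = q (Algorithm 1, lines 1-10)."""
    s = [0] * (2 * m - 1)
    for r in range(m):
        for c in range(m):
            s[r + c] ^= ((a >> r) & 1) & ((b >> c) & 1)
    return s

def x_power_mod(i, poly, m):
    """Remainder R of x^i modulo poly (Algorithm 1, line 16)."""
    r = 1 << i
    for j in range(i, m - 1, -1):
        if (r >> j) & 1:
            r ^= poly << (j - m)
    return r

def structure_gen(poly, m):
    """Reduction structure M (Algorithm 1, lines 11-20); column c feeds z_{m-1-c}.
    Row 0 holds s_{m-1}..s_0; row i-m+1 holds s_i where x^q occurs in x^i mod poly."""
    M = [[None] * m for _ in range(m)]
    for c in range(m):
        M[0][c] = (m - 1) - c
    for i in range(m, 2 * m - 1):
        R = x_power_mod(i, poly, m)
        for q in range(m):
            if (R >> q) & 1:
                M[i - m + 1][(m - 1) - q] = i
    return M

def obfuscate(m_true, m_other, k):
    """Section 3.2: copy m_true, placing a Delta on switch k where it differs."""
    out = [row[:] for row in m_true]
    for r, row in enumerate(m_true):
        for c, e in enumerate(row):
            if e != m_other[r][c]:
                out[r][c] = Delta(e, m_other[r][c], k)
    return out

def eval_entry(e, s, switches):
    if e is None:
        return 0
    if isinstance(e, Delta):  # nested Deltas come from iterative obfuscation
        return eval_entry(e.on_p if switches[e.k] else e.off_p, s, switches)
    return s[e]

def multiply(struct, a, b, m, switches=()):
    """Evaluate a (possibly obfuscated) structure: XOR down each column."""
    s = partial_sums(a, b, m)
    z = 0
    for c in range(m):
        bit = 0
        for r in range(m):
            bit ^= eval_entry(struct[r][c], s, switches)
        z |= bit << ((m - 1) - c)
    return z

def delta_table(struct):
    """{(row, col) 1-based: (term if p=1, term if p=0)}, cf. Equation 5."""
    return {(r + 1, c + 1): (e.on_p, e.off_p) for r, row in enumerate(struct)
            for c, e in enumerate(row) if isinstance(e, Delta)}

def exhaustive_check(struct, m, switches, poly):
    """True iff the structure under these switch values equals A*B mod poly
    for every pair of field elements."""
    return all(multiply(struct, a, b, m, switches) == gf_mul(a, b, poly, m)
               for a in range(1 << m) for b in range(1 << m))

if __name__ == "__main__":  # Example 1, then the P1(x) -> P2(x) iteration
    Mp = obfuscate(structure_gen(P0, 4), structure_gen(P1, 4), 0)
    Mpp = obfuscate(Mp, structure_gen(P2, 4), 1)
    print(delta_table(Mp), exhaustive_check(Mpp, 4, (0, 1), P1))
```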
3.3 Optimization
Two optimization techniques are introduced to reduce the overhead of the obfuscation approach: 1) early constant propagation and 2) obfuscation term reduction.
3.3.1 Early constant propagation
It turns out that a large number of the generated obfuscation terms can have zero entries. For example, in Equation 5, every δ^{r′_i}_{c′_j} has a constant-zero operand. In that case, those terms can be reduced from AND-OR logic into simple AND functions.

Figure 5: Area and delay overhead analysis with m = 8, 64, 128, 256, up to 32 functions obfuscated. (Plots not reproduced.) (a) Percentage of area overhead (0-200%) vs. number of obfuscated functions (1 to 32), for GF(2^8), GF(2^64), GF(2^128) and GF(2^256). (b) Percentage of delay overhead (0-50%) vs. number of obfuscated functions, for the same four fields.

Figure 6: Design cost of the GF(2^8) multipliers with eight functions obfuscated, over exhaustive permutations of the obfuscation orders, i.e., 40320 designs in total. (Histograms not reproduced.) (a) Distribution of area cost: number of designs (0-2000) vs. area (1800-3400). (b) Distribution of delay: number of designs (0-1800) vs. delay (120-180). The design reported in Table 2 is marked "Table 1" in both panels.
3.3.2 Obfuscation term reduction
Two types of reduction are introduced: a) merging equivalent δ terms. For example, δ^3_1 and δ^3_4 will be merged since they have the same functionality; b) reducing non-equivalent δ terms. Two δ in the same column can be merged if one δ is s_x·p and the other is s_y·p̄, x ≠ y. For example, in Figure 4 (c), in the third column (z1), δ^2_3 and δ^4_3 can be replaced by δ_reduce = s6·p + s4·p̄. This removes one term in the third column, which saves one XOR function for z1 at the cost of introducing one OR function. This is worthwhile because XOR is a more complex Boolean function than OR.
4 Experimental results
The proposed approach is evaluated by creating obfuscated Galois Field multipliers with various numbers of viable GF(2^m) multiplications. The designs generated by our approach are mapped using the open source synthesis tool ABC [29], with a 14nm technology library. The bit-width m varies from 8 to 256. The irreducible polynomials are obtained from [30]. The runtime of generating obfuscated multipliers is not included in this section because all runtimes are less than one second. In Table 2, we can see that obfuscating 16 functions for m = {64, 128, 256} requires 60%, 30%, and 20% area overhead. The delay overheads are 36%, 30%, and 25%. On average, the cost of adding an extra obfuscated function is 1.8% in area and delay. The number of obfuscated functions for GF(2^8) is limited to 8 because there are only eight primitive irreducible polynomials in this field.
4.1 Design Cost Analysis
To further analyze the design cost, we evaluate the total area and delay overhead with the number of obfuscated functions from 2 to 32, with m = 8, 64, 128, and 256. The x-axis shows the number of obfuscated functions, and the y-axis represents the overhead of area/delay. In Figure 5, we can see that:
• the area overhead increases almost linearly with the number of functions; on average, the cost of adding an extra obfuscated function is 1.8% in area and delay.
• given the same number of obfuscated functions, the area overhead and the delay overhead decrease as m (the bit-width of the multiplier) increases. For example, the area and delay overhead of obfuscating eight functions for a GF(2^8) multiplier are 186% and 33%; for GF(2^256), they are 8% and 22%. This shows that our approach is well suited to obfuscating large Galois Field arithmetic applications.
• the overheads occasionally decrease when the number of obfuscated functions increases. This is because the obfuscation terms δ introduced may become don't-care logic, which helps the technology mapping process to improve the results [31].
4.2 Order of Obfuscations
As mentioned in Section 3.2, the size of the obfuscated multipliers is affected by the order of the iterative obfuscations. The main reason is that with different orders, the number of δ terms and the complexity of these δ terms can be very different. An exhaustive permutation study over GF(2^8) is shown in Figure 6 to demonstrate the impact of the obfuscation order. All possible eight-function obfuscated GF(2^8) multipliers are generated by the proposed approach, where each order corresponds to one permutation of {P0, P1, ..., P7}. Thus, the total number of designs in Figure 6 is 8! = 40320. The results are collected by ABC with the 14nm technology library. The x-axis shows the area/delay, and the y-axis shows the number of designs in a given range of area/delay. The area varies from 1800 to 3300, and the delay ranges from 125 to 170. We can see that the order of obfuscations has a great impact on the design cost of the obfuscated multipliers. Compared to the result of the order used in Table 2 (marked "Table 1" in Figure 6), area = 2786 and delay = 148.64, that design can be further improved by exploring the choice of orders. Future work will focus on finding good orders for efficient obfuscation using machine learning.
4.3 Evaluation of Attacks
We apply the SAT-based attack technique using the two tools released publicly [19], [32]. The inputs to the tools are Verilog designs with extra syntax for defining the de-camouflaging problems. We develop a set of camouflaged GF circuits using the proposed approach, including 8-bit, 12-bit, 16-bit and 32-bit GF functions. Each of these circuits includes four camouflaged GF functions. Regarding the BDD approach [28], we measure the performance of constructing the BDDs of the camouflaged circuit using the same CUDD package [33]. The results are shown in Table 3. The SAT-based attack techniques cannot obtain the true function with only three dummy functions at 16 bits and above within 12 hours. BDD construction fails at 16-bit as well due to memory explosion. Note that cryptographic applications such as ECC could have much larger GF operators.

Table 3: Evaluations of the attack techniques [19], [32], [33] in reverse engineering the true functionality of the camouflaged GF multipliers. The time-out limit is 12 hours.

bit-width   [19]      [32]      BDD       [34]
8           4 s       6 s       1 s       4 s
12          33 s      29 s      4 s       MO
16          >12 hrs   >12 hrs   >16 GB    MO
5 Conclusion
In this paper, we introduce an obfuscation approach over Galois Field, mainly focusing on obfuscating GF multiplications. Our approach generates GF multipliers with multiple irreducible polynomials obfuscated, to prevent the actual irreducible polynomial from being reverse engineered. A complete design methodology is developed and evaluated with a set of GF multipliers, with up to 32 functions obfuscated. The results show that our approach can obfuscate the GF multipliers with low overhead in design performance. We also evaluate the strength of obfuscation over Galois Field using SAT-based and BDD-based techniques. Future work will focus on leveraging machine learning algorithms in searching for the best obfuscation order(s).
References
[1] R. Torrance and D. James, “The state-of-the-art in semiconductor reverse engineering,” in Proceedings of the 48th Design Automation Conference, DAC 2011, San Diego, California, USA, June 5-10, 2011, pp. 333–338.
[2] C. Paar and J. Pelzl, Understanding Cryptography: A Textbook for Students and Practitioners. Springer Science & Business Media, 2009.
[3] N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987.
[4] S. Mathew, S. Satpathy, V. Suresh, M. Anders, H. Kaul, A. Agarwal, S. Hsu, G. Chen, and R. Krishnamurthy, “340 mV–1.1 V, 289 Gbps/W, 2090-gate nanoAES hardware accelerator with area-optimized encrypt/decrypt GF(2^4)^2 polynomials in 22 nm tri-gate CMOS,” IEEE Journal of Solid-State Circuits, vol. 50, no. 4, pp. 1048–1058, 2015.
[5] C. Yu, D. E. Holcomb, and M. J. Ciesielski, “Reverse engineering of irreducible polynomials in GF(2^m) arithmetic,” in DATE 2017, Lausanne, Switzerland, March 27-31, 2017, pp. 1558–1563.
[6] T. Nagell, Introduction to Number Theory. Almqvist & Wiksell, Stockholm, 1951.
[7] NIST, “Recommended elliptic curves for federal government use,” 1999.
[8] M. Scott, “Optimal irreducible polynomials for GF(2^m) arithmetic,” IACR Cryptology ePrint Archive, vol. 2007, p. 192, 2007.
[9] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis of integrated circuit camouflaging,” in CCS ’13, Berlin, Germany, November 4-8, 2013, pp. 709–720.
[10] G. T. Becker, F. Regazzoni, C. Paar, and W. P. Burleson, “Stealthy dopant-level hardware Trojans,” in CHES 2013, Santa Barbara, CA, USA, August 20-23, 2013, pp. 197–214.
[11] S. Keshavarz, C. Paar, and D. E. Holcomb, “Design automation for obfuscated circuits with multiple viable functions,” in DATE 2017, Lausanne, Switzerland, March 27-31, 2017, pp. 886–889.
[12] M. I. M. Collantes, M. E. Massad, and S. Garg, “Threshold-dependent camouflaged cells to secure circuits against reverse engineering attacks,” 2016. [Online]. Available: http://arxiv.org/abs/1605.00684
[13] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis of integrated circuit camouflaging,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM, 2013, pp. 709–720.
[14] Y. Bi, K. Shamsi, J.-S. Yuan, P.-E. Gaillardon, G. D. Micheli, X. Yin, X. S. Hu, M. Niemier, and Y. Jin, “Emerging technology-based design of primitives for hardware security,” ACM Journal on Emerging Technologies in Computing Systems (JETC), vol. 13, no. 1, p. 3, 2016.
[15] A. Vijayakumar, V. C. Patil, D. E. Holcomb, C. Paar, and S. Kundu, “Physical design obfuscation of hardware: A comprehensive investigation of device and logic-level techniques,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 1, pp. 64–77, 2017.
[16] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri, “Logic encryption: A fault analysis perspective,” in Proceedings of the Conference on Design, Automation and Test in Europe, ser. DATE ’12, 2012, pp. 953–958.
[17] S. Jha, S. Gulwani, S. A. Seshia, and A. Tiwari, “Oracle-guided component-based program synthesis,” in 2010 ACM/IEEE 32nd International Conference on Software Engineering, vol. 1. IEEE, 2010, pp. 215–224.
[18] M. E. Massad, S. Garg, and M. V. Tripunitara, “Integrated circuit (IC) decamouflaging: Reverse engineering camouflaged ICs within minutes,” in 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, February 8-11, 2014, 2015.
[19] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic encryption algorithms,” in Hardware-Oriented Security and Trust (HOST), 2015.
[20] D. Liu, C. Yu, X. Zhang, and D. E. Holcomb, “Oracle-guided incremental SAT solving to reverse engineer camouflaged logic circuits,” in 2016 Design, Automation & Test in Europe Conference & Exhibition, DATE 2016, Dresden, Germany, March 14-18, 2016, pp. 433–438.
[21] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “AppSAT: Approximately deobfuscating integrated circuits,” in 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE, 2017, pp. 95–100.
[22] M. Li, K. Shamsi, T. Meade, Z. Zhao, B. Yu, Y. Jin, and D. Z. Pan, “Provably secure camouflaging strategy for IC protection,” in Proceedings of the 35th International Conference on Computer-Aided Design, ICCAD 2016, Austin, TX, USA, November 7-10, 2016, p. 28.
[23] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “CamoPerturb: Secure IC camouflaging for minterm protection,” in Proceedings of the 35th International Conference on Computer-Aided Design, ICCAD 2016, Austin, TX, USA, November 7-10, 2016, p. 29.
[24] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “Cyclic obfuscation for creating SAT-unresolvable circuits,” in Proceedings of the Great Lakes Symposium on VLSI 2017. ACM, 2017, pp. 173–178.
[25] M. Ciesielski, C. Yu, W. Brown, D. Liu, and A. Rossi, “Verification of gate-level arithmetic circuits by function extraction,” in 52nd DAC. ACM, 2015, pp. 52–57.
[26] C. Yu and M. J. Ciesielski, “Efficient parallel verification of Galois field multipliers,” in 22nd Asia and South Pacific Design Automation Conference, ASP-DAC 2017, Chiba, Japan, January 16-19, 2017, pp. 238–243.
[27] C. Yu, D. E. Holcomb, and M. J. Ciesielski, “Reverse engineering of irreducible polynomials in GF(2^m) arithmetic,” in Design, Automation & Test in Europe Conference & Exhibition, DATE 2017, Lausanne, Switzerland, March 27-31, 2017, pp. 1558–1563.
[28] X. Xu, B. Shakya, M. M. Tehranipoor, and D. Forte, “Novel bypass attack and BDD-based tradeoff analysis against all known logic locking attacks,” in International Conference on Cryptographic Hardware and Embedded Systems. Springer, 2017, pp. 189–210.
[29] A. Mishchenko et al., “ABC: A system for sequential synthesis and verification,” http://www.eecs.berkeley.edu/~alanmi/abc, 2007.
[30] J. Arndt, “Tables of mathematical data - binary primitive polynomials,” http://www.jjj.de/mathdata/, 2003.
[31] A. Mishchenko, R. K. Brayton, J. R. Jiang, and S. Jang, “Scalable don’t-care-based logic optimization and resynthesis,” in FPGA 2009, Monterey, California, USA, February 22-24, 2009, pp. 151–160.
[32] C. Yu, X. Zhang, D. Liu, M. Ciesielski, and D. Holcomb, “Incremental SAT-based reverse engineering of camouflaged logic circuits,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2017.
[33] F. Somenzi, “CUDD: CU Decision Diagram Package, release 2.4.0,” University of Colorado at Boulder, 2009.
[34] C. Yu, W. Brown, D. Liu, A. Rossi, and M. J. Ciesielski, “Formal verification of arithmetic circuits using function extraction,” IEEE Trans. on CAD of Integrated Circuits and Systems, vol. 35, no. 12, pp. 2131–2142, 2016.
