Generalized SAT-Attack-Resistant Logic Locking by Zhou, Jingbo & Zhang, Xinmiao
arXiv:1910.12142v1 [cs.CR] 26 Oct 2019
Generalized SAT-Attack-Resistant
Logic Locking
Jingbo Zhou and Xinmiao Zhang, Senior Member, IEEE
Abstract—Logic locking is used to protect integrated circuits (ICs) from piracy and counterfeiting. An encrypted IC implements correct
function only when the right key is input. Many existing logic locking methods are subject to the powerful satisfiability (SAT)-based
attack. Recently, an Anti-SAT scheme has been developed. By adopting two complementary logic blocks that consist of AND/NAND
trees, it makes the number of iterations needed by the SAT attack exponential to the number of input bits. Nevertheless, the Anti-SAT
scheme is vulnerable to the later AppSAT and removal attacks. This paper proposes a generalized (G-)Anti-SAT scheme. Different from
the Anti-SAT scheme, a variety of complementary or non-complementary functions can be adopted for the two blocks in our G-Anti-SAT
scheme. Pairs of functions that consist of similar number of minterms can be chosen to resist the AppSAT and removal attacks.
Meanwhile, our design requires the same number of iterations in the SAT attack as the Anti-SAT scheme, and hence is always resistant
to the SAT attack. The Anti-SAT scheme is just a special case of our proposed design.
Index Terms—Anti-SAT, AppSAT attack, Hardware security, Logic locking, Removal attack, SAT attack
1 INTRODUCTION
NOWADAYS, integrated circuits (ICs) are designed and produced in a multi-vendor environment, which
makes the designs face various security threats. In particular,
netlists of the ICs may be obtained from reverse
engineering or untrusted foundries. IP piracy and counter-
feiting cause severe economic loss to the IC designers [1],
[2]. IC camouflaging [3] [4] resists reverse engineering [5]
by making functionally different logic gates look alike in
layout. However, unlike logic encryption/locking [6], it is
ineffective when the netlist is available. The basic idea of
logic locking is to insert key-controlled logic gates into the
chip so that the chip does not function correctly without the
right key.
Many logic locking schemes have been developed pre-
viously by inserting XOR/XNOR gates [7]–[9], MUX gates
[10], [11], or look-up tables (LUTs) [12], [13] controlled by
keys. However, these designs can be easily decrypted by
the satisfiability (SAT)-based attack [14], which uses Boolean
SAT solvers to iteratively update and solve the conjunctive
normal form (CNF) formula of the target circuit. In each
iteration, a distinguishing input pattern (DIP) is found and
it is utilized to identify wrong keys. For many logic locking
schemes, only a small number of DIPs are needed to identify
all wrong keys. As a result, the SAT attack can be done
within a few hours even if the key size is not very large.
Several schemes have been proposed to resist the SAT
attack in recent years [15], [16]. The main idea is to adopt
functional blocks that make the number of iterations in
the SAT attack exponential. The Anti-SAT design [15] con-
sists of two complementary function blocks implementing
NAND/AND trees. The SAT attack excludes a disjoint set
of wrong keys in each iteration and needs to go through
all possible input patterns as DIPs before the right key is
derived. In SarLock [16], the function blocks are designed
so that each DIP can only exclude at most one wrong key.
When the number of key bits is larger than the number
of input bits, the SAT attack has to enumerate all input
patterns. The ideas in the Anti-SAT and SarLock schemes
are quite similar, and the following discussions focus on the
Anti-SAT scheme.
The authors are with The Ohio State University, Columbus, OH 43210, USA. Emails: {zhou.2955, zhang.8952}@osu.edu.
The Anti-SAT scheme is vulnerable to more recent at-
tacks. AND/NAND functions are adopted in the two blocks
of the Anti-SAT scheme to make the number of iterations
needed in the SAT attack exponential. On the other hand,
such functions lead to large skew in the output signal, which
makes the Anti-SAT design subject to the removal attack
[17]. Additionally, for a randomly selected wrong key, only
a small number of input patterns make the Anti-SAT output
incorrect. As a result, it can be decrypted by the AppSAT
attack [18].
This paper proposes a generalized (G-) Anti-SAT
scheme. The proposed scheme is resistant to not only the
SAT attack like the Anti-SAT design in [15], but also the
AppSAT and removal attacks. The Anti-SAT design is just a
special case of the proposed G-Anti-SAT scheme. From our
analysis, it was discovered that the wrong key sets that can
be identified by the DIPs do not have to be disjoint as in
the Anti-SAT and SarLock designs in order to make the SAT
attack run through exponentially large number of iterations.
From this key observation, a variety of logic functions can
be used for the two function blocks and they do not have
to be complementary. As a result, proper functions can be
chosen to effectively reduce the skews of the signals to be
resistant to the removal attack and increase the corruptibility
of the output signals to be immune to the AppSAT attack.
The major contributions of this paper are as follows.
1) Generalized constraints on the two blocks of func-
tions that make the number of the SAT attack itera-
tions exponential to the key size are derived.
2) Generalization is made in a second dimension to
allow the two functions to be non-complementary.
Constraints on the existence of correct keys for this
case are derived.
3) Methodologies are developed to design functions
satisfying the generalized constraints using K-maps.
4) Guidelines are provided to develop designs that are
resistant to AppSAT and removal attacks and have
reduced logic complexity.
This paper is organized as follows. Section 2 provides
background of the attacks and Anti-SAT design. Section
3 proposes our G-Anti-SAT constraints. Section 4 presents
methodologies for developing functions satisfying the G-
Anti-SAT constraints using K-maps. Guidelines for resisting
removal and AppSAT attacks and reducing logic complexity
are also discussed in this section. Analysis and experimental
results showing the resistance of our design to various
attacks are given in Section 5. Discussions and conclusions
follow in Section 6 and Section 7, respectively.
2 BACKGROUND
This section introduces basic knowledge about the SAT
attack, Anti-SAT block, AppSAT and removal attack.
2.1 SAT attack
The SAT attack [14] is a powerful technique against logic
locking. The attack model assumes that the attacker has
access to the locked gate-level netlist, which can be obtained
by reverse engineering or from an untrusted foundry. Define the locked netlist as $\vec{Y} = f_e(\vec{X}, \vec{K})$ with primary inputs $\vec{X}$, key inputs $\vec{K}$, and primary outputs $\vec{Y}$. Its CNF formula is represented as $C_e(\vec{X}, \vec{K}, \vec{Y})$. It is also assumed that the attacker has an activated chip. Its netlist is represented as $\vec{Y} = f_o(\vec{X})$, and its CNF formula is $C_o(\vec{X}, \vec{Y})$.
The SAT attack finds the right key by excluding all wrong keys through utilizing DIPs. Initially, a SAT solver is applied to the following formula
$$F_0 := C_e(\vec{X}, \vec{K}_1, \vec{Y}_1) \wedge C_e(\vec{X}, \vec{K}_2, \vec{Y}_2) \wedge (\vec{Y}_1 \neq \vec{Y}_2) \tag{1}$$
to solve for an $\vec{X}$ that leads to different outputs, $\vec{Y}_1$ and $\vec{Y}_2$, under two different keys, $\vec{K}_1$ and $\vec{K}_2$. This $\vec{X}$ is referred to as the DIP and is denoted by $\vec{X}^d_1$. Then the logic function of the activated circuit is utilized to get the corresponding correct output $\vec{Y}^d_1 = f_o(\vec{X}^d_1)$. After that, new constraints corresponding to $\vec{X}^d_1$ and $\vec{Y}^d_1$ are added and the original SAT formula in (1) is updated as $F_1 = F_0 \wedge C_e(\vec{X}^d_1, \vec{K}_1, \vec{Y}^d_1) \wedge C_e(\vec{X}^d_1, \vec{K}_2, \vec{Y}^d_1)$. Then the updated SAT formula is solved for DIPs and the DIPs are utilized to update the SAT formula iteratively. In the $i$th iteration, the SAT formula is
$$F_i = F_0 \wedge \bigwedge_{j=1}^{i} \left( C_e(\vec{X}^d_j, \vec{K}_1, \vec{Y}^d_j) \wedge C_e(\vec{X}^d_j, \vec{K}_2, \vec{Y}^d_j) \right).$$
If $F_i$ is satisfiable, then there exist at least one pair of keys $\vec{K}_1$, $\vec{K}_2$, and $\vec{X}^d_{i+1}$ such that $f_e(\vec{X}^d_{i+1}, \vec{K}_1) \neq f_e(\vec{X}^d_{i+1}, \vec{K}_2)$, which means not all wrong keys have been excluded from the key space. When the SAT formula is no longer satisfiable in an iteration, say $\lambda$, the algorithm stops. At this time, the correct key can be derived by solving the following SAT formula
$$F := \bigwedge_{i=1}^{\lambda} C_e(\vec{X}^d_i, \vec{K}, \vec{Y}^d_i). \tag{2}$$
Fig. 1. Anti-SAT block. (a) Type-0 block; (b) Type-1 block
2.2 Anti-SAT block
An Anti-SAT block is proposed in [15]. It is composed of two complementary functions $g$ and $\bar{g}$ as shown in Fig. 1. These two functions share the same input $\vec{X}$ but have different keys. The outputs of the two functions can be ANDed or ORed to generate the output as shown in Fig. 1 (a) and (b), respectively. They are referred to as the type-0 and type-1 blocks, respectively. Let $\vec{K}_1 = [k_1, k_2, \cdots, k_n]$ and $\vec{K}_2 = [k_{n+1}, k_{n+2}, \cdots, k_{2n}]$. Any $\vec{K}_1 = \vec{K}_2$ are correct keys for the Anti-SAT scheme. Since $g$ and $\bar{g}$ are complementary functions, the correct output of the type-0 block in Fig. 1(a) is '0', and that of the type-1 block in Fig. 1(b) is '1'.
Let $\vec{X} = [x_1, x_2, \cdots, x_n]$. The input to the $g$ function in Fig. 1(a) is $\vec{L} = \vec{X} \oplus \vec{K}_1$. Define
$$\begin{aligned} L^T &= \{\vec{L} \mid g(\vec{L}) = 1\}, \quad (|L^T| = p) \\ L^F &= \{\vec{L} \mid g(\vec{L}) = 0\}, \quad (|L^F| = 2^n - p) \end{aligned} \tag{3}$$
In the remainder of this paper, $L^T$ is referred to as the true set. In [15], it has been derived that the total number of iterations needed by the SAT attack on the structure shown in Fig. 1 is lower bounded by
$$\lambda \geq \frac{2^{2n} - 2^n}{p \times (2^n - p)}. \tag{4}$$
When $p = 1$ or $2^n - 1$, $\lambda \geq 2^n$. Since there are $2^n$ input combinations, this means that all possible input patterns need to be gone through as DIPs to reveal the correct keys and the SAT attack is effectively resisted. A natural candidate for $g$ that satisfies $p = 1$ or $p = 2^n - 1$ is the AND or NAND of all inputs.
Two methods have been proposed in [15] to integrate
the Anti-SAT block into a circuit: random integration and
secure integration. They use random signals in the circuit
and primary inputs of the circuit, respectively, as the inputs
to the Anti-SAT block. Unlike the random integration, the
secure integration guarantees that the number of iterations
needed by the SAT attack is maximized.
2.3 AppSAT attack
In the AppSAT attack [18], the corruptibility of the output signal is defined as
$$Cr = \Pr_{\vec{X} \in \mathcal{X},\, \vec{K} \in \mathcal{K}} [C_e(\vec{X}, \vec{K}) \neq C_o(\vec{X})], \tag{5}$$
where $\mathcal{X}$ and $\mathcal{K}$ are the sets of all possible input and key patterns, respectively. The Anti-SAT block in Fig. 1 has one output signal. This signal is connected to the circuit to be locked and the locked circuit functions correctly if this signal has the correct value. Since $g$ and $\bar{g}$ are n-input AND and NAND gates, respectively, for every wrong key, there is only one input pattern that makes the output of the Anti-SAT block wrong. Accordingly, the Anti-SAT design has low corruptibility.
The AppSAT attack avoids exponential number of itera-
tions by introducing random query reinforcement and stop-
ping the query process early. After every certain number
of iterations, random input query patterns are inserted and
additional constraints from the random queries are added
to the CNF formula. If the output has low corruptibility,
the portion of the input queries that generate the wrong
output falls below a threshold. If this happens for a number
of rounds, the algorithm terminates and returns an approx-
imate key.
2.4 Removal attack
The removal attack [17] can be utilized to identify the last
gate, G, in the Anti-SAT block. Then the output of this
gate is replaced by the correct signal, which is ‘0’ and ‘1’
for the type-0 and type-1 blocks, respectively, in the circuit
adopting the Anti-SAT block.
The removal attack is carried out using signal probability skew (SPS). The SPS value of a signal, $x$, is defined as
$$s_x = \Pr[x = 1] - 0.5. \tag{6}$$
Since $0 \leq \Pr[x = 1] \leq 1$, the range of $s_x$ is $[-0.5, 0.5]$. For a logic gate with two inputs whose SPS values are $s_1$ and $s_2$, its absolute difference (ADS) value is defined as
$$ADS = |s_1 - s_2|. \tag{7}$$
Assume that $\vec{X}$, $\vec{K}_1$, $\vec{K}_2$ are random. Then the SPS values of the inputs to the XOR gates in the Anti-SAT block are zero. According to (6), the outputs of the XOR gates have zero SPS values. The SPS value for the output of an n-input AND gate is calculated as $s_{n\text{-AND}} = \prod_{i=1}^{n}(0.5 + s_i) - 0.5$, where $s_i$ is the SPS of the $i$th input. Since $s_i = 0$ for the AND gate in the $g$ function, $s_{g(\vec{X}, \vec{K}_1)} = 0.5^n - 0.5$. As $n \to \infty$, $s_{g(\vec{X}, \vec{K}_1)} \approx -0.5$. Similarly, for the n-input NAND gate output from $\bar{g}$, the SPS is $s_{\bar{g}(\vec{X}, \vec{K}_2)} = 0.5 - 0.5^n$. It approaches 0.5 for large n. As a result, for the last gate, G, of the Anti-SAT block in Fig. 1(a), the output SPS value is -0.5 and the ADS value of the final gate G is $ADS_G = |s_{g(\vec{X}, \vec{K}_1)} - s_{\bar{g}(\vec{X}, \vec{K}_2)}| \approx 1$, if the number of inputs to the Anti-SAT block is large.
It was found in [17] that the ADS values for the gates
in a circuit are rarely very high. Hence the G gate may
be identified by first sorting out the gates with the highest
ADS values. In the case that there are multiple candidates
whose ADS values are very close, the transitive fan-in (TFI)
of the candidate gates are analyzed. The TFI traces back the
inputs of the candidate gates and finds how many key bits
contribute to the inputs. The G gate should have all 2n key
bits as contributors. To remove the G gate, its output signal
is replaced by 0 or 1 in the circuit when the SPS of G is
negative or positive, respectively.
It was also mentioned in [17] that the removal and
AppSAT attack can be combined. The combined attack can
return an exact unlocked netlist, instead of an approximate
key when using the AppSAT attack alone.
3 GENERALIZED ANTI-SAT CONSTRAINTS
The main reason that the Anti-SAT block is subject to the
AppSAT and removal attacks is that, p, the cardinality of
the true set as defined in (3), is either too small or too big.
On the other hand, such p is needed in the Anti-SAT design
to maximize the number of iterations in the SAT attack. To
solve this dilemma, true sets that have medium cardinality
and at the same time lead to maximum SAT attack iterations
are necessary. In this section, generalized constraints on the
true sets for resisting the SAT attack are proposed. Our
generalization allows a wide range of true set cardinality,
which enables our design to be effectively resistant to the
AppSAT and removal attacks at the same time.
3.1 Wrong key sets analysis
Define $WK_{\vec{X}_i}$ as the wrong key set that input $\vec{X}_i$ can exclude. In other words, $WK_{\vec{X}_i} = \{\overrightarrow{WK} \mid f_e(\overrightarrow{WK}, \vec{X}_i) \neq f_o(\vec{X}_i)\}$. If there exist $\vec{X}_i$, $\vec{X}_j$ such that $WK_{\vec{X}_i} = WK_{\vec{X}_j}$, and the algorithm has already selected one of them as a DIP, then the other one will not be a DIP in the rest of the SAT attack. Therefore, if a circuit can be decrypted by the SAT attack in a limited number of iterations, there must be many inputs that have the same wrong key sets and are not selected as DIPs.
Consider a circuit that has $n$ inputs and requires $\lambda$ iterations in the SAT attack. Denote the set of DIPs by $X_{DIP}$. Accordingly, $\lambda = |X_{DIP}|$. If a block needs to be resistant to the SAT attack, $\lambda$ needs to be as big as possible, which is $2^n$. This means that each possible n-bit input combination can exclude some unique wrong keys that the other inputs cannot exclude. Take a 4-bit-input type-0 Anti-SAT block as an example. When $p$ in (3) is 1, for each possible input $\vec{X}$, $|WK_{\vec{X}}| = 15$. The key input has 8 bits and hence $2^8$ different combinations. From [15], 16 of the keys are correct. Hence, the total number of wrong keys is $2^8 - 16 = 240$. Therefore, the number of DIPs and the number of iterations carried out by the SAT attack should be $\lambda \geq \frac{240}{15} = 16$. On the other hand, for 4-bit input, there are $2^4$ combinations. Hence, $\lambda = 16$. Apparently, for this Anti-SAT scheme, the wrong key sets for different input combinations do not have any overlap. In other words,
$$\forall \vec{X}_i \neq \vec{X}_j \in X^n, \quad WK_{\vec{X}_i} \cap WK_{\vec{X}_j} = \emptyset, \tag{8}$$
where $X^n$ is the set of all possible inputs of n bits.
$\lambda$ may still be made equal to $2^n$ to be resistant to the SAT attack even if there are overlaps among the wrong key sets. The Anti-SAT block is a special case. In addition, the functions of the two blocks do not have to be complementary of each other as in the Anti-SAT block.
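The counts in this subsection can be reproduced by exhaustive enumeration. The following is an added example, not code from the paper: it models a 4-bit type-0 block by its two true sets, builds every wrong key set, and counts the iterations of the DIP loop of Section 2.1 with brute force in place of a SAT solver. The second pair of true sets is taken from Example 1 in Section 3.3.1; the third pair (`SHARED_DISTANCES`) and all function names are constructed for illustration.

```python
from itertools import product

# (true set of first block, true set of second block), vectors written as integers
ANTI_SAT = ({15}, set(range(15)))              # g = 4-input AND, g-bar = NAND (p = 1)
EXAMPLE_1 = ({0, 1, 2, 3}, {0, 8, 9, 10, 11})  # true sets of Example 1 on this page
SHARED_DISTANCES = ({0, 1, 2, 3}, {4, 5, 6, 7})  # constructed: many inputs share one WK set


def block_output(x, kf, kg, f_true, g_true):
    """Type-0 block: y = f(X ^ Kf) AND g(X ^ Kg); the correct output is 0."""
    return int((x ^ kf) in f_true and (x ^ kg) in g_true)


def wrong_key_sets(n, f_true, g_true):
    """WK_X for every input X: the keys (Kf, Kg) that drive the output to 1 at X."""
    size = 1 << n
    return {x: frozenset(k for k in product(range(size), repeat=2)
                         if block_output(x, *k, f_true, g_true))
            for x in range(size)}


def dip_iterations(n, f_true, g_true):
    """Count iterations of the DIP loop by exhaustive enumeration.

    An input is a DIP while two surviving keys still disagree on it. The
    activated chip answers 0 (type-0), so keys that answer 1 are discarded.
    """
    size = 1 << n
    survivors = set(product(range(size), repeat=2))
    dips = []
    while True:
        dip = next((x for x in range(size)
                    if len({block_output(x, *k, f_true, g_true)
                            for k in survivors}) == 2), None)
        if dip is None:
            return dips, survivors
        survivors = {k for k in survivors
                     if not block_output(dip, *k, f_true, g_true)}
        dips.append(dip)


def analyse(n, f_true, g_true):
    """Summarise wrong-key-set structure and the resulting number of DIPs."""
    wk = wrong_key_sets(n, f_true, g_true)
    wrong = set().union(*wk.values())
    if len(wrong) == 4 ** n:
        raise ValueError("no correct key exists; the oracle model does not apply")
    dips, survivors = dip_iterations(n, f_true, g_true)
    all_keys = set(product(range(1 << n), repeat=2))
    return {
        "wk_sizes": sorted({len(s) for s in wk.values()}),
        "wrong_keys": len(wrong),
        "correct_keys": 4 ** n - len(wrong),
        "wk_sets_disjoint": sum(len(s) for s in wk.values()) == len(wrong),
        "distinct_wk_sets": len(set(wk.values())),
        "dip_iterations": len(dips),
        "survivors_are_correct_keys": survivors == all_keys - wrong,
    }


if __name__ == "__main__":
    for name, (f_true, g_true) in [("Anti-SAT", ANTI_SAT),
                                   ("Example 1", EXAMPLE_1),
                                   ("shared distances", SHARED_DISTANCES)]:
        print(name, analyse(4, f_true, g_true))
```

The Example 1 pair has overlapping wrong key sets yet still needs all 16 inputs as DIPs, while the constructed pair collapses to four distinct wrong key sets and four iterations.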
3.2 Highlights of proposed generalized Anti-SAT block
Fig. 2. Architecture of the proposed type-0 G-Anti-SAT block
The proposed G-Anti-SAT block generalizes the previous approach by allowing the wrong key sets of different input combinations to have overlaps. In general, instead of (8), our design requires that
$$\forall \vec{X}_i \neq \vec{X}_j \in X^n, \quad \exists \vec{L} \in WK_{\vec{X}_i} \ \& \ \vec{L} \notin WK_{\vec{X}_j} \tag{9}$$
In other words, each wrong key set has at least one distinct element. Adopting the above relaxation, there are still $\lambda = 2^n$ DIPs. Hence, our generalized design is still resistant to the SAT attack. In order to allow overlapping wrong key sets, the cardinality of the true set $|L^T|$ is relaxed so that it can be integers other than 1 or $2^n - 1$. A second dimension
of generalization is done by allowing the two functions to be
f and g, which are not necessarily complementary of each
other. By choosing true sets with medium cardinality, our
design leads to output with high corruptibility and hence
is resistant to the AppSAT attack. Also the ADS value of
the final gate in our scheme can be tuned by changing
the cardinalities of the true sets of f and g. By using two
functions whose true set cardinalities are as close to each
other as possible, our design is immune to the removal
attack, which is not addressable by the previous Anti-SAT
block. Similarly, our proposed design can be also integrated
into circuits using the methods in [15].
In the following, subsection 3.3.1 analyzes the con-
straints on the true sets to satisfy (9). When non-
complementary blocks are adopted, it is non-trivial to iden-
tify the right keys. The constraint to ensure the existence of
right keys is provided in Subsection 3.3.2. Section 4 presents
construction methods for the true sets by using K-maps. K-maps
help to not only highlight the constraints that need to be
satisfied but also identify the true sets leading to lower
hardware implementation complexity for the proposed G-Anti-SAT block.
3.3 Constraints for SAT attack resistance and correct
key existence
3.3.1 Constraints for resisting SAT attacks
Fig. 2 shows our proposed G-Anti-SAT block for type-0
design. Different from the previous design, the functions
of the two blocks do not have to be complementary of each
other. Similarly, the last gate can be replaced by an OR gate
to be a type-1 design. In the following, analysis is carried
out on the type-0 design shown in Fig. 2. All the proposed
analysis and constraints can be extended easily for the type-
1 design.
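Define
$$\begin{aligned} Lf^T &= \{\vec{L} \mid f(\vec{L}) = 1\} & Lf^F &= \{\vec{L} \mid f(\vec{L}) = 0\} \\ Lg^T &= \{\vec{L} \mid g(\vec{L}) = 1\} & Lg^F &= \{\vec{L} \mid g(\vec{L}) = 0\}. \end{aligned} \tag{10}$$
Following the convention in [15], '1' is considered as the incorrect output for a type-0 block. For the architecture in Fig. 2, the output function is $y = f(\vec{X} \oplus \vec{K}_f) \wedge g(\vec{X} \oplus \vec{K}_g)$, where $\vec{K}_f$ and $\vec{K}_g$ are the key inputs of block f and g, respectively. $y = $ '1' only if $\overrightarrow{Lf^T_i} \triangleq \vec{X} \oplus \vec{K}_f \in Lf^T$ and $\overrightarrow{Lg^T_j} \triangleq \vec{X} \oplus \vec{K}_g \in Lg^T$. Therefore, the wrong key combinations in $WK_{\vec{X}}$ are in the format of $[\vec{X} \oplus \overrightarrow{Lf^T_i} \,\|\, \vec{X} \oplus \overrightarrow{Lg^T_j}]$, where $\|$ means concatenation. Accordingly, (9) can be interpreted as
$$\begin{aligned} &\forall \vec{X}_i \neq \vec{X}_j \in X^n, \ \exists\, \overrightarrow{Lf^T_i} \neq \overrightarrow{Lf^T_j} \in Lf^T, \ \overrightarrow{Lg^T_i} \neq \overrightarrow{Lg^T_j} \in Lg^T \\ &\text{s.t. } [\overrightarrow{Lf^T_i} \oplus \vec{X}_i \,\|\, \overrightarrow{Lg^T_i} \oplus \vec{X}_i] \neq [\overrightarrow{Lf^T_j} \oplus \vec{X}_j \,\|\, \overrightarrow{Lg^T_j} \oplus \vec{X}_j]. \end{aligned} \tag{11}$$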
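Since $X^n$ includes all n-bit vectors, for any $\overrightarrow{Lf^T_i} \neq \overrightarrow{Lf^T_j}$, there must exist $\vec{X} \in X^n$, such that $\overrightarrow{Lf^T_i} \oplus \overrightarrow{Lf^T_j} = \vec{X}$. $\vec{X}$ can be also rewritten as the sum of two elements in $X^n$, i.e. $\vec{X} = \vec{X}_i \oplus \vec{X}_j$. Hence the constraint $\forall \vec{X}_i \neq \vec{X}_j$, $\overrightarrow{Lf^T_i} \oplus \vec{X}_i \neq \overrightarrow{Lf^T_j} \oplus \vec{X}_j$ can never be satisfied. Similarly, $\overrightarrow{Lg^T_i} \oplus \vec{X}_i \neq \overrightarrow{Lg^T_j} \oplus \vec{X}_j$ for $\forall \vec{X}_i \neq \vec{X}_j$ is not true. Therefore, to satisfy the constraints in (11), $Lf^T$ and $Lg^T$ need to be designed jointly so that $\overrightarrow{Lf^T_i} \oplus \vec{X}_i = \overrightarrow{Lf^T_j} \oplus \vec{X}_j$ and $\overrightarrow{Lg^T_i} \oplus \vec{X}_i = \overrightarrow{Lg^T_j} \oplus \vec{X}_j$ are not true at the same time.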
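Define the binary distance between two vectors $\vec{X}_1$ and $\vec{X}_2$ as $\vec{d} = \vec{X}_1 \oplus \vec{X}_2$. Let $D_{\vec{e}-S}$ be a set consisting of binary distances between an element $\vec{e} \in S$ and all the other elements in $S$. In other words,
$$D_{\vec{e}-S} = \{\vec{d} = \vec{e} \oplus \vec{e}_i \mid \vec{e}_i \neq \vec{e}, \ \vec{e}_i \in S\}. \tag{12}$$
Then $D_{\overrightarrow{Lf^T_i} - Lf^T}$ is the set of vectors consisting of $\overrightarrow{Lf^T_i} \oplus \overrightarrow{Lf^T_j}$ for every $\overrightarrow{Lf^T_j} \in Lf^T$ and $\overrightarrow{Lf^T_j} \neq \overrightarrow{Lf^T_i}$. If $\overrightarrow{Lf^T_i} \oplus \vec{X}_i = \overrightarrow{Lf^T_j} \oplus \vec{X}_j$ is satisfied, $\overrightarrow{Lf^T_i} \oplus \overrightarrow{Lf^T_j} = \vec{X}_i \oplus \vec{X}_j$. Hence, $\vec{X}_i \oplus \vec{X}_j$ is also in the set $D_{\overrightarrow{Lf^T_i} - Lf^T}$. Similarly, the $\vec{X}_i \oplus \vec{X}_j$ of the $\vec{X}_i$ and $\vec{X}_j$ satisfying the constraint that $\overrightarrow{Lg^T_i} \oplus \vec{X}_i = \overrightarrow{Lg^T_j} \oplus \vec{X}_j$ is in the set $D_{\overrightarrow{Lg^T_i} - Lg^T}$. Accordingly, the constraints in (11) are translated to
$$\text{Constraint 1: } D_{\overrightarrow{Lf^T_i} - Lf^T} \cap D_{\overrightarrow{Lg^T_j} - Lg^T} = \emptyset. \tag{13}$$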
The above equation gives constraints equivalent to (9). On the other hand, these constraints can be utilized to construct $Lf^T$ and $Lg^T$ more easily. They are referred to as Constraint 1 in the remainder of this paper.
From Constraint 1, it is clear that the functions f and g do not have to be complementary, and $|Lf^T|$, $|Lg^T|$ do not need to be 1 or $2^n - 1$. Therefore, the f and g blocks do not need to be AND and NAND gates, respectively, as in the Anti-SAT block [15]. The Anti-SAT block is just a special case of our proposed design. Many different functions can be chosen for f and g. In the design of f and g, an arbitrary set can be chosen as $Lf^T$ first. For the selected $Lf^T$, the choice of $Lg^T$ may not be unique. Any $Lg^T$ satisfying Constraint 1 can be utilized to be resistant to the SAT attack.
Example 1 Take the structure in Fig. 2 with 4-bit input as an example. Different from the previous design, the f and g functions are allowed to be non-complementary. First, let $Lf^T = [0, 1, 2, 3]$. To simplify the notations, decimal numbers are used to represent vectors here. It turns out $[0, 8, 9, 11, 10]$ is one of the possible sets for $Lg^T$ that makes Constraint 1 satisfied. When $\overrightarrow{Lf^T_i} = \overrightarrow{Lg^T_j} = 0$, the two sets in Constraint 1 are disjoint. For a given $Lf^T$, the corresponding $Lg^T$, $\overrightarrow{Lf^T_i}$, and $\overrightarrow{Lg^T_j}$ satisfying Constraint 1 can be found easily using K-maps, which will be detailed in Section 4. $Lf^T$ and $Lg^T$ are the minterms of the f and g functions, respectively. The logic formula for f and g can be derived easily. For the above choice of $Lf^T$ and $Lg^T$, $f(\vec{L}) = \bar{l}_3 \wedge \bar{l}_2$ and $g(\vec{L}) = (l_3 \wedge \bar{l}_2) \vee (\bar{l}_2 \wedge \bar{l}_1 \wedge \bar{l}_0)$, where $\vec{L} = [l_3, l_2, l_1, l_0]$ is the 4-bit input to f and g.
Example 2 The f and g in our design can be complementary as well. Select $Lg^T = [0, 1, 2, 3, 4, 5, 7]$ and $Lf^T = [6, 8, 9, 10, 11, 12, 13, 14, 15]$. It can be found that $\overrightarrow{Lf^T_i} = 5$ and $\overrightarrow{Lg^T_j} = 6$ satisfy Constraint 1. Accordingly, the functions f and g are derived as $f(\vec{L}) = l_3 \vee (l_2 \wedge l_1 \wedge \bar{l}_0)$ and $g(\vec{L}) = \overline{f(\vec{L})}$.
Example 3 Constraint 1 is not sufficient to guarantee the existence of correct keys. For example, take $Lf^T = [0, 1, 3, 2]$ and $Lg^T = [0, 4, 12, 8]$. Constraint 1 is also satisfied by taking $\overrightarrow{Lf^T_i} = \overrightarrow{Lg^T_j} = 0$. Accordingly, $f(\vec{L}) = \bar{l}_3 \wedge \bar{l}_2$ and $g(\vec{L}) = \bar{l}_1 \wedge \bar{l}_0$. However in this case, from exhaustive search, there does not exist a correct key $\vec{K}^*$ such that $f_e(\vec{X}, \vec{K}^*) = f_o(\vec{X})$ for every possible $\vec{X}$.
3.3.2 Constraints for existence of correct keys
When f and g are not complementary, additional constraints need to be introduced to guarantee the existence of correct keys.
For a type-0 structure like that in Fig. 2, the final gate is an AND gate and the correct output is '0'. Hence, correct keys are $[\vec{K}_f \,\|\, \vec{K}_g]$ such that for every $\vec{X} \in X^n$, $f(\vec{X} \oplus \vec{K}_f) = 0$ or $g(\vec{X} \oplus \vec{K}_g) = 0$. Define $Lf^F_{K_f} = \{\vec{X} \mid \vec{X} = \overrightarrow{Lf^F_i} \oplus \vec{K}_f, \ \forall \overrightarrow{Lf^F_i} \in Lf^F\}$, which means that $Lf^F_{K_f}$ is the set of $\vec{X}$ that makes $f(\vec{X} \oplus \vec{K}_f) = 0$. Similarly, $Lg^F_{K_g} = \{\vec{X} \mid \vec{X} = \overrightarrow{Lg^F_i} \oplus \vec{K}_g, \ \forall \overrightarrow{Lg^F_i} \in Lg^F\}$ is the set of $\vec{X}$ that makes $g(\vec{X} \oplus \vec{K}_g) = 0$. Therefore, correct keys $[\vec{K}_f \,\|\, \vec{K}_g]$ should satisfy
$$(Lf^F_{K_f} \cup Lg^F_{K_g}) = X^n. \tag{14}$$
There are two cases to consider for functions f and g:
1) $Lf^F \cup Lg^F = X^n$
2) $Lf^F \cup Lg^F \subset X^n$
For the first case, if $\vec{K}_f = \vec{K}_g$, then $(Lg^F_{K_g} \cup Lf^F_{K_f}) = (Lf^F \cup Lg^F) \oplus K_f = X^n$. Hence, any $\vec{K}_f = \vec{K}_g$ are correct keys. In the second case, for a selected function f, a function g can be designed to satisfy (14). From the definition, $Lf^T \cup Lf^F = X^n$ and $Lf^T \cap Lf^F = \emptyset$. Hence, for any $\vec{K}_f$, $Lf^F_{K_f} \cup Lf^T_{K_f} = X^n$. In the case that f and g are not complementary, if $Lg^F_{K_g} \supseteq Lf^T_{K_f}$, then (14) would be satisfied. Define the binary distance structure of a set $S$ as
$$D_S = \{d \mid d = \vec{S}_1 \oplus \vec{S}_2, \ \forall \vec{S}_1 \neq \vec{S}_2 \in S\}. \tag{15}$$
It was found that to make $Lg^F_{K_g} \supseteq Lf^T_{K_f}$, $Lg^F$ should have a subset with the same binary distance structure as $Lf^T$. In other words,
$$\text{Constraint 2: } \exists S \subset Lg^F, \ \text{s.t. } D_S = D_{Lf^T} \tag{16}$$
The proof is detailed in the appendix.
Let us use Constraint 2 to check whether correct keys exist for Example 1 and 3 in the last subsection.
1) In Example 1, $Lf^T = [0, 1, 2, 3]$ and $Lg^T = [0, 8, 9, 11, 10]$. From (15), it can be computed that $D_{Lf^T} = [1, 2, 3, 3, 2, 1, 1, 2, 3, 3, 2, 1]$. The subset $S$ of $Lg^F$ that has the same binary structure as $Lf^T$ can be $[12, 13, 14, 15]$. $D_S = [1, 2, 3, 3, 2, 1, 1, 2, 3, 3, 2, 1]$. Hence, this block has right keys. The method to find the right keys will be presented in Section 4. It can be found that one of the right keys is $\vec{K}_f = [0, 0, 0, 0]$ and $\vec{K}_g = [0, 0, 0, 1]$.
2) In Example 3, $f(\vec{L}) = \bar{l}_0 \wedge \bar{l}_1$ and $g(\vec{L}) = \bar{l}_2 \wedge \bar{l}_3$. It can be calculated that $D_{Lf^T} = [1, 2, 3, 3, 2, 1, 1, 2, 3, 3, 2, 1]$. However, there is no subset of $D_{Lg^F}$ having the same binary structure as $Lf^T$. Hence correct key does not exist.
The proposed constraints for type-0 block can be easily extended to design type-1 G-Anti-SAT blocks. For type-1 blocks, Constraint 1 and 2 should be modified as
$$\exists\, \overrightarrow{Lf^F_i}, \overrightarrow{Lg^F_j} \ \text{s.t. } D_{\overrightarrow{Lf^F_i} - Lf^F} \cap D_{\overrightarrow{Lg^F_j} - Lg^F} = \emptyset,$$
$$\exists S \subset Lg^T \ \text{s.t. } D_S = D_{Lf^F}$$
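A checker for Constraint 1, Constraint 2 and correct-key existence, run on the true sets of Examples 1 to 3, is given here as an added example that is not code from the paper. It assumes that $D_S$ in (15) is compared as a multiset over ordered pairs, which matches the 12-entry lists given above; the function names are illustrative.

```python
from collections import Counter
from itertools import combinations, product

# True sets (LfT, LgT) of the three 4-bit examples on this page.
EXAMPLES = {
    1: ({0, 1, 2, 3}, {0, 8, 9, 10, 11}),
    2: ({6, 8, 9, 10, 11, 12, 13, 14, 15}, {0, 1, 2, 3, 4, 5, 7}),
    3: ({0, 1, 2, 3}, {0, 4, 8, 12}),
}


def dist_from(e, s):
    """D_{e-S} from (12): XOR distances from element e to every other element of S."""
    return {e ^ other for other in s if other != e}


def constraint1_witnesses(f_true, g_true):
    """Pairs (LfT_i, LgT_j) whose distance sets are disjoint, as (13) requires."""
    return [(a, b) for a in sorted(f_true) for b in sorted(g_true)
            if not dist_from(a, f_true) & dist_from(b, g_true)]


def dist_structure(s):
    """D_S from (15), kept as a multiset over ordered pairs of distinct elements."""
    return Counter(a ^ b for a, b in product(s, repeat=2) if a != b)


def constraint2_subsets(n, f_true, g_true):
    """Subsets S of LgF with the same distance structure as LfT (Constraint 2)."""
    g_false = sorted(set(range(1 << n)) - set(g_true))
    target = dist_structure(f_true)
    return [set(s) for s in combinations(g_false, len(f_true))
            if dist_structure(s) == target]


def correct_keys(n, f_true, g_true):
    """Exhaustive search: keys (Kf, Kg) for which the type-0 output is 0 for every X."""
    size = 1 << n
    return [(kf, kg) for kf, kg in product(range(size), repeat=2)
            if not any((x ^ kf) in f_true and (x ^ kg) in g_true
                       for x in range(size))]


def check_block(n, f_true, g_true):
    """Evaluate both constraints and the ground truth they are meant to predict."""
    return {
        "constraint1_witnesses": constraint1_witnesses(f_true, g_true),
        "constraint2_subsets": constraint2_subsets(n, f_true, g_true),
        "correct_keys": correct_keys(n, f_true, g_true),
    }


if __name__ == "__main__":
    for number, (f_true, g_true) in EXAMPLES.items():
        result = check_block(4, f_true, g_true)
        print(f"Example {number}: "
              f"{len(result['constraint1_witnesses'])} Constraint 1 witness pairs, "
              f"Constraint 2 subsets {result['constraint2_subsets']}, "
              f"{len(result['correct_keys'])} correct keys")
```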
4 GENERALIZED ANTI-SAT BLOCK DESIGN USING
K-MAPS
This section proposes methods for designing the true sets for
type-0 blocks that satisfy Constraint 1, 2 and finding correct
keys. The proposed methods are developed using K-maps.
The elements in the true sets are mapped to the cells in the
K-map. Accordingly, designing the true sets is translated to
grouping the cells in the K-map. Whether the constraints
are satisfied can be easily observed from the K-map. Also
K-maps help to design blocks with lower logic complexity.
The proposed design approaches can be extended similarly
for type-1 blocks.
4.1 K-map cell selection for non-complementary func-
tions
Let us first focus on the case that the functions f and g are non-complementary. Consider the G-Anti-SAT block in Fig. 2 with 4-bit input $\vec{L} = [l_3, l_2, l_1, l_0]$ to f and g as an example. The corresponding K-map has 16 cells represented as a 4×4 array. $l_3l_2$ and $l_1l_0$ are used to label the columns and rows, respectively, as shown in Fig. 3.
Constraint 1 requires that there exist $\overrightarrow{Lf^T_i}$ and $\overrightarrow{Lg^T_j}$ satisfying $D_{\overrightarrow{Lf^T_i} - Lf^T} \cap D_{\overrightarrow{Lg^T_j} - Lg^T} = \emptyset$. When $Lf^T$ and $Lg^T$ are non-complementary, the groups of cells for $Lf^T$ and $Lg^T$ can have overlaps in the K-map and a common cell can be used as both $\overrightarrow{Lf^T_i}$ and $\overrightarrow{Lg^T_j}$. In a K-map, the column and row labels for each cell are distinct. Hence, adding the label of a cell to the labels of each of the other cells leads to a set of distinct labels. Accordingly, a random cell, such as the dark gray one in Fig. 3(a), can be chosen as the cell representing both $\overrightarrow{Lf^T_i}$ and $\overrightarrow{Lg^T_j}$. Then $Lf^T$ and $Lg^T$ can be formed by including non-overlapping cells among the rest cells. Also $Lf^T$ and $Lg^T$ do not need to cover all the cells.
Fig. 3. (a) Randomly selected cells forming $Lf^T$; (b) Symmetric group of cells with the same binary distance structure as those in (a); (c) Cells that should be covered by $Lg^F$ at least; (d) Cells for corresponding $Lg^T$
When f and g are non-complementary, additional constraints need to be added to K-map cell selection in order to satisfy Constraint 2 and hence have correct keys. Without loss of generality, consider that $Lf^T$ consists of at most half of the cells in the K-map. For the common cell shown in Fig. 3(a), randomly select cells in the left half of the K-map to be $Lf^T$, such as those shown in Fig. 3(a). Two symmetric groups of cells in the K-map always have the same binary distance structure defined in (12). One example of the group of cells that is symmetric to those for the $Lf^T$ in Fig. 3(a) is shown in Fig. 3(b). Having $Lg^F$ include at least the symmetric cells in Fig. 3(b) would satisfy Constraint 2. On the other hand, $Lg^T$ covers all the other cells not covered by $Lg^F$ and can only share one common cell with $Lf^T$. Therefore, $Lg^F$ also needs to cover every cell in $Lf^T$ except the common cell. For the $Lf^T$ selected in Fig. 3(a), Fig. 3(c) shows the $Lg^F$ satisfying these requirements. The rest cells, as shown in Fig. 3(d), form $Lg^T$ satisfying Constraint 1 and 2. It should be noted that there may exist other choices of $Lf^T$ and $Lg^T$ satisfying Constraint 1 and 2 besides the ones that can be located by using the above method.
The correct keys $\vec{K}_f$ and $\vec{K}_g$ can be easily decided from the cells for $Lf^F$ and $Lg^F$ in the K-map. Constraint 2 is equivalent to (14). In the K-map, the group of cells for $Lf^F_{K_f}$ has the same shape as that for $Lf^F$, except that it is shifted and/or flipped according to the $\vec{K}_f$ vector. Similarly, the group of cells for $Lg^F_{K_g}$ is that for $Lg^F$ shifted and/or flipped according to $\vec{K}_g$. Then (14) is translated to that the shifted and/or flipped groups for $Lf^F$ and $Lg^F$ need to cover every cell in the K-map. The vectors leading to such shifting/flipping are the correct keys $\vec{K}_f$ and $\vec{K}_g$. For the $Lf^T$ in Fig. 3(a), Fig. 4(a) shows the cells for the corresponding $Lf^F$. The cells for $Lg^F$ are illustrated in Fig. 3(c). It can be seen that the union of such $Lg^F$ and $Lf^F$ covers every cell in the K-map except the one with $[l_3, l_2, l_1, l_0] = [0, 1, 1, 1]$, which is the common cell. One way to cover each cell in the K-map is to keep the cells for $Lg^F$ unchanged, which means $\vec{K}_g = [0, 0, 0, 0]$, and use $\vec{K}_f = [1, 0, 0, 0]$, which leads to the group of cells of $Lf^F_{K_f}$ shown in Fig. 4(b). The gray cells in Fig. 3(c) and Fig. 4(b) are $Lg^F_{K_g}$ with $\vec{K}_g = [0, 0, 0, 0]$ and $Lf^F_{K_f}$ with $\vec{K}_f = [1, 0, 0, 0]$, respectively. They cover all cells in the K-map. There are many choices of $\vec{K}_f$ and $\vec{K}_g$ that satisfy (14). Another example is that $\vec{K}_g = [1, 0, 0, 0]$ and $\vec{K}_f = [0, 0, 0, 0]$. It corresponds to that the $Lf^F$ in Fig. 4(a) is unchanged and the $Lg^F$ in Fig. 3(c) is flipped horizontally in the K-map.
Fig. 4. (a) cells of $Lf^F$; (b) cells of $Lf^F_{K_f}$ with $\vec{K}_f = [1000]$
Fig. 5. (a) The column circled in dashed line is the dividing column; (b) Splitting the other columns between $Lf^T$ (light gray) and $Lg^T$ (dark gray); (c) Splitting the cells in the dividing column between $Lf^T$ and $Lg^T$
4.2 K-map cell selection for complementary functions
When f and g are complementary, $Lf^T$ and $Lg^T$ should not have any common cells and should cover all the cells in the K-map. First pick a random column as shown in Fig. 5(a). This column is referred to as the dividing column in this paper. The labels for each column in the K-map are distinct. Hence, adding the column label of the dividing column to the labels of the other columns results in a set of distinct nonzero vectors. This means that splitting the other columns between $Lf^T$, $Lg^T$ and picking $\overrightarrow{Lf^T_i}$, $\overrightarrow{Lg^T_j}$ from the dividing column would satisfy Constraint 1. To reduce the logic complexity of f and g, adjacent columns should be put into $Lf^T$ and $Lg^T$, and the numbers of columns in $Lf^T$ and $Lg^T$ should be as close as possible. For example, in Fig. 5(b), the first column is put in $Lf^T$ and the third and fourth columns are put in $Lg^T$.
Next, the cells in the dividing column should be split between $Lf^T$ and $Lg^T$. Put one cell of this column in one set and the others in the other set. Without loss of generality, the one cell is put in $Lg^T$ and the other cells are put in $Lf^T$, as shown by the example in Fig. 5(c). The cell of $Lg^T$ in the dividing column can be used as $\overrightarrow{Lg^T_j}$ and any other cell in the dividing column can be used as $\overrightarrow{Lf^T_i}$. The sum of the column labels of any two cells in the same column is zero. Hence, adding $\overrightarrow{Lf^T_i}$ to any other cells in the dividing column would result in a zero column label, and any vector in $D_{\overrightarrow{Lg^T_j} - Lg^T}$ is different from those in $D_{\overrightarrow{Lf^T_i} - Lf^T}$. As a result, $Lf^T$ and $Lg^T$ from such K-map cell splitting satisfy Constraint 1.
When f and g are complementary, any $\vec{K_f} = \vec{K_g}$ can be used as a correct key. Constraint 2 does not need to be considered in this case.
4.3 True sets design for complexity reduction and attack resistance
To reduce the implementation complexity, adjacent cells should be put into the two true sets $Lf^T$ and $Lg^T$. The larger the number of adjacent cell groups and the smaller the number of groups in the K-map that can be used to cover $Lf^T$ and $Lg^T$, the simpler the logic functions f and g.
To increase the corruptibility for AppSAT attack resistance as defined in (5) for a type-0 G-Anti-SAT block, $|Lf^T|$ and $|Lg^T|$ should be neither very small, such as 1, nor very large, such as $2^n - 1$. On the other hand, to make the ADS value defined in (7) for the last gate in Fig. 2 close to '0', which is needed to resist the removal attack, $Lf^T$ and $Lg^T$ should have similar cardinality. These guidelines can be followed to design the f and g blocks. In addition, the ADS of the last gate can be tuned to any value in our design by changing the relative cardinalities of $Lf^T$ and $Lg^T$.
5 EXPERIMENTS AND RESULTS
This section evaluates the achievable security level of the proposed G-Anti-SAT scheme. Experiments and analyses are carried out to show that the proposed design is resistant to the SAT, AppSAT, and removal attacks. The SAT attack tool in [14], based on the Lingeling SAT solver, is used in our experiments. The CPU time is limited to 10 hours as in [14], and the experiments are run on an Intel Core i7 with 4GB RAM. An analysis of the query process of the AppSAT attack is carried out to show that it is ineffective on our design. The evaluation of the removal attack resistance is done by calculating the ADS values as in [17].
5.1 G-Anti-SAT block example
To compare with the Anti-SAT scheme [15], inputs with 16 bits are adopted in our G-Anti-SAT block. Two type-0 block examples are evaluated in our experiments.
G-Anti-SAT Block m1. This example has non-complementary f and g. For 16-bit input, the K-map has $2^8$ columns and $2^8$ rows. The cell in the 64th column and 170th row is randomly selected to be the common cell. To minimize the logic complexity and the ADS value for the last gate, all the cells in the first 64 columns are chosen to form $Lf^T$. The last 64 columns have the same binary distance structure as $Lf^T$. Hence $Lg^F$ should include at least the first and last 64 columns, except the common cell, in order to satisfy Constraint 2. To make the ADS value of the last gate as close to 0 as possible, $Lg^T$ should have about the same number of cells as $Lf^T$. Hence, $Lg^F$ is formed by all the cells in the first 64 columns and last 128 columns except the common cell. Accordingly, $Lg^T$ consists of the second 64 columns in the K-map and the common cell. Denote the inputs to the f and g blocks by $[l_{15}, l_{14}, \cdots, l_0]$. It can be derived that $f(\vec{L}) = l_{15} \wedge l_{14}$, $g(\vec{L}) = (l_{15} \wedge l_{14}) \vee (l_{15} \wedge l_{13} \wedge l_{12} \wedge l_{11} \wedge l_{10} \wedge l_9 \wedge l_8 \wedge l_7 \wedge l_6 \wedge l_5 \wedge l_4 \wedge l_3 \wedge l_2 \wedge l_1 \wedge l_0)$. $Lf^F$ includes all cells in the K-map except the first 64 columns and $Lg^F$ contains all cells except the second 64 columns and the common cell. In order to make $Lf^F_{K_f}$ and $Lg^F_{K_g}$ cover every cell in the K-map, one method is to keep the cells of $Lg^F$ unchanged, which means $\vec{K_g} = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]$, and use $\vec{K_f} = [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]$ so that the cells in $Lg^F_{K_g}$ cover the fourth, first, and second groups of 64 columns.
G-Anti-SAT Block m2. Complementary f and g functions are considered in this example. First, pick the 128th column in the K-map as the dividing column. To reduce the logic complexity, put the first 127 columns into $Lf^T$ and the 128 columns on the right side into $Lg^T$. One cell in the dividing column should be put into one true set and the remaining cells should be put into the other set. Without loss of generality, the last cell in this column is separated from the others. To make the cardinalities of $Lf^T$ and $Lg^T$ as close as possible in order to resist the removal attack, the last cell of the dividing column is put into $Lg^T$ and the other cells in this column are included in $Lf^T$. Accordingly, $g(\vec{L}) = l_{15} \vee (l_{14} \wedge l_{13} \wedge l_{12} \wedge l_{11} \wedge l_{10} \wedge l_9 \wedge l_8 \wedge l_7 \wedge l_6 \wedge l_5 \wedge l_4 \wedge l_3 \wedge l_2 \wedge l_1 \wedge l_0)$ and $f(\vec{L}) = \overline{g(\vec{L})}$.
5.2 SAT attack resistance analysis
The SAT attack is applied to decrypt the proposed G-Anti-SAT blocks, and the number of iterations and time are listed in Table 1 for the designs with different numbers of input bits. For comparison, the Anti-SAT block is also simulated in the same hardware environment and the results are included in Table 1. It can be seen that our design achieves the same resistance to the SAT attack in terms of the number of iterations. The attack takes less time on the non-complementary G-Anti-SAT block than on the complementary G-Anti-SAT and Anti-SAT blocks because the non-complementary design has less complicated logic. As a result, the complexity to construct and solve the corresponding CNF formula is lower.

TABLE 1
Number of iterations and time needed by the SAT attack to decrypt the G-Anti-SAT and Anti-SAT blocks

Block                           Metric            n = 8    n = 12    n = 16
non-complementary G-Anti-SAT    # of iterations   255      4095      -
                                time (second)     0.44     66.21     timeout
complementary G-Anti-SAT        # of iterations   255      4095      -
                                time (second)     0.80     166.42    timeout
Anti-SAT block [15]             # of iterations   255      4095      -
                                time (second)     0.82     175.74    timeout

Fig. 6. The logic diagram of block m1
5.3 Removal attack resistance analysis
Fig. 6 shows the logic diagram of block m1. Assume that each input is equal to '1' with probability 0.5. Using (6) and (7), the ADS value for each gate in Fig. 6 can be computed. The ADS value for the last gate, G, is 0.00001. Hence, our design is resistant to the removal attack. The five gates with the largest ADS values in block m1 are listed in Table 2 and they are around 0.5. When the Anti-SAT block is incorporated into circuits, there are many gates with ADS values in a wide range and many of them are larger than 0.5. Hence, the gates in Table 2 cannot be identified by examining the ADS values either.
The logic diagram of block m2 is shown in Fig. 7. The largest ADS values of all gates in Fig. 7 are listed in Table 3. Similar to block m1, the ADS value of the last gate is around 0 and the largest five ADS values are also around 0.5 in block m2. As a result, block m2 is also resistant to the removal attack.
Unlike the Anti-SAT design in [15], our proposed G-Anti-SAT block does not rely on additional measures, such as the withholding and entanglement obfuscation techniques [12] to resist the removal attack.

TABLE 2
The largest ADS values of the gates in block m1 shown in Fig. 6

Gate    g_27      g_26      g_25      g_24      g_23
ADS     0.4999    0.4999    0.4999    0.4998    0.4997

Fig. 7. The logic diagram of block m2

TABLE 3
The largest ADS values of the gates in block m2 shown in Fig. 7

Gate    g_29      g_57      g_55      g_27      g_25
ADS     0.4999    0.4999    0.4999    0.4999    0.4998
5.4 AppSAT attack resistance analysis
The reason that the AppSAT attack can effectively decrypt the Anti-SAT block is that for any randomly selected wrong key, there is only one input that can make the block output wrong. The corruptibility as defined in (5) is very low.
For block m1 with 16-bit input, $|Lf^T| = 2^{14}$ and $|Lg^T| = 2^{14} + 1$. Since the total number of keys is $2^{32}$, testing every key cannot be finished in practical time. Hence 500 keys are randomly selected in our test. Among these keys, there are 127 keys each of which has 16384 input patterns leading to the wrong output. For block m2, $|Lf^T| = 2^{15} - 1$ and $|Lg^T| = 2^{15} + 1$. Among the 500 random keys, there are 253 keys each of which has 32767 input patterns leading to the wrong output.
In order for the AppSAT to be successful, the portion of input queries leading to the wrong output needs to fall under a very small threshold in the order of $\frac{1}{2^n}$. In blocks m1 and m2, for a large portion of keys, the probability that an input query leads to the wrong output is much higher. As a result, our proposed designs are resistant to the AppSAT attack.
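The key-sampling test of Section 5.4 can be reproduced from the true sets described in Section 5.1. The following is an added example, not the authors' code: it builds the true sets from the column and cell description (not from the printed expressions for f and g), and it assumes Gray-coded K-map labels with columns carrying [l15..l8] and rows [l7..l0], and that a type-0 block gives a wrong output exactly when f(X xor Kf) and g(X xor Kg) are both 1.

```python
import random
from collections import Counter

N = 16  # input width of the Section 5.1 blocks

def gray(i):
    """Gray-code label of the i-th (0-based) K-map column or row."""
    return i ^ (i >> 1)

def cell(col, row):
    """Input vector of the cell at 1-based (col, row).
    Assumption: columns carry [l15..l8], rows carry [l7..l0]."""
    return (gray(col - 1) << 8) | gray(row - 1)

def columns(first, last):
    """All cells in K-map columns first..last (1-based, inclusive)."""
    return {cell(c, r) for c in range(first, last + 1) for r in range(1, 257)}

def block_m1():
    """Non-complementary block: common cell at column 64, row 170."""
    lf_t = columns(1, 64)
    lg_t = columns(65, 128) | {cell(64, 170)}
    return lf_t, lg_t

def block_m2():
    """Complementary block: dividing column 128, its last cell goes to Lg^T."""
    lg_t = columns(129, 256) | {cell(128, 256)}
    lf_t = set(range(1 << N)) - lg_t
    return lf_t, lg_t

def wrong_inputs(lf_t, lg_t, kf, kg):
    """Count inputs x with (x ^ kf) in Lf^T and (x ^ kg) in Lg^T, i.e. the
    inputs on which the assumed type-0 block outputs 1 under key (kf, kg).
    Substituting v = x ^ kg shows the count depends only on kf ^ kg."""
    k = kf ^ kg
    return sum(1 for v in lg_t if (v ^ k) in lf_t)

def is_correct_key(lf_t, lg_t, kf, kg):
    """Covering condition: the shifted false sets cover every cell, which
    is the same as the shifted true sets being disjoint."""
    return wrong_inputs(lf_t, lg_t, kf, kg) == 0

def sample_keys(lf_t, lg_t, n_keys, seed=0):
    """Histogram of wrong-input counts over n_keys random (kf, kg) pairs."""
    rng = random.Random(seed)
    hist = Counter()
    for _ in range(n_keys):
        kf, kg = rng.getrandbits(N), rng.getrandbits(N)
        hist[wrong_inputs(lf_t, lg_t, kf, kg)] += 1
    return hist

if __name__ == "__main__":
    for name, (lf_t, lg_t) in (("m1", block_m1()), ("m2", block_m2())):
        hist = sample_keys(lf_t, lg_t, 500)
        print(name, "|Lf^T| =", len(lf_t), "|Lg^T| =", len(lg_t))
        for wrong, keys in sorted(hist.items()):
            print(f"  {keys:3d} of 500 keys -> {wrong} wrong-output inputs")
    lf_t, lg_t = block_m1()
    # Key given in Section 5.1: Kf = [1,1,1,0,...,0], Kg = all zeros.
    print("m1 paper key correct:", is_correct_key(lf_t, lg_t, 0xE000, 0x0000))
```

Under these assumptions about a quarter of random keys for m1 give 16384 wrong-output inputs and about half of random keys for m2 give 32767, in line with the 127 and 253 keys out of 500 reported above.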
6 DISCUSSIONS
Our proposed G-Anti-SAT schemes enjoy great flexibility in the allowed f and g functions. In the two examples given in the previous section, the two functions are chosen so that their true set cardinalities are about the same in order to make the ADS value of the last gate close to zero, which is needed to resist the removal attack according to [17]. By changing the relative cardinalities of the two true sets, the ADS can also be tuned to other values.
For a given number of input bits, the larger the cardinalities of the two true sets, the higher the corruptibility of the output of the G-Anti-SAT block. In the case that the two functions are non-complementary, in order to guarantee the existence of right keys and less complicated functions, the cardinalities of the two true sets can be at most around $2^{n-2}$ for n-bit input G-Anti-SAT blocks. The block m1 in the previous section is an example for this case. When the two functions are complementary, their cardinalities can be made equal to around $2^{n-1}$, as shown by block m2. Although the G-Anti-SAT designs with non-complementary functions have smaller true set cardinalities compared to those with complementary functions, both of them have a high percentage of inputs leading to high probability of getting the wrong output, which makes the AppSAT attack unsuccessful.
There is another attack scheme called the bypass attack [20]. The main idea of this attack is to construct a bypass circuit that inverts the wrong output and nullifies the effect of the wrong key. The complexity of the bypass circuit increases linearly with the number of DIPs that can exclude a wrong key. Our proposed G-Anti-SAT block can be inserted into existing circuits using the same two integration methods as for the Anti-SAT design. It was pointed out in [15] that the secure integration is better at resisting the SAT attack. However, in the Anti-SAT design, each key can be ruled out by one and exactly one DIP in the secure integration. This makes the Anti-SAT design vulnerable to the bypass attack. On the contrary, for a large portion of wrong keys, there are multiple DIPs that can exclude them in our G-Anti-SAT design. As a result, unlike the Anti-SAT block, our design is also resistant to the bypass attack.
7 CONCLUSIONS
In this paper, novel G-Anti-SAT schemes have been proposed by relaxing the constraints on the wrong key sets. Compared to prior designs, our schemes allow not only great flexibility on the two function blocks, but also non-complementary functions. As a result, proper functions can be adopted to resist various attacks. In addition, methodologies using K-maps have been proposed to design the functions and find the right keys. Experiments and analyses showed that the proposed designs with true sets of moderate and about equal cardinalities are immune to all existing attacks. Future work will monitor new attacks and extend our proposed designs.
APPENDIX A
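In the case of $Lf^F \cup Lg^F \subset X^n$, $Lf^T_{K_f}$ needs to be a subset of $Lg^F_{K_g}$ in order to satisfy (14). Let $C$ be a subset of $Lg^F_{K_g}$ that equals $Lf^T_{K_f}$. Assume $|C| = |Lf^T_{K_f}| = m$, and for elements $\vec{C}_i \in C$ and $\overrightarrow{Lf^T_{K_f i}} \in Lf^T_{K_f}$ $(i = 1, 2, \cdots, m)$

$$
\begin{aligned}
\vec{C}_1 &= \overrightarrow{Lf^T_{K_f 1}} \\
&\;\;\vdots \\
\vec{C}_m &= \overrightarrow{Lf^T_{K_f m}}.
\end{aligned}
$$

Since $C \subset Lg^F_{K_g}$, according to the definition of $Lg^F_{K_g}$, $\vec{C}_i = \overrightarrow{Lg^F_{K_g i}} = \overrightarrow{Lg^F_i} \oplus \vec{K_g}$. Similarly, $\overrightarrow{Lf^T_{K_f i}} = \overrightarrow{Lf^T_i} \oplus \vec{K_f}$. Then the above equations can be rewritten as

$$
\begin{aligned}
\overrightarrow{Lg^F_1} \oplus \vec{K_g} &= \overrightarrow{Lf^T_1} \oplus \vec{K_f} \\
&\;\;\vdots \\
\overrightarrow{Lg^F_m} \oplus \vec{K_g} &= \overrightarrow{Lf^T_m} \oplus \vec{K_f}.
\end{aligned}
$$

Moving $\vec{K_g}$ from the left side to the right side of the equations, it can be derived that

$$
\begin{aligned}
\overrightarrow{Lg^F_1} &= \overrightarrow{Lf^T_1} \oplus \vec{K} \\
&\;\;\vdots \\
\overrightarrow{Lg^F_m} &= \overrightarrow{Lf^T_m} \oplus \vec{K},
\end{aligned}
\tag{17}
$$

where $\vec{K} = \vec{K_f} \oplus \vec{K_g}$. Adding any two equations listed in (17) leads to $\overrightarrow{Lg^F_i} \oplus \overrightarrow{Lg^F_j} = \overrightarrow{Lf^T_i} \oplus \overrightarrow{Lf^T_j}$. Let $S = \{Lg^F_1, Lg^F_2, \cdots, Lg^F_m\}$. Apparently, $S \subset Lg^F$. Therefore,

$$
\exists S \subset Lg^F, \text{ s.t. } \forall \vec{S}_i, \vec{S}_j, \; \vec{S}_i \oplus \vec{S}_j = \overrightarrow{Lf^T_i} \oplus \overrightarrow{Lf^T_j}. \tag{18}
$$

According to the definition of binary distance structure in (15), (18) can be translated to Constraint 2.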
REFERENCES
[1] M. Rostami, F. Koushanfar and R. Karri, “A primer on hardware security: models, methods, and metrics,” Proc. of the IEEE, vol. 102, no. 8, pp. 1283-1295, Aug. 2014.
[2] U. Guin, et al., “Counterfeit integrated circuits: a rising threat in the global semiconductor supply chain,” Proc. of the IEEE, vol. 102, no. 8, pp. 1207-1228, Aug. 2014.
[3] R. P. Cocchi, et al., “Circuit camouflage integration for hardware IP protection,” Proc. of ACM/EDAC/IEEE Design Automation Conf., pp. 1-5, San Francisco, CA, U.S.A., 2014.
[4] J. Rajendran, et al., “Security analysis of integrated circuit camouflaging,” Proc. ACM SIGSAC Conf. on Computer & Commun. Security, pp. 709-720, New York, U.S.A., 2013.
[5] R. Torrance and D. James, “The state-of-the-art in semiconductor reverse engineering,” Proc. of ACM/EDAC/IEEE Design Automation Conf., pp. 333-338, New York, NY, U.S.A., 2011.
[6] J. A. Roy, F. Koushanfar, and I. L. Markov, “EPIC: Ending piracy of integrated circuits,” Proc. Conf. on Design, Automation and Test in Europe, pp. 1069-1074, Munich, Germany, 2008.
[7] J. Rajendran, et al., “Fault analysis-based logic encryption,” IEEE Trans. on Computers, vol. 64, no. 2, pp. 410-424, Feb. 2015.
[8] M. Yasin, et al., “On improving the security of logic locking,” IEEE Trans. on Computer-Aided Design of Integrated Circuits and Syst., vol. 35, no. 9, pp. 1411-1424, Sept. 2016.
[9] J. Rajendran, et al., “Security analysis of logic obfuscation,” Proc. of ACM/EDAC/IEEE Design Automation Conf., pp. 83-89, San Francisco, CA, U.S.A., 2012.
[10] J. B. Wendt and M. Potkonjak, “Hardware obfuscation using PUF-based logic,” IEEE/ACM Intl. Conf. on Computer-Aided Design, pp. 270-271, San Jose, CA, U.S.A., 2014.
[11] Y. Lee and N. A. Touba, “Improving logic obfuscation via logic cone analysis,” Latin-American Test Symposium, pp. 1-6, Puerto Vallarta, Mexico, 2015.
[12] S. Khaleghi, K. Zhao and W. Rao, “IC piracy prevention via design withholding and entanglement,” Asia and South Pacific Design Auto. Conf., pp. 821-826, Chiba, Japan, 2015.
[13] B. Liu and B. Wang, “Embedded reconfigurable logic for ASIC design obfuscation against supply chain attacks,” Proc. Conf. on Design, Automation and Test in Europe, pp. 1-6, Dresden, Germany, 2014.
[14] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic encryption algorithms,” Proc. IEEE Intl. Symp. on Hardware Oriented Security and Trust, pp. 137-143, Washington DC, U.S.A., 2015.
[15] Y. Xie and A. Srivastava, “Anti-SAT: mitigating SAT attack on logic locking,” IEEE Trans. on Computer-Aided Design of Integrated Circuits and Syst., vol. 38, no. 2, pp. 199-207, Feb. 2019.
[16] M. Yasin, et al., “Sarlock: SAT attack resistant logic locking,” Proc. IEEE Intl. Symp. on Hardware Oriented Security and Trust, pp. 236-241, McLean, VA, U.S.A., 2016.
[17] M. Yasin, et al., “Removal attacks on logic locking and camouflaging techniques,” IEEE Trans. on Emerging Topics in Computing, pp. 1-1.
[18] K. Shamsi, et al., “AppSAT: approximately deobfuscating integrated circuits,” IEEE Intl. Symp. on Hardware Oriented Security and Trust, pp. 95-100, McLean, VA, U.S.A., 2017.
[19] M. Tehranipoor and F. Koushanfar, “A survey of hardware trojan taxonomy and detection,” IEEE Design & Test of Computers, vol. 27, no. 1, pp. 10-25, Jan.-Feb. 2010.
[20] X. Xu, et al., “Novel bypass attack and BDD-based tradeoff analysis against all known logic locking attacks,” IACR Cryptology ePrint Archive, 2017.
Jingbo Zhou received the B.S. degree in telecommunication engineering from Beijing University of Post and Telecommunication, Beijing, China. He is currently pursuing the Ph.D. degree in the Electrical and Computer Engineering Department, The Ohio State University, OH, USA. His current research interest is hardware security and cryptography.
Xinmiao Zhang received her Ph.D. degree in Electrical Engineering from the University of Minnesota. She joined The Ohio State University as an Associate Professor in 2017. Prior to that, she was a Timothy E. and Allison L. Schroeder Assistant Professor 2005-2010 and Associate Professor 2010-2013 at Case Western Reserve University. Between her academic positions, she was a Senior Technologist at Western Digital/SanDisk Corporation. Dr. Zhang’s research spans the areas of VLSI architecture design, digital storage and communications, security, and signal processing.
Dr. Zhang received an NSF CAREER Award in January 2009. She is also the recipient of the Best Paper Award at 2004 ACM Great Lakes Symposium on VLSI and 2016 International SanDisk Technology Conference. She authored the book “VLSI Architectures for Modern Error-Correcting Codes” (CRC Press, 2015), and co-edited “Wireless Security and Cryptography: Specifications and Implementations” (CRC Press, 2007). She was elected to serve on the Board of Governors of the IEEE Circuits and Systems Society for the 2019-2021 term. She is a Co-Chair of the Data Storage Technical Committee (2017-2020), and a member of the CASCOM and VSA technical committees and DISPS technical committee advisory board of IEEE. She served on the technical program and organization committees of many conferences, including ISCAS, SiPS, ICC, GLOBECOM, GlobalSIP, and GLSVLSI. She has been an associate editor for the IEEE Transactions on Circuits and Systems-I since 2010.
