Toward Efficient Evaluation of Logic Encryption Schemes: Models and
  Metrics by Hu, Yinghua et al.
Toward Efficient Evaluation of Logic Encryption Schemes:
Models and Metrics
Yinghua Hu1 Vivek V. Menon2 Andrew Schmidt2 Joshua Monson2
Matthew French2 Pierluigi Nuzzo1
1 Department of Electrical and Computer Engineering, University of Southern California, Los Angeles, CA, USA, {yinghuah, nuzzo}@usc.edu
2 Information Sciences Institute, University of Southern California, Arlington, VA, USA, {vivekv, aschmidt, jmonson, mfrench}@isi.edu
ABSTRACT
Research in logic encryption over the last decade has resulted in
various techniques to prevent different security threats such as Tro-
jan insertion, intellectual property leakage, and reverse engineering.
However, there is little agreement on a uniform set of metrics and
models to efficiently assess the achieved security level and the
trade-offs between security and overhead. This paper addresses the
above challenges by relying on a general logic encryption model
that can encompass all the existing techniques, and a uniform set
of metrics that can capture multiple, possibly conflicting, security
concerns. We apply our modeling approach to four state-of-the-art
encryption techniques, showing that it enables fast and accurate
evaluation of design trade-offs, average prediction errors that are
at least 2× smaller than previous approaches, and the evaluation of
compound encryption methods.1
1 INTRODUCTION
Integrated circuits (ICs) often represent the ultimate root of trust
of modern computing systems. However, the decentralization of
the IC design and manufacturing process over the years, involving
multiple players in the supply chain, has increasingly raised the
risk of hardware security threats from untrusted third parties.
Logic encryption aims to counteract some of these threats by
appropriately modifying the logic of a circuit, that is, by adding
extra components and a set of key inputs such that the functionality
of the circuit cannot be revealed until the correct value of the key
is applied. Several logic encryption methods have been proposed
over the the last decade to protect the designs from threats such as
intellectual property (IP) piracy, reverse engineering, and hardware
Trojan insertion (see, e.g., [2–6]). However, existing techniques are
often tailored to specific attack models and security concerns, and
rely on different metrics to evaluate their effectiveness. It is then
difficult to quantify the security of different methods, rigorously
evaluate the inherent trade-offs between different security concerns,
and systematically contrast their strength with traditional area,
delay, and power metrics.
This paper introduces a formal modeling framework for the
evaluation of logic encryption schemes and the exploration of the
associated design space. We rely on a general functional model
for logic encryption that can encompass all the existing methods.
Based on this general model, we make the following contributions:
• We define a set of metrics that can formally capture multiple,
possibly conflicting, security concerns that are key to the
1This report is an extended version of [1].
design of logic encryption schemes, such as functional cor-
ruptibility and resilience to different attacks, thus providing
a common ground to compare different methods.
• We develop compact models to efficiently quantify the qual-
ity and resilience of four methods, including state-of-the-art
logic encryption techniques, and enable trade-off evaluation
between different security concerns.
Simulation results on a set of ISCAS benchmark circuits show the
effectiveness of our modeling framework for fast and accurate eval-
uation of the design trade-offs. Our models produce conservative
estimates of resilience with average prediction errors that are at
least twice as small as previous approaches and, in some cases,
improve by two orders of magnitude. Finally, our approach can pro-
vide quantitative support to inform system-level decisions across
multiple logic encryption strategies as well as the implementation
of compound strategies, which can be necessary for providing high
levels of protection against different threats with limited overhead.
The rest of the paper is organized as follows. Section 2 intro-
duces background concepts on logic encryption and recent efforts
toward the systematic analysis of their security properties. Sec-
tion 3 presents the general functional model for combinational logic
encryption and defines four security-driven evaluation metrics. Sec-
tion 4 applies the proposed model and metrics to the analysis of
the security properties of four encryption techniques. Our analysis
is validated in Section 5 and compared with state-of-the-art charac-
terizations of the existing techniques. Finally, Section 6 concludes
the paper.
2 BACKGROUND AND RELATEDWORK
Logic encryption techniques have originally focused mostly on a
subset of security concerns, and lacked methods to systematically
quantify the level of protection against different (and potentially
unknown) hardware attacks. A class of methods, such as fault
analysis-based logic locking (FLL) [3], mostly focuses on providing
high output error rates when applying a wrong key, for example,
by appropriately inserting key-controlled XOR and XNOR gates in
the circuit netlist. Another class of techniques, based on one-point
functions, such as SARLock [4], aims, instead, to provide resilience
to SAT-based attacks, a category of attacks using satisfiability (SAT)
solving to efficiently prune the space of possible keys [7]. These
methods require an exponential number of SAT-attack iterations
in the size of the key to unlock the circuit, but tend to expose a
close approximation of the correct circuit function. Efforts toward a
comprehensive encryption framework have only started to appear.
Stripped functionality logic locking (SFLL) [8] has been recently
proposed as a scheme for provably secure encryption with respect
to a broad set of quantifiable security concerns, including error
ar
X
iv
:1
90
9.
07
91
7v
2 
 [c
s.C
R]
  2
9 J
ul 
20
20
rate, resilience to SAT attacks, and resilience to removal attacks,
aiming to remove the encryption logic from the circuit. However,
while the average number of SAT-attack iterations is shown to grow
exponentially with the key size, the worst-case SAT-attack duration,
as discussed in Sec. 4, can become unacceptably low, which calls
for mechanisms to explore the combination of concepts from SFLL
with other schemes.
Zhou [9] provides a theoretical analysis of the contention be-
tween error rate and SAT-attack resilience in logic encryption,
drawing from concepts in learning theory [10]. Along the same
direction, Shamsi et al. [5] develop diversified tree logic (DTL) as a
scheme capable of increasing the error rate of SAT-resilient pro-
tection schemes in a tunable manner. A recent effort [11] adopts
a game-theoretic approach to formalize notions of secrecy and re-
silience that account for the impact of learnability of the encrypted
function and information leakage from the circuit structure.
While our approach builds on previous analyses [5, 9], it is com-
plementary, as it focuses on models and metrics that enable fast and
accurate evaluation across multiple encryption techniques and se-
curity concerns, eventually raising the level of abstraction at which
security-related design decisions can be made. We distinguish be-
tween logic encryption, which augments the circuit function via
additional components and key bits, and obfuscation [12, 13], which
is concerned with hiding the function of a circuit or program (with-
out altering it) to make it unintelligible from its structure. In this
paper, we focus on the functional aspects of logic encryption, and
leave the modeling of its interactions with obfuscation for future
work.
3 LOGIC ENCRYPTION: MODELS AND
METRICS
We denote by |S | the cardinality of a set S . We represent a combi-
national logic circuit with primary input (PI) ports I and primary
output (PO) ports O by its Boolean function f : Bn → Bm , where
n = |I | andm = |O |, and its netlist, modeled as a labelled directed
graph G. Both f and G may be parameterized by a set of configu-
ration parameters P , with values in P, related to both the circuit
function and implementation. Given a function f , logic encryption
creates a new function f ′ : Bn ×Bl → Bm , where l = |K | and K is
the set of key input ports added to the netlist. There exists k∗ ∈ Bl
such that ∀i ∈ Bn , f (i) ≡ f ′(i,k∗). We call k∗ the correct key. We
wish to express f ′ as a function of f and the encryption logic.
3.1 A General Functional Model
We build on the recent literature [8, 9, 14] to define a general model,
capable of representing the behavior of all the existing logic en-
cryption schemes, as shown in Fig. 1. The function д(i,k) maps an
input and key value to a flip signal, which is combined with the
output of f (i) via a XOR gate to produce the encrypted PO. The
value of the PO is inverted when the flip signal is one. We assume
that д is parameterized by a setQ of configuration parameters, with
values in Q related to a specific encryption technique.
3.2 Security-Driven Metrics
We can describe how the circuit output is affected by logic encryp-
tion via an error table, such as the ones shown in Tab. 1. Based on
Figure 1: General functional model for logic encryption.
Table 1: Error tables with n = l = 3 (✖ and ✔mark incorrect
and correct output values, respectively).
(a) SARLock
K0 K1 K2 K3 K4 K5 K6 K7
I0 ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔
I1 ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔
I2 ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔
I3 ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔
I4 ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✔
I5 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
I6 ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔
I7 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖
(b) SFLL-HD0
K0 K1 K2 K3 K4 K5 K6 K7
I0 ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔
I1 ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔
I2 ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔
I3 ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔
I4 ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✔
I5 ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔
I6 ✖ ✖ ✖ ✖ ✖ ✖ ✔ ✖
I7 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖
the general functional model above and the associated error tables,
we define a set of security-driven metrics that capture the quality
and resilience of encryption.
Functional Corruptibility. Functional corruptibility quantifies
the amount of output error induced by logic encryption to protect
the circuit function. Consistently with the literature [5], we define
the functional corruptibility EFC as the ratio between the number
of corrupted output values and the total number of primary input
and key configurations (the entries in the error table), i.e.,
EFC =
1
2n+l
∑
i ∈Bn
∑
k ∈Bl
1(f (i) , f ′(i,k)),
where 1(A) is the indicator function, evaluating to 1 if and only if
event A occurs.
SAT Attack Resilience (tSAT ). A SAT attack [7] assumes that
the attacker has access to the encrypted netlist and an operational
(deobfuscated) circuit, used as an oracle, to query for correct in-
put/output pairs. The goal is to reconstruct the exact circuit function
by retrieving a correct key. At each iteration, the attack solves a SAT
problem to search for a distinguishing input pattern (DIP), that is,
an input pattern i that provides different output values for different
keys, i.e., such that ∃ k1 , k2, f ′(i,k1) , f ′(i,k2). The attack then
queries the oracle to find the correct output f (i) and incorporate
this information in the original SAT formula to constrain the search
space for the following iteration. Therefore, all the keys leading to
an incorrect output value for the current DIP will be pruned out
of the search. Once the SAT solver cannot find a new DIP, the SAT
attack terminates marking the remaining keys as correct.
Consistently with the literature [4, 8], we quantify the hardness
of this attack using the number of SAT queries, hence the num-
ber of DIPs, required to obtain the circuit function. Predicting this
number in closed form is challenging, since it relates to solving a
combinatorial search problem, in which the search space generally
depends on the circuit properties and the search heuristics on the
specific solver or algorithm adopted. Current approaches [8] adopt
probabilistic models, where the expected number of DIPs is com-
puted under the assumption that the input patterns are searched
according to a uniform distribution. We adopt, instead, a worst-
case conservative model and use the minimum number of DIPs
(a) (b) (c) (d)
Figure 2: Functional model for (a) SARLock, (b) DTL, (c) SFLL, and (d) FLL.
Table 2: Security metrics for four logic encryption tech-
niques (n = |I |,m = |O |, and l = |K |).
EFC tSAT EAPP EREM
SARLock ≈ 12l min
{
2l , 2n
}
1
2l 0
DTL ≈
(
2
(
22L−1
))N
2l min
{
2l
(2(22L−1))N , 2
n
} (2(22L−1))N
2l 0
SFLL
( lh)
[
2l−( lh)
]
22l−1 << exp(l)
2
[
( lh)−2( l−2h−1)
]
2n
( l
h
)/2l
FLL [0.3, 0.5] << exp(l) << EFC 0
to quantify the guarantees of an encryption technique in terms of
SAT-attack resilience. The duration of the attack also depends on
the circuit size and structure, since they affect the runtime of each
SAT query. In this paper, we regard the runtime of each SAT query
as a constant and leave a more accurate modeling of the duration
of the attack for future work.
Approximate SAT-Attack Resilience (EAPP ).Approximate SAT
attacks, such as AppSAT [15] and Double-DIP [16], perform a vari-
ant of a SAT attack but terminate earlier, when the error rate at
the PO is “low enough,” providing a sufficient approximation of the
circuit function. In this paper, we take a worst-case approach by
assuming that an approximate SAT attack terminates in negligi-
ble time, and define the approximate SAT-attack resilience (EAPP )
as the minimum residual error rate that can be obtained with an
incorrect key (different than k∗), i.e.,
EAPP = min
k ∈Bl \{k∗ }
ϵk
2n ,
where ϵk is the number of incorrect output values for key input k .
Removal Attack Resilience (EREM ). A removal attack consists
in directly removing all the added encryption logic to unlock a
circuit, e.g., by bypassing the flip signal [8] or the key-controlled
XOR/XNOR gates [17]. We make the worst-case assumption that
all the key-related components can be removed from the encrypted
netlist in negligible time. We then define the resilience metric as
the ratio of input patterns that are still protected after removal, i.e.,
EREM =
∑
i ∈Bn 1(fREM (i) , f (i))
2n
where fREM (.) is the Boolean function obtained after removing all
the key-related components.
4 ENCRYPTION METHODS
We apply the general model and metrics in Sec. 3 to four logic en-
cryption techniques, namely, SARLock, SFLL, DTL, and FLL, showing
that it encompasses existing methods, including state-of-the-art
techniques. Tab. 2 summarizes the security models with respect to
the four security metrics described in Sec. 3. The models, including
proofs for our results, are discussed in detail below.
SARLock. SARLock combines the output of the original circuit
f (i) with the one-point function 1(i = k). It can then be mapped
to the general functional model where д = 1(i = k), as shown in
Fig. 2a. The parameter set QSARLock includes the key size l = |K |.
Consistently with previous work [4], we derive the closed form
expressions in Tab. 2 as stated by the following result.
Theorem 4.1. For a circuit encrypted with SARLock, let l and n
be the key size and the primary input size, respectively. Let EFC be
the functional corruptibility, tSAT the SAT-attack resilience, EAPP
the approximate SAT-attack resilience, and EREM the removal attack
resilience. Then, the following equations hold: EFC = 12l , tSAT =
min
{
2l , 2n
}
, EAPP = 12l , and EREM = 0.
Proof. We observe that the key size l can be at most equal to
the primary input size n, i.e., l ≤ n holds. For an incorrect key k , the
output is corrupted only when the input i is equal to k . Therefore,
the number of corrupted output patterns is 2n−l for each incorrect
key. Because there are 2l − 1 incorrect keys, we can compute EFC
and EAPP as follows:
EFC =
2n−l · (2l − 1)
2n · 2l ≈
1
2l
, (1)
EAPP =
2n−l
2n =
1
2l
. (2)
By definition of SARLock, each input pattern can only exclude
one incorrect key at each iteration of a SAT attack (see, for example,
the error table in Tab. 1). Because there are 2l − 1 incorrect keys to
exclude, and the number of SAT attack iterations is bounded above
by 2n , the total number of primary input patterns, we can compute
tSAT as follows:
tSAT = min
{
2l , 2n
}
. (3)
Finally, by the definition of removal attack resilience, once the
flip signal of the one-point function is recognized and bypassed,
the original functionality of the circuit is fully restored, leading to
EREM = 0. □
The use of a one-point function, especially when the key size l
is very large, results in very low functional corruptibility EFC but
exponential SAT-attack resilience tSAT , as stated by Theorem 4.1.
A moderately high EFC can still be achieved, but this happens with
small key sizes. For example, EFC = 0.25 can be achieved for l = 2.
Diversified Tree Logic (DTL). The one-point functions used in
SARLock or Anti-SAT [18] are based on AND-tree structures. An
example of a four-input AND-tree is shown in Fig. 3. DTL borrows
such structures from SARLock or Anti-SAT and appropriately re-
places some of the AND gates with another type of gate, i.e., XOR,
OR, or NAND, to obtain a multi-point function дm (i .k), as shown
in Fig. 2b. The parameter set QDTL includes: (1) the key size |K |;
Figure 3: A four-input AND-tree structure.
(2) the type of point-function T , e.g., T ∈ {SARLock, Anti-SAT};
(3) the replacement tuple (X ,L,N ), where X ∈ {XOR, OR, NAND} is
a gate type for the replacement, and L and N denote the layer
and number of gates selected for replacement, respectively, with
0 ≤ L ≤ ⌈log2(|K |)⌉ − 1, 0 ≤ N ≤ 2 ⌈log2( |K |)⌉−L−1, and |K | ≥ 2.
DTL then modifies the AND-tree by replacing N gates from layer L
with gates of type X . Tab. 2 shows the expressions obtained when
T = SARLock, and X = XOR, as stated by the following theorem.
Theorem 4.2. For a circuit encrypted with DTL of typeT = SARLock
and replacement gate X = XOR, let l and n be the key size and the pri-
mary input size, respectively. Let EFC be the functional corruptibility,
tSAT the SAT-attack resilience, EAPP the approximate SAT-attack re-
silience, and EREM the removal attack resilience. Then, the following
equations hold: EFC =
(
2
(
22L−1
))N
2l , tSAT = min
{
2l
(2(22L−1))N , 2
n
}
,
EAPP =
(
2
(
22L−1
))N
2l , and EREM = 0.
Proof. According to the analysis by Shamsi et al. [5], replacing
an AND gate in the first layer (L = 0) of a SARLock block with a
XOR gate changes the onset size of the one-point function from 1
to 2. More generally, replacing N AND gates in layer L changes the
onset size to
(
2
(
22L − 1
))N
. As a result, for each incorrect key (an
incorrect column in the error table), there are 2n−l ·
(
2
(
22L − 1
))N
incorrect output patterns. EFC and EAPP can then be computed as
EFC =
(2l − 1) · 2n−l ·
(
2
(
22L − 1
))N
2n · 2l ≈
(
2
(
22L − 1
))N
2l
,
(4)
EAPP =
2n−l ·
(
2
(
22L − 1
))N
2n =
(
2
(
22L − 1
))N
2l
.
(5)
From the analysis by Shamsi et al. [5], the number of SAT queries
needed is 2l(2(22L−1))N . Because of the upper bound due to the maxi-
mum number of input patters 2n , we obtain:
tSAT = min
{
2l
(2(22L − 1))N , 2
n
}
. (6)
Finally, the flip signal of DTL can be recognized and bypassed,
which returns the full functionality of the original circuit and leads
to EREM = 0. □
In DTL, the error table has the same number of errors in each col-
umn, except for the correct key column, which makes EFC equal
to EAPP . N can be tuned to increase EAPP and EFC while tSAT
decreases. Analogous results as in Theorem 4.2 can be derived for
other configurations of T and X [5]. Specifically, for all X and T ,
we obtain:
EFC = EAPP = O
(
2N ·2L−l
)
(7)
tSAT = O
(
min
{
2l−N ·2L , 2n
})
. (8)
Based on the expressions above, the maximum EFC or EAPP can
be achieved when all the AND gates are replaced in a given layer.
The approximate security levels in this scenario show the following
behavior:
EFC,max = EAPP,max = O
(
2−
l
2
)
(9)
tSAT = O
(
min
{
2
l
2 , 2n
})
. (10)
SFLL. Fig. 2c shows the schematic of SFLL, where the value of
the primary output is given by f (i) ⊕ Strip(i) ⊕ Res(i,k). Both the
stripping circuit Strip(i) and the restore circuit Res(i,k) are point
functions. The stripping block corrupts part of the original function,
while the restore unit restores the correct value upon applying the
correct key. SFLL can be mapped to the general functional model
with д(i,k) = Strip(i) ⊕ Res(i,k). We focus on SFLL-HD where
Res(i,k) is a Hamming distance comparator. The parameter set
QSFLL includes |K | and h, representing the key size and the HD
parameter for the HD comparator, respectively. The comparator
output will evaluate to one if and only if the HD between its inputs
is h. The key size must be at most equal to the number of PI ports
in the fan-in cone of the protected PO port, i.e., 0 ≤ |K | ≤ |I |, while
h is at most equal to |K |.
SFLL is the only technique in Tab. 2 that is resilient to removal
attacks. In fact, at the implementation level, Strip(i) can be merged
with f (i) to form a monolithic block (e.g., via a re-synthesis step or
modification of internal signals of the original circuit) and, therefore,
it becomes hard to remove. On the other hand, unlike SARLock, it
does not guarantee exponential SAT-attack resilience. For example,
as shown in Tab. 1b for h = 0, selecting one input pattern, such
as I6, is enough to prune out all the incorrect keys and unlock the
circuit after one SAT-attack iteration. Previous work [8] proposes
a probabilistic model in terms of expected number of DIPs, based
on the following assumptions: (i) SAT solvers select input patterns
with a uniform distribution; (ii) the probability of terminating a
SAT attack is equal to the probability of finding one protected input
pattern, i.e., finding one protected input pattern is enough to prune
out all the incorrect keys and terminate a SAT attack. Based on
this model, the average SAT resilience of SFLL is shown to increase
exponentially with l .
We find that the existing probabilistic models tend to become
inaccurate when h is different than 0 or l , since, in these config-
urations, one protected input pattern is generally not enough to
terminate a SAT attack. Moreover, these models tend to ignore the
heuristics adopted by state-of-the-art SAT solver to accelerate the
Figure 4: The largest #DIPs over all possible values forhwith
different key size returned by the greedy algorithm.
search. In this paper, we adopt, instead, a conservative metric in
terms of minimum number of DIPs. The following results states the
hardness of finding the minimum number of DIPs.
Theorem 4.3. Given an encrypted Boolean function of the primary
and key inputs, computing the minimum number of distinguishing
input patterns (DIPs) for a SAT attack can be reduced to a min-set-
cover problem, which is NP-hard [19].
Proof. Given the error table associatedwith an encrypted Boolean
function f ′, letU be the set of all the incorrect keys, i.e.,
U = {k |∃ i ∈ B |I | , f (i) , f ′(i,k)}.
For each input pattern i , let Si be the set of the incorrect keys that
can be eliminated by a SAT-attack iteration using i as a DIP, i.e.,
Si = {k | f (i) , f ′(i,k)}.
Finally, let S the collection of all the sets corresponding to an input
pattern, i.e., S = {Si |i ∈ B |I |}. Finding the minimum number of
DIPs that are enough to prune out all the incorrect keys can then
be reduced to finding the minimum number of sets from S whose
union equalsU , which is a min-set-cover problem. □
Theorem 4.3 shows that finding the minimum number of DIPs is,
in general, a hard problem. We can, however, use greedy algorithms
in order to emulate worst-case SAT attacks and provide approximate
but conservative estimates for their duration, by searching and
prioritizing the input patterns that can eliminate the largest number
of incorrect keys. Fig. 4 shows the largest number of DIPs over all
possible values forh returned by the greedy algorithmwith different
key sizes from 1 to 17. By definition, tSAT should be less than or
equal to the results in Fig. 4, which exhibits a sub-exponential
behavior. Both the expressions of EFC and EAPP shown in Tab. 2
can be derived as stated by the following theorems.
Theorem 4.4. For a circuit encrypted with SFLL-HD with Ham-
ming distance parameter h, let l and n be the key size and the primary
input size, respectively, and EFC the functional corruptibility. We
obtain
EFC =
( l
h
) [
2l − ( lh) ]
22l−1
.
Proof. For the circuit in Figure 2c, the output is corrupted if and
only if 1(HD(i,k∗) = h) ⊕ 1(HD(i,k) = h) = 1. If i is a protected
input pattern, then we have HD(i,k∗) = h, while HD(i,k) must be
different from h in order to provide a corrupted output. Therefore,
the number of key patterns generating an incorrect output for each
protected input pattern is 2l − ( lh) . Similarly, we can derive the
number of key patterns generating an incorrect output for each
unprotected input pattern as
( l
h
)
. The total number of protected
input patterns and unprotected input patterns can be computed as
2n−l
( l
h
)
and 2n−l
[
2l − ( lh) ] , respectively [8]. By summing up all
the incorrect output values over all the input and key patterns, we
obtain the following expression for the functional corruptibility:
EFC =
2n−l
{( l
h
) [
2l − ( lh) ] + [2l − ( lh) ] ( lh)}
2n · 2l
=
( l
h
) [
2l − ( lh) ] + [2l − ( lh) ] ( lh)
22l
=
( l
h
) [
2l − ( lh) ]
22l−1
□
Theorem 4.5. For a circuit encrypted with SFLL-HD with Ham-
ming distance parameter h, let l and n be the key size and the primary
input size, respectively, and EAPP the approximate SAT-attack re-
silience. We obtain
EAPP =
2
[ ( l
h
) − 2( l−2h−1) ]
2n .
Proof. We denote by HD(a,b) the Hamming distance between
the words (bit strings) a and b and by Di f (a,b) the set of indexes
marking the bits that are different in a and b. We suppose that the
circuit output is corrupted (flipped) for input i and key k , and let
the HD between k∗ (the correct key) and k be HD(k∗,k) = x , with
x ∈ [1, l] ,x ∈ N. Then, by recalling the architecture in Figure 2c,
there can only be an odd number of output inversions and the
following equation holds:
1(HD(i,k∗) = h) ⊕ 1(HD(i,k) = h) = 1,
meaning that one and only one of the two HDs is h.
We first assume thatHD(i,k∗) = h and Di f (i,k∗)∩Di f (k∗,k) =
∅, i.e., i and k differ from k∗ on disjoint sets of indexes. We then
conclude that
HD(i,k) = h + x .
More generally, if the cardinality of the set Di f (i,k∗) ∩ Di f (k∗,k)
is y, we obtain
HD(i,k) = h + x − 2y.
We then consider the following two cases. If x is an odd number,
then HD(i,k) cannot be equal to h for any y, which provides a
number of corrupted outputs equal to
( l
h
)
. On the other hand, if x
is even, then HD(i,k) will evaluate to h whenever x = 2y. Since the
number of possible k values satisfying this condition is
( l−x
h−x/2
) ·( x
x/2
)
, we obtain a total number of corrupted output values equal
to
( l
h
) − ( l−xh−x/2) · ( xx/2) . Since we are interested in the minimum
number of these two cases, we choose
( l
h
) − ( l−xh−x/2) · ( xx/2) as the
minimum number of corrupted outputs when HD(i,k∗) = h.
Similar considerations can be applied for the casewhenHD(i,k) =
h, which leads to the same conclusion as above. Therefore, the over-
all number of corrupted outputs is doubled. The approximate SAT
resilience is given by the minimum EFC , i.e.,
EAPP = min

2
[ ( l
h
) − ( l−xh−x/2) · ( xx/2) ]
2n ,∀x ≥ 2,x/2 ∈ N
,
which is achieved for x = 2, finally leading to
EAPP =
2
[ ( l
h
) − 2( l−2h−1) ]
2n
□
FLL. FLL aims at creating high EFC with low overhead by appro-
priately adding key-gates in the circuit, as shown in Fig. 2d. While
the key-gates are not directly inserted at the primary output, their
combined effect can still be represented by an appropriate д func-
tion producing the same error pattern. While EFC depends on the
specific circuit and cannot be computed in closed form, FLL can
achieve higher values than the other three methods, based on em-
pirical results. However, it cannot guarantee exponential tSAT with
the key size. Moreover, the XOR/XNOR-based key-gates may be
easy to identify, leading to negligible resilience to removal attacks.
5 RESULTS AND DISCUSSION
We evaluated models and metrics on a 2.9-GHz Core-i9 processor
with 16-GB memory. We first investigated the effectiveness of our
models for fast trade-off evaluation on a set of ISCAS benchmark
circuits. The blue areas in Fig. 5a-c pictorially represent, as a con-
tinuum, the feasible encryption space for different methods and
user requirements. For example, Fig. 5a shows that a funtional cor-
ruptibility (EFC ) as high as 0.25 can still be achieved with SARLock;
however, it can only be implemented for very low, and therefore im-
practical, key sizes. Fig. 5b highlights the trade-off between SAT at-
tack resilience (tSAT ) and approximate SAT attack resilience (EAPP )
in DTL. As expected, DTL is able to increase EAPP and EFC at the
cost of decreasing tSAT . The highest possible EFC achieved by DTL
is higher than that of SARLock in Fig. 5a over the same range of
keys. Finally, Fig. 5c exposes a trade-off between EFC and EAPP in
SFLL. It shows that increasing EFC adversely impacts EAPP , pos-
sibly due to the fact that, as EFC increases, the error distribution
is not uniform; while the peak error rate increases, the error can
become significantly low for some of the incorrect keys.
We further implemented all the encryption configurations ex-
plored in Fig. 5a-c on four ISCAS benchmark circuits, generating
1473 netlists in 15 minutes, to compare the model predictions with
the measurements. We used open-source libraries to simulate SAT
attacks [7] and report the actual value of tSAT . We empirically esti-
mated EFC by averaging the functional corruptibility over 500 logic
simulations on the encrypted netlists. By using a similar procedure,
an empirical estimate for EAPP was obtained by taking the average
over 500 logic simulations for each key pattern, and then the min-
imum corruptibility value over 100 incorrect key patterns. Fig. 8
reports the results for four ISCAS benchmark circuits, showing that
the empirical resilience would always exceed the one predicted by
our model (blue bar) for both tSAT and EAPP . For 26% of the design
(red bar) the empirical EFC proved to be smaller than the predicted
one by a negligible margin (4 × 10−3), which is within the error
affecting our simulation-based empirical estimates.
To compare our SAT resiliencemodel for SFLLwith themeasured
number of DIPs, we simulate SAT attacks on the encrypted netlists
of four ISCAS circuits using SFLL-HD. For each combination of
key size |K | and HD value h, we generate 10 netlists, by randomly
permuting the order of the gates, and compute the average number
of DIPs over 10 SAT attacks. As shown in Fig. 6, when h is close
to zero, the predictions of the probabilistic model [8] exhibit an
exponential behavior that significantly differ from the simulated
results, and the maximum error can be as high as 20, 000%. Instead,
the greedy algorithm predicts the simulated number of DIPs for
all key sizes and h values with relative errors that are less than
or equal to 97%, two orders of magnitude smaller than previous
approaches. For h > 0, the average prediction error of the greedy
algorithm becomes twice as small as the one of the probabilistic
model.
Fig. 7a-d show the relation between the number of DIPs and the
key size |K | when h = 0, 1, 2, and |K |2 , respectively. In Fig. 7a and
Fig. 7b, when h is close to zero, the probabilistic model offers an
estimate of the number of DIPs which deviates from the simulated
result, while the greedy algorithm always returns a closer, more
conservative prediction. In Fig. 7c, the greedy algorithm shows
better accuracy than the probabilistic model when |K | ≤ 7. For
the other key sizes, the probabilistic model outperforms the greedy
algorithm. However, the prediction provided by the probabilistic
model grows faster than in simulation and tend to overestimate
the number of DIPs when |K | ≥ 13. In Fig. 7d, when h = |K |2 , the
prediction from the probabilistic model becomes more conservative.
Conversely, the greedy algorithm estimates an average error twice
as small as the probabilistic model.
Overall, the aforementioned results reveal the inherent difficulty
of achieving high security levels against multiple threats using a
single technique. However, this challenge may be addressed by com-
bining multiple techniques. To test this hypothesis, we encrypted
the ISCAS circuit C880 with both SARLock and DTL, by using a
logic OR gate to combine their output (flip) signals. We then com-
bined the output of the OR gate with the output of the original
circuit via a XOR gate. Fig. 5d shows that the compound strategy
significantly alleviates the trade-offs posed by SARLock alone, mak-
ing it possible to achieve both high functional corruptibility and
SAT-attack resilience. For example, the topmost configuration in
Fig. 5d achieves tSAT ≥ 214 and EFC ≥ 0.48, which cannot be ob-
tained with SARLock or DTL alone. The compound scheme, where
the SARLock block has key size 13 and the DTL block has key size 4,
with two AND gates being replaced by one XOR gate in the first
layer, is able to provide both high tSAT and EFC . Simulation re-
sults are, again, in agreement with our model predictions, showing
that our models can indeed be used to capture the performance of
compound encryption schemes.
6 CONCLUSIONS
Simulation results show the effectiveness of the proposed models
and metrics for fast and accurate evaluation of the design trade-offs
as well as the exploration of compound logic encryption strategies,
which may be required for protecting against different threats with
small overhead. Future extension of this work include the incor-
poration of overhead models as well as support for structural and
(a) (b) (c) (d)
Figure 5: Trade-off analysis of (a) SARLock, (b) DTL, (c) SFLL, and (d) SARLock and DTL.
(a) (b) (c) (d)
Figure 6: Average #DIPs on SFLL encrypted circuits when key size is (a) 10, (b) 11, (c) 12, and (d) 13.
(a) (b) (c) (d)
Figure 7: Average #DIPs on SFLL encrypted circuits when h = (a) 0, (b) 1, (c) 2, and (d) |K |2 .
Figure 8: Verification pass rate on different security con-
cerns.
learning-based attacks. We plan to also investigate the extension
of our framework to sequential logic encryption methods. Finally,
we plan to further develop an automated design and verification
environment [20] leveraging our models and methods to perform
design space exploration and inform system-level design decisions
across multiple encryption schemes.
ACKNOWLEDGMENTS
This work was partially sponsored by the Air Force Research Labo-
ratory (AFRL) and the Defense Advanced Research Projects Agency
(DARPA) under agreement number FA8560-18-1-7817.
REFERENCES
[1] Y. Hu, V. V. Menon, A. Schmidt, J. Monson, M. French, and P. Nuzzo, “Security-
driven metrics and models for efficient evaluation of logic encryption schemes,” in
ACM-IEEE Int. Conf. Formal Methods and Models for System Design (MEMOCODE),
2019.
[2] J. A. Roy, F. Koushanfar, and I. L. Markov, “EPIC: Ending piracy of integrated
circuits,” in Proc. Conf. Design, automation and test in Europe (DATE), pp. 1069–
1074, 2008.
[3] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino, O. Sinanoglu, and R. Karri,
“Fault analysis-based logic encryption,” IEEE Trans. Computers, vol. 64, no. 2,
pp. 410–424, 2013.
[4] M. Yasin, B. Mazumdar, J. Rajendran, and O. Sinanoglu, “SARLock: SAT attack
resistant logic locking,” in IEEE Int. Symp. Hardware Oriented Security and Trust
(HOST), pp. 236–241, 2016.
[5] K. Shamsi, T. Meade, M. Li, D. Z. Pan, and Y. Jin, “On the approximation resiliency
of logic locking and IC camouflaging schemes,” IEEE Trans. Information Forensics
and Security, vol. 14, no. 2, pp. 347–359, 2019.
[6] M. Tehranipoor and F. Koushanfar, “A survey of hardware trojan taxonomy and
detection,” IEEE Design & Test of Computers, vol. 27, no. 1, pp. 10–25, 2010.
[7] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic encryption
algorithms,” in IEEE Int. Symp. Hardware Oriented Security and Trust (HOST),
pp. 137–143, 2015.
[8] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. Rajendran, and O. Sinanoglu,
“Provably-secure logic locking: From theory to practice,” in Proc. ACM SIGSAC
Conf. Computer and Communications Security, pp. 1601–1618, 2017.
[9] H. Zhou, “A humble theory and application for logic encryption.,” IACR Cryptol-
ogy ePrint Archive, vol. 2017, p. 696, 2017.
[10] L. G. Valiant, “A theory of the learnable,” in Proc. ACM Symp. Theory of Computing,
pp. 436–445, 1984.
[11] K. Shamsi, D. Z. Pan, and Y. Jin, “On the impossibility of approximation-resilient
circuit locking,” in IEEE Int. Symp. Hardware Oriented Security and Trust (HOST),
pp. 161–170, 2019.
[12] B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, and K. Yang,
“On the (im)possibility of obfuscating programs,” in Int. Cryptology Conf., pp. 1–18,
Springer, 2001.
[13] S. Goldwasser and G. N. Rothblum, “On best-possible obfuscation,” in Theory of
Cryptography Conf., pp. 194–213, Springer, 2007.
[14] M. Yasin, B. Mazumdar, J. Rajendran, and O. Sinanoglu, “TTLock: Tenacious and
traceless logic locking,” in IEEE Int. Symp. Hardware Oriented Security and Trust
(HOST), pp. 166–166, 2017.
[15] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “AppSAT: Approximately
deobfuscating integrated circuits,” in IEEE Int. Symp. Hardware Oriented Security
and Trust (HOST), pp. 95–100, 2017.
[16] Y. Shen and H. Zhou, “Double DIP: Re-evaluating security of logic encryption
algorithms,” in ACM Proc. Great Lakes Symp. VLSI, pp. 179–184, 2017.
[17] P. Chakraborty, J. Cruz, and S. Bhunia, “SAIL: Machine learning guided struc-
tural analysis attack on hardware obfuscation,” in IEEE Asian Hardware Oriented
Security and Trust Symp. (AsianHOST), pp. 56–61, 2018.
[18] Y. Xie and A. Srivastava, “Anti-SAT: Mitigating SAT attack on logic locking,” IEEE
Trans. Computer-Aided Design of Integrated Circuits and Systems, vol. 38, no. 2,
pp. 199–207, 2018.
[19] B. Korte and J. Vygen, Combinatorial Optimization, vol. 2. Springer, 2012.
[20] V. V. Menon, G. Kolhe, A. Schmidt, J. Monson, M. French, Y. Hu, P. A. Beerel, and
P. Nuzzo, “System-level framework for logic obfuscation with quantified metrics
for evaluation,” in IEEE Secure Development Conference (SecDev), 2019.
