A Novel Topology-Guided Attack and Its Countermeasure Towards Secure
  Logic Locking by Zhang, Yuqiao et al.
Yuqiao Zhang · Ayush Jain · Pinchen Cui · Ziqi Zhou · Ujjwal Guin
Abstract The outsourcing of the design and manufacturing of integrated circuits (ICs) in the current horizontal semiconductor integration flow has posed various security threats due to the presence of untrusted entities, such as overproduction of ICs, sale of out-of-specification/rejected ICs, and piracy of Intellectual Properties (IPs). Consequently, logic locking emerged as one of the prominent design-for-trust techniques. Unfortunately, these locking techniques are now inclined more towards achieving complete Boolean satisfiability (SAT) resiliency after the seminal work published in [45]. In this paper, we propose a novel oracle-less attack that is based on the topological analysis of the locked netlist even though it is SAT-resilient. The attack relies on identifying and constructing unit functions with a hypothesis key to be searched in the entire netlist to find its replica. The proposed graph search algorithm efficiently finds the duplicate functions in the netlist, making it a self-referencing attack. This proposed attack is extremely efficient and can determine the secret key within a few minutes. We have also proposed a countermeasure to make the circuit resilient against this topology-guided attack to progress towards a secure logic locking technique.
Keywords Logic locking · Boolean satisfiability · Boolean
functions · piracy · overproduction · directed graph ·
depth-first search
Y. Zhang · A. Jain · Z. Zhou · U. Guin
Department of Electrical and Computer Engineering,
Auburn University, Auburn, AL, USA
E-mail:
{yuqiao.zhang, ayush.jain, ziqi.zhou, ujjwal.guin}@auburn.edu
P. Cui
Department of Computer Science and Software Engineering,
Auburn University, Auburn, AL, USA
E-mail: pinchen@auburn.edu
1 Introduction
The prohibitive cost of building and maintaining a foundry (fab) with advanced technology nodes has forced many design companies to become fabless and adopt the horizontal semiconductor integration model. Currently, the majority of design houses integrate intellectual properties (IPs) obtained from different third-party IP (3PIP) vendors along with their own designs and outsource the manufacturing to an offshore foundry, resulting in a global supply chain with distributed vendors carrying out design, verification, fabrication, testing, and distribution of chips. The involvement of untrusted entities at various stages in the IC manufacturing and testing process has resulted in evident security threats, such as piracy or theft of IPs, overproduction of ICs, and sale of out-of-specification/rejected ICs [3, 6, 8, 9, 16, 47]. Many design-for-trust techniques have been studied over the years as countermeasures against the aforementioned threats [3, 11, 16, 19, 21, 24, 31, 32, 35, 49].
Amongst the many, logic locking is the most widely accepted and studied design-for-trust technique to prevent threats originating from untrusted manufacturing and test. Logic locking hides the inner details of the circuit by incorporating key gates in the original circuit, resulting in a key-dependent locked counterpart. The resultant locked circuit functions correctly once the secret key is programmed in its tamper-proof memory. Otherwise, it will produce erroneous outputs for the same input patterns, which makes it practically unusable. Over the years, different locking techniques have been proposed, which can be primarily categorised based on key-insertion strategy (see Figure 1) as (i) XOR-based [16–18, 32, 35], (ii) MUX-based [25, 28, 33], (iii) LUT-based [5, 23, 27], and (iv) state-space based [10]. However, XOR-based logic locking is popular due to its simplicity.
arXiv:2006.05930v1 [cs.CR] 10 Jun 2020
Fig. 1: Logic locking methods: (a) An original netlist
(b) XOR/XNOR-based logic locking (c) MUX-based logic
locking (d) LUT-based logic locking.
The research community is constantly driven to reveal vulnerabilities of logic locking through attacks and to propose countermeasures in turn. The majority of early work was shown to be vulnerable to oracle-guided key-pruning attacks [45] and their variants [4, 40, 42, 43]. Since then, many SAT-resilient solutions have been proposed [12, 16–18, 20, 22, 29, 37, 39, 50]. However, some of them have been broken as well [4, 26, 38, 41, 44]. Even though SAT attacks are widely popular amongst the research community, the attack model assumes the availability of an oracle or a functionally correct (unlocked) IC pre-loaded with the correct key, and that the adversary has scan-chain access to obtain the input-output responses. This is a limitation, as many of the chips used in critical or DoD applications are highly unlikely to be circulated in the market just after manufacturing (unless they are commercial-off-the-shelf, COTS, parts). In addition, the concept of restricting scan access has also been adopted to provide security against the SAT attacks. An adversary is not restricted to performing only SAT-based attacks, as it may deploy other effective attacks to extract the secret key from a locked netlist. Therefore, it is necessary to take into account and explore the different directions by which an untrusted foundry can exploit security vulnerabilities to undermine the security of logic locking.
In this paper, we propose a novel oracle-less attack on logic locked circuits to determine the key. Exploring the capabilities of an adversary, is it possible to determine the secret key simply by analyzing the circuit topology? The answer is yes, as the entire circuit topology is built from basic Boolean functions that are repeated multiple times. An adversary can determine the secret key by comparing the locked instances of these functions with the unlocked instances in the entire netlist. This proposed attack is an oracle-less self-referencing attack. We denote our proposed attack as TGA: Topology-Guided Attack on logic locked circuits. By using our proposed attack, the secret key can be estimated efficiently even for circuits on which the SAT attack fails (see Section 5 for the c6288 circuit). In addition, an adversary can unlock any netlist using our proposed attack without waiting for a working chip to be available in the market or with no scan access. This was further validated and demonstrated at the UF/FICS Hardware De-obfuscation competition at the Trusted and Assured Microelectronics (TAME) forum [1].
The contributions of this paper are as follows:
1. A novel oracle-less topology-guided attack on logic locking: We propose a topological function search attack that relies on identifying and searching for the repeated functions in a netlist. We denote these basic functions, which are repeated multiple times in a circuit, as unit functions (UFs). If a key gate is placed in an instance of a repeated UF during the locking of a circuit, the original netlist can be recovered by searching for the equivalent unit functions (EUFs), which are constructed with all hypothesis key values. As the UFs are constructed in a few layers of gates, the number of key gates and key bits associated with a UF is limited, resulting in very small EUF search combinations. The results in Tables 1 and 2 show the efficiency of the proposed attack by recovering the majority of key bits correctly for ISCAS'85 and ITC'99 benchmark circuits locked with Random Logic Locking (RLL) and Secure Logic Locking (SLL). The effectiveness of our proposed TGA is also validated using locked benchmarks from TrustHub [36] (see Table 3). In contrast with the traditional oracle (unlocked chip) attacks, no oracle is required to launch our proposed attack.
2. An efficient function search algorithm: To perform the search, an efficient Depth-First-Search (DFS)-based algorithm is developed to find the equivalent unit functions in a locked netlist. The complete netlist is first converted to a directed graph [46], where each gate in the netlist is represented as a vertex, and each wire is modeled as an edge. In this paper, we demonstrate and implement a DFS-based EUF search algorithm to determine the correct value of a secret key. The average time to determine a secret key bit is on the order of seconds. As a result, a locked circuit can be broken in a few minutes when it is locked with a few hundred/thousand key gates.
3. A countermeasure against the proposed TGA attack: As the proposed attack recovers the original design by performing the EUF search in the netlist, it can be prevented if the function search with hypothesis keys does not find results or produces contradictory results. This resiliency against the attack can be achieved by inserting the key gates in all the repeated instances of a UF, as the adversary will not reach a decision about the actual value of the key bit by comparing with its unlocked version. To achieve this, the DFS-based search algorithm is again exploited to identify all repeated and unique instances of a unit function. Note that the key length can be variable in a range instead of a fixed value, which can increase both the efficiency of the key insertion and the security of the locked design.
The rest of the paper is organized as follows: the background of XOR-based logic locking is provided in Section 2. We present our proposed topology-guided attack methodology in Section 3. We present the countermeasure against the proposed attack in Section 4. We present the results for the implementation of the proposed attack on different logic locked benchmark circuits in Section 5. Finally, we conclude our paper in Section 6.
2 XOR-based logic locking
To describe our proposed topology-guided attack based on function search, it is necessary to present XOR-based logic locking. Additionally, we need to analyze the resulting circuit modifications based on the selected correct key bit and the key gate type (either XOR or XNOR) used to lock the original functionality. This will assist in building the equivalent unit functions (EUFs) that will be searched for in the netlist to perform the proposed attack.
Fig. 2: Logic locking using Exclusive OR (XOR) gates. (a)
Original netlist. (b) Locked netlist when k = 0. (c) Case-I:
Locked netlist when k = 1. (d) Case-II: Locked netlist when
k = 1 (using DeMorgan’s Theorem).
Figure 2 shows an example of locking a circuit using an XOR gate. The circuit has three inputs (X1, X2 and X3) and one output (Y). One key gate with value k is selected to obfuscate the functionality of the circuit. The original circuit is shown in Figure 2.(a). There can be two possible key values, k = 0 and k = 1. For k = 0, an XOR gate can directly be placed at node X4, which is shown in Figure 2.(b). However, for k = 1, two possible scenarios may occur. One can invert the previous stage functionality, which is shown in Figure 2.(c). It is also possible to modify the successive stage function using DeMorgan's Theorem, shown in Figure 2.(d).
In this example, the original function of the circuit is Y = X3 · X4, where X4 = X1 · X2. It is not necessary to change the functionality of the preceding or succeeding stages of the XOR gate when k = 0.
$$X_4' = X_4 \oplus 0 = X_4 = X_1 \cdot X_2 \qquad (1)$$
To preserve the original functionality for k = 1, it is required either to invert the functionality of the preceding stage (Figure 2.(c)) or to compensate in the functionality of the following stage (Figure 2.(d)) of the added XOR gate. For the first case, the original functionality is preserved as $X_4' = 1 \oplus \overline{X_4} = X_4$. For the second case, DeMorgan's transformation is necessary as shown below:
$$Y = \overline{\overline{X_3} + X_4'} = X_3 \cdot \overline{X_4'} = X_3 \cdot \overline{(1 \oplus X_4)} = X_3 \cdot X_4 \qquad (2)$$
Note that only XOR gates are used in the example to lock the netlist. However, one can also use XNOR gates for such purposes, which have the opposite logic function compared with the XOR gate. It is important to remember that one cannot insert an XOR gate with k = 0 and an XNOR gate with k = 1 for every key bit, as the adversary could then easily determine the secret key simply by observing the type of the key gates.
3 Proposed Topology-Guided Attack on Logic Locking
The general locking strategy adopted to provide security in a circuit includes the placement of key gates either randomly or in some particular manner (e.g., pair-wise). Since the secret key associated with the key gates is the same for all the chips manufactured with the same design, finding this key from one netlist undermines the security provided by logic locking. In this section, we show how an adversary can easily extract the secret key for a key-based locked design using our proposed oracle-less and topology-guided attack, which is built on searching for the hypothesis key-based equivalent unit function in the entire locked netlist. Moreover, this attack overcomes the limitations of SAT attacks that require an oracle with scan access. To this end, we present the different steps involved in performing the proposed attack.
3.1 Adversarial Model
The unambiguous objective of an attacker is to undermine the security of a logic locking technique by determining the secret key. The secret key is stored in a secure and tamper-proof memory so that the adversary cannot access the key values directly from an unlocked chip. The adversarial model is presented to clearly state the resources and the assets possessed by an adversary. In our attack model, the adversary is assumed to be an untrusted foundry and has access to the following:
– Gate-level netlist: As the primary attacker, the foundry can have access to the gate-level netlist of a locked IC. SoC designers typically send the circuit layout information using GDSII or OASIS files [34] to a foundry for chip fabrication. With the help of advanced tools, the foundry can extract the gate-level netlist from the provided GDSII/OASIS files [48].
– Location of the key gates: The location of key gates can be determined by the adversary. The key gates are connected either directly or through temporary storage elements to the tamper-proof memory. An adversary can easily track the routing path from the tamper-proof memory to the corresponding gates to determine their locations.
– Locked unit function: It is trivial for an untrusted foundry to construct equivalent unit functions (EUFs) for launching the topology-guided attack, as it has the netlist and the locations of the key gates.
Fig. 3: Four-bit ripple carry adder consisting of eight identical half adders (HA). If an HA is locked, an adversary can recover the original netlist by simply comparing it with other unlocked HAs.
3.2 Motivation
The basic idea of our proposed attack is based on the repeated functionality that exists in a circuit. The Boolean functions are generally not unique in a circuit and are repeated multiple times to implement its overall functionality. The majority of circuits are constructed from small functional units. For example, several small functions (which we describe as 'unit functions' or UFs) are repeated in an arithmetic logic unit (ALU) of a processor, adders, multipliers, Advanced Encryption Standard (AES), RSA, and many other digital circuits. If any of such unit functions are not obfuscated during the logic locking process, all the locked functions will be unlocked simply by comparing them with their unlocked version.
Figure 3 provides a four-bit ripple carry adder circuit as an example to illustrate the concept of our proposed attack. This full adder FA consists of eight identical one-bit half adders (HA) with inputs (P and Q) and outputs (S and C). Each individual half adder can be considered as a unit function UF, which is repeated multiple times inside this full adder. If one of these half adders is locked using an XOR/XNOR gate, an adversary only needs to find an original unlocked HA, and then match this with the locked HA to recover the key value (see details in Section 3.5).
3.3 Construction of Equivalent Unit Function
Our proposed attack constructs an equivalent unit function to perform the search. While constructing the EUF, an adversary may encounter two different cases: either there is only one key gate or there are multiple key gates in the UF. In either case, the EUF is constructed using one or more hypothesis key bits or a combination of hypothesis key bits, and that EUF is searched for in the entire netlist to find a match. The hypothesis key bits will be the correct secret key bits for the respective UF if a match is found corresponding to the EUF. Otherwise, the adversary constructs another EUF using a different combination of values for the hypothesis key bits, in both cases, and searches the netlist again. The number of EUFs depends on the number of key gates included in the UF. In this section, we show how EUFs are created to determine the secret key for both RLL and SLL circuits.
3.3.1 Random logic locking
In random logic locking (RLL), the secure key gates are inserted randomly inside the circuit that needs to be protected. In large designs with thousands of gates, it is highly unlikely that multiple key gates will be inserted adjacent to each other. Thus, the inserted key gates can usually be considered individually to construct the equivalent unit functions.
Fig. 4: EUF construction for different hypothesis key values. (a) Original unlocked netlist. (b) Netlist is secured with key value k = 1. (c) $EUF_0$ for hypothesis key $k_h = 0$. (d) $EUF_1$ for hypothesis key $k_h = 1$ (Case-I). (e) $EUF_{\hat{1}}$ for hypothesis key $k_h = 1$ (Case-II).
Figure 4 illustrates the construction of the equivalent unit functions with a single key gate, which can be used to launch the function search attack. Figure 4.(a) represents an original unit function to be locked using a correct secret key k = 1. The locked circuit is shown in Figure 4.(b). The adversary cannot deduce the value of the key simply by observing the key gate. It first makes an assumption of $k_h = 0$ and constructs the EUF, which is shown in Figure 4.(c). It then searches for this function in the locked circuit to find a match. If no match is found (as the actual key is 1), it constructs another EUF for $k_h = 1$. Two possible scenarios may occur. For Case-I, the output of the previous stage needs to be inverted (shown in Figure 4.(d)). On the other hand, DeMorgan's transformation needs to be carried out to obtain the EUF for $k_h = 1$ for Case-II, which is shown in Figure 4.(e). As inferred from the construction of the equivalent unit function, each key gate has two hypothesis keys with three transformations, represented as: (i) $EUF_0$, where the hypothesis key $k_h = 0$, (ii) $EUF_1$ (Case-I), where the hypothesis key $k_h = 1$, and (iii) $EUF_{\hat{1}}$ (Case-II), where the hypothesis key $k_h = 1$ but the modification is carried out using DeMorgan's Theorem. As a result, we can generalize and say that the number of EUFs for a given UF equals $3^j$, where j represents the number of key gates included in the unit function; this will be used for strong logic locking, discussed in the following.
3.3.2 Strong logic locking
The objective of strong logic locking (SLL) is to maximize the interference between different key gates to restrict key sensitization at the output [32]. In SLL, two or more key gates are inserted adjacent to each other so that their outputs converge at the next-stage logic gate. The propagation of one of the key bits will be possible only if certain conditions are forced on the other key inputs or they are known. As these key inputs are not accessible to the attackers, they cannot force the logic values necessary to sensitize a key. As a result, the proposed TGA on SLL requires an equivalent unit function search with multiple keys instead of the single one used for random logic locking.
Fig. 5: Equivalent unit functions for multiple gates with different hypothesis keys. (a) Original netlist. (b) Locked netlist with key value $k_1k_2k_3 = 101$. (c) $EUF_{100}$ for hypothesis key $k_h = 100$. (d) $EUF_{011}$ for $k_h = 011$. (e) $EUF_{0\hat{1}0}$ for $k_h = 010$. (f) $EUF_{10\hat{1}}$ for $k_h = 101$.
Figure 5 illustrates the construction of EUFs with multiple key gates that will assist in performing the function search. The original unit function (shown in Figure 5.(a)) is locked with three key gates to increase the inter key-dependency. The locked unit function is shown in Figure 5.(b) with correct key $k_1k_2k_3 = 101$. As an adversary cannot extract the correct key value from the non-volatile memory directly, all the EUFs will be constructed and searched for in the entire locked netlist. However, the number of constructed EUFs will increase due to the number of key gates and their combinations in the UF. As mentioned earlier, each key gate results in 3 different EUFs (e.g., $EUF_0$, $EUF_1$, and $EUF_{\hat{1}}$) based on the hypothesis key values (either 0 or 1). This will result in 27 EUFs overall (i.e., $3^3$, as j = 3 is the number of key gates in the UF) for Figure 5.(b), amongst which only 4 are shown in Figure 5.(c)-(f). These EUFs are derived from different key combinations. For example, $EUF_{100}$ in Figure 5.(c) is constructed with the hypothesis-key-based transformations $EUF_1$, $EUF_0$ and $EUF_0$ for key gates G7, G6 and G8 respectively. Also, we construct $EUF_{011}$, shown in Figure 5.(d), if we transform based on the hypothesis key bits $k_h = 011$ for key gates G7 ($EUF_0$), G6 ($EUF_1$) and G8 ($EUF_1$). Figure 5.(e) shows yet another EUF, represented as $EUF_{0\hat{1}0}$, where the hypothesis key is 0, 1 (Case-II) and 0. Likewise, if we select the transformations $EUF_1$, $EUF_0$ and $EUF_{\hat{1}}$ (Case-II) for key gates G7, G6 and G8 respectively, then we will get $EUF_{10\hat{1}}$, shown in Figure 5.(f). Once all the EUFs are constructed, all of them will be searched for in the netlist to find a match. As Figure 5.(f) is identical to Figure 5.(a), the hypothesis key combination $k_h = 101$ should be the correct key value. If no such match is found for any of the EUFs, an adversary cannot make a prediction on the key combination, which means the UF is unique in the circuit.
3.4 Unit Function Search using DFS Algorithm
An efficient search algorithm has been developed to search for the EUFs in the locked netlist. The structure of a circuit can be transformed and represented as a directed graph, and all the algorithms that can be used to search for a component in directed graphs can also be applied to search for the EUF. Therefore, we propose to use a Depth-First-Search (DFS)-based algorithm to launch the attack. Generally, the DFS method follows the rule: in the graph traversal procedure, the edge from the most recently reached and connected vertex that still has unexplored edges will always be selected as the next edge [46]. Before performing the DFS-based search, a data object structure needs to be defined to store and transform the netlist as a directed graph. The gate object needs to have the following attributes: gate type (e.g., XOR, AND, etc.), name of the gate (i.e., its identification in the netlist), an array that contains its preceding gates (i.e., its inputs), and an array that contains its following gates (i.e., its outputs). Then the circuit structure can be transformed and stored into a dictionary, in which the keys are the types of the gates and the values are the corresponding gate objects. A dictionary is basically a data structure that stores mappings and relationships of data [13]. The use of a dictionary makes the search for specific types of gates more efficient.
Algorithm 1: Function UFS
Unit Function search based on DFS Algorithm.
Input : The gate-level netlist of a circuit (C), Unit Function (UF)
Output: Result List (LR)
1  Read C and UF, and transform them into dictionaries, O and T;
2  R ← UF.root; LS ← O[R.type]; LR ← ∅;
3  for each gate G in LS do
4      if DFS(R, G) then
5          LR.append(G);
6      end
7  end
8  return LR;
9  Function DFS(r, g):
10     F ← True;
11     L1 ← r.PrecedingGates; L2 ← g.PrecedingGates;
12     T1 ← L1.types; T2 ← L2.types;
13     if L1 is empty then
14         return True;
15     end
16     for each gate type T in T1 do
17         if gate type T not in T2 then
18             return False;
19         else
20             T2.remove(T)
21         end
22     for each gate RN in L1 do
23         LT ← ∅;
24         for each gate GT in L2 do
25             if GT.type = RN.type then
26                 LT.append(GT);
27             end
28         end
29         FT ← False;
30         for each gate GN in LT do
31             if DFS(RN, GN) then
32                 FT ← True;
33                 break
34             end
35         end
36         F ← F ∗ FT;
37     end
38     return F
The procedure of the DFS-based search is described in Algorithm 1. The general idea can be described as follows: for every gate that is of the same type as the root gate of the UF, we traverse all its preceding gates to check for the existence of the same structure. Whenever a specific UF needs to be searched for in the netlist, we define the last gate of the UF as the root gate (Line 2 in Algorithm 1). An example root gate is G2 in Figure 4. All the gates in the dictionary that have the same type as the root gate (G2) (Line 3) are stored into an array. The DFS is then performed on all these found gates (Line 3-7). Finally, all the UFs in the netlist will be found and the count of the UF will be returned as the output (Line 8). The detailed implementation of the DFS is demonstrated in Lines 9-38.
The algorithm is implemented with Python 2.7 [30]. The worst-case time complexity of the search algorithm is O(n · u), where n is the size of the netlist and u is the size of a unit function. This is an acceptable complexity, since it is known that the subgraph isomorphism problem is an NP-complete problem and its time complexity is quadratic in the number of nodes [15, 34]. Note that the optimization of the algorithm complexity is not the major objective of this paper. However, our search strategy slightly reduces the search complexity by using a dictionary to locate root gates. In this case, the algorithm performs similarly to a subtree isomorphism search (or a sequence of tree isomorphism searches), whose complexity is known to be at least subquadratic [2]. Reading the netlist and transforming it into a dictionary may have a different complexity, and the complexity we mentioned does not include the cost of constructing the netlist dictionary.
3.5 Proposed attack using Equivalent Unit Function Search
The objective of the proposed topology-guided attack is to recover the entire original netlist using equivalent unit function search (UFS). Algorithm 2 describes the proposed attack. The locked circuit ($C^*$) is given as the input, and the list of predicted key values ($K_P$) with the success rate (SR) is returned as output. $K_P$ contains the predicted value of each key gate, which can be either 0, 1, or X. X represents an unknown value, assigned when the search fails to find a match and cannot make a prediction. The locations of the key gates can be found by tracking the routes originating from the tamper-proof memory, and their number can be determined as |K|. In order to determine the key value inside a particular unit function, different unit functions need to be constructed based on the number of key gates inserted in this unit function. In addition, each key gate comes with a hypothesis key value (either 0 or 1), and this also leads to different hypothesis key combinations when there are multiple key gates inserted in a UF.
For each key gate $k_i$, the unit function will be constructed based on the value l. Here, l denotes how many layers of gates are considered when constructing the unit functions. l is initialized as 1 at the beginning (Line 6), which is also shown in Figure 4. Next, the unit function based on $k_i$ and l will be generated (Line 7), and the number of key gates (including $k_i$) in this unit function will be determined as j (Line 8). The hypothesis key combinations for all the key gates in this unit function will be generated and stored in a list J (Line 9). Note that the order of the keys has no relationship with the real sequence in the circuit, and the number of combinations is $2^j$. Once the key combination list is generated, all the possible EUFs will be constructed based on the hypothesis key combinations (Line 11). For each key gate, three different cases need to be considered (see Figure 4 for details), thus $3^j$ EUFs will be generated. The unit function search (UFS) (described in Section 3.4) is then performed to search for the repeated instances of EUFs (Line 12-14). $2^j$ count values will be accumulated in a list R (initialized with all 0 in Line 10) for all key assumptions.
Algorithm 2: Topology-guided attack using UFS
Input : Locked Circuit Netlist (C*)
Output: List of predicted key values (KP), Success Rate (SR)
1  Read the netlist C*;
2  Determine the location and number |K| of key gates;
3  Initialize correct prediction counter, pc ← 0;
4  for i ← 1 to |K| do
5      if ki is not determined in KP then
6          Initialize layer counter, l ← 1;
7          Get the unit function for ki based on l;
8          Get number of key gates j in the function;
9          J ← key combinations list, where the length of J = 2^j;
10         R ← [0] ∗ 2^j;
11         Generate 3^j equivalent unit functions for 2^j key combinations;
12         for each generated EUF do
13             J′ ← hypothesis key of EUF;
14             R[J.index(J′)] ← R[J.index(J′)] + UFS(C*, EUF).sz();
15         end
16         if R.nonzero = 1 then
17             J′ ← R.index(1);
18             Correct hypothesis key kj ← J[J′];
19             if Any key gate in kj is placed in a fan-out net then
20                 kj = FV( );
21             end
22             Write kj into KP; pc ← pc + j;
23         else if R.nonzero = 0 then
24             k1...kj ← X;
25             Write k1...kj into KP;
26         else
27             l ← l + 1, go to line 7
28     else
29         Continue
30 end
31 Compute success rate, SR ← pc / |K| × 100%;
32 Output KP, SR;
33 Function FV( ):
34     Construct different EUFs for the fanout paths;
35     Search EUFs for each path and make key prediction;
36     if Opposite predictions for different paths then
37         ki ← X;
38     else if Same predictions for different paths then
39         ki ← {0 or 1};
40     end
41     return ki
Upon finishing the search of all the EUFs, if only one
count value in R is non-zero, this non-zero value corre-
sponding EUF represents a correct key prediction. The hy-
pothesis key J ′ of this EUF will be written into KP , and
prediction counter (pc) will be increased by the length of
this hypothesis key, j (Line 16-22). Note that, if the key
gate is placed in a fan-out net, additional process needs to
be performed (Line 19-21). Function FV ( ) verifies the key
decision on each path. It may happen that different paths for
the same key gate may have different key predictions. As
a result, no prediction will be made in case of any two (or
more) paths provides opposite key value predictions (Line
36-37). Correct predictions will only be made if different
paths make the same prediction (Line 38-39).
On the other hand, if all of the elements in R are equal to 0, the unit function is unique in the circuit and the adversary cannot make a prediction on the key value. As a result, the unknown value (X) is assigned to all the j key gates in this unit function, and the values are also stored in K_P (Line 23-25). If multiple count values in R are non-zero, the adversary cannot make a key value prediction based on the current EUF either. It is then necessary to increase the size of the EUF by increasing the number of gate layers considered in the EUF construction. Therefore, the value of l is increased by 1, and the entire search procedure is performed again (Line 26-28).
$$SR = \frac{p_c}{|K|} \times 100\% \qquad (3)$$
Finally, the success rate is computed using Equation 3. Here, |K| represents the size of the key while p_c indicates the value stored in the correct prediction counter. The algorithm finally reports the predicted key list K_P and SR (Line 27).
The proposed attack may also produce incorrect predictions. For example, the actual key bit may be 1 when the attack gives an estimate of 0, and vice versa. It is thus necessary to measure the accuracy of the proposed attack. The misprediction rate (MR) of our proposed attack is the ratio of the incorrect predictions to the key size and is given by the following equation:
$$MR = \frac{p_i}{|K|} \times 100\% \qquad (4)$$
where p_i represents the total number of incorrect predictions.
4 Countermeasure for TGA
In this section, we propose an effective key insertion algorithm, which can prevent the proposed topology-guided attack. As an adversary performs an EUF search in the netlist to find the reference UF, this attack can be prevented if the search for those key gates and EUFs always returns no results or contradictory values. The basic idea of the countermeasure is to lock all the repeated instances of UFs and insert the key gate(s) in all unique UFs in the circuit simultaneously. As a result, the adversary cannot predict and recover the correct key values by comparing the locked UFs with the unlocked version. To find all the repeated instances of a selected UF, the UF search is performed at the beginning, before the key gates are placed into the netlist.
Algorithm 3: Insertion of key gates to prevent topology-guided attack
Input : Gate level netlist of a circuit (C), Key size (〈K_min, K_max〉)
Output: Locked netlist (C*) and Key value (K*)
1   Initialization: n ← 0, r ← 0;
2   while n < K_min do
3       Select a root gate randomly from C;
4       Construct the unit function, UF;
5       r ← UFS(C, UF).sz();
6       if RLL then
7           if r = 1 then
8               Insert the key gate at one random input of root gate and assign key value, k_n ∈ {0, 1};
9               Write key value, K*[n] ← k_n;
10              n ← n + 1;
11          else if 1 < r ≤ K_max − n then
12              Lock all the UFs;
13              Write key values to K*[n + r : n];
14              n ← n + r;
15          end
16      else if SLL then
17          if r = 1 then
18              Insert j key bits in the unique UF, and assign key values, k_n, k_(n+1), ..., k_(n+j);
19              Write key value, K*[n + j : n] ← [k_(n+j), ..., k_(n+1), k_n];
20              n ← n + j;
21          else if 1 < r ≤ K_max − n then
22              Lock all the UFs;
23              Write key values to K*[(n + r * j) : n];
24              n ← n + r * j;
25          end
26      end
27  end
28  Output C* and K*;
Algorithm 3 illustrates our proposed solution for key gate(s) insertion. The original unlocked netlist (C) is provided as the initial input, along with the key size (〈K_min, K_max〉), which indicates the range of the number of key gates that need to be inserted in the circuit. The locked circuit netlist (C*) and the secret key K* are the outputs of the algorithm. Here, n denotes the key index, which is the number of key gates that have already been inserted in the circuit, and is initialized to 0 (Line 1). The entire process can be described as follows. First, a gate is selected randomly from the original unlocked netlist as the root gate (Line 3). Then, the unit function based on the root gate is created for the later search (Line 4). Next, UFS(C, UF).sz() returns r, which denotes the number of times the selected UF is repeated in the circuit (Line 5). Depending on whether r is 1 (unique) or greater than 1 (repeated), key gate(s) can be inserted in this UF in accordance with the RLL or SLL technique.
For RLL, r = 1 signifies that the constructed UF is unique, and the UFS function found only one instance (itself) in the netlist. As a result, a random key gate (either XOR or XNOR) is inserted before the root gate and the UF is modified randomly based on the key value. After the key gate insertion, the key bit value is written in the respective location of K*, and the value of n is increased by 1 (Lines 9-10). In the case of r > K_max − n, which means that the number of instances of this repeated UF is more than the maximum remaining number of key gates we expect to insert, the algorithm randomly chooses a different gate as the new root gate (Line 3). Otherwise, the algorithm locks all the repeated instances of this constructed UF in the circuit (Line 12). The respective key bit locations in K* are written with the key values (Line 13). Note that it is ineffective to lock all these instances with only one key value, i.e., all 0s or all 1s, as the attacker can recover the entire netlist by simply analyzing the type of the key gate. A combination of 1s and 0s (shown in Figure 2) is a better option to provide enough security for the circuit. However, it is mandatory to lock all the repeated UFs. Finally, the value of n is increased by r.
Similarly, for r = 1, SLL can be carried out by inserting j key gates in the UF, namely k_n, k_(n+1), ..., k_(n+j) (Line 18). After the insertion of the key gates, the values of these key bits are written in the respective locations of K*, and the value of n is increased by j since j key gates have already been inserted (Lines 19-20). In the case of r > K_max − n, when the number of instances of this repeated UF is more than the maximum remaining number of key gates, the algorithm automatically chooses a different gate as the new root gate (Line 3). Otherwise, the algorithm locks all the repeated instances of this constructed UF with SLL in the circuit (Line 23). The respective key bit locations and values are also updated in K* (Line 24). At last, the value of n is increased by r * j.
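The RLL branch of Algorithm 3, run on a small constructed netlist, as an added example (it is not the authors' in-house script). The one-layer `unit_function` signature, the `partly_locked` audit helper, the toy netlist and the choice of XOR for key bit 0 and XNOR for key bit 1 are assumptions of this example.

```python
import random
from collections import defaultdict

# Constructed toy netlist (not from the paper): gate -> (type, input nets).
# A net that no gate drives is a primary input.
NETLIST = {
    "s0": ("XOR", ["a0", "b0"]), "c0": ("AND", ["a0", "b0"]),  # half adder 0
    "s1": ("XOR", ["a1", "b1"]), "c1": ("AND", ["a1", "b1"]),  # half adder 1
    "t0": ("XOR", ["s1", "c0"]), "t1": ("AND", ["s1", "c0"]),
    "c2": ("OR", ["c1", "t1"]),
    "z": ("NAND", ["t0", "c2"]),
}


def unit_function(netlist, root):
    """Assumed one-layer UF: root gate type plus the sorted types of its drivers."""
    gtype, inputs = netlist[root]
    drivers = sorted(netlist[i][0] if i in netlist else "PI" for i in inputs)
    return gtype, tuple(drivers)


def ufs(netlist, uf):
    """UF search: all root gates whose unit function equals `uf`."""
    return sorted(g for g in netlist if unit_function(netlist, g) == uf)


def lock_rll(netlist, k_min, k_max, seed=0):
    """RLL branch of Algorithm 3. Returns (locked netlist, key K*, root -> key index)."""
    rng = random.Random(seed)
    locked = {g: (t, list(ins)) for g, (t, ins) in netlist.items()}
    key, placed = [], {}
    candidates = sorted(netlist)
    rng.shuffle(candidates)
    while len(key) < k_min:
        if not candidates:
            raise ValueError("no unit function fits the remaining key budget")
        root = candidates.pop()
        if root in placed:
            continue  # already locked as a replica of an earlier root
        # The search runs on the unlocked netlist C, before any key gate is placed.
        instances = ufs(netlist, unit_function(netlist, root))
        r = len(instances)
        if r > k_max - len(key):
            continue  # more replicas than remaining key gates: pick another root
        bits = [rng.randint(0, 1) for _ in range(r)]
        if r > 1 and len(set(bits)) == 1:
            bits[rng.randrange(r)] ^= 1  # replicas get a mix of 0s and 1s
        for inst, bit in zip(instances, bits):
            n = len(key)
            ins = locked[inst][1]
            pin = rng.randrange(len(ins))
            # Assumption: XOR for key bit 0, XNOR for 1, so the correct key
            # leaves the signal on this pin unchanged.
            locked[f"kg{n}"] = ("XNOR" if bit else "XOR", [ins[pin], f"k{n}"])
            ins[pin] = f"kg{n}"
            key.append(bit)
            placed[inst] = n
    return locked, key, placed


def partly_locked(netlist, placed):
    """UF groups with both locked and unlocked instances (an unlocked reference remains)."""
    groups = defaultdict(list)
    for g in netlist:
        groups[unit_function(netlist, g)].append(g)
    return {uf: gs for uf, gs in groups.items()
            if 0 < sum(g in placed for g in gs) < len(gs)}


if __name__ == "__main__":
    locked, key, placed = lock_rll(NETLIST, k_min=4, k_max=6, seed=1)
    print("K* =", key)
    print("locked roots -> key index:", placed)
    print("partly locked UF groups:", partly_locked(NETLIST, placed))
```

An empty result from `partly_locked` is the property the countermeasure relies on: every UF is either unique or has all of its replicas locked, so no unlocked copy is left to serve as a reference.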
5 Simulation results and discussions
In this section, we present the results and evaluate the performance of our proposed topology-guided attack on different logic locking schemes. We provide an in-depth analysis of the key prediction accuracy of the proposed attack on ISCAS’85 [7] and ITC’99 [14] benchmark circuits locked with RLL and SLL using our in-house script. In addition, we have validated our proposed attack on Trust-Hub benchmark circuits [36].
[Figure 6: histogram panels (a)-(h); vertical axis: Frequency.]
Fig. 6: Histogram plots of the SR for different benchmark circuits with 128 key bits: (a) c6288-RLL (b) c5315-RLL (c) b15-RLL (d) b17-RLL (e) c6288-SLL (f) c5315-SLL (g) b15-SLL (h) b17-SLL.
5.1 Performance Analysis
Four different benchmark circuits, c6288, c5315, b15, and b17, are first selected for determining the success rate (SR) and misprediction rate (MR) of our proposed TGA. We created 100 instances of the locked circuit (based on RLL and SLL) for each benchmark circuit, where 128 key gates are placed, and then attacked them using Algorithm 2. For each locked circuit, the success rate (SR) is computed using Equation 3, while the misprediction rate (MR) is calculated using Equation 4. In general, the mean and variance are denoted by µ and σ² for the Gaussian distributions related to SR, whereas they are denoted by λ⁻¹ and λ⁻² for the exponential distributions related to the MR plots.
Figure 6 shows the histogram plots of the SR metric for the four selected benchmark circuits based on RLL (see Figure 6.(a)-(d)) and SLL (shown in Figure 6.(e)-(h)). For benchmark circuit c6288-RLL, we estimate the majority of the key bits (Figure 6.(a)), as this multiplier consists of many half and full adders. 127 out of 128 key bits can be predicted successfully, which results in a minimum SR of 99.22%. Figure 6.(b) shows the SR distribution for the c5315-RLL circuit. A Gaussian distribution is observed with µ of 88.56% and σ² of 6.7018. Similar behavior is observed for the other two benchmark circuits, as shown in Figure 6.(c) and Figure 6.(d). The µ for b15-RLL and b17-RLL are 96.48% and 96.41%, with the σ values as 3.2613 and 2.4179, respectively. We observe similar Gaussian distributions for the SR on circuits locked using SLL (see Figure 6.(e)-(h)). Note that the overall variance of the SR distribution decreases as the size of the benchmark circuits increases, due to the increased EUF search space in the circuit, which makes our proposed attack more effective for extracting key values in large designs.
The histogram plots of the misprediction rate (MR) for the same selected benchmark circuits are presented in Figure 7. Figures 7.(a)–(d) present the MR plots for the circuits locked with RLL. For the c6288-RLL benchmark circuit, all the key bits can be determined correctly with a 0% MR in the majority of the cases. The worst case is a one-bit misprediction, resulting in a maximum value of MR within 1%. As for c5315-RLL, we observe an exponential distribution with a mean (λ⁻¹) of 1.23% and variance (λ⁻²) of 1.5129. As observed from Figure 7.(c) and Figure 7, b15-RLL shows λ⁻¹ of 0.48% and λ⁻² of 0.2304, whereas b17-RLL shows λ⁻¹ of 0.51% and λ⁻² of 0.2601. Likewise, a similar analysis can be done for the MR of the same selected benchmark circuits locked with SLL, plotted in Figure 7.(e)–(h). In general, both the mean and variance of MR decrease as the size of the benchmark circuits increases, which makes this attack more accurate for larger designs.
Table 1 shows the success rate (SR) and misprediction rate (MR) of our proposed attack on different ISCAS’85 [7] and ITC’99 [14] benchmark circuits locked with random logic locking. The number of logic gates in the circuit and the number of inserted key gates are presented in Columns 2 and 3, respectively. The total area overhead due to the inserted key gates is constrained to 10% such that 128 key gates are inserted randomly. However, the overhead added by the key gates can be negligible for larger designs with thousands of gates. Columns 4, 5, and 6 show the minimum, average, and maximum SR values (see Equation 3) obtained by analyzing 100 locked instances for each benchmark circuit to determine the accuracy of the proposed topology-guided attack (see Algorithm 2 for details). For the c7552 benchmark, 128 key gates are inserted randomly in the netlist with 3512 logic gates. A minimum accuracy of 85.93% is observed, where the attack predicts 110 out of 128 key values correctly, and the maximum prediction accuracy attained is 97.66%, where the attack identifies 125 key bits. A similar analysis can be performed for all the benchmarks shown in each row. For the larger benchmark circuits, the average success rate SR can rise above 90% because of the increased search space, which makes our proposed topology-guided attack efficient for larger designs. Note that, although SAT fails on benchmark c6288, our proposed attack provides better accuracy (average of 99.38%) for benchmark c6288 due to its special topology: it is a multiplier, which consists of 225 full adders and 15 half adders. Therefore, an adversary can choose our proposed attack as an alternative to SAT attacks.
[Figure 7: histogram panels (a)-(h); vertical axis: Frequency.]
Fig. 7: Histogram plots of the MR for different RLL and SLL benchmark circuits with 128 key bits: (a) c6288-RLL (b) c5315-RLL (c) b15-RLL (d) b17-RLL (e) c6288-SLL (f) c5315-SLL (g) b15-SLL (h) b17-SLL
Table 1: Success rate (SR) and misprediction rate (MR) for estimating keys for RLL circuits.
Benchmark  # Total Gates  # Key Gates  SR Min.  SR Avg.  SR Max.  MR Min.  MR Avg.  MR Max.
c3540      1669           128          76.56%   80.39%   88.28%   0.00%    1.76%    3.12%
c5315      2307           128          82.03%   88.56%   95.31%   0.00%    1.23%    3.91%
c6288      2406           128          99.22%   99.38%   100.00%  0.00%    0.09%    0.78%
c7552      3512           128          85.93%   91.08%   97.66%   0.00%    2.03%    4.69%
b14        3461           128          85.94%   94.16%   98.44%   0.00%    0.52%    3.12%
b15        6931           128          90.63%   96.48%   99.22%   0.00%    0.48%    1.56%
b20        7741           128          93.75%   97.17%   99.22%   0.00%    0.25%    1.56%
b21        7931           128          89.84%   95.40%   99.22%   0.00%    0.35%    1.56%
b22        12128          128          93.75%   96.34%   99.22%   0.00%    0.37%    1.56%
b17        21191          128          92.97%   96.41%   100.00%  0.00%    0.51%    3.12%
b18        49293          128          82.81%   90.25%   100.00%  0.00%    0.29%    2.34%
b19        98726          128          82.81%   89.56%   98.44%   0.00%    0.45%    3.12%
It is also necessary to evaluate the correctness of the calculated SR, so the accuracy of the attack is reported as well. The minimum, average, and maximum misprediction rates, MR, are calculated using Equation 4 and provided in Columns 7, 8, and 9 of Table 1, respectively. We observe an exponential distribution (see Figure 7) for MR. The average MR is less than 1% for the majority of benchmark circuits, which makes our attack very effective for determining the secret key. Note that it can reach a higher value for some benchmark circuits (e.g., 4.69% for c7552, where 6 key bits are predicted incorrectly).
In Table 2, we evaluated the same benchmark circuits locked with SLL to determine the SR and MR of our proposed topology-guided attack. Each benchmark is shown in Column 1; 100 different locked instances are implemented with 128 key gates inserted; and the SR and MR results are reported in Columns 4 to 9 as minimum, average, and maximum rates. For the b14 benchmark, a minimum SR of 88.28% is observed, where our proposed attack predicts at least 113 out of 128 key values correctly. Also, 95.31% is attained as the maximum SR, where the attack identifies 122 key bits successfully. As for the MR, a maximum value of 2.34% is observed, which corresponds to 3 bits predicted incorrectly. A similar analysis can be carried out for all the benchmarks listed in the table. Following the earlier trend, as the size of the benchmark circuit increases, the overall average SR increases with lower MR. The overall performance evaluation for the same benchmark is similar to the result shown in Table 1. As a result, our proposed topology-guided attack can be performed on SLL efficiently as well.
Table 2: SR and MR for estimating keys for SLL circuits.
Benchmark  # Total Gates  # Key Gates  SR Min.  SR Avg.  SR Max.  MR Min.  MR Avg.  MR Max.
c3540      1669           128          70.31%   80.56%   90.63%   0.00%    2.01%    4.68%
c6288      2406           128          96.88%   99.25%   100.00%  0.00%    0.00%    0.00%
c7552      3512           128          82.03%   90.21%   95.31%   0.00%    0.97%    4.69%
b14        3461           128          88.28%   93.67%   95.31%   0.00%    0.92%    2.34%
b15        6931           128          91.40%   96.19%   99.22%   0.00%    0.59%    2.34%
b20        7741           128          92.19%   96.95%   99.22%   0.00%    0.84%    2.34%
b21        7931           128          91.41%   94.50%   98.44%   0.00%    0.63%    2.34%
b22        12128          128          92.19%   95.78%   98.44%   0.00%    0.77%    3.12%
b17        21191          128          90.62%   95.46%   100.00%  0.00%    0.83%    3.12%
b18        49293          128          82.03%   89.36%   96.09%   0.00%    0.80%    2.34%
b19        98726          128          81.25%   88.11%   96.01%   0.00%    0.95%    3.12%
Table 3: SR and MR for estimating keys for locked circuits from Trust-Hub.
Benchmark     # Total Gates  # Key Inputs  SR      MR
c880-SL320    404            32            87.50%  3.12%
c1350-SL320   593            32            78.13%  0.00%
c1908-SL320   768            32            84.38%  3.12%
c2670-SL320   1042           32            84.38%  3.12%
c3540-SL640   1546           64            82.81%  1.56%
c5315-SL640   2090           64            87.50%  1.56%
c6288-SL1280  2603           128           96.88%  0.00%
c7552-SL1280  3173           128           88.28%  0.78%
To reinforce our conclusion from Table 1 and Table 2, we also selected 8 different benchmark circuits from Trust-Hub [36] and performed our topology-guided attack to evaluate its effectiveness. Table 3 presents the obtained results. The selected benchmark is noted in Column 1, with the corresponding number of logic gates in the circuit shown in Column 2. Column 3 presents the number of key inputs instead of key gates for each benchmark circuit, as one key input may be fed into multiple key gates. The resultant SR and MR are reported in Columns 4 and 5. For c3540-SL640, 64 key inputs are inserted in the circuit. The SR is 82.81%, which means that 53 key inputs can be predicted with correct values. When comparing the results, 1 incorrect prediction is found, which produces a misprediction rate MR of 1.56%. As for the c6288-SL1280 benchmark circuit, 128 key inputs are inserted to protect the circuit. An SR of 96.88% is observed, which indicates that the majority of key inputs can be recovered by our attack (125 key bits). The MR is 0.00%, meaning that no key bit is mispredicted out of the entire 128 key inputs. We have emphasized the c6288 benchmark circuit to present a clear comparison with the SAT attack, which was not efficient on this circuit.
5.2 Complexity Analysis
The SAT problem is NP-complete; thus, solving a SAT-resistant locking leads to an exponential worst-case complexity. However, our proposed topology-guided attack does not need to compare any input and output pairs, and all the inserted key gates are analyzed individually. Therefore, the time complexity of the attack itself is simply linear in the key size, namely, O(|K|). Note that, since our attack algorithm is based on UFS, the actual overall complexity is O(|K| * n * u), where n and u represent the size of the netlist and the average size of the unit functions, respectively. Thus, the complexity can be considered linear for a particular circuit, since the netlist size is fixed and the size of a UF normally ranges from 3-10 gates, depending on the key gate location. In Algorithm 2, once a key bit is predicted and written in the key list K_P, it is never analyzed again, as the value is already recovered. As a result, the computational complexity of launching the attack on SLL is the same as it is for RLL.
6 Conclusion
In this paper, we proposed a novel oracle-less topology-guided attack that is based on unit function search. Due to the repetitive usage of UFs in a netlist, the key bits for a locked unit function can be determined by constructing EUFs with hypothesis key bits and comparing them against the corresponding unlocked UFs. Compared to the traditional SAT-based attacks, the proposed topology-guided attack does not require input/output pairs or an activated chip. Moreover, SAT-resistant countermeasures cannot prevent an adversary from launching this attack. To demonstrate the success of this attack, we presented the results on different benchmark circuits locked with random logic locking and strong logic locking techniques. We also validated our proposed attack on existing locked benchmark circuits from Trust-Hub. The success rate and misprediction rate metrics are proposed to evaluate the effectiveness of this attack. It is important to emphasize that the complexity of this attack is linear in the key size on both RLL and SLL, which makes it very effective for circuits with larger key sizes. A countermeasure is also proposed as a solution to prevent this topology-guided attack. The basic idea is to insert the key gate in a unique unit function or lock all the instances repeated in the netlist. Note that this solution can only be used to prevent this topology-guided attack. To design a secure logic locking technique, one needs to select an existing secure logic locking technique along with our proposed solution.
Acknowledgement
This work was supported by the National Science Foundation under grant number CNS-1755733. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
References
1. UF/FICS Hardware De-obfuscation Competition, https://trust-hub.org/competitions/hwobfuscation1, 2019
2. Abboud, A., Backurs, A., Hansen, T.D., Vassilevska Williams, V., Zamir, O.: Subtree isomorphism revisited. ACM Transactions on Algorithms (TALG) 14(3), 27 (2018)
3. Alkabani, Y.M., Koushanfar, F.: Active hardware metering for intellectual property protection and security. In: Proc. of USENIX Security Symposium, pp. 20:1–20:16 (2007)
4. Alrahis, L., Yasin, M., Limaye, N., Saleh, H., Mohammad, B., Alqutayri, M., Sinanoglu, O.: ScanSAT: Unlocking Static and Dynamic Scan Obfuscation. Transactions on Emerging Topics in Computing (2019)
5. Baumgarten, A., Tyagi, A., Zambreno, J.: Preventing IC piracy using reconfigurable logic barriers. IEEE Design & Test of Computers pp. 66–75 (2010)
6. Bhunia, S., Tehranipoor, M.: Hardware Security: A Hands-on Learning Approach. Morgan Kaufmann (2018)
7. Bryan, D.: The ISCAS’85 benchmark circuits and netlist format. North Carolina State University 25 (1985)
8. Castillo, E., Meyer-Baese, U., García, A., Parrilla, L., Lloris, A.: IPP@HDL: Efficient Intellectual Property Protection Scheme for IP Cores. IEEE Trans. Very Large Scale Integr. Syst. pp. 578–591 (2007)
9. Chakraborty, R., Bhunia, S.: Hardware protection and authentication through netlist level obfuscation. In: Proc. of IEEE/ACM International Conference on Computer-Aided Design, pp. 674–677 (2008)
10. Chakraborty, R.S., Bhunia, S.: HARPOON: an obfuscation-based SoC design methodology for hardware protection. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems pp. 1493–1502 (2009)
11. Charbon, E.: Hierarchical watermarking in IC design. In: Custom Integrated Circuits Conference, pp. 295–298 (1998)
12. Chiang, H.Y., Chen, Y.C., Ji, D.X., Yang, X.M., Lin, C.C., Wang, C.Y.: LOOPLock: LOgic OPtimization based Cyclic Logic Locking. Transactions on Computer-Aided Design of Integrated Circuits and Systems (2019)
13. Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C.: Introduction to algorithms. MIT press (2009)
14. Davidson, S.: (2019). https://www.cerc.utexas.edu/itc99-benchmarks/bench.html
15. Dickinson, P.J., Bunke, H., Dadej, A., Kraetzl, M.: On graphs with unique node labels. In: International Workshop on Graph-Based Representations in Pattern Recognition, pp. 13–23. Springer (2003)
16. Guin, U., Shi, Q., Forte, D., Tehranipoor, M.M.: FORTIS: a comprehensive solution for establishing forward trust for protecting IPs and ICs. ACM Transactions on Design Automation of Electronic Systems (2016)
17. Guin, U., Zhou, Z., Singh, A.: A novel design-for-security (DFS) architecture to prevent unauthorized IC overproduction. In: Proc. of the IEEE VLSI Test Symposium (VTS), pp. 1–6 (2017)
18. Guin, U., Zhou, Z., Singh, A.: Robust design-for-security architecture for enabling trust in IC manufacturing and test. IEEE Transactions on Very Large Scale Integration (VLSI) Systems pp. 818–830 (2018)
19. Jarvis, R.W., McIntyre, M.G.: Split manufacturing method for advanced semiconductor circuits (2007). US Patent 7,195,931
20. Juretus, K., Savidis, I.: Increasing the SAT Attack Resiliency of In-Cone Logic Locking. In: International Symposium on Circuits and Systems (ISCAS), pp. 1–5 (2019)
21. Kahng, A., Lach, J., Mangione-Smith, W., Mantik, S., Markov, I., Potkonjak, M., Tucker, P., Wang, H., Wolfe, G.: Constraint-based watermarking techniques for design IP protection. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems pp. 1236–1252 (2001)
22. Karmakar, R., Chatopadhyay, S., Kapur, R.: Encrypt flip-flop: A novel logic encryption technique for sequential circuits. arXiv preprint arXiv:1801.04961 (2018)
23. Khaleghi, S., Da Zhao, K., Rao, W.: IC piracy prevention via design withholding and entanglement. In: The 20th Asia and South Pacific Design Automation Conference, pp. 821–826 (2015)
24. Koushanfar, F., Qu, G.: Hardware metering. In: Proc. IEEE-ACM Design Automation Conference, pp. 490–493 (2001). DOI 10.1109/DAC.2001.156189
25. Lee, Y.W., Touba, N.A.: Improving logic obfuscation via logic cone analysis. In: Latin-American Test Symposium (LATS), pp. 1–6 (2015)
26. Limaye, N., Sengupta, A., Nabeel, M., Sinanoglu, O.: Is Robust Design-for-Security Robust Enough? Attack on Locked Circuits with Restricted Scan Chain Access. arXiv preprint arXiv:1906.07806 (2019)
27. Liu, B., Wang, B.: Embedded reconfigurable logic for ASIC design obfuscation against supply chain attacks. In: Proceedings of the conference on Design, Automation & Test in Europe, p. 243 (2014)
28. Plaza, S.M., Markov, I.L.: Solving the third-shift problem in IC piracy with test-aware logic locking. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems pp. 961–971 (2015)
29. Potluri, S., Kumar, A., Aysu, A.: SeqL: SAT-attack Resilient Sequential Locking (2020)
30. Python-2.7: https://www.python.org/download/releases/2.7/ (2019)
31. Qu, G., Potkonjak, M.: Intellectual property protection in VLSI designs: theory and practice. Springer Science & Business Media (2003)
32. Rajendran, J., Pino, Y., Sinanoglu, O., Karri, R.: Security analysis of logic obfuscation. In: Proc. of ACM/IEEE on Design Automation Conference, pp. 83–89 (2012)
33. Rajendran, J., Zhang, H., Zhang, C., Rose, G.S., Pino, Y., Sinanoglu, O., Karri, R.: Fault analysis-based logic encryption. IEEE Transactions on Computers pp. 410–424 (2015)
34. Reich, A.J., Nakagawa, K.H., Boone, R.E.: OASIS vs. GDSII stream format efficiency. In: 23rd Annual BACUS Symposium on Photomask Technology, vol. 5256, pp. 163–174 (2003)
35. Roy, J., Koushanfar, F., Markov, I.: EPIC: Ending Piracy of Integrated Circuits. In: DATE, pp. 1069–1074 (2008). DOI 10.1109/DATE.2008.4484823
36. Salmani, H., Tehranipoor, M.: Trust-hub (2018). [Online]. Available: https://trust-hub.org/home
37. Sengupta, A., Nabeel, M., Limaye, N., Ashraf, M., Sinanoglu, O.: Truly stripping functionality for logic locking: A fault-based perspective. Transactions on Computer-Aided Design of Integrated Circuits and Systems (2020)
38. Shakya, B., Xu, X., Tehranipoor, M., Forte, D.: Defeating cas-unlock
39. Shakya, B., Xu, X., Tehranipoor, M., Forte, D.: Cas-lock: A security-corruptibility trade-off resilient logic locking scheme. IACR Transactions on Cryptographic Hardware and Embedded Systems pp. 175–202 (2020)
40. Shamsi, K., Li, M., Meade, T., Zhao, Z., Pan, D.Z., Jin, Y.: AppSAT: Approximately deobfuscating integrated circuits. In: Int. Symp. on Hardware Oriented Security and Trust (2017)
41. Shamsi, K., Li, M., Pan, D.Z., Jin, Y.: Kc2: Key-condition crunching for fast sequential circuit deobfuscation. In: 2019 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 534–539. IEEE (2019)
42. Shamsi, K., Li, M., Plaks, K., Fazzari, S., Pan, D.Z., Jin, Y.: IP Protection and Supply Chain Security through Logic Obfuscation: A Systematic Overview. Trans. on Design Automation of Electronic Systems (TODAES) p. 65 (2019)
43. Shen, Y., Zhou, H.: Double DIP: Re-Evaluating Security of Logic Encryption Algorithms. In: Proceedings of the on Great Lakes Symposium on VLSI, pp. 179–184 (2017)
44. Sirone, D., Subramanyan, P.: Functional analysis attacks on logic locking. IEEE Transactions on Information Forensics and Security 15, 2514–2527 (2020)
45. Subramanyan, P., Ray, S., Malik, S.: Evaluating the security of logic encryption algorithms. In: Int. Symp. on Hardware Oriented Security and Trust, pp. 137–143 (2015)
46. Tarjan, R.: Depth-first search and linear graph algorithms. SIAM journal on computing pp. 146–160 (1972)
47. Tehranipoor, M.M., Guin, U., Forte, D.: Counterfeit Integrated Circuits: Detection and Avoidance. Springer (2015)
48. Torrance, R., James, D.: The state-of-the-art in IC reverse engineering. In: International Workshop on Cryptographic Hardware and Embedded Systems, pp. 363–381 (2009)
49. Vaidyanathan, K., Liu, R., Sumbul, E., Zhu, Q., Franchetti, F., Pileggi, L.: Efficient and secure intellectual property (IP) design with split fabrication. In: Int. Symp. on Hardware Oriented Security and Trust, pp. 13–18 (2014)
50. Wang, X., Zhang, D., He, M., Su, D., Tehranipoor, M.: Secure scan and test using obfuscation throughout supply chain. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 37(9), 1867–1880 (2017)
