Efficacy of Satisfiability Based Attacks in the Presence of Circuit
  Reverse Engineering Errors by Tan, Qinhan et al.
ar
X
iv
:2
00
5.
13
04
8v
1 
 [c
s.C
R]
  2
6 M
ay
 20
20
Efficacy of Satisfiability-Based Attacks in the
Presence of Circuit Reverse-Engineering Errors
Qinhan Tan
College of Computer Science and Technology
Zhejiang University
Hangzhou, China
tanqinhan@zju.edu.cn
Seetal Potluri
Department of ECE
North Carolina State University
Raleigh, U.S.
spotlur2@ncsu.edu
Aydin Aysu
Department of ECE
North Carolina State University
Raleigh, U.S.
aaysu@ncsu.edu
Abstract—Intellectual Property (IP) theft is a serious concern
for the integrated circuit (IC) industry. To address this concern,
logic locking countermeasure transforms a logic circuit to a
different one to obfuscate its inner details. The transformation
caused by obfuscation is reversed only upon application of the
programmed secret key, thus preserving the circuit’s original
function. This technique is known to be vulnerable to Satisfia-
bility (SAT)-based attacks. But in order to succeed, SAT-based
attacks implicitly assume a perfectly reverse-engineered circuit,
which is difficult to achieve in practice due to reverse engineering
(RE) errors caused by automated circuit extraction. In this paper,
we analyze the effects of random circuit RE-errors on the success
of SAT-based attacks. Empirical evaluation on ISCAS, MCNC
benchmarks as well as a fully-fledged RISC-V CPU reveals that
the attack success degrades exponentially with increase in the
number of random RE-errors. Therefore, the adversaries either
have to equip RE-tools with near perfection or propose better
SAT-based attacks that can work with RE-imperfections.
Index Terms—IP-Theft, Logic-Locking, Satisfiability-Based At-
tacks, Reverse-Engineering Errors
I. INTRODUCTION
Logic locking has been proposed to mitigate hardware IP-
theft, which is a serious concern for the IC industry [1]–
[18]. Logic locking is, unfortunately, known to be vulnerable
to Satisfiability (SAT)-based attacks [19]–[29]. But all SAT-
based attacks assume a perfectly reverse-engineered circuit.
This assumption may be invalid if the adversary purchases
the IC from the open market, captures images and uses
machine learning for automated circuit extraction, which is
error prone [30]–[32]. There is, however, no prior work on
evaluating the impact of reverse-engineering (RE) errors on
attack accuracy. In this paper, for the first time, we analyze and
quantify the effect of such errors. The primary contributions
of the paper are as follows:
• We propose an error model for RE and evaluate the
attack accuracy for single as well as multiple random
error scenarios.
• We identify different error scenarios which can and
cannot be canceled out by applying the suitable key.
• Using benchmarks as well as a RISC-V CPU, we quan-
tify the impact of RE-errors on the attack accuracy.
• Surprisingly, we unveil that in the presence of errors,
increasing logic locking amount can reduce the security.
Our research reveals that SAT-attacks can fail even if there is
a single RE-error, but there may be cases of attack success with
a reasonably high error count. The conclusions of our paper
is threefold. First, the RE tools typically need high accuracy
for attacking logic locking. Second, end-user adversary needs
better SAT attacks to work with RE-errors. Third, in majority
of the cases adding more locks to the circuit increases attack
success (reduces the security-level) in the presence of errors.
II. SATISFIABILITY-BASED ATTACK
SAT-solvers find the inputs to a Boolean expression such
that the expression evaluates to true. The adversary can thus
formulate the locked circuit obtained through RE as a Boolean
expression and use Boolean SAT-solvers to find a secret key
for the given input-output pairs. The fundamental challenge is,
however, to extract the secret key by observing a limited set
of input-output pairs. Therefore, straightforward SAT-solver
usage is ineffective—although it returns a key, the key may
only satisfy the limited set and not guaranteed to satisfy input-
output pairs outside this set. SAT-attack solves this problem
by two intuitions.
First, unlike cryptographic constructions, the secret key
itself may not be unique, causing multiple keys to form
equivalence-classes that would generate identical input-output
pairs. Second, a wrong-key equivalence-class can be pruned
off by determining the distinguishing input pattern (DIP), a
certain input pattern which produces different outputs for two
keys from two different equivalence classes. As a result, the at-
tack aims to perform a brute-force search on key equivalence-
classes, which is more efficient than performing brute-force
search on individual keys.
The attack at a high-level works as follows. The adversary
reconstructs the locked netlist through RE and formulates the
circuit as a SAT-instance to find the DIPs. The adversary then
gets an activated chip from the market that can generate valid
input-output pairs. This chip is referred to as the oracle. The
adversary applies the DIP to the oracle and records the output.
The DIP-output pair is used to prune-off wrong equivalence
class(es) of keys by updating the SAT-instance. The process
continues until there is only one equivalence class left, which
has to be the equivalence class of the correct keys.
Now we formally describe the attack. Let the reverse-
engineered locked circuit be C( ~X, ~K, ~Y ), which has input
vector ~X and output vector ~Y , and which is locked with key
Algorithm 1: SAT-based Logic Decryption Algo-
rithm [19]
Input: C and eval
Result: ~Kc
i := 1;
F1 = C( ~X, ~K1, ~Y1) ∧ C( ~X, ~K2, ~Y2);
while sat[Fi ∧ ( ~Y1 6= ~Y2)] do
~Xd
i
= sat assignment ~X[Fi ∧ (
~Y1 6= ~Y2)];
~Y d
i
= eval( ~Xd
i
);
Fi+1 = Fi ∧ C(
~Xd
i
, ~K1,
~Y d
i
) ∧ C( ~Xd
i
, ~K2,
~Y d
i
);
i := i+ 1;
end
~Kc = sat assignment ~K1(Fi);
vector ~K . Let the locked circuit has M input bits and L gates.
Algorithm 1 shows the SAT-attack in detail, where i signifies
the iteration number. F1 is the initial SAT-instance and Fi is
the SAT-instance in the ith iteration. Each step of the algorithm
is defined as follows:
Step 2: Formulates the SAT-instance as two copies of the
locked circuit C( ~X, ~K1, ~Y1) and C( ~X, ~K2, ~Y2) with same
input ~X but different keys ~K1, ~K2 and different outputs ~Y1,
~Y2. In the next step, this formulation is exploited to generate
different keys that produce different outputs.
Step 3: Checks if the there are at least two different equiv-
alence classes that satisfy the current SAT-instance. If this
condition is satisfied, it enters the loop, otherwise terminates
the loop;
Step 4: Runs the SAT-solver on the current SAT-instance.
From the returned SAT assignment { ~X, ~K1, ~Y1, ~K2, ~Y2}, this
step also extracts the DIP for ith iteration, denoted as ~Xd
i
,
Step 5: Evaluates the oracle output for ~Xd
i
, denoted as ~Y d
i
.
Step 6: Adds corresponding DIP-output constraints to the
SAT-instance (C( ~Xd
i
, ~K1,
~Y d
i
)∧C( ~Xd
i
, ~K2,
~Y d
i
)) to eliminate
wrong-key equivalence-class(es) for the ith iteration.
Step 9: Executes the SAT-solver on the SAT-instance after
loop termination and extracts ~K1 from the returned SAT-
assignment { ~X, ~K1, ~Y1, ~K2, ~Y2}. Since the while condition
in line 3 fails if and only if there is a single equivalence
class left, ~K1 is guaranteed to be functionally correct, i.e.,
~Kc = ~K1. This is a unique property of SAT-attack, which
preempts verification. Otherwise even if the attacker finds
the correct key, the verification step needs checking outputs
for all possible 2M input patterns, which is computationally
infeasible for large circuits.
III. ANALYZING THE IMPACT OF RE-ERRORS
The errors in the circuit RE can cause decryption to return
the wrong keys, that is otherwise guaranteed to return the
correct ones. This section analyzes the effects of the RE errors
by describing the SAT-instance formulation by using a toy
example.
TABLE I
FORMULATING LOGIC GATES AS CNF FOR SAT-ATTACK
Logic gate Boolean clauses
z = or(x1, x2)
(
x1 + z
)
.
(
x2 + z
)
.
(
x1 + x2 + z
)
z = and(x1, x2)
(
x1 + z
)
.
(
x2 + z
)
.
(
x1 + x2 + z
)
z = nand(x1, x2)
(
x1 + z
)
.
(
x2 + z
)
.
(
x1 + x2 + z
)
z = xor(x1, x2)
(
x1 + x2 + z
)
.
(
x1 + x2 + z
)
.
(
x1 + x2 + z
)
.
(
x1 + x2 + z
)
a
b
c
(a) Original Circuit
k
a
b
c
(b) Locked Circuit
k
a
b
c
(c) RE-error: Insecure
k
a
b
c
(d) RE-error: Secure 
k
a
b
c
(e) RE-error: Secure
(Incorrect key) (UNSAT)
dd d d
Fig. 1. Motivational example to analyze impact of RE-errors
SAT-solvers require inputs organized in a special format,
called the conjunctive normal form (CNF), such that the
expression evaluates to true. Table I shows an example for the
CNF formulation of or, and, nand, and xor gates. Figure 1
(a) shows a 2-bit input 1-bit output sample circuit. This
Boolean function takes a, b as inputs and computes c = a.b.
Figure 1 (b) shows the corresponding locked version with
random insertion [1] of 1 xor-type key-gate (shown in red).
Note that the correct key in this case is ‘1’. Equations 1 and 2
show the conversion of the locked circuit to SAT-instances
C( ~X, ~K1, ~Y1) and C( ~X, ~K2, ~Y2) respectively using Table I,
where C(.), the portion in black corresponds to the and gate
and the portion in red corresponds to the xor key-gate.
C( ~X, ~K1, ~Y1)=
[
(a+d1)(b+d1)(a+ b+d1)(d1 +k1+ c1)
(d1 + k1 + c1)(d1 + k1 + c1)(d1 + k1 + c1)
]
(1)
C( ~X, ~K2, ~Y2)=
[
(a+d2)(b+d2)(a+ b+d2)(d2 +k2+ c2)
(d2 + k2 + c2)(d2 + k2 + c2)(d2 + k2 + c2)
]
(2)
Equations 1 and 2 are used to generate F1 in step 2 of the
algorithm. Subsequently, in the first iteration, step 4 of the
algorithm returns {a, b, k1, k2, c1, c2}={000101}, thus the first
DIP is ~Xd1={a, b}=00 and the corresponding oracle response
is ~Y d1 =0.0=1. Substituting
~Xd1 and
~Y d1 in step 6 yields:
F2 = F1 ∧ (d1 ⊕ k1) ∧ (d2 ⊕ k2) (3)
.
Using equation 3 in second iteration, the while loop in step
3 fails, because F2 ∧ (c1 6= c2) is unsatisfiable. Thus, the loop
terminates and running the SAT-solver on F2 (step 9) gives
~Kc=1, which makes the locked circuit’s Boolean function
(a.b) ⊕ ~Kc=(a.b)⊕ 1=a.b. Thus, ~Kc is functionally correct,
in the absence of RE-errors. The SAT-attack is able to find the
correct key with just one DIP for this toy circuit.
A. RE-Error Model
In this paper, we assume only RE-errors for 2-input logic
gates. Since the possibilities are xor, xnor, nand, nor, and
and or, we consider the possible RE-errors as the possible
interpretation errors between the candidate choices within
this list. For example, a 2-input nand gate within original
netlist could be erroneously reverse-engineered as one of the
candidates within the list {nor, xor, xnor, and, or}. If, e.g.,
it was erroneously reverse-engineered as and, we refer to it
as nand → and type RE-error. To cover all possible cases,
we also assume that the errors can occur randomly.
Even with RE-errors, the attack can return a functionally
correct key. We term them as “RE-errors not improving the
security”. By contrast, for certain RE-errors (1) the attack can
return a functionally incorrect key; or (2) the SAT-instance
could be unsatisfiable (the SAT-solver returns UNSAT). We
term them as “RE-errors improving the security”. Next, we
discuss each of these categories in more detail.
B. RE-errors not improving the security
Case 1: Figure 1 (c) shows a locked circuit with and→ nand
type of RE-error with the faulty gate shown in blue. For this
case, all the steps explained in the absence of error remains
the same, except that in the last step, the algorithm returns
~Kc=0, which makes the locked circuit Boolean function
(a.b)⊕ ~Kc=(a.b)⊕ 0=(a.b). Thus, ~Kc is functionally correct
and the RE-error is absorbed by the key, thus making the
attack successful despite the error. This is an example of RE-
error that does not improve the security.
C. RE-errors improving the security
Case 2: Figure 1 (d) shows a locked circuit with and → or
type of RE-error, with the faulty gate shown in blue. In this
case,
F1=
[
(a+ d1)(b + d1)(a+ b+ d1).(d1 + k1 + c1)
(d1 + k1 + c1)(d1 + k1 + c1)(d1 + k1 + c1)
]
∧
[
(a+ d2)(b + d2)(a+ b+ d2)
.(d2+k2+ c2)(d2+k2+ c2)(d2+k2+ c2)(d2+k2+ c2)
]
(4)
Using equation 4 in the first iteration, step 4 of the al-
gorithm returns {a, b, k1, k2, c1, c2}=000101, thus the first
DIP is ~Xd1={a, b}=00 and corresponding oracle output is
~Y d1 =0.0=1. Substituting
~Xd1 and
~Y d1 in step 6 yields:
F2 = F1 ∧ (d1.k1) ∧ (d2.k2) (5)
.
Fig. 2. Flow-chart for attack simulation with multiple-errors
Using equation 5 in the second iteration, the while loop
in step 3 of the algorithm fails, because F2 ∧ (c1 6= c2) is
unsatisfiable. Thus, the loop terminates and running SAT-
solver on F2 (step 9) gives ~Kc=1, which makes the locked
circuit’s Boolean function (a+b)⊕ ~Kc=(a+b)⊕1=a+ b 6=a.b.
Thus, ~Kc is functionally incorrect. This is an example of
RE-error that improves the security.
Case 3: Figure 1 (e) shows and → xor type of RE-error,
with the faulty gate shown in blue. In this case, the SAT-attack
returns UNSAT. The while loop in logic decryption algorithm
terminates after first iteration because there is no key that
satisfies both the original circuit as well as the DIP. This is
another example of an RE-error that improves the security,
because the attacker is unable to decipher the correct key.
D. The Causes of the Different Cases
The causes for different cases (correct-key, incorrect-key, UN-
SAT) for the attack with RE-errors is three-fold:
• The DIPs ( ~Xd
i
) are generated for the locked circuit, which
is erroneous;
• The Outputs (~Yi) are evaluated on the oracle, which
provides correct outputs; and
• The locked (erroneous) circuit is constrained to satisfy
the { ~Xd
i
, ~Y d
i
} pairs.
Because of these contradictory constraints, unlike the no-
error case, in the erroneous case the algorithm is not guar-
anteed to return functionally correct key. As a result, in
some cases it returns UNSAT and in some cases functionally
incorrect key. This motivates us to understand the likelihood
of the attack success, in terms of the number of cases in which
the attack fails than otherwise, in single as well as multiple
error scenarios. We therefore perform extensive experiments to
evaluate the attack accuracy for wide range of error scenarios.
IV. EVALUATING THE IMPACT OF RE-ERRORS
Figure 2 shows the flow used to simulate SAT-attack. The
only difference between conventional flow and this flow is
the replacement of perfectly reverse-engineered circuit with
erroneous reverse-engineered circuit. If the circuit has L gates,
TABLE II
EVALUATION OF ATTACK-SUCCESS FOR VARIOUS SINGLE
REVERSE-ENGINEERING ERRORS (N = 1)WITH 5% LOGIC-LOCKING.
Benchmark nand → xor → xor → xor → xnor → xnor → and →
nor nor xnor nand nand nor or
apex2 0% 71% 100% 71% 59% 13% 0.3%
apex4 0% 47% 100% 47% 53% 53% 0.1%
i4 0% 50% 100% 50% 57% 57% 0%
i7 0% 56% 100% 54% 61% 61% 0%
i8 0% 38% 100% 38% 56% 56% 0.1%
i9 0% 56% 100% 56% 36% 36% 0%
seq 0% 53% 100% 53% 52% 54% 0.1%
k2 0% 37% 100% 37% 57% 57% 0%
ex1010 0% 56% 100% 56% 58% 58% 0%
dalu 0% 47% 100% 48% 62% 64% 3.3%
des 0% 50% 100% 51% 56% 56% 0.1%
c432 0% 9% 22% 87% 67% 67% 0%
c499 0% 2% 38% 2% 29% 29% 0%
c880 0% 63% 100% 53% 64% 64% 0%
c1355 0% 46% 100% 46% 38% 38% 0%
c1908 0% 53% 100% 53% 68% 68% 0%
c2670 2% 48% 100% 48% 54% 54% 2.1%
c3540 7% 53% 100% 49% 50% 50% 0%
c5315 0% 35% 100% 35% 48% 48% 0%
c7552 1.1% 54% 100% 58% 53% 91% 0.3%
RISC-V 0.2% 27% 59% 27% 35% 35% 0.1%
then by definition we are allowed to inject at most L errors. We
inject N ≤ L random RE-errors (multiple-error scenario), run
the SAT-attack and subsequently perform formal-equivalence-
checking if the result is satisfiable). The SAT-attack is recorded
as failed for the cases when the result is UNSAT or when
satisfiable but the decrypted key makes the locked circuit
formally different from the original circuit. Otherwise it is
recorded as successful. We run this procedure for K random
multiple-error scenarios and record the statistics.
A. Evaluation Strategy for Single and Multiple Errors
To systematically understand the impact of errors on the
attack accuracy, we first begin with single reverse-engineering
errors. We exhaustively try all gates as candidate choices, since
the total simulation time is linear in the circuit size.
Coming to multiple-errors, it is not possible to exhaust
all possibilities because given an L-gate circuit, total num-
ber of possible multiple-error scenarios (combinations) is(
L
2
)
+
(
L
3
)
. . .
(
L
L
)
= 2L − L − 1. Since this function grows
exponentially with L, it is not practically feasible to exhaus-
tively evaluate all possible multiple-error scenarios for large
industrial-strength circuits. Thus, we evaluate attack accuracy
on a subset of random multiple-error scenarios.
B. Evaluation Results
IBM BladeCenter® High-Performance Cluster (HPC) dual-
core nodes with 8GB memory, single-threaded execution and
abort limit of 1 week, are used for all the runs. For each
value of N (#RE − errors), the experiments took 1 week.
We have tried for 8 values of N (2, 3, 4, 5, 6, 7, 8, 16), so
it took altogether 8 weeks of compute time on the HPC.
Table II shows the exhaustive results for single RE-errors
for 8 different types of RE-errors based on the error-model
described in Section III-A. We define % Attack Success as
#insecure cases
#secure cases+# insecure cases
.
2 4 6 8 10 12 14 16
0
10
20
30
# RE-Errors
%
A
tt
ac
k
S
u
cc
es
s
apex2 apex4
i4 i7
i8 i9
seq k2
ex5 ex1010
dalu des
c432 c499
c880 c1355
c1908 c3540
c5315
Fig. 3. Increase in attack success with increase in RE-errors. 25% logic-
locking and K = 1000 are used for the evaluation.
0 2 4 6 8 10 12 14
0
20
40
60
80
100
% Logic-Locking
%
A
tt
ac
k
S
u
cc
es
s
nand→ xor
xor → nor
xnor → nand
and→ or
Fig. 4. Increase in %Attack Success with %Logic-Locking for k2 circuit.
This table shows that the attack success is a function of
the type of RE-error. For e.g: for xor → xnor type RE-error,
attack success is 100% for most benchmarks, because the only
manifestations in those cases were xor-type key gates, which
the SAT-solver tolerates by flipping the corresponding key-bit
(which is not possible for the remaining 7 types of RE-errors).
On the contrary, for nand→ nor and and→ or types of RE-
errors, attack success was close to 0% for most benchmarks.
For remaining types of RE-errors, the attack success was
somewhere in between these two extremes.
Figure 3 illustrates the attack success for the different values
of N (X-axis) with 25% logic-locking and K = 1000. This
plot shows exponential degradation in attack success with
linear increase in N . The 25% logic-locking of RISC-V CPU
using sle software [33] itself exceeds the abort limit, hence not
reported. Figure 4 shows the attack success as a function of
%logic locking. Although there is no clear trend, there is a
general increase in attack success with increase in key-size.
This is counter-intuitive, because we expect the attack success
to degrade with increase in the key-size.
C. Evaluating the Error-Removal Attack
Attack failure is registered if the SAT-instance if unsatisfi-
able or if satisfiable but the decrypted key verified incorrect
through functional execution. In either case, the attacker’s
next step would be to remove RE-errors and reconstruct
the original circuit. However, the attacker is unaware of the
number/locations/error-scenario, so he is forced to perform
brute-force checking. If there are m possible error choices for
each gate and k RE errors, the number of possibile locations is(
L
k
)
.(mk). Coming to the number of errors, k can range from
1 to L. So, total number of possibilities is
∑L
k=1
(
L
k
)
.(mk).
We know that
∑L
k=1
(
L
k
)
= O(2L), hence the complexity of∑L
k=1m
k.
(
L
k
)
is either similar or better than this. Thus error-
removal and reconstruction is infeasible for large circuits.
V. CONCLUSIONS
In the logic-locking threat model, the adversary may not be
the foundry itself but an end-user purchasing the IC from the
open market. This paper analyzes such an end-user adversary,
who needs to deal with errors when doing RE of the IC. We
quantify the efficacy of SAT-based attack in the presence of
RE-errors and identify the underlying reasons as to why it
can/cannot succeed. Empirical results suggest dependence of
the attack success on the type of RE-error and exponential
degradation of attack success with error count. Surprisingly,
in most cases the attack success increases with increase in
key-size.
REFERENCES
[1] J. Roy, F. Koushanfar, and I. Markov, “EPIC: Ending Piracy of Integrated
Circuits,” in IEEE Design, Automation and Test in Europe (DATE), 2008,
pp. 1069–1074.
[2] T. T. W. W. China and T. P. W. I. P. Rights. [Online]. Available:
https://www.forbes.com/sites/davidvolodzko/2018/11/11/the-trade-war-with-china-and-the-problem-with-intellectual-property-rights/#9f2f079728e5
[3] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri, “Security analysis
of logic obfuscation,” in IEEE Design Automation Conference (DAC),
2012, pp. 83–89.
[4] S. Dupuis, P. Ba, G. Di-Natale, M. Flottes, and B. Rouzeyre, “A novel
hardware logic encryption technique for thwarting illegal overproduction
and hardware trojans,” in IEEE International On-Line Testing Sympo-
sium, 2014, pp. 49–54.
[5] J. Rajendran, H. Zhang, C. Zhang, G. Rose, Y. Pino, O. Sinanoglu, and
R. Karri, “Fault analysis-based logic encryption,” IEEE Transactions on
Computers, vol. 21, no. 5, pp. 410–424, 2015.
[6] M. Yasin, B. Mazumdar, J. Rajendran, and O. Sinanoglu, “SARLock:
SAT attack resistant logic locking,” in IEEE International Symposium on
Hardware Oriented Security and Trust (HOST), May 2016, pp. 236–241.
[7] Y. Xie and A. Srivastava, “Anti-SAT: Mitigating SAT attack on logic
locking,” IEEE Transactions on Computer-Aided Design of Integrated
Circuits and Systems (TCAD), vol. 38, no. 2, pp. 199–207, Feb 2019.
[8] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “Cyclic
obfuscation for creating SAT-unresolvable circuits,” in IEEE Great
Lakes Symposium on VLSI (GLSVLSI), 2017, pp. 173–178.
[9] M. Yasin, B. Mazumdar, J. J. V. Rajendran, and O. Sinanoglu, “TTLock:
Tenacious and traceless logic locking,” in IEEE International Symposium
on Hardware Oriented Security and Trust, May 2017, pp. 166–166.
[10] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. Rajendran, and
O. Sinanoglu, “Provably-secure logic locking: From theory to practice,”
in ACM Conference on Computer and Communications Security, 2017,
pp. 1601–1618.
[11] U. Guin, Q. Shi, D. Forte, and M. M. Tehranipoor, “FORTIS: A
comprehensive solution for establishing forward trust for protecting
IPs and ICs,” ACM Transactions on Design Automation of Electronic
Systems (TODAES), vol. 21, no. 4, pp. 63:1–63:20, 2016.
[12] U. Guin, Ziqi Zhou, and A. Singh, “A novel design-for-security (DFS)
architecture to prevent unauthorized IC overproduction,” in IEEE VLSI
Test Symposium (VTS), 2017, pp. 1–6.
[13] U. Guin, Z. Zhou, and A. Singh, “Robust design-for-security architecture
for enabling trust in IC manufacturing and test,” IEEE Transactions on
Very Large Scale Integration Systems (TVLSI), vol. 26, no. 5, pp. 818–
830, 2018.
[14] N. Limaye, A. Sengupta, M. Nabeel, and O. Sinanoglu, “Is robust
design-for-security robust enough? attack on locked circuits with re-
stricted scan chain access,” in IEEE International Conference on Com-
puter Aided Design, 2019.
[15] R. Karmakar, S. Chattopadhyay, and R. Kapur, “A scan obfuscation
guided design-for-security approach for sequential circuits,” IEEE Trans-
actions on Circuits and Systems II: Express Briefs, pp. 1–1, 2019.
[16] K. Shamsi, T. Meade, M. Li, D. Z. Pan, and Y. Jin, “On the approxima-
tion resiliency of logic locking and ic camouflaging schemes,” IEEE
Transactions on Information Forensics and Security (TIFS), vol. 14,
no. 2, pp. 347–359, 2019.
[17] A. Rezaei, Y. Li, Y. Shen, S. Kong, and H. Zhou, “CycSAT-unresolvable
cyclic logic encryption using unreachable states,” in IEEE Asia and
South Pacific Design Automation Conference (ASP-DAC), 2019, pp.
358–363.
[18] S. Potluri, A. Aysu, and A. Kumar, “SeqL: Secure Scan-Locking for
IP Protection,” in IEEE International Symposium on Quality Electronic
Design (ISQED), 2020.
[19] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic
encryption algorithms,” in IEEE International Symposium on Hardware
Oriented Security and Trust (HOST), 2015, pp. 137–143.
[20] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Pan, and Y. Jin, “AppSAT:
Approximately deobfuscating integrated circuits,” in IEEE International
Symposium on Hardware Oriented Security and Trust (HOST), 2017,
pp. 95–100.
[21] T. Meade, Z. Zhao, S. Zhang, D. Pan, and Y. Jin, “Revisit sequential
logic obfuscation: Attacks and defenses,” in IEEE International Sympo-
sium on Circuits and Systems (ISCAS), 2017, pp. 1–4.
[22] K. Juretus and I. Savidis, “Time domain sequential locking for increased
security,” in IEEE International Symposium on Circuits and Systems
(ISCAS), May 2018, pp. 1–5.
[23] R. Karmakar, H. Kumar, and S. Chattopadhyay, “On finding suitable
key-gate locations in logic encryption,” in IEEE International Sympo-
sium on Circuits and Systems (ISCAS), 2018, pp. 1–5.
[24] R. Karmakar, S. Chattopadhyay, and M. Chakraborty, “Improving se-
curity of logic encryption in presence of design-for-testability infras-
tructure,” in IEEE Inter ational Symposium on Circuits and Systems
(ISCAS), 2019, pp. 1–5.
[25] K. Z. Azar, H. M. Kamali, H. Homayoun, and A. Sasan, “SMT
attack: Next generation attack on obfuscated circuits with capabilities
and performance beyond the SAT attacks,” in IACR Transactions on
Cryptographic Hardware and Embedded Systems (CHES), 2019.
[26] Y. Shen and H. Zhou, “Double DIP: Re-evaluating security of logic
encryption algorithms,” in IEEE Great Lakes Symposium on VLSI
(GLSVLSI), 2017, pp. 179–184.
[27] L. Alrahis, M. Yasin, H. Saleh, B. Mohammad, M. Al-Qutayri, and
O. Sinanoglu, “ScanSAT: Unlocking obfuscated scan chains,” in IEEE
Asia South Pacific Design Automation Conference (ASP-DAC), 2019,
pp. 352–357.
[28] Y. Shen, Y. Li, A. Rezaei, S. Kong, D. Dlott, and H. Zhou, “BeSAT:
Behavioral sat-based attack on cyclic logic encryption,” in IEEE Asia
and South Pacific Design Automation Conference (ASP-DAC), 2019, pp.
657–662.
[29] H. Zhou, R. Jiang, and S. Kong, “CycSAT: SAT-based attack on cyclic
logic encryptions,” in IEEE International Conference on Computer-
Aided Design (ICCAD), 2017, pp. 49–56.
[30] R. Torrance and D. James, “The State-of-the-Art in IC reverse engineer-
ing,” in IACR Transactions on Cryptographic Hardware and Embedded
Systems (CHES), 2009.
[31] C. Bao, D. Forte, and A. Srivastava, “On application of one-class svm
to reverse engineering-based hardware trojan detection,” in International
Symposium on Quality Electronic Design (ISQED), 2014, pp. 47–54.
[32] S. E. Quadir, J. Chen, D. Forte, N. Asadizanjani, S. Shahbazmohamadi,
L. Wang, J. Chandy, and M. Tehranipoor, “A survey on chip to
system reverse engineering,” ACM Journal on Emerging Technologies
in Computing Systems (JETC), vol. 13, no. 1, pp. 6:1–6:34, 2016.
[33] Satisfiability-based attack source code. [Online]. Available:
https://bitbucket.org/spramod/host15-logic-encryption/src/default/
