A Resilient Authentication and Trojan Detection Technique for Hard IP  by Saha, Debasri
 Procedia Technology  6 ( 2012 )  24 – 30 
2212-0173 © 2012 The Authors. Published by Elsevier Ltd. Selection and/or peer-review under responsibility of the Department of Computer Science & 
Engineering, National Institute of Technology Rourkela
doi: 10.1016/j.protcy.2012.10.004 
International Conference on Communication, Computing, and Security, 2012
A Resilient Authentication and Trojan Detection Technique
for Hard IP
Debasri Saha
Indian Institute of Technology Patna, Patna-800013, India
Abstract
A manufacture-ready design layout of a chip is vulnerable to authentication threats and infection with trojan horse in its fabrication
facility or in a SoC house. The existing countermeasures are sensitive to process variation. We propose a layout watermarking
scheme through reorientation of few dummy fills in the interconnect layer and resizing of few net segments. Layout watermarking
is so performed that it has a controlled delay effect on the active paths leading to certain scan flip-flops chosen judicially. This delay
effect can be captured as delay fault induced responses from the packaged chip while tested with a faster clock and a particular test
vector pair, but the difference of post-marking delay with respect to the test clock period remains more than the effect of process
variation. Results on overhead of watermarking and its robustness for ISCAS’85 benchmark circuits are encouraging.
c⃝ 2012 Published by Elsevier Ltd. Selection and/or peer-review under responsibility of Department of Computer Science &
Engineering, National Institute of Technology Rourkela.
Keywords: Intellectual property protection; watermarking; delay fault; testing; dummy fill synthesis; wire sizing.
1. Introduction
Electronic design component or hardware core are reused and those constitute Intellectual Property (IP) for semi-
conductor industries. Manufacture ready layout has immense significance as hard IP. It is either directly transferred to
fabrication facility to be reused on plug-and-play System-on-Chip (SoC) or underdoes minute modification of inter-
face to be reused in platform-based SoC. In the fabrication facility, untrusted team may generate multiple masks or ICs
from this layout followed by their illegal reselling or may include additional circuitry (trojan horse) into the layout for
extracting valuable design information from the ICs fabricated from this trojan-infected layout masks. In SoC com-
pany, malicious designer may generate additional copies of the design layout or extract valuable design information
through redesigning.
For protection of layout, the signature of layout designer is to be embedded in form of watermark so that the
watermark can be verified from any copies of the layout, or from the ICs illegally created in untrusted fabrication
facility for establishment of digital right of the IP vendor. If the signature extracted from a trojan-infected IC closely
∗ Debasri Saha. Tel.: +91-612-255-2137 ; fax: +91-612-227-7383 .
E-mail address: debasri@iitp.ac.in
Available online at www.sciencedirect.com
© 2012 The Authors. Published by Elsevier Ltd. Selection and/or peer-review under responsibility of the Depart ent of Computer 
Science & Engineering, National Institute of Technology Rourkela Open access under CC BY-NC-ND license.
Open access under CC BY-NC-ND license.
25 Debasri Saha /  Procedia Technology  6 ( 2012 )  24 – 30 
matches with the desired the one with very few bits flipped, it strongly indicates inclusion of trojan horse. The
proposed way of post fabrication IP authentication and trojan detection is resistant against process variation.
The paper is organized as follows. Prior approaches are discussed in Section 2. Two schemes for layout water-
marking are presented in Section 3. The technique of achieving process invariant post-fab detectibility with these
schemes and the detailed analysis are given in Section 4. Section 5 presents the experimental results. The concluding
remarks appear in Section 6.
2. Previous works
There are several watermarking techniques for protection of logic design (e.g., (Kirovski, Hwang & Potkonjak
2006), (Castillo & Meyer-Baese 2007)) and physical design (Saha & Sur-Kolay 2010) or for post-layout (Nie &
Toyonaga 2007). The signature does not remain post fab verifiable for (Nie & Toyonaga 2007). The techniques in
(Kirovski, Hwang & Potkonjak 2006) (Castillo & Meyer-Baese 2007) (Saha & Sur-Kolay 2010) facilitate post fab
authentication but detection of trojan is not possible as the signature is not delay or power based. The work in (Li &
Lach 2008) precisely measures actual combinational delay of large number of paths within a fabricated IC. It supports
post fab authentication and trojan detection, however it is not effective due to its time inefficiency, susceptibility to
noise and process variation. Also, it is not useful for pre fab authentication.
In our scheme, instead of precisely measuring delay, delays at scan flip-flops (scan points) are compared (less/more)
with respect to test clock period. Scan points are judicially chosen whose delays are close to the test clock period and
a controlled delay effect is applied through layout watermarking so that this effect becomes observable as a delay fault
induced response vector at the scan points with the faster test clock but post marking delay remains beyond the range
of process variation.
3. Watermarking for controlled change in delay
We attempt to embed watermark in the layout such that it enforces controlled change in the delay of the active
paths leading to some scan flip-flops and effect of watermarking becomes observable from the chip. We introduce
reorientation of certain dummy fills for fine change and resizing of certain wire segments for coarse change in delay
to control the change in delay.
3.1. Area fills for fine tuning in delay
Insertion of dummy floating fill is a Design-for-Manufacturability (DFM) step, which has the objective of increas-
ing uniformity of layout with the constraints on the raise of interconnect capacitance and fill data volume (Kahng &
Samadi 2008). For that, various shapes of fills and methods of determining the locations of the fills have been tried
(Kahng & Samadi 2008, Kurokawa & Kanamoto 2005). From the viewpoint of watermarking, at least two distinct fill
shapes in each layer must be allowed to represent signature bits 0 and 1. The rectangularfill shape, on one hand is suit-
able while DFM aspects are considered (Kim, Petranovic & Sylvester 2007, Nieuwoudty, Kawaz & Massoud 2008),
on the other it has different orientations to embed signature bits – 0 and 1. While the orientation of dummy fills are
determined to ensure minimum increase in both intra and inter layer coupling capacitance, each interconnect layer
may be split into square frames, where each frame can be any of two kinds:
HFrame having all fills horizontal or ‘H’ type and
VFrame having all fills vertical or ‘V ’ type.
Now, reorientation of dummy fills in a frame affects coupling capacitance and consequently crosstalk-induced delay
of the adjacent net segments. While a dummy fill parallel to a net segment is reoriented to make it perpendicular, its
induced delay on the net segment is reduced and vice versa. For watermarking, a sequence of frames is selected as
watermark locations. In order to enforce desired delay effect, dummy fills in some of those frames are reoriented.
Finally, a HFrame of the sequence is encoded as signature bit 0 and a HFrame as 1 to generate signature Sl1. The
way of determining desired delay effect is discussed in first paragraph of section 4.1.3.1. Representing signature bits
using the orientations of the dummy fills is shown in Fig. 1(a).
26   Debasri Saha /  Procedia Technology  6 ( 2012 )  24 – 30 
0 1
net segment
dummy fills
y
width reduced
width reduced
encode as 1
encode as 0
encode 
 as
encode 
 as
(a) (b)
Fig. 1. (a) Orientation of dummy fills as signature bit; (b) Resizing of net segment as signature bit
ΔΝ
ΔΤ
Clk
Clk_d
Clk_r
(a) (b)
Rg1
Rg2
> ΔΤ + δ1
Rg3
<ΔΤ − δ2
ΔΤ
ΔΤ+δ1
ΔΤ−δ2
Fig. 2. (a) Deriving test clock Clk r (b) Three distinct delay ranges
3.2. Wire resizing for coarse tuning of delay
Optimal width of each net segment satisfying design rules is determined to minimize delay. Its effect on area and
power are often considered as constraints (Sapatnekar 1996). Consequently resizing of wire width has specific delay
effects. A sequence of net segments is selected and one signature bit is embedded per net segment. If the required
change (inceaser/decrease) in the width of the net segment to the next permissible value facilitates the change in delay
in the direction as required to make the delay effect observable, and it is acceptable by the design rules in that process
technology, the width of the wire is changed and encoded as 1. Otherwise the width is kept unchanged, and encoded
as 0 to generate signature Sl2. Representing signature bits using the resizing of net segments is shown in Fig. 1(b).
Finally, Sl1 is concatenated with Sl2 to obtain signature Sl , which remains embedded into the layout.
4. Proposed technique
This section contains the steps of the proposed technique and the analysis of the technique.
4.1. Steps to ensure process-invariant post-fab detectibility
4.1.1. Computing delay at scan points
Let Sld =< b1,b2, ...,bnl > be the signature of the layout designer. The test vector I1 is chosen randomly, and test
vector I2 is obtained applying a right shift on I1. The design is simulated by applying I1 followed by I2 with normal
clock clk. Let Δs=<Δ1,Δ2, ...,Δns> be the delay vector associated with the ns scan points for application of I2.
4.1.2. Selection of test clock and test points
The histogram H (Δs) represents the distribution of delay values at the scan points. If the peak appears at the kth
bin, each bin of size δ , then the test period ΔT =(kδ +δ/2). The normal clock, delayed clockClk d and the resultant
test clockClk r are shown in Fig. 2(a).
If no be the length of the post-fabrication observable signature So, then no test points are to be selected from the ns
scan points from three distinct delay ranges Rg1, Rg2 and Rg3 [Fig. 2(b)] as given below:
Rg1: Centered on test clock period ΔT and of width 0.5(δ1+ δ2);
Rg2: Greater than ΔT + δ1;
Rg3: Less than ΔT − δ2.
All the scan points, say n′o, with delays lie in the delay range Rg1 are selected. It is our objective that the post marking
27 Debasri Saha /  Procedia Technology  6 ( 2012 )  24 – 30 
    selected
netsegment ni
intermediate
   dummy
aggressor nj x - adjacent frame
upper layers
lower layers
(b.i)
y - adjacent frame
upper layers
lower layers
(b.ii)
S1
n1
n2
n3 n4
n5
n6
S1
n1
n2
n3
n5
n6 n7n4
(a.i ) (a.ii)
n7
x
yz
aggressor nj
intermediate
   dummy
selected
netsegment ni
Fig. 3. (a) i. Robust and ii. Non-Robust sensitized path; (b) Active region of i. vertical and ii. horizontal net segment
delay for these scan points lie either in the range Rg2 or in Rg3. The rest, i.e., (no−n′o) test points are selected from
the delay ranges Rg2 and Rg3, whose delay will remain unchanged after marking. Therefore, the post marking delay
of all the chosen scan points will be either in range Rg2 or in Rg3.
The values of δ1 and δ2, which define the ranges Rg1, Rg2 Rg3 and are determined as follows. The variability of
gate delay is computed from certain randomly sampled gates in the circuit. Next, the delay ranges δ1 and δ2 are
chosen corresponding to twice of that variability in order to account variability of net delay and the mismatch between
simulation vs. actual (silicon) delay.
All the selected test points in scan out order constitute the location vector L for So and the delay values corresponding
to L constitute the delay vector Δno=<Δ1,Δ2, ...,Δno>. Let R1=< r11,r12, ...,r1no > and R2=< r21,r22, ...,r2no > be
the response vectors corresponding to test vectors I1 and I2 at these no test points.
4.1.3. Selection of net segments for reorienting dummies in their neighborhood and for resizing
A one-way functionF is applied on the layout signature Sld to generate a vector τ with n′o-bits, which are associ-
ated as target bits to the test points in L chosen from the delay range Rg1.
4.1.3.1. Selection of type of change (increase/decrease) in delay: For each test point (say i) from Rg1, response
bits r1i and r2i are compared with target bit τi to determine the nature of change (increase/ decrease) in delay required
at ith test point to induce or mask delay fault (Krstic & Cheng 1998) to generate desired target bits, or to make target
response process-invariant.
if r1i ∕= r2i
if r1i=τi increase Δi to ΔT + δ1 on robust path;
if r2i=τi reduce Δi to ΔT − δ2 on robust path;
else if r1i=r2i ∕= τi, increase Δi to ΔT + δ1 on non-robust path.
Hence, one of the following three delay effects is to be activated at each test point chosen from Rg1.
D1. increase delay on robust path to generate r1i;
D2. reduce delay on robust path to generate r2i;
D3. increase delay on non-robust path to create value of τi.
4.1.3.2. Selection of net-segments to induce desired change in delay:
Step 1: The active path, i.e., robust (sensitized) path (for delay effect D1 and D2) or non-robust (sensitized) path
(for delay effect D3), is determined in the output cone of the test point. This path is robust/non-robust depending
28   Debasri Saha /  Procedia Technology  6 ( 2012 )  24 – 30 
Incr. in delay desired
bit 0 in Sld
( a )
Decr. in delay desired
bit 1 in Sld
( b )
y
x
net nj
net ni
Dummy fill
Fig. 4. Reorientation of dummy fills in a frame to enforce desired change (a) increase and (b) decrease in delay
on chosen input pair < I1, I2 >. Robust path propagates the output value and all its off-inputs are either stable ncv
(non-controlling value) or transit cv→ ncv if on-inputs transit similarly. Non-robust path propagates the output value
and at-least one of its off-input transits cv→ ncv while the corresponding on-input transits ncv→ cv [Figs 3(a.i) and
3(a.ii)] .
Step 2: On this active path, the net-segments along with corresponding aggressors are selected. For a net segment
aligned in x direction i.e. horizontal (or in y direction i.e. vertical), its active region consists of its frame and the
intra-layer frames adjacent and next to adjacent in y-direction (or in x-direction) and the two frames in z-direction in
next to upper and in next to lower layers as shown in Figs 3(b.i) and 3(b.ii).
A net segment ni is selected for reorientation of dummies in its neighborhood, if there exists another net segment n j
(say, aggressor) in the active region of ni such that ni and n j have opposite transitions, both are non-critical and they
have unlocked dummy fills in between (initially all the dummies are unlocked). If ni does not have a neighbor with
opposite transition in its active region, then it is chosen for resizing.
4.1.4. Embedding watermarks in layout:
For each net-segment selected for reorientation of dummies in its neighborhood, we consider the frames and their
dummy fills lying in between ni and n j. We take ∣Sld ∣ such frames. For each such frame, if reorientation of its fills
is indicated by the corresponding bit of ∣Sld ∣ and this reorientation favors desired change (increase/decrease) in delay,
then the fills (parallel/perpendicular to ni) in that frame are reoriented, otherwise not [Fig. 4]. The orientation of fills
in that sequence of frames is encoded as signature Sl1. Resizing is performed as specified in subsection 3.2 for the net
segments chosen for resizing. For these sequence of net segments, wire-resizing is encoded as signature Sl2.
4.1.5. Observable signature due to layout marking:
The watermarked layout is simulated using the test clock clk r for the test vector pair < I1, I2 >, and the response
vector at the sequence of selected test points constitutes observable signature So.
4.2. Analysis for robustness
Resilience of post-fab observable signature So against process variation:
On-chip delay is affected by manufacturing variability of gates and nets. As watermarks are to be verified with the
test clock of period ΔT , the goal is to keep the delay at the test points for I2 after marking either greater than (ΔT+δ1)
or less than (ΔT−δ2), where δ1 and δ2 are the delay corrections due to manufacturing variability. The length of
signature Sl1 is determined the signature Sld , but the length of signature Sl2 is chosen suitably so that their resultant
effect controls the delay at each test point to remain in the specified ranges.
Robustness of layout signature Sl against tampering:
Robustness of signature Sl1 embedded by reorientation of fills against tampering is measured by nmf /n f , where n f
be the total number of frames, and nmf the number of marked frames. Robustness of signature Sl2 embedded through
wire-resizing against tampering is measured by nmt/nt , where nt be the total number of net segments, and nmt the
number of marked net segments. Then, the probability Pl of the layout signature Sl to be tampered is given by
(nmf /n f ) ⋅ (nmt/nt) which measures the robustness of Sl against tampering.
Analysis of robustness against some possible attacks.
(i) An attacker may remove or add or reorient few fills without likely impact on performance of the design. The
probability that the removed/reoriented fills were watermarked is given by Pl . If any removed fill was watermarked,
29 Debasri Saha /  Procedia Technology  6 ( 2012 )  24 – 30 
all the fills in the same frame would be removed to delete one signature bit and the uniform density criteria will be
seriously affected. If fills are removed from discrete locations, the signature remains robust.
(ii) If the entire dummy fill system is removed and a good dummy filling algorithm is used to generate a new
solution for dummy fill synthesis, the signature bits embedded through resizing of net segments remain intact and
help to identify the IP owner from the layout.
(iii) The attacker may do sizing of the all the net segments to remove signature Sl2. In high performance ASICs,
the two most sensitive parameters delay and power are optimized through simultaneous consideration of wire sizing,
gate sizing, buffer sizing and buffer placement. Therefore, once wire sizing is changed, optimization due to the other
techniques do not remain effective.
Robustness of observable signature So against guesswork:
Attacker may guess no number of test points from ns scan points and the correct signature bits ‘0’/‘1’ located on
those test points. The robustness Poo of So against such random guesswork is (1/
(ns
no
)
) ⋅ (1/2no). An alternative way
is to guess the test vector pair <I1, I2> and the test points. Then the robustness Poi of So against such guesswork is
(1/
(ns
no
)
) ⋅ (nio/2nI) where nI is the number of primary inputs, and nio is the number of test vectors producing the same
signature response at the chosen no test points.
Due to insertion of trojan in the fabrication facility, it is highly likely that some of the bits of signature So are
flipped signalling the possible presence of trojan horse.
Table 1. Effect on interconnect capacitance due to embedding of watermarks
Bench No. of Length Intra-layer interconnect CC Inter-layer interconnect CC
mark gates/nets of Sl (ff/100 μm) (ff/100 μm)
circuits /matal layers (in bits) pre-marking post-marking % incr. pre-marking post-marking % incr.
c432 160/196/5 108 1.2352 1.2418 0.541 1.0891 1.0961 0.643
c499 202/243/5 256 1.0782 1.0844 0.576 1.0300 1.0367 0.656
c880 383/443/5 292 1.3710 1.3777 0.492 1.3983 1.4065 0.592
c1355 546/587/5 312 1.4021 1.4096 0.541 1.4632 1.4721 0.615
c1908 880/913/5 312 1.4892 1.4971 0.532 1.5320 1.5413 0.610
c2670 1269/1502/5 584 1.6336 1.6425 0.547 1.7785 1.7894 0.616
c5315 2307/2485/5 592 1.7700 1.7780 0.454 1.9200 1.9301 0.525
c7552 3513/3720/5 592 1.7451 1.7529 0.452 1.9190 1.9289 0.520
Average 0.514 0.598
Table 2. Effect on delay due to embedding of watermarks and results on trojan detection
Benchmark Length of Interconnect delay (in ps) % Increase # clock total # % trojan
circuits So (in bits) before marking after marking in delay period test vector detected
c432 7 198.81 198.90 0.048 4 4812 95.8
c499 24 172.88 172.96 0.049 4 4427 96.7
c880 24 232.98 233.08 0.041 4 7189 96.6
c1355 24 239.84 239.95 0.044 5 43389 84.4
c1908 24 319.19 319.32 0.041 5 22359 88.7
c2670 48 419.42 419.61 0.047 5 31857 90.0
c5315 48 424.95 425.10 0.036 5 18177 82.7
c7552 48 323.32 323.44 0.037 5 17483 86.3
Average 0.043 90.2
5. Experimental results
The ISCAS’85 benchmark circuits are chosen for our experiments. Inputs and outputs are latched for the circuits.
Our proposed scheme for layout watermarking is implemented in C on a 1.2 GHz SUN BLADE 2000 machine with
OS Solaris 9. We have taken design layout files (.def files) and inserted metal fills according to frame-based scenario
30   Debasri Saha /  Procedia Technology  6 ( 2012 )  24 – 30 
Table 3. Robustness and time complexity
Benchmark Robustness against attacks CPU times
Pl Poo Poi embedding layout verifying chip verifying
c432 3.86E−7 7.80E−3 1.45E−11 0.1038 0.0782 0.0076
c499 1.26E−6 5.66E−15 4.32E−20 0.1437 0.1181 0.0077
c880 7.36E−7 1.83E−10 2.66E−21 0.1937 0.1517 0.0126
c1355 8.46E−7 5.67E−10 4.32E−15 0.2331 0.1764 0.0170
c1908 4.87E−7 2.00E−9 3.90E−12 0.3489 0.2518 0.0465
c2670 7.85E−7 4.87E−57 9.93E−113 0.4808 0.3602 0.0362
c5315 2.81E−7 9.01E−50 6.62E−89 0.8370 0.5764 0.0776
c7552 1.22E−7 2.77E−46 3.79E−94 1.1466 0.7639 0.1145
Average 6.58E−7 0.4359 0.3095 0.0399
and implemented the design for 65nm technology node. Then coupling capacitances of the net-segments are extracted
and associated with the layout. Delay at selected test points (latched outputs) in the circuits are computed. Also the
total circuit delay is computed using Eldo SPICE. We used Matlab to generate histogram for delay vector Δs and
compute test time period ΔT . Next, layout watermarking is performed. For this watermarked circuit, parasitics are
extracted again and the total circuit delay is computed. 3D field solver FastCap is used to estimate intra-layer and
inter-layer effect on interconnect capacitance before and after watermarking. Table 1 shows the % increase in intra-
layer and inter-layer coupling capacitance. Also, it reflects the effectiveness of the scheme for detecting hardware
trojan through the results in column 6, 7 and 8. Table 2 shows the % change in total circuit delay due to watermarking.
Table 3 shows the robustness of the proposed scheme in terms of the probability Pl , Poo and Poi and the CPU time
requirements for the scheme.
6. Conclusion
The proposed Watermarking of layout marking on average causes 0.514% and 0.598% increase in intra-layer
and inter-layer coupling capacitance and 0.043 respectively. The percentage increase in delay is on average 0.04%.
Robustness of watermarking against layout tampering is measured in terms of probability Pl which is of order of 10−7
and that against guesswork while testing the fabricated chip is safficiently high for the ISCAS’85 benchmarks. Its
trojan detection capability is from 82% to 96% for those benchmarks.
References
Castillo, E. & U. Meyer-Baese. 2007. “IPP@HDL: Efficient Intellectual Property Protection Scheme for IP Cores.” IEEE Trans. on VLSI 15(5):578–
591.
Kahng, A. & K. Samadi. 2008. “CMP Fill Synthesis: A Survey of Recent Studies.” IEEE Trans. on CAD/ICAS 27(1):3–19.
Kim, Y., D. Petranovic & D. Sylvester. 2007. Simple and Accurate Models for Capacitance Increment due to Metal Fill Insertion. In Proc. ASPDAC.
pp. 456–461.
Kirovski, D., Y. Hwang & M. Potkonjak. 2006. “Protecting Combinational Logic Synthesis Solutions.” IEEE Trans. on CAD/ICAS 25(12):2687–
2696.
Krstic, A. & K.-T. Cheng. 1998. Delay fault testing for VLSI Circuits. Kluwer Academic Publishers.
Kurokawa, A. & T. Kanamoto. 2005. “Efficient Dummy Filling Methods to Reduce Interconnect Capacitance and Number of Dummy Metal Fills.”
IEICE Trans. on Fund. of Electronics, Comm. and Comp. Sc. E88-A(12):3471–3478.
Li, J. & J. Lach. 2008. At-speed delay characterization for IC authentication and Trojan Horse detection. In Proc. IEEE Workshop on HOST.
pp. 8–14.
Nie, T. & M. Toyonaga. 2007. “An Efficient and Reliable Watermarking System for IP Protection.” IEICE Trans. on Fund. of Electronics, Comm.
and Comp. Sc. E90-A(9):1932–1939.
Nieuwoudty, A., J. Kawaz & Y. Massoud. 2008. Investigating the Impact of Fill Metal on Crosstalk-Induced Delay and Noise. In Proc. ISQED.
pp. 724–729.
Saha, D. & S. Sur-Kolay. 2010. A Unified Approach for IP Protection across Design Phases in a Packaged Chip. In Proc. IEEE Intl. Conf. on VLSI
Design. pp. 105–110.
Sapatnekar, S. S. 1996. “Wire Sizing as a Convex Optimization Problem: Exploring the Area-Delay Tradeoff.” IEEE Trans. on CAD 15(8):1001–
1011.
