

# Challenging the Security of Logic Locking Schemes in the Era of Deep Learning: A Neuroevolutionary Approach

DOMNIK SISEJKOVIC, FARHAD MERCHANT, LENNART M. REIMANN, HARSHIT SRIVASTAVA, AHMED HALLAWA, and RAINER LEUPERS, Institute for Communication Technologies and Embedded Systems, RWTH Aachen University, Germany

Logic locking is a prominent technique to protect the integrity of hardware designs throughout the integrated circuit design and fabrication flow. However, in recent years, the security of locking schemes has been thoroughly challenged by the introduction of various deobfuscation attacks. As in most research branches, deep learning is being introduced in the domain of logic locking as well. Therefore, in this paper we present SnapShot: a novel attack on logic locking that is the first of its kind to utilize artificial neural networks to directly predict a key bit value from a locked synthesized gate-level netlist without using a golden reference. Hereby, the attack uses a simpler yet more flexible learning model compared to existing work. Two different approaches are evaluated. The first approach is based on a simple feedforward fully connected neural network. The second approach utilizes genetic algorithms to evolve more complex convolutional neural network architectures specialized for the given task. The attack flow offers a generic and customizable framework for attacking locking schemes using machine learning techniques. We perform an extensive evaluation of SnapShot for two realistic attack scenarios, comprising both reference combinational and sequential benchmark circuits as well as silicon-proven RISC-V core modules. The evaluation results show that SnapShot achieves an average key prediction accuracy of 82.60% for the selected attack scenario, with a significant performance increase of 10.49 percentage points compared to the state of the art. Moreover, SnapShot outperforms the existing technique on all evaluated benchmarks. The results indicate that the security foundation of common logic locking schemes is build on questionable assumptions. Based on the lessons learned, we discuss the vulnerabilities and potentials of logic locking uncovered by SnapShot. The conclusions offer insights into the challenges of designing future logic locking schemes that are resilient to machine learning attacks.

CCS Concepts: • Security and privacy → Security in hardware;

Additional Key Words and Phrases: IP protection, logic locking, deep learning, neuroevolution, RISC-V

## 1 INTRODUCTION

The Integrated Circuit (IC) design and fabrication flow is nowadays heavily steered by short time-to-market and reduced design costs. This trend has led to a horizontal business model in which IC design houses have to rely on third party Intellectual Property (IP) and outsourcing the fabrication to off-site foundries. The involvement of untrusted parties in both IC design and fabrication has raised countless security concerns, ranging from IP piracy to the insertion of malicious circuit modifications known as hardware Trojans [29, 37].

One promising solution to ensure the integrity of ICs is known as logic locking [39]. The core idea behind this technique is the insertion of additional logic into a gate-level netlist in order to make the original IP design functionally dependent on a secret key. For example, XOR/XNOR gates can be disseminated in the netlist in a way that the original functionality remains preserved only if a *correct* key drives the additional gates. Since the key is only known to the original IP owner, the IP design remains concealed while passing through the hands of untrusted external (layout) designers and the foundry [3]. Hereby, the security of logic locking is based on the assumption that a

---

Authors' address: Dominik Sisejkovic, sisejkovic@ice.rwth-aachen.de; Farhad Merchant, merchantf@ice.rwth-aachen.de; Lennart M. Reimann, reimannl@ice.rwth-aachen.de; Harshit Srivastava, srivastava@ice.rwth-aachen.de; Ahmed Hallawa, hallawa@ice.rwth-aachen.de; Rainer Leupers, leupers@ice.rwth-aachen.de, Institute for Communication Technologies and Embedded Systems, RWTH Aachen University, Germany, Templergraben 55, Aachen, Germany, 52062.

malicious entity has to first uncover the correct activation key before being able to reverse engineer and understand the design. Only thereafter, a meaningful hardware Trojan can be implemented.

In the past decade, a wide spectrum of logic locking schemes [28, 30, 39] as well as key-recovery attacks [7, 8, 22, 33, 35, 40] have been introduced. However, the efficiency and applicability of these attacks greatly depend on the assumed attack model. Most attacks in the past have relied on the availability of a golden reference, i.e., an *oracle* with I/O access in the form of an activated IC (available from the semiconductor market) or a set of golden I/O patterns (e.g., test vectors). Based on this assumption, powerful oracle-guided attacks have been devised, such as Boolean Satisfiability (SAT) based attacks [40] and path-sensitization [28].

**Motivation:** Several important observations indicate the diminishing applicability of oracle-guided attacks. First, it has recently been shown that having physical access to an activated IC allows the adversary to get hold of the secret key, even in the presence of a tamper-proof memory [27]. Secondly, it is possible to design hardware Trojans that leak the secret key to an adversary once the IC is activated, regardless of the locking scheme or key protection mechanism [15]. These two observations originate in the problem of storing and protecting the secret logic locking key on the fabricated chip. Finally, the most powerful attacks, including SAT-based attacks, often rely on having full access to an activated IC, including an open scan-chain; otherwise, most attacks become infeasible [40]. Interestingly, this assumption is not realistic, since genuine IC vendors never leave a scan-chain open or at least use some form of authentication [21]. These observations yield two important conclusions: (i) currently, the only realistic attacks on logic locking are oracle-less attacks, since the oracle offers no advantage due to the mentioned pitfalls and (ii) the primary focus of logic locking is shifting towards the protection of an IP design in its first production round before an oracle is available. Despite the inherent difficulty of not having a golden reference, a powerful oracle-less attack known as SAIL has recently been reported [7]. SAIL aims at recovering local logic structures from a locked IC using Machine Learning (ML) without the necessity of oracle I/O access. The success of SAIL emerges out of the simple, predictable and often deterministic changes introduced by logic locking schemes. With the introduction of SAIL, a new ground for oracle-less attacks on logic locking using ML techniques has been established.

**Contributions:** Inspired by SAIL, this work introduces *SnapShot*; a novel oracle-less attack on logic locking that utilizes Artificial Neural Networks (ANNs) to directly predict key values by analyzing "snapshots", i.e., excerpts of a locked gate-level netlist. The significance of SnapShot lies in the following:

- SnapShot is applicable without a golden reference, thereby following a realistic attack scenario. The adversary only needs access to the gate-level netlist or layout, upon which the netlist can be extracted.
- The attack is applicable for any known gate-insertion-based scheme. The general applicability of the SnapShot attack flow is provided by the representation used for processing netlists with a machine learning model. This representation is capable of incorporating any kind of netlist structures through customization (elaborated in Section 4.2).
- SnapShot is suitable for both combinational and sequential ICs. This is another feature provided by the netlist representation format which is easily expandable to incorporate flip-flops in sequential ICs (evaluated in Section 5).
- SnapShot has a linear time complexity with respect to the key length. This feature is given by the nature of the attack: each key input can be processed separately.
- The attack flow can be customized for attack exploration: any supervised learning model can be used for the training process irrespective of the locking scheme (Section 4.3).

Based on the aforementioned advantages, the key contributions of this work can be summarized as follows:

- The introduction of SnapShot: an oracle-less attack on logic locking that is the first of its kind to *directly* predict a key value from a locked synthesized gate-level netlist thereby utilizing neuroevolutionary and deep learning techniques. The applicability of SnapShot is showcased using two approaches. The first one is based on a simple neural network with fully connected layers. The second approach utilizes a neuroevolutionary mechanism to automatically evolve Convolutional Neural Network (CNN) architectures with genetic algorithms, thereby mitigating the complexity of manually drafting suitable CNN architectures. The evolved networks are targeted towards maximizing the attack efficiency for specific benchmarks and attack scenarios. SnapShot achieves an average activation key prediction accuracy of 82.60%, thereby outperforming the state-of-the-art attack by 10.49 percentage points.
- A new representation of a selected subcircuit that is expandable to sequential ICs and adaptive in terms of how much information is stored for a given circuit. This representation allows the processing of any gate-insertion-based logic locking scheme and is well suited for the training of ANNs.
- The evaluation of SnapShot on two realistic attack scenarios, including both commonly used benchmarks and silicon-proven RISC-V processor modules. To the best of our knowledge, the attack scenario based on a generalized set of netlists has not been evaluated before.
- An analysis of the emerging challenges in the design of logic locking schemes that are resilient to ML-based key-guessing attacks.

The rest of the paper is organized as follows. Section 2 introduces the basic theoretical concepts used throughout this work. Section 3 presents the related work. The SnapShot attack flow is presented in Section 4, and the experimental evaluation and results are discussed in Section 5. A discussion on the challenges of ML-resilient locking is given in Section 6. Limitations and research opportunities are outlined in Section 7. Finally, Section 8 concludes the paper.

## 2 PRELIMINARIES

### 2.1 Logic Locking

Logic locking is used for protecting the integrity of ICs throughout the design and fabrication flow. Usually, logic locking is implemented by inserting different types of key-bounded gates (known as *key gates*) into a netlist. The key bit for each key gate is provided through the input pins of the netlist. For example, the random insertion scheme known as EPIC disseminates XOR/XNOR gates at random locations in the netlist [30]. XOR gates bound to a key bit 0 and XNOR gates bound to a key bit 1 always buffer the second gate input, thereby preserving the original IC functionality. One example is given in Fig. 1 (a). Here the key gate KG1 is added into the netlist. If driven by the correct key bit ( $k_1 = 0$ ), the signal  $s$  is buffered through KG1, thereby preserving its original value. The *security foundation* of this scheme lies in the difficulty of guessing whether an inverter of the XNOR or XOR+INV gate belongs to the original circuit or not; otherwise, a simple removal would be possible. In the past decade, a wide range of locking schemes has been introduced [39], all relying on the insertion of some form of key-controlled redundant hardware into a netlist.

### 2.2 Logic Locking in the IC Design and Fabrication Flow

Logic locking introduces a secret key into the IC design and fabrication flow, as presented in Fig. 1 (b). The IP owner (trusted regime) generates a gate-level netlist and uses a secret key to lock the design with a selected locking scheme. Afterwards, the locked design proceeds in the untrusted regime. This typically includes an external design house (for layout generation) and the



Fig. 1. (a) Example Logic Locking and (b) Logic Locking in the IC Design and Fabrication Flow

foundry. After fabrication, the chip is returned to the owner for activation. Since the secret key is only known to the IP owner, logic locking protects the design while in the untrusted regime.

Note that the external design house is sometimes not included in the flow since some IP owners have internal front end (RTL and logic synthesis) and back end (layout generation) teams. However, especially smaller companies often subcontract parts of the design services, e.g., back end, to an external design house due to tight deadlines, cost reduction and the lack of necessary skills [36]. Moreover, the secret key induced by the locking mechanism is not required for a successful layout design and chip production.

### 2.3 Terminology

The mentioned IC design flow includes the usage of netlists in different formats. In this work, we often use the term *resynthesized netlist*. A netlist is regarded as resynthesized as it has to be synthesized *once more* after logic locking is applied to maximize the structural changes induced by a locking scheme. Therefore, it is important to differentiate a *pre-resynthesized* and a *post-resynthesized* netlist. As shown in Fig. 1 (b), a locked pre-resynthesized netlist is a netlist which has not been resynthesized after logic locking is applied. A locked post-resynthesized netlist is locked and resynthesized. In the rest of the paper, we refer to a gate-level netlist as *netlist*.

In this work, schemes that are resilient against key-guessing (prediction) attacks of a machine learning model, are referred to as ML-resilient. In the general case, schemes that are resilient against guessing attacks performed by any system (human or artificial), are referred to as learning-resilient. In this context, ML resiliency is a subset of learning resiliency.

### 2.4 Attack Model

As previously discussed, the effectiveness and applicability of different logic locking schemes strongly depend on the assumed attack model. In this work, we assume the most restrictive attack model from the attacker's point of view: the adversary has *only* access to the locked netlist (directly as a rogue external designer or by reverse-engineering the GDSII in the foundry). Since an activated IC is not available, a comparison to golden I/O patterns is not possible. By definition, this attack model forces an attacker to recover the key based on the least amount of information available.

Furthermore, it is assumed that the locations of the key inputs (pins) are known to the adversary. Only the key itself remains a secret. These are commonly accepted assumptions regardless of the availability of an oracle IC [3, 39, 40].

### 2.5 Deep Learning and Neural Networks

Artificial neural networks represent a general class of machine learning algorithms. In this work, we exploit the capabilities of convolutional neural networks; one of the most significant networks in the landscape of deep learning techniques [24]. CNNs are a specific type of neural networks



Fig. 2. Architecture of a Convolutional Neural Network

which were initially designed for 2-dimensional convolutions, inspired by the biological process of the visual cortex of animals [20]. Since their introduction, CNNs have successfully pioneered the field of object classification and detection in the spectrum of deep learning. Their achievements are further fueled by the increasing availability of fast computation and vast amounts of data. The key enabling factor for their superior performance is their ability to extract meaningful features by exploiting hierarchical data patterns, i.e., recognizing spatial and temporal *correlation in data*. Moreover, CNNs are well suited for object detection in unstructured data such as images.

For this work, it is important to understand the very basic structure of a CNN. A general CNN architecture blueprint is presented in Fig. 2. The input to the network is an image. The output is typically a classification prediction (e.g., whether the key bit value is 0 or 1). The two major components of the network include the *feature extraction* and the *classification*. The feature extraction is based on the typical CNN layers that we refer to as *internal layers* (sometimes also referred to as hidden layers). The classification part is built using a fully connected neural network. The term "fully connected" implies that every neuron in the previous layer is connected to every neuron of the next layer. In general terms, the fully connected layers are trained to *classify* images based on the *features* extracted using the internal layers. The internal layers are typically a sequence of two layer types: convolution and pooling.

Convolution layers extract features from the input image by detecting local conjunctions of features from previous layers. The result of the convolution is typically further processed using an activation function to increase the non-linearity. A commonly used activation function is the Rectified Linear Unit (ReLU). Furthermore, pooling layers perform the down sampling of feature maps, thereby progressively reducing the spatial size of the representation to reduce the amount of data and computation in the network. The most common approach used in pooling is known as max pooling.

After the feature extraction, the flattening layer converts the data into a 1-dimensional array that is fed as input to the fully connected layers. These layers assemble a traditional multi-layer network that use a softmax activation function in the final output layer. As mentioned before, the internal layers extract high-level features of the input image. Based on these features, the fully connected layers classify the input image into various classes. More details can be found in [19, 20].

Another important type of ANN is known as Multi-Layer Perceptron (MLP). An MLP is a feedforward neural network which consists of multiple layers. An MLP takes flattened vectors as inputs rather than 2D or 3D data (similar to the classification part in Fig. 2 (b)). In this work, we apply a simple MLP with fully-connected layers and compare the results to the more complex

CNNs. Even though MLPs are nowadays succeeded by the more efficient CNNs, they are still a popular choice in machine learning for a variety of classification tasks.

**Motivation for ANNs:** In this work, it turns out that the problem of predicting a correct key bit can be represented in the form of images that are suitable for processing with ANNs. The images show a clear correlation between key values and recognizable netlist structures, especially offering the potential for feature extraction using CNNs. Further justification is presented in Section 4.5 after introducing all relevant concepts.

## 2.6 Genetic Algorithms and Neuroevolution

Genetic Algorithms (GAs) belong to the class of evolutionary algorithms that represent population-based meta-heuristic optimization techniques inspired by biological evolution [12]. The solutions in a population compete based on their quality (fitness) that is evaluated using a fitness function. Throughout multiple generations, solutions with a higher fitness are evolved by reapplying the genetic operators (selection, crossover and mutation) to the current population. A key component of GAs is the specific representation (encoding) of a solution as presented to the evolutionary algorithm. This *manipulable* representation is referred to as *genotype*. The actual solution to a problem, i.e., manifestation of the genotype is known as *phenotype*. An important feature of evolutionary algorithms is their ability to work with black-box optimization problems, i.e., the algorithms do not need any domain-specific knowledge to perform the optimization.

The evolution of neural networks by using evolutionary algorithms is referred to as *neuroevolution* [2]. In this case, the task of the evolutionary process is to automatically evolve CNN architectures that are suitable for a selected problem domain. In general, neuroevolution can be used to evolve the network weights, structure or both. In this work, the genotype denotes a series of rules for constructing the CNN, while the phenotype represents a fully constructed CNN architecture. Note that neuroevolution is only one of many Neural Architectural Search (NAS) methods available [13]. NAS belongs to AutoML; a research area that focuses on methods to make machine learning more efficient and automated. More details are available in [14].

**Motivation for neuroevolution:** The reason for using neuroevolution in this work is twofold. First, selecting a suitable CNN architecture used for feature extraction is a challenging task, since it depends on the problem domain itself and often includes optimizing different hyperparameters. By using GAs to automatically evolve the architecture, the neuroevolutionary approach facilitates the exploration and selection of CNNs that are specifically drafted for the given problem domain. Hereby, the evolution is focused on resolving the issue of finding a suitable number and type of internal layers in the feature extraction component of the CNN. The reason why we focus on this aspect of the architecture is that all other components can be set to standard values which are often used in literature, while the selection of the internal layers highly depends on the problem domain. Secondly, the evolution process drastically speeds up the architecture selection as we assume a limited amount of time and resources to perform the task. Therefore, iterating through all possible CNN architectures is not a viable option. Interestingly, this showcases an important result: a potential attacker is able to efficiently attack locking schemes with SnapShot even without specialized knowledge about designing CNN architectures in a limited amount of time and with limited resources. Finally, by focusing on the architectural aspect of CNNs, we are able to learn about the complexity of the underlying classification problem based on the evolved networks (discussed in Section 5.6). Note that neuroevolution can be used for simple MLPs as well. However, since MLPs tend to have only a few layers, we design and evaluate the MLP architectures manually.

## Challenging the Security of Logic Locking Schemes in the Era of Deep Learning



Fig. 3. SAIL Attack Flow

### 3 RELATED WORK

Only a few oracle-less attacks have been reported so far. The first is the desynthesis attack [26]. Based on the observation that the locked and the original netlist should be similar in terms of the number and type of gates, the attack resynthesizes the netlist with a random key. Afterwards, the attack uses Hill Climbing search to find a key that yields a maximum similarity between the locked and resynthesized netlist. However, this attack is not scalable for larger key lengths and presumes a sound knowledge of the synthesis tool. Therefore, its efficiency for large-scale designs remains uncertain. In comparison, SnapShot scales linearly with the key length.

The recently introduced redundancy attack reveals a novel vulnerability of logic locking schemes based on identifying logic redundancies introduced by incorrect key bits [22]. The attack prunes out the incorrect values of a key when it introduces a significant level of functional redundancy. However, a recent work has devised a locking scheme that is resilient against this attack [23]. Therefore, we do not conduct a comparison to this attack. Note that SnapShot is also applicable to the mentioned resilient locking since it is based on key gate insertion.

Another oracle-less attack is known as SWEEP [1]. This attack exploits the structural changes induced during the synthesis process to extract correct key values. It works as follows. The attack hard-codes both the correct and the incorrect key bit value for each key input based on a training set of locked benchmarks. For each value of each key input, the attack reoptimizes the design and performs a synthesis analysis. Based on the synthesis report, the attack identifies any design features that are correlated to the correct key values. Finally, the same procedure is repeated for the target netlist. Based on a comparison using a scoring algorithm to evaluate each design feature, the attack identifies the correct key bits with a high confidence. However, this attack is not applicable to XOR/XNOR-based locking, therefore we do not perform a comparison to this attack.

The recent oracle-less Topology-Guided Attack (TGA) is based on the intuition that basic functions in a logic cone are typically repeated multiple times in a netlist [43]. These are referred to as Unit Functions (UFs). In case a key gate is placed in an instance of a UF, the correct key bit value can be recovered by searching through equivalent UFs that are constructed using all hypothesis key values by self-referencing the given netlist. This attack is similar to our work in the sense that it exploits the fact that limited XOR/XNOR-induced changes are mostly same for similar portions of a netlist. To prevent TGA, the authors present a scheme in which either a key gate is placed in a unique UF or all equivalent UFs are locked simultaneously. Both result in the TGA search being unsuccessful. Note that even if this scheme is used, it does not affect the way a single key gate is inserted. Therefore, the solution still exhibits the same vulnerabilities in terms of SnapShot.

In recent times, several ML and Evolutionary Computation (EC) based attacks have emerged. The BOCANet attack utilizes deep recurrent neural networks to compromise hardware obfuscation [35]. GenUnlock formulates logic locking as an optimization problem and utilizes genetic algorithms to perform an attack [9]. Similarly, the particle swarm optimization guided attack uses EC to find an approximate key that produces correct outputs in most cases [17]. Even though these attacks utilize similar algorithmic models as SnapShot, they all depend on having access to input/output observations taken from an activated IC. Therefore, these do not fall into the oracle-less category.

The most relevant attack for a comparison with SnapShot is SAIL [7]. SAIL is a structural attack on logic locking that utilizes ML algorithms to retrieve local logic structures from the locked post-resynthesized netlist (referred to as *target netlist*). The applied algorithms include a support vector machine, random forest and a multi-layer neural network. The SAIL attack flow is presented in Fig. 3. The attack strategy is as follows. Pre- and post-resynthesized locked designs are provided as training data to train two different models: the Change Prediction Model (CPM) and the Reconstruction Model (RM). Given a netlist subgraph (locality) extracted near the selected key input, i.e., key gate, CPM predicts whether a structural change has occurred, i.e., whether the synthesis tool has induced any changes around the inserted key gates. If a change is predicted, RM is utilized to predict the pre-resynthesized subgraph, i.e., it reverses the changes of the logic synthesis. Out of the reconstructed subgraph, the key value is determined *based on the properties of XOR-based locking*: an XOR gate is inserted for key bit 0, and XNOR for a key bit 1 [7, 8].

**Advantages of SnapShot:** To understand the advantages of SnapShot, we need to analyze the limitations of SAIL. The major comparison points are as follows:

- SAIL is *only* applicable to XOR-based locking, since it relies on its inherent security properties (XOR bound to 0 and XNOR bound to 1). Therefore, it is *not possible* to utilize SAIL to predict a key for schemes that do not rely on the mentioned XOR/XNOR property, such as a MUX-based locking scheme. In comparison, due to the nature of the attack and the customizable representation, SnapShot can be applied to a wide range of schemes and netlist structures. Note that the actual prediction accuracy depends on the security foundation of the evaluated locking schemes, yet the applicability is ensured.
- In essence, SAIL learns to reconstruct the synthesis changes to predict the original netlist structure. Therefore, the key prediction in SAIL is only possible for reconstructed or unchanged netlist localities. This implies that the success of SAIL heavily depends on the complexity of the synthesis procedure that is used after logic locking is applied. Consequently, the attack success depends on having access to the original synthesis tool that was used in the design flow of the netlist under attack, thereby introducing another obstacle for the adversary. In comparison, SnapShot allows a *direct* prediction of the key bit values based on the provided netlist localities, since the attack is using only post-resynthesized netlists. Therefore, the direct prediction enables a simpler and more flexible attack vector for an adversary.
- Finally, SAIL depends on training two different models (CPM and RM), while SnapShot includes the training of only one model, thereby offering another advantage for an adversary. Even with a simplified learning model, SnapShot achieves a significant improvement in the key prediction accuracy.

#### 4 THE SNAPSHOT ATTACK

The objective of SnapShot is the immediate prediction of a key bit value based on the extracted *locality* (subgraph of gates) around each key gate. The reasoning to this attack is as follows. As per attack model, the adversary is aware of the exact locations of all key inputs. For each key input, the exact key gate (or structure) can be identified by simply following the key input signal. This can be

## Challenging the Security of Logic Locking Schemes in the Era of Deep Learning



Fig. 4. SnapShot Attack Flow

repeated for each bit of the key individually. For XOR/XNOR locking schemes, the key gate is the first gate that is connected to a given key input. Since current gate insertion-based locking schemes only induce *limited local changes* to the netlist [7], it is possible for the underlying neural network to predict which key bit value is expected for a selected locality around a specific key gate.

The SnapShot attack flow is presented in Fig. 4. The input of the flow includes a target netlist, the number of samples used for the data generation ( $N$ ) and the key length ( $K$ ). The target netlist is a locked and resynthesized netlist (see Section 2.3 for details). The final output of the attack is the predicted activation key for the target netlist. The flow consists of four stages: setup, extraction, ANN design and deployment. In the following, all steps are discussed in detail in the given order, thereby referencing the flow in Fig. 4.

### 4.1 Setup

The setup includes the preparation of a *data set* upon which a *training set* is extracted in the next stage (Fig. 4 (step i)). First, it is important to understand the difference between these two sets. The data set represents a set of locked benchmark netlists, i.e., a set of post-resynthesized netlists locked with a selected locking scheme. The training set denotes the actual labeled localities in the form of vectors that are extracted from the data set for each key input of every benchmark (explained in the next stage). The setup can be configured to target *two realistic attack scenarios*: the Generalized Set Scenario (GSS) and the Self-Referencing Scenario (SRS).

**GSS:** In GSS, the adversary tries to predict the correct key for a locked target netlist using an ML model that is trained based on the extracted data from a *generalized data set*. The generalized data set is generated by locking a large number of *other* (different from target) netlists with random keys with the selected scheme. Note that the generalized data set does not contain the target netlist and that the netlists can implement any functionality. Each netlist, out of the  $N$  selected netlists in the generalized set, is locked with a single key of length  $K$ . After locking, all locked netlists are



Fig. 5. Example: Netlist Transformation

resynthesized, resulting in  $N$  locked and resynthesized netlists. These are used to train the model and attack the target. *The reasoning behind GSS is that in a real-life attack, an adversary can use any available circuits (e.g., open-source or in-house designs) to train the model.* To the best of our knowledge, this scenario has not been addressed in existing literature so far.

**SRS:** In SRS, instead of using other netlists, the adversary can create a data set by *relocking*, i.e., self-referencing, the locked target netlist with additional keys. This is performed by copying the target netlist  $N$  times and relocking all  $N$  copies with separate keys of length  $K$ . Finally, the  $N$  locked netlists are resynthesized. SRS implies that each relocked netlist has two sets of key inputs: the *original* target key inputs under attack that are same for every netlist and the *additional* key inputs from the relocking phase that are different for every netlist. Afterwards, the additional key inputs of the generated set are used to train the ML model to predict the key of the target netlist. In both attack scenarios, the training is done based on a set of locked netlists. However, in GSS the set consists of a variety of different designs, while in SRS it consists of many copies of the target netlist. Nevertheless, SRS has the advantage that an adversary does not need to possess other netlists to train the ML model and that the training is based on data that is closely related to the actual target. The latter has a positive impact on the prediction capabilities of SnapShot, as discussed in Section 5.

**Transformation:** In both GSS and SRS, we perform one essential step after the resynthesis: the netlist transformation. This step ensure the translation of the synthesized netlists into a generic technology-independent format. We perform this step by instructing the underlying synthesis tool to map the design to a generic technology library and store it using plain Verilog. When storing, the synthesis tool transforms each technology cell into its equivalent Boolean function. This function is represented using simple combinational *assignments* in Verilog. These assignments are parsed, transformed into three-address code and finally stored using primitive Verilog gates. An example transformation for the sum operation (output  $S$ ) of a Full Adder (FA) is shown in Fig. 5. First, the output  $S$  of the technology-dependent FA is written out as a Verilog assignment. Finally, the Verilog expression is transformed into primitive Verilog gates. Therefore, the resulting file is a technology-independent gate-level netlist.

For logic synthesis and mapping, we utilize the Synopsys Design Compiler and its accompanying generic technology library. Being technology-independent has the advantage of not specializing the attack for a particular technology node, since using a specific library can negatively influence the generalization of the approach. Moreover, an adversary can always resynthesize a design with a generic library regardless of the underlying technology.

The transformation step offers one more feature. Since the Verilog assignments can be processed in the form of three-address code, the transformation step enforces that every gate in the resulting netlist has a *maximum of two inputs*. Only BUF and INV gates have one input. This property is further utilized in the extraction stage of SnapShot.

Table 1. Locality Vector Encoding

| Gate Type | NOT | AND | NAND | OR | XOR | NOR | XNOR | BUF | FF |
|-----------|-----|-----|------|----|-----|-----|------|-----|----|
| Code      | 1   | 2   | 3    | 4  | 5   | 6   | 7    | 8   | 9  |

---

**Algorithm 1** LVE: Locality Vector Extraction

---

**Input:** Locked Generic Netlist ( $Net$ ), Backward Path Depth ( $D_b$ ), Forward Path Depth ( $D_f$ ), Fan-In ( $F_{in}$ ), Fan-Out ( $F_{out}$ ), Encoding Table ( $E$ ) and Activation Key (optional) ( $K_{act}$ )

**Output:** Set of Locality Vectors ( $L$ )

```

1:  $L \leftarrow [\emptyset]$                                 // Prepare locality vector set
2:  $K \leftarrow |Net.K_{in}|$                          // Length of key input
3:  $T \leftarrow \{Backward, Forward\}$                   // BFS type

4: for  $i = 0$  to  $K$  do
5:    $KG_i \leftarrow \text{GateConnectedTo}(Net.K_{in}[i])$ 
6:    $G_i \leftarrow \text{InputGatesOf}(KG_i)[1]$ 

7:   /* Extract values */
8:    $l_b \leftarrow \text{BFS}(T.\text{Backward}, G_i, E, D_b, F_{in})$ 
9:    $l_{kg} \leftarrow E[\text{Type}(KG_i)]$ 
10:   $l_f \leftarrow \text{BFS}(T.\text{Forward}, KG_i, E, D_f, F_{out})$ 

11:  /* Merge values */
12:   $L[i] \leftarrow \{l_b, l_{kg}, l_f\}$ 

13:  /* If  $K_{act}$  given: label the locality */
14:  if  $K_{act} \neq \{\emptyset\}$  then
15:     $L[i] \leftarrow \{K_{act}[i], L[i]\}$ 
16:  end if
17: end for
18: return  $L$ 
```

---

## 4.2 Extraction

Once the data set is prepared, the next step is to assemble the training set (Fig. 4 (step *ii*)). This set consists of a large number of *labeled localities*. Remember that a locality is simply a subgraph around a selected key gate that is connected to a particular (1-bit) key input. The extraction of the localities is not uniquely defined, i.e., a variety of *extraction strategies* are viable. However, a selected strategy must ensure that all necessary information that is crucial for the ANN learning and prediction process is captured in the extracted representation of a locality. This information includes the number of gates, the gate types and their relationship (how the gates are connected).

**Locality Vector:** As specifically CNNs work well with unstructured image data, it is advantageous to represent all subgraphs in a form that can be translated into images. Hereby, the prediction problem is represented as the *classification* of the extracted image (locality) as key bit 0 or 1. For this purpose, we propose a *locality vector* representation. A locality vector is a sequence of *numbers* representing the extracted subgraph. The vector reflects the actual netlist subgraph in the following way. Each entry in the vector represents a single location in the netlist. A location can be filled by a single gate or remain empty (no gate present). The actual value of the entry simultaneously determines two properties of a location: the existence of a gate on that location and the gate type. These properties are defined by a selected encoding of the gate types. We selected the encoding in Table 1. Note that this encoding includes all possible primitive gate types that can occur in a design. A particular value uniquely identifies the gate type. The existence of a gate is encoded indirectly: an empty location is marked with the value 0. If the value is greater than 0, the location is filled by a gate of a particular type.

**Extraction Procedure:** So far, we have discussed how the locality vector is able to store information about the existence of particular gates as well as their types. The next step is to understand how the relationship of the gates is stored. The way the gates are connected is reflected by the

*position* of each value in the vector. This means that based on the location of a value in the vector, we can determine its input and output gates. As before, encoding the relationship in the position is not uniquely defined. For this purpose, we define the Locality Vector Extraction (LVE) procedure shown in Algorithm 1. LVE works as follows. The main LVE loop repeats for every (1-bit) key input (line 4). In the first step (line 5), LVE finds the first gate ( $KG_i$ ) connected to the currently observed key input ( $Net.K_{in}[i]$ ), as well as the first non-key input connected to  $KG_i$  ( $G_i$ , line 6). In the second step, LVE extracts three independent sections of a locality vector. The first section is extracted by performing a Breadth-First Search (BFS) starting from  $G_i$  towards the netlist inputs (backward path, line 8). The backward BFS starts from  $G_i$  since we already know that the first input of  $KG_i$  is a key input. The second section extracts the encoding of the "center" gate  $KG_i$  by looking up the encoding table  $E$  (line 9). Note that  $E$  is defined in Table 1. The third section is extracted by performing a BFS starting from  $KG_i$  in the direction of the netlist outputs (forward path, line 10). Finally, all three sections are concatenated to form a locality vector (line 12). In case an activation key ( $K_{act}$ ) is provided, each locality is labeled with its respective activation key-bit by prepending the value to the locality vector (lines 14-16).  $K_{act}$  is an optional argument since LVE can be used to generate a training set (labeled vectors) as well as a test set (unlabeled vectors).

The BFS used in LVE for the extraction of the backward and the forward path is shown in Algorithm 2. The BFS receives the following inputs: the BFS type ( $T_{bfs}$ ) defining whether a backward or forward search is performed, the root gate ( $R$ ), the encoding table ( $E$ ), the maximum allowed search depth for the backward ( $D_b$ ) and forward ( $D_f$ ) path, the fan-in ( $F_{in}$ ) and fan-out ( $F_{out}$ ) size per gate. Note that the depths and fan-sizes are each represented by one variable ( $D$  and  $F$ ). The algorithm itself is a standard BFS with variable properties as discussed in the following.

The search direction is selected by  $T_{bfs}$ . For a backward search, the neighbor gates are all *input* gates of the currently processed gate  $G_i$  (line 10). For a forward search, the neighbor gates are all *output* gates of  $G_i$  (line 12). The algorithm assumes a fixed number of possible inputs (for backward BFS) or outputs (for forward BFS) per gate. This property is defined by  $F$ . As the transformation in the setup stage of SnapShot ensures that each gate has a maximum of two inputs (see Section 4.1), for a backward BFS,  $F_{in}$  is set to 2 (LVE line 8). However, a single gate can have any number of possible output gates connected to it. Therefore, for a forward BFS, the number of output gates is defined by  $F_{out}$  (LVE line 10). Fixing the number of inputs/outputs ensures that each locality has the same length regardless of the actual netlist subgraph it represents. In case a single gate deviates from the fixed value, the BFS algorithm creates additional *empty* gates (lines 15-17). The encoding for an empty gate is the value 0. Finally, the BFS terminates when the selected search depth is reached (lines 34-36).

The actual locality vector  $l$  is assembled by extracting the encoding for each visited neighbor (lines 25-29). Hereby, the encoding of the currently processed neighbor  $N_j$  is either prepended (for backward BFS) or appended (for forward BFS) to  $l$ . The reason for using different insertion methods depending on  $T_{bfs}$  is to reflect the topological order of the gates in the locality vector. If we assume that the key gate is placed in a central position in  $l$ , then gates that are closer to the netlist inputs are placed towards the left end of  $l$ . Consequently, gates that are closer to the netlist outputs are placed towards the right end of  $l$ .

One example extraction for a single 1-bit key input (marked red) is shown in Fig. 6. The parameters are set as follows:  $D_b = 3$ ,  $D_f = 2$ ,  $F_{in} = 2$  and  $F_{out} = 3$ . Using the encoding in Table 1 and the proposed LVE procedure, one labeled locality vector is extracted in the format  $[K_{act}, l_b, l_{kg}, l_f]$ . The example also visualizes empty gates (marked with 0).

This representation has the following beneficial properties. It is complete in the sense that all types of subgraphs can be represented by traversing the netlist. The amount of data stored in one vector can be adapted by adjusting the *depth* of the backward and forward path as well as the

---

### Algorithm 2 BFS Extraction Procedure

---

**Input:** BFS Type ( $T_{bfs}$ ), Root Node ( $R$ ), Encoding Table ( $E$ ), Max Depth ( $D$ ) and Fan-In/Out ( $F$ )  
**Output:** Locality Vector ( $l$ )

```

1:  $l \leftarrow \{\emptyset\}; Q \leftarrow [\emptyset]$                                 // Prepare locality vector and FIFO queue
2:  $done \leftarrow FALSE; D_i \leftarrow 1$                                      // Prepare control variable and set current depth
3:  $Q.Enqueue(R)$                                                        // Add root gate
4:  $R.Visited \leftarrow TRUE$                                               // Set root as visited

5: while  $\text{IsEmpty}(Q) \&& !done$  do
6:    $G_i \leftarrow Q.Dequeue()$ 
7:    $N \leftarrow [\emptyset]$ 

8:   /* Returns  $\{\emptyset\}$  for empty gate & primary IOs */
9:   if  $T_{bfs} == T.\text{Backward}$  then
10:     $N \leftarrow \text{InputGatesOf}(G_i)$ 
11:   else
12:     $N \leftarrow \text{OutputGatesOf}(G_i)$ 
13:   end if

14:   /* Ensures: gate has  $F$  ins or outs; Note: if  $|N| == F$ , no empty gate is added */
15:   for  $j = |N|$  to  $F$  do
16:      $N[j] \leftarrow \text{NewEmptyGate}()$ 
17:   end for

18:   /* Visit neighbors */
19:   for  $j = 0$  to  $F$  do
20:      $N_j \leftarrow N[j]$ 
21:     if  $!N_j.Visited$  then
22:        $Q.Enqueue(N_j)$ 
23:        $N_j.Visited \leftarrow TRUE$ 

24:     /* Extract value */
25:     if  $T_{bfs} == T.\text{Backward}$  then
26:        $l.Prepend(E[\text{Type}(N_j)])$ 
27:     else
28:        $l.Append(E[\text{Type}(N_j)])$ 
29:     end if
30:   end if
31: end for

32:   /* Check if max depth reached */
33:    $D_i \leftarrow D_i + 1$ 
34:   if  $D_i == D$  then
35:      $done \leftarrow TRUE$ 
36:   end if
37: end while
38: return  $l$ 
```

---

*fan-in/out* size. Finally, the representation is expandable to sequential circuits by simply adding an encoding for a flip-flop.

To verify that no information about the subgraph is lost, we can perform a simple test. By "reversing" the LVE procedure on a vector using the selected parameters, it is a trivial task to reconstruct the representing netlist subgraph. Therefore, it stands to reason that no information loss occurs. However, it is important to consistently follow the same deterministic steps in the



Fig. 6. Example: Localities Extraction and Representation

extraction. Let us consider the  $l_b$  section of the locality at  $D_b = 3$  in Fig. 6. It is not relevant whether the extraction order is  $l_b = [5, 1, 0, 3]$  or  $l_b = [3, 0, 1, 5]$  as long as the same order is applied consistently for all sections and all localities.

The proposed locality representation gives SnapShot one more advantage: universal applicability. For example, in MUX-based locking, a MUX is simply a collection of gates that can be represented with localities or the complete MUX can be encoded with a separate value. Moreover, the described setup and extraction stage of SnapShot can be used for any attack that exploits information from the netlist subgraphs.

#### 4.3 ANN Design

In this stage, a suitable ANN model is generated based on the prepared training set (Fig. 4 (step *iii*)). In this work, we focus on two neural network types: simple fully connected MLPs and more complex CNNs. Note that any ML model can be used at this stage. Due to the relatively simple structure of MLPs, we define the suitable MLPs manually (Section 5.2). On the other hand, the architecture of CNNs is *evolved* and *trained* as discussed in the following. The CNN evolution contains four important components: the genetic algorithm, the genotype, the phenotype and the fitness function (see Fig. 7).

**Genetic Algorithm:** GAs are a suitable tool for black-box optimization problems. In SnapShot, the GA is utilized to automatically find a *fitting CNN feature extraction architecture* for the given classification problem, thereby releasing the attacker from having to manually draft a suitable CNN. The GA internally works with a population of solutions to a specific problem. The solutions are adapted through the application of the genetic operators. Fig. 7 visualizes the exact operators (bit-flip mutation, two-point crossover and tournament selection) that are used in the implementation as well. This manipulation results in advancing the quality of the solutions through multiple generations (Fig. 7 (step *i*)). To utilize a GA, it is necessary to define how a solution is represented (genotype), decoded (phenotype) and how it is evaluated (fitness function).

**Genotype:** As explained in Section 2.5, a complete CNN architecture consists of two components: the feature extraction and the classification. These components are defined by a set of properties (e.g., number of layers, layer types, input/output dimensions and others). Some of these properties must remain *fixed* to provide a foundation for valid CNN architectures. Therefore, we define a fixed frame that includes the following: the *first convolutional* (input) layer and the *last two layers* (a fully connected layer and the final output layer). Note that flattening is applied before the fully connected layer. This frame is based on common CNN architectural features, where the first internal layer is always a convolutional layer and the classification is typically assembled of two fully connected layers. On the other hand, *the variable properties are the ones being evolved by the GA*. These include the *number* and *type* of internal layers. The type includes *max pooling* and *2D convolution*. These

## Challenging the Security of Logic Locking Schemes in the Era of Deep Learning



Fig. 7. CNN Architecture Evolution with GA

properties must be represented with a suitable genotype, i.e., the encoded representation of a concrete solution as presented to the GA. For SnapShot, the genotype is encoded as a *bitstring* of size  $2 \cdot L$ , where the first  $L$  bits denote the presence of the individual internal layer ( $[x_1^p, \dots, x_L^p]$ ) and the last  $L$  bits the layer types ( $[x_{L+1}^t, \dots, x_{2L}^t]$ ), as shown in Fig. 7 (step *ii*). For example, if  $x_i^p = 1$ , the  $i$ -th internal layer is present and its type is defined by  $x_{i+L}^t$ . Using this genotype, we fix the classification component and evolve the architecture of the feature extraction component.

**Phenotype:** The discussed genotype is just a blueprint, i.e., a set of instructions defining how an architecture is assembled. Before a solution is evaluated, its genotype must be decoded into a concrete CNN instance, i.e., the phenotype. This is done by processing the genotype from left to right, thereby placing the existing internal layers *between* the fixed layers according to the defined layer type, as presented in Fig. 7 (step *iii*). The given input and output dimensions of the fixed layers are selected based on the input image size and the used hyperparameters (explained in Section 5).

**Fitness Function:** Once the genotype is decoded into a concrete CNN architecture, the fitness evaluation can be performed (Fig. 7 (step *iv*)). The CNN is trained based on the training set prepared in the extraction stage of the SnapShot attack flow. A single CNN instance is trained to classify the training localities into 0 or 1 bit values for a selected amount of epochs. The number of epochs equals the number of times the complete training set is fed into the CNN. To evaluate the fitness, we define the *performance measure* of the CNN prediction as the Key Prediction Accuracy (KPA). The KPA equals the percentage of correctly predicted key bits for a specific netlist, where each key bit input is predicted individually. For example, a KPA of 70% indicates that 70% of the bits of a single key are correctly predicted. This fitness function steers the evolution mechanism to evolve internal CNN layers which maximize the feature extraction process and result in higher classification accuracy for this particular problem.

Once the KPA for a particular CNN architecture is calculated for the training set, it is assigned to the respective solution in the GA population. After a selected number of generations, the GA terminates and returns the *best solution* (architecture), i.e., the one with the highest KPA. This final solution is further used in the next stage of SnapShot.

### 4.4 Deployment

Once the ANN architectures are fixed, the ANN prediction model (the best available trained CNN architecture or defined MLP) is deployed to predict the key for the locked target netlist (Fig. 4 (step *iv*)). To perform the prediction, the target netlist is transformed into a generic netlist



Fig. 8. Vector Images for 0 and 1 Key Bit Values

(same procedure as described in Section 4.1) and its localities are extracted into a *test set*. The only difference to a training set is that now the localities are not labeled (since the correct key is unknown). Afterwards, each locality is presented to the prediction model to predict its key bit value, resulting in the final SnapShot output: *the predicted key*. Since each key bit value can be predicted (attacked) independently, SnapShot is easily scalable to larger designs.

#### 4.5 Application of ANNs

To justify the selection of ANNs (in particular CNNs) for this particular problem, we present the following example. We perform the *setup stage* of SnapShot for a randomly selected circuit locked with EPIC using 64-bit keys. In the next step, we extract 400 localities for both labels 0 and 1, using a pre-selected depth resulting in vectors of length 400. Finally, all 0 and 1 localities are stacked horizontally to form two images: the first one represents all 0-labeled vectors, and the second represents all 1-labeled vectors. The result is shown in Fig. 8. Through careful examination, it is possible to determine *repeating patterns* specific to each key bit value. Example patterns are marked in both images with dashed lines. In this case, the difference, i.e., the correlation between the key bit values and the represented images is clearly recognizable (even by a human). Since extracting and learning correlation in data is a key feature of CNNs, it stands to reason that CNNs are a suitable choice for this classification problem.

### 5 EVALUATION

#### 5.1 Experimental Setup

**Benchmarks:** For evaluation, three open-source benchmark sets have been selected (Table 2): ISCAS'85 [6], ITC'99 [11] and a set of modules selected from the 64-bit RISC-V processor core Ariane [41]. Note that ITC'99 contains sequential circuits with Flip Flops (FF). We evaluated both the generalized set scenario and the self-referencing scenario. SRS is relevant for comparing SnapShot to the state-of-the-art attack SAIL, while GSS has not been evaluated before. The GA is used for evolving CNNs for each benchmark and attack scenario *separately*.

**Environment:** The scripting is done using two Python frameworks: Keras/Tensorflow for deep learning and DEAP for evolutionary computation. The evaluation was performed on an Intel Core i5 CPU@3.2 GHz with 16 GB of RAM and a single Nvidia GeForce RTX 2080 Ti graphic card.

**Input Formatting:** The localities are extracted using the described LVE procedure for the following parameters:  $D_b = 5$ ,  $D_f = 5$ ,  $F_{in} = 2$ ,  $F_{out} = 3$  and the encoding from Table 1. The extracted localities are trimmed to a length of 400 (removing excess empty locations) and normalized to values between 0 and 1. The MLP model uses these 1D vectors as input. To process the localities with the CNN model, the data is reshaped to the dimension 20x20x1. The reshaping is done with the standard methods provided by the Python library numpy.

**Locking Scheme:** The EPIC scheme has been selected to evaluate the effectiveness of SnapShot. The reasoning is twofold. First, EPIC is a *superset* of other XOR/XNOR-based locking schemes, as other methods insert gates with a more *selective* choice of locations compared to a random insertion, thereby inserting the *same* key gates as EPIC. Therefore, the only differentiation to other schemes is the location selection. For example, SLL inserts key gates based on their relationship to hamper path sensitization attacks [28]. However, even if SLL performs a selective insertion, the key gates itself are identical to the ones in EPIC. Moreover, a random selection can inherently include all variations of location selections. The second reason is the generalization of the attack; a more selective insertion can only lead to more information leakage compared to a fully random choice.

**Performance Measure:** We evaluate the ANN prediction results using the key prediction accuracy (KPA) as defined in Section 4.3.

## 5.2 MLP Model Setup

As discussed earlier, MLPs typically consist of only a few hidden layers; otherwise the amount of trainable parameters easily explodes. We evaluated multiple MLP architectures manually by varying the number of hidden layers as well as the number of units per layer for both SRS and GSS. All layers are fully connected. The input layer consists of 400 units (same as locality length). The

Table 2. Benchmark Circuits Used for Evaluation

| (a) ISCAS'85 Benchmarks |      |        |       | (b) ITC'99 Benchmarks |      |        |      |       | (c) Ariane RISC-V Modules |      |        |       |
|-------------------------|------|--------|-------|-----------------------|------|--------|------|-------|---------------------------|------|--------|-------|
| IC                      | #Ins | #Gates | #Outs | IC                    | #Ins | #Gates | #FFs | #Outs | IC                        | #Ins | #Gates | #Outs |
| c1355                   | 41   | 546    | 32    | b15                   | 37   | 6931   | 447  | 70    | iscan                     | 32   | 240    | 139   |
| c1908                   | 33   | 880    | 25    | b21                   | 34   | 7931   | 494  | 22    | commit                    | 985  | 1584   | 417   |
| c2670                   | 233  | 1193   | 140   | b22                   | 34   | 12128  | 709  | 22    | brunit                    | 342  | 1655   | 328   |
| c3540                   | 50   | 1669   | 22    | b17                   | 38   | 21191  | 1407 | 97    | decoder                   | 518  | 2169   | 362   |
| c5315                   | 178  | 2307   | 123   | b18                   | 37   | 49293  | 3308 | 30    | pcselect                  | 521  | 3333   | 128   |
| c6288                   | 32   | 2416   | 32    | b19                   | 47   | 98726  | 6618 | 40    | brpredict                 | 814  | 4669   | 333   |
| c7552                   | 270  | 3512   | 108   |                       |      |        |      |       | alu                       | 206  | 7412   | 65    |

Table 3. ANN Hyperparameters

| (a) MLP                               |                | (b) CNN                            |                           |
|---------------------------------------|----------------|------------------------------------|---------------------------|
| Parameter                             | Value          | Parameter                          | Value                     |
| Layer Types                           | Dense          | Input/Conv./Dense Layer Act. Func. | ReLU                      |
| Input Layer Act. Func.                | ReLU           | Output Layer Act. Func.            | Softmax                   |
| Hidden Layer Act. Func.               | ReLU           | Loss Functions                     | Sparse Cat. Cross Entropy |
| Output Layer Act. Func.               | Softmax        | Input/Conv. Layer Kernel Size      | 3x3                       |
| GSS #Units per Layer                  | 400x1000x256x2 | # Filters in Input/Conv. Layer     | 64/128                    |
| SRS #Units per Layer                  | 400x512x128x2  | # Units in Dense/Output Layer      | 128/2                     |
| Batch Size                            | 128            | Pool/Stride Size                   | 2x2/1                     |
|                                       |                | Batch Size                         | 128                       |
| Optimizer/Learning Rate/Beta_1/Beta_2 |                | Adam/0.001/0.9/0.999               |                           |

output layer consists of two outputs (one per key bit value). After the exploration, we fixed one architecture for each scenario based on the best performance achieved in the tuning phase. All MLP hyperparameters are listed in Table 3 (a). In this case, due to no evident performance difference, the same MLP architecture is applied to all benchmarks in SRS. The final networks are trained for 100 epochs before deployment.

### 5.3 CNN Evolution Setup

**CNN Architecture:** The CNN evolution is performed as discussed in Section 4.3. All other fixed hyperparameters are listed in Table 3 (b). We selected the standard parameters that are commonly used in literature for modern CNNs [32, 34]. Dropout is not used since overfitting has not been observed in the evaluation. The maximum number of internal layers is limited to *seven*. This value is selected through preliminary testing with up to fourteen layers. Moreover, the number of layers in the evolved CNNs (discussed in Section 5.6) tends to be much lower than seven, since a lower number of internal layers results in more efficient networks. This confirms that seven layers are sufficient for the architecture exploration for this particular problem.

**GA Setup:** All relevant GA parameters are listed in Table 4. The GA parameters are selected based on a preliminary tuning phase as well as commonly used parameters and operators. However, both the notion and the implementation of all GA and CNN parameters are beyond the scope of this work and more details can be found in [2, 12, 20].

**Stopping Criterion:** In GA, every CNN architecture is trained for a selected number of epochs until the stopping criterion for training is reached. In order to tune the number of epochs to an amount that is *sufficient for the CNN to converge* for all benchmarks, we trained a randomly selected architecture for each benchmark and attack scenario until an upper-limit of 80% KPA is reached (Fig. 9). The reason why this limit has been selected is to extract the average amount of epochs necessary for all CNNs to converge to a reasonable KPA. Based on the results, 80% upper-bound is sufficient to capture the learning asymptote and filter out fitter solutions. Consequently, the stopping criterion is set to 44 epochs. Note that this value is used in the training of CNNs during the GA exploration phase where it is not necessary to train the CNN instances to their limits. Once the best network is selected, the number of epochs can be increased before deployment.

### 5.4 Results: Generalized Set Scenario

For GSS, we trained the constructed MLP and the evolved CNNs using a training set compiled of all ISCAS'85 and ITC'99 benchmarks mentioned in Table 2. Each training benchmark is locking 1,000 times with 64-bit keys, resulting in a total of 832,000 training localities. The test set consists of all

Table 4. GA Parameters

| Parameter                  | Value          |
|----------------------------|----------------|
| GA Alg. Type               | Generational   |
| Population Size            | 10             |
| Representation             | Bitstring      |
| Generations                | 20             |
| Fitness                    | KPA            |
| Epochs                     | 44             |
| Mutation Op.               | Bit-Flip       |
| Mutation Prob.             | 0.1            |
| Crossover Prob.            | 0.9            |
| Selection Op.              | Tournament (3) |
| Crossover Op.              | Two-Point      |
| Gen. of Initial Population | Random         |



Fig. 9. Convergence Graph



Fig. 10. Attack Evaluation for the Generalized Set and Self-Referencing Scenario

selected Ariane modules (Table 2 (c)), each locked 1,000 times with random 64-bit keys; resulting in a total of 448,000 test localities (64,000 per target).

The average test KPA (Fig. 10 (b)) across all modules for GSS is 57.71% for MLP, and 61.56% for CNN, with a maximum of 77.55% for the *pcselect* module (Fig. 10 (a)). This indicates the feasibility of learning from other locked netlists to predict a key of a previously unseen netlist with an average increase in accuracy of up to 11.56 percentage points compared to a random guess. Compared to MLP, the CNN model offers a relatively small performance gain of 3.85% percentage points on average. In general, GSS offers one advantage over SRS; only one universal training set needs to be assembled regardless of the target, i.e., the relocking of the target netlist is avoided.

### 5.5 Results: Self-Referencing Scenario

SRS describes a more powerful scenario; learning and predicting on the same locked netlist. We locked all ISCAS'85 and ITC'99 benchmarks shown in Table 2 with 64-bit (target) keys. The training

set is generated by *relocking* the already locked benchmarks repeatedly 1,000 times with 64-bit keys, resulting in 64,000 training localities per benchmark and iteration instance.

The achieved average test KPA for the SnapShot MLP and CNN models is shown in Fig. 10 (c) in comparison to the state-of-art SAIL attack. The average KPA of CNN-SnapShot is 82.60%, resulting in a significant improvement of 10.49 percentage points compared to SAIL, as shown in Fig. 10 (d). Note that this average is based only the ISCAS'85 benchmarks to be consistent with the SAIL evaluation. Moreover, SnapShot outperforms SAIL for *all* evaluated benchmarks. Another important observation is that SnapShot achieves a minimum KPA of 78.43% (for *c2670*), whereas SAIL achieves a KPA of 55.83% (for *c1355*); only 5.83 percentage points more than a random guess. Therefore, the evolved CNNs are able to achieve a high KPA regardless of the circuit type. However, circuits with more regular structures, such as *c6288*, result in a higher KPA since additional logic is easier detected in repeating structures.

The MLP-based approach in SnapShot achieves a relatively low average KPA of 68.00% (Fig. 10 (d)), with lower performance values for almost all benchmarks compared to SAIL, and a lower performance compared to all CNN-based KPAs.

To demonstrate the scalability of SnapShot, in addition to the values in (Fig. 10 (c)), we performed another evaluation of SnapShot-based MLP and CNN attacks using larger sequential benchmarks. As shown in Fig. 10 (e), both SnapShot variants result in consistently high KPA values (above 71.64% for MLP and 79.92% for CNN). However, similarly to the previous evaluation, the evolved CNNs outperform the MLP model for all benchmarks. The total average KPA across *all* combinational (ISCAS'85) and sequential (ITC'99) circuits using SnapShot is 71.57% for MLP and 81.67% for the CNNs (Fig. 10 (d)). Interestingly, the CNN approach achieves similar performance values regardless of the circuit type. *This strongly suggests that convolutional neural networks offer a reliable tool for attacking XOR/XNOR-based logic locking schemes, while using a simpler and more flexible prediction model compared to the state of the art.* Moreover, the evaluation indicates that CNNs offer consistently better performance values compared to standard MLPs for this particular key prediction problem.

Furthermore, compared to GSS, SnapShot achieves significantly higher KPA values for SRS. This comparison offers novel insights into a previously untested scenario. Thereby, we can conclude that SRS enables a more focused learning process targeted towards the specific locked netlist irrespective of the underlying ML-model, *offering a more favorable attack scenario for an adversary.*

## 5.6 Evolved CNN Architectures

The best evolved architectures for all benchmarks and scenarios are presented in Table 5 and Table 6 in the form of genotypes. For GSS, only one final network is evolved since the training set is equivalent for all benchmarks. In comparison, SRS yields a single network for each benchmarks. Interestingly, the evolved networks have a maximum of only five internal layers for GSS and up to three layers for SRS. This offers the following insights. First, the GSS training set is more difficult to learn, i.e., it requires a more refined feature extraction. This corresponds to the way the training sets are generated, as in GSS a single large set of different relocked benchmarks is used while in SRS a self-referencing set is generated. Secondly, the evolutionary process suggests that using a smaller number of layers is sufficient, as no genotype using all layers has been reported as a fitter solution. Therefore, starting with a limit of seven layers is more than enough for this particular problem. Furthermore, the evaluated stopping criterion of only 44 epochs (Section 5.3) indicates that the training process easily converges. These observations suggest that the classification of XOR and XNOR localities to their correct activation bits is not a particularly difficult problem. *Consequently, the results imply that the security foundation of XOR/XNOR-based locking schemes is questionable and that it must be revised.*

Table 5. Evolved CNN Architecture (Genotype) for GSS

| IC                  | [[Layer Presence], [Layer Type]]           |
|---------------------|--------------------------------------------|
| Training Benchmarks | [[[0, 1, 1, 1, 0, 1], [0, 1, 1, 1, 1, 0]]] |

Table 6. Evolved CNN Architectures (Genotypes) for SRS

(a) ISCASC'85

| IC    | [[Layer Presence], [Layer Type]]                |
|-------|-------------------------------------------------|
| c1355 | [[0, 1, 0, 0, 0, 0, 1], [1, 0, 1, 1, 1, 0, 1]]] |
| c1908 | [[0, 0, 0, 1, 0, 0, 0], [0, 0, 1, 1, 0, 0, 0]]] |
| c2670 | [[0, 1, 0, 0, 0, 0, 0], [0, 0, 1, 1, 1, 1, 1]]] |
| c3540 | [[0, 0, 0, 0, 1, 1, 0], [1, 0, 0, 0, 1, 0, 0]]] |
| c5315 | [[0, 0, 0, 0, 1, 1, 0], [1, 0, 0, 0, 1, 0, 0]]] |
| c6288 | [[0, 0, 0, 0, 1, 1, 0], [1, 0, 0, 0, 1, 0, 0]]] |
| c7552 | [[1, 1, 1, 0, 0, 0, 0], [0, 1, 0, 1, 0, 0, 1]]] |

(b) ITC'99

| IC  | [[Layer Presence], [Layer Type]]                |
|-----|-------------------------------------------------|
| b15 | [[0, 0, 0, 0, 0, 0, 1], [1, 0, 0, 0, 1, 1, 1]]] |
| b21 | [[0, 1, 0, 0, 0, 0, 0], [1, 1, 1, 0, 1, 0, 0]]] |
| b22 | [[0, 0, 0, 0, 0, 0, 1], [1, 1, 1, 0, 0, 0, 1]]] |
| b17 | [[0, 0, 1, 0, 0, 0, 0], [1, 1, 1, 0, 0, 0, 0]]] |
| b18 | [[0, 0, 0, 0, 0, 0, 1], [0, 0, 0, 0, 0, 1, 1]]] |
| b19 | [[0, 0, 1, 0, 0, 0, 0], [1, 0, 1, 0, 0, 1, 1]]] |

All networks can be reproduced based on the provided genotypes, hyperparameters (Table 3), fixed layers (Section 5.3) as well as open-source benchmarks (Section 5.1).

## 5.7 Training Time Analysis

The neuroevolutionary mechanism facilitates the process of defining suitable layer configurations for the feature extraction component of the neural network. Using the neuroevolutionary process, an adversary is able to search through only a fraction of the possible configurations and still achieve valuable results. This mirrors the scenario in which an adversary has only a limited amount of time to acquire the correct activation key and proceed with reverse engineering. For example, after the design has been sent to the foundry, typically only a few months are needed until the fabrication is done. This window greatly limits the available time frame for performing an attack, since a malicious change still has to be implemented before the final fabrication. Therefore, having an attack that can converge more quickly is crucial for the success of the adversary.

**Genotype and Phenotype Search Space:** The limit of 7 internal layers yields a genotype search space of  $2^{14}$  different configurations, since 7 bits are needed to represent the existence of each layer and 7 bits to represent their types. However, some different genotypes can map to an equivalent phenotype. This is the case if a particular layer presence bit  $x_i^p = 0$ . In this case, the corresponding layer type  $x_{L+i}^t$  is not relevant for the construction of the phenotype (CNN architecture). Therefore, the total phenotype search space is  $3^7 = 2,187$ . However, during the mutation and crossover procedures, even different genotypes with an equivalent phenotype store potentially valuable (and different) genetic material. Therefore, these genotypes must still be considered in the genetic process. Nonetheless, to avoid a dependency on the genotype, in the following we discuss the timing comparison in terms of the phenotype search space.

**Iterative Search:** As mentioned, an iterative search has to consider  $3^7$  different configurations.

**Neuroevolution:** The size of the search space using the neuroevolutionary mechanism is defined by two GA parameters (Table 4): the number of generations and the size of the population. Since a generational GA is selected, in every generation, a new population is generated. This amounts to  $20 \cdot 10 = 200$  configurations, i.e., only 9.14% of the total search space.

**Time Comparison:** The evaluation of a *single* configuration takes 44 epochs. Assuming the existence of a single GPU (see Section 5.1), one epoch takes approximately 10 seconds. An iterative search using this setup amounts to 11.13 days. In comparison, the neuroevolution takes 1.01 days. In practice, neuroevolution takes even less time since equivalent genotypes are only evaluated

once and the fitness function can be adapted to detect phenotypes that have been evaluated before. It is evidently possible to distribute the search using multiple GPUs. However, this has not been evaluated in this work as using a single GPU offers clear timing insights into the attack.

## 6 DISCUSSION AND ANALYSIS

To design learning-resilient logic locking, understanding the reasons for the vulnerabilities induced by existing locking schemes is essential. Let us look at two aspects of logic locking: the location selection and the introduced change. The location selection indicates how a locking scheme *decides* where a change is introduced. If the selection or the actual change exposes information in some form, an entity (human or artificial system) is able to learn about the key. Therefore, a locking scheme that has no biased location selection and introduces unpredictable changes is learning-resilient. To test this claim, we performed the following experiment. We locked multiple benchmarks with a modified version of EPIC with randomly generated 64-bit keys, without another synthesis round. The modified scheme inserts XOR/XNOR gates *regardless* of the key bit value. Obviously, this scheme is functionally incorrect, however it serves its purpose; SnapShot reports KPA values of 50% for all benchmarks. In other words, the selected locking scheme forces the CNN to randomly guess the key, as no information is leaked through the location selection or the introduced change, as both are completely random and unpredictable.

From a different perspective, this experiment shows that a locking scheme can be learning-resilient if *two identical localities* (same vector image) for two different key inputs result in *different labels*, i.e., two equal images suggesting different labels. Consequently, such a behavior enforces a random guess. *Based on this analysis, we can conclude that a learning-resilient locking scheme should be resilient against guessing attacks even before resynthesis, i.e., it should not depend on the changes induced by a synthesis tool.*

Interestingly, the experiment also suggests that EPIC leaks information based on the introduced change, not the location selection. However, for EPIC, the information leakage is straightforward. XOR is inserted for a key bit 0, and XNOR (XOR + inverter) for a key bit 1. This scheme implies that an XOR locality is predicted to be a 1 only if XOR is by chance placed as input to an inverter (similar for XNOR and 0). However, this case does not appear very often.

Moreover, a functionally correct learning-resilient scheme is revealed when looking at the cases where SnapShot made a false prediction. For example, when two key gates are inserted (by chance) back to back, they form a run of gates, e.g., XOR-XOR for the key 00. In this case, SnapShot is not able to guess whether the key is 00 or 11 as both result in a correct buffering. However, a run of gates can easily be detected and replaced by a single gate, thereby dissolving the learning-resilience.

Another conclusion can be drawn based on the attack complexity. SnapShot (as well as SAIL) can attack each key input individually since the key gates typically exhibit a very local dependency without interacting with other key-driven gates in the netlist. The reason for this is simple; each key gate is driven by a separate key input which does not rely on other key inputs for its correctness. Increasing the complexity of the mutual dependencies among key inputs also increases the difficulty of guessing a correct key bit, since (in theory) multiple key bits must be considered at the same time. A possible mitigation can be found in embedded key-generation units that ensure a highly interdependent key set [18]. However, these units represent an add-on mitigation. Therefore, it is more relevant to look into schemes that are learning-resilient by design. The learning resiliency of key-generation units remains to be evaluated.

**Lessons Learned:** Based on the provided data and analysis, we can conclude that ML-based attacks offer a novel pathway to uncover critical vulnerabilities in logic locking schemes. The SnapShot attack has showcased that it is possible to successfully attack the fundamental security assumption of XOR-based locking, leading to the conclusion that an adversary can make an

educated guess about the key bits based on the inserted key gate types. Evidently, this goes against the assumed security foundation of XOR-based locking. Interestingly, a vast amount of attacks, including the most powerful SAT-based attacks [40], do not rely on this assumption at all, but rather focus on secondary security aspects of locking schemes (e.g., functional corruption for incorrect keys). Challenging the security foundation with machine learning can lead to novel insights for the design of next-generation locking schemes and a new landscape of key-recovery attacks.

## 7 LIMITATIONS AND RESEARCH OPPORTUNITIES

A limitation of prediction-based attacks is the uncertainty of the prediction for each key bit. Even though the key can be retrieved with a high accuracy, it still remains a challenge to determine *which key bits* are correctly predicted. However, the predicted result can be used as a seed for subsequent attacks to further refine the key, as showcased in [8]. Furthermore, a predicted key can be fixed in the design to "remove" the redundant logic with reoptimization. This step can facilitate the process of identifying different components of a larger design through similarity matching (an important step in modern reverse engineering [4]).

The attack flow of SnapShot includes a black box optimization mechanism. Therefore, the flow can be extended for automatic attack exploration using a variety of representations (locality extraction strategies) and ML models for supervised learning. However, due to the nature of the representation (Section 4.2) as well as the existing correlation in data (Section 4.5), neural networks are a suitable tool for this problem.

Furthermore, GSS outlines a new research opportunity; assembling a generic benchmark suite covering a large spectrum of locked netlists. In the long run, this benchmark suite can be utilized for training a model to automatically design learning-resilient schemes. Moreover, an interesting research task is to analyze the impact of the locality size on the prediction accuracy.

Recently, a great variety of more advanced logic locking schemes has been introduced that offer protection even against SAT-based attacks [16, 25, 39]. However, some of these schemes, such as Anti-SAT [38] and CAS-Lock [31], rely on the mentioned XOR/XNOR property to encode the correct user-defined key. Therefore, the evaluation in this work provides insights into a fundamental security issue that even spans across the latest logic locking schemes. Nonetheless, directly attacking these schemes with SnapShot remains part of the future work.

Another potentially suitable deep learning model for attacking logic locking schemes are Graph Neural Networks (GNNs) [5]. These networks perform inference on data that is described in the form of graphs. GNNs have been evaluated on circuit-related problems as well [42]. In particular, GNNs have been used for attack time estimation on logic locking [10]. In this sense, GNNs offer a potentially fruitful research ground in the domain of hardware security. Moreover, it might be possible to transfer existing convolutional neural architectures to this specific classification problem. However, since this problem domain and the used representation are novel, we decided to let the evolution optimize the structure of the CNN for this particular key prediction challenge.

## 8 CONCLUSION

In this work, we presented SnapShot; a novel oracle-less attack on logic locking based on multi-layer perceptrons and convolutional neural networks. The attack is the first of its kind that is able to immediately predict a key value out of a locked netlist using neural networks, without reconstructing the original design. Moreover, the neuroevolutionary approach showcases the agile development of a powerful attack using limited resources. We proposed a flexible representation of netlist subgraphs that can be utilized for ML-based approaches. The attack was evaluated on two realistic attack scenarios, including the previously untested generalized set scenario. SnapShot reports a significant improvement of 10.49 percentage points in key prediction accuracy, thereby achieving an average

accuracy of 82.60%; outperforming the state-of-the-art approach for all evaluated benchmarks. Furthermore, we have shown that CNNs achieve a higher performance compared to standard MLPs. Finally, we analyzed the critical vulnerabilities of logic locking that enable ML-based attacks. As a limitation, in its current format, the applicability of SnapShot to novel schemes which do not rely on XOR/XNOR gates remains to be evaluated. With SnapShot, we encourage more research on exploring the challenges of logic locking design in the deep learning era. Based on the presented insights, in future work, we plan to investigate the design of learning-resilient locking schemes.

## REFERENCES

- [1] A. Alaqi, D. Forte, and S. Bhunia. 2019. Sweep to the Secret: A Constant Propagation Attack on Logic Locking. In *2019 AsianHOST*. 1–6.
- [2] Leandro M. Almeida and Teresa B. Ludermir. 2008. An Evolutionary Approach for Tuning Artificial Neural Network Parameters. In *HAIS*, Emilio Corchado, Ajith Abraham, and Witold Pedrycz (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 156–163.
- [3] Sarah Amir, Bicky Shakya, Domenic Forte, Mark Tehranipoor, and Swarup Bhunia. 2017. Comparative Analysis of Hardware Obfuscation for IP Protection. In *Proceedings of GLSVLSI ’17*. ACM, New York, NY, USA, 363–368. <https://doi.org/10.1145/3060403.3060495>
- [4] Johanna Baehr, Alessandro Bernardini, Georg Sigl, and Ulf Schlichtmann. 2019. Machine Learning and Structural Characteristics for Reverse Engineering. In *Proceedings of the 24th ASPDAC ’19*. ACM, New York, NY, USA, 96–103. <https://doi.org/10.1145/3287624.3288740>
- [5] Peter W Battaglia, Jessica B Hamrick, Victor Bapst, Alvaro Sanchez-Gonzalez, Vinicius Zambaldi, Mateusz Malinowski, Andrea Tacchetti, David Raposo, Adam Santoro, Ryan Faulkner, et al. 2018. Relational Inductive Biases, Deep Learning, and Graph Networks. *arXiv preprint arXiv:1806.01261* (2018).
- [6] F. Brglez, D. Bryan, and K. Kozminski. 1989. Combinational Profiles of Sequential Benchmark Circuits. In *IEEE ISCAS*. 1929–1934 vol.3. <https://doi.org/10.1109/ISCAS.1989.100747>
- [7] P. Chakraborty, J. Cruz, and S. Bhunia. 2018. SAIL: Machine Learning Guided Structural Analysis Attack on Hardware Obfuscation. In *2018 AsianHOST*. 56–61. <https://doi.org/10.1109/AsianHOST.2018.8607163>
- [8] P. Chakraborty, J. Cruz, and S. Bhunia. 2019. SURF: Joint Structural Functional Attack on Logic Locking. In *2019 IEEE HOST*. 181–190. <https://doi.org/10.1109/HST.2019.8741028>
- [9] H. Chen, C. Fu, J. Zhao, and F. Koushanfar. 2019. GenUnlock: An Automated Genetic Algorithm Framework for Unlocking Logic Encryption. In *2019 IEEE/ACM ICCAD*. 1–8.
- [10] Z. Chen, G. Kolhe, S. Rafatirad, C. Lu, S. Manoj P.D., H. Homayoun, and L. Zhao. 2020. Estimating the Circuit De-obfuscation Runtime based on Graph Deep Learning. In *2020 DATE*. 358–363.
- [11] F. Corno, M. S. Reorda, and G. Squillero. 2000. RT-level ITC’99 Benchmarks and First ATPG Results. *IEEE Design Test of Computers* 17, 3 (2000), 44–53.
- [12] A. E. Eiben and James E. Smith. 2015. *Introduction to Evolutionary Computing* (2nd ed.). Springer Publishing Company, Incorporated.
- [13] Thomas Elsken, Jan Hendrik Metzen, and Frank Hutter. 2018. Neural architecture search: A survey. *arXiv preprint arXiv:1808.05377* (2018).
- [14] Xin He, Kaiyong Zhao, and Xiaowen Chu. 2020. AutoML: A Survey of the State-of-the-Art. *arXiv:cs.LG/1908.00709*
- [15] Ayush Jain, Ziqi Zhou, and Ujjwal Guin. 2019. TAAL: Tampering Attack on Any Key-based Logic Locked Circuits. *arXiv:cs.CR/1909.07426*
- [16] H. M. Kamali, K. Z. Azar, H. Homayoun, and A. Sasan. 2019. Full-Lock: Hard Distributions of SAT instances for Obfuscating Circuits using Fully Configurable Logic and Routing Blocks. In *2019 56th ACM/IEEE DAC*. 1–6.
- [17] R. Karmakar and S. Chattopadhyay. 2020. A Particle Swarm Optimization Guided Approximate Key Search Attack on Logic Locking in The Absence of Scan Access. In *2020 DATE*. 448–453.
- [18] R. Karmakar, S. Chattopadhyay, and R. Kapur. 2017. Enhancing Security of Logic Encryption Using Embedded Key Generation Unit. In *2017 ITC-Asia*. 131–136. <https://doi.org/10.1109/ITC-ASIA.2017.8097127>
- [19] S. Khan, H. Rahmani, S. A. A. Shah, M. Bennamoun, G. Medioni, and S. Dickinson. 2018. *A Guide to Convolutional Neural Networks for Computer Vision*.
- [20] Yann LeCun and Yoshua Bengio. 1998. The Handbook of Brain Theory and Neural Networks. MIT Press, Chapter Convolutional Networks for Images, Speech, and Time Series, 255–258.
- [21] Jeremy Lee, Mohammad Tehranipoor, and Jim Plusquellic. 2006. A Low-Cost Solution for Protecting IPs Against Scan-Based Side-Channel Attacks. In *VTS ’06*. IEEE Computer Society, USA, 94–99. <https://doi.org/10.1109/VTS.2006.7>

- [22] L. Li and A. Orailoglu. 2019. Piercing Logic Locking Keys through Redundancy Identification. In *2019 DATE*. 540–545. <https://doi.org/10.23919/DATE.2019.8714955>
- [23] L. Li and A. Orailoglu. 2019. Shielding Logic Locking from Redundancy Attacks. In *2019 VTS*. 1–6. <https://doi.org/10.1109/VTS.2019.8758671>
- [24] Zewen Li, Wenjie Yang, Shouheng Peng, and Fan Liu. 2020. A Survey of Convolutional Neural Networks: Analysis, Applications, and Prospects. *arXiv:arXiv:2004.02806*
- [25] Y. Liu, M. Zuzak, Y. Xie, A. Chakraborty, and A. Srivastava. 2020. Strong Anti-SAT: Secure and Effective Logic Locking. In *2020 ISQED*. 199–205.
- [26] Mohamed El Massad, Jun Zhang, Siddharth Garg, and Mahesh V. Tripunitara. 2017. Logic Locking for Secure Outsourced Chip Fabrication: A New Attack and Provably Secure Defense Mechanism. *CoRR abs/1703.10187* (2017). *arXiv:1703.10187*
- [27] Mir Tanjidur Rahman, Shahin Tajik, M. Sazadur Rahman, Mark Tehranipoor, and Navid Asadizanjani. 2019. The Key is Left under the Mat: On the Inappropriate Security Assumption of Logic Locking Schemes. *Cryptology ePrint Archive, Report 2019/719*. <https://eprint.iacr.org/2019/719>.
- [28] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri. 2012. Security Analysis of Logic Obfuscation. In *DAC 2012*. 83–89. <https://doi.org/10.1145/2228360.2228377>
- [29] M. Rostami, F. Koushanfar, and R. Karri. 2014. A Primer on Hardware Security: Models, Methods, and Metrics. *Proc. IEEE* 102, 8 (Aug 2014), 1283–1295.
- [30] J. A. Roy, F. Koushanfar, and I. L. Markov. 2008. EPIC: Ending Piracy of Integrated Circuits. In *2008 DATE*. 1069–1074. <https://doi.org/10.1109/DAT.2008.4484823>
- [31] Bicky Shakya, Xiaolin Xu, Mark Tehranipoor, and Domenic Forte. 2019. CAS-Lock: A Security-Corruptibility Trade-off Resilient Logic Locking Scheme. *TCHES* 2020, 1 (Nov. 2019), 175–202. <https://doi.org/10.13154/tches.v2020.i1.175-202>
- [32] Karen Simonyan and Andrew Zisserman. 2015. Very Deep Convolutional Networks for Large-Scale Image Recognition. In *ICLR 2015, San Diego, CA, USA, May 7-9, 2015, Conference Track Proceedings*, Yoshua Bengio and Yann LeCun (Eds.). <http://arxiv.org/abs/1409.1556>
- [33] P. Subramanyan, S. Ray, and S. Malik. 2015. Evaluating the Security of Logic Encryption Algorithms. In *2015 HOST*. 137–143. <https://doi.org/10.1109/HST.2015.7140252>
- [34] Christian Szegedy, Sergey Ioffe, Vincent Vanhoucke, and Alexander A. Alemi. 2017. Inception-v4, Inception-ResNet and the Impact of Residual Connections on Learning. In *AAAI 2017*. AAAI Press, 4278–4284.
- [35] Fatemeh Tehranipoor, Nima Karimian, Mehran Mozaffari Kermani, and Hamid Mahmoodi. 2019. Deep RNN-Oriented Paradigm Shift through BOCANet: Broken Obfuscated Circuit Attack. In *GLSVLSI ’19*. ACM, New York, NY, USA, 335–338. <https://doi.org/10.1145/3299874.3318031>
- [36] Dominik Šišejković, Farhad Merchant, Lennart M. Reimann, Rainer Leupers, Massimiliano Giacometti, and Sascha Kegreiß. 2020. A Secure Hardware-Software Solution Based on RISC-V, Logic Locking and Microkernel. In *SCOPES ’20*. ACM, New York, NY, USA, 62–65. <https://doi.org/10.1145/3378678.3391886>
- [37] K. Xiao, D. Forte, Y. Jin, R. Karri, S. Bhunia, and M. Tehranipoor. 2016. Hardware Trojans: Lessons Learned after One Decade of Research. *ACM Trans. Des. Autom. Electron. Syst.* 22, 1, Article 6 (May 2016), 23 pages. <https://doi.org/10.1145/2906147>
- [38] Y. Xie and A. Srivastava. 2017. Anti-SAT: Mitigating SAT Attack on Logic Locking. *Cryptology ePrint Archive, Report 2017/761*. <http://eprint.iacr.org/2017/761>.
- [39] M. Yasin and O. Sinanoglu. 2017. Evolution of Logic Locking. In *2017 IFIP/IEEE VLSI-SoC*. 1–6. <https://doi.org/10.1109/VLSI-SoC.2017.8203496>
- [40] Kimia Zamiri Azar, Hadi Mardani Kamali, Houman Homayoun, and Avesta Sasan. 2019. Threats on Logic Locking: A Decade Later. In *GLSVLSI ’19*. ACM, New York, NY, USA, 471–476. <https://doi.org/10.1145/3299874.3319495>
- [41] F. Zaruba and L. Benini. 2019. The Cost of Application-Class Processing: Energy and Performance Analysis of a Linux-Ready 1.7-GHz 64-Bit RISC-V Core in 22-nm FDSOI Technology. *IEEE Transactions on Very Large Scale Integration (VLSI) Systems* 27, 11 (Nov 2019), 2629–2640. <https://doi.org/10.1109/TVLSI.2019.2926114>
- [42] Guo Zhang, Hao He, and Dina Katabi. 2019. Circuit-GNN: Graph Neural Networks for Distributed Circuit Design (*Proceedings of Machine Learning Research*), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.), Vol. 97. PMLR, Long Beach, California, USA, 7364–7373. <http://proceedings.mlr.press/v97/zhang19e.html>
- [43] Yuqiao Zhang, Pinchen Cui, Ziqi Zhou, and Ujjwal Guin. 2019. TGA: An Oracle-Less and Topology-Guided Attack on Logic Locking. In *ASHES 2019*. ACM, New York, NY, USA, 75–83. <https://doi.org/10.1145/3338508.3359576>