

# Functional Analysis Attacks on Logic Locking

Deepak Sironi and Pramod Subramanyan<sup>ID</sup>

**Abstract**—Logic locking refers to a set of techniques that can protect integrated circuits (ICs) from counterfeiting, piracy and malicious functionality changes by an untrusted foundry. It achieves these goals by introducing new inputs, called key inputs, and additional logic to an IC such that the circuit produces the correct output only when the key inputs are set to specific values. The correct values of the key inputs are kept secret from the untrusted foundry and programmed after manufacturing and before distribution, thus rendering piracy, counterfeiting and malicious design changes infeasible. The security of logic locking relies on the assumption that the untrusted foundry cannot infer the correct values of the key inputs by analysis of the circuit. In this paper, we introduce a new attack on state-of-the-art logic locking schemes which invalidates the above assumption. We propose Functional Analysis attacks on Logic Locking algorithms (abbreviated as **FALL** attacks). **FALL** attacks have two stages. Their first stage is dependent on the locking algorithm and involves analyzing structural and functional properties of locked circuits to identify a list of potential locking keys. The second stage is algorithm agnostic and introduces a powerful addition to SAT-based attacks called *key confirmation*. Key confirmation can identify the correct key from a list of alternatives and works even on circuits that are resilient to the SAT attack. In comparison to past work, the **FALL** attack is more practical as it can often succeed (90% of successful attempts in our experiments) by only analyzing the locked netlist, *without requiring oracle access to an unlocked circuit*. Our experimental evaluation shows that **FALL** attacks are able to defeat 65 out of 80 (81%) circuits locked using Stripped-Functionality Logic Locking (**SFLL-HD**).

**Index Terms**—Hardware, security, logic locking, integrated circuit (IC) counterfeiting, overproduction.

## I. INTRODUCTION

**G**LOBALIZATION and concomitant de-verticalization of the semiconductor supply chain have resulted in IC design houses becoming increasingly reliant on potentially untrustworthy offshore foundries. This reliance has raised concerns of integrated circuit (IC) piracy, unauthorized overproduction, and malicious design modifications by adversarial entities that may be part of these contract foundries [10], [14], [31]. These issues have both financial [12] and national security implications [22].

Manuscript received July 18, 2019; revised December 17, 2019 and January 10, 2020; accepted January 11, 2020. Date of publication January 20, 2020; date of current version February 6, 2020. This work was supported in part by the Science and Engineering Research Board, a unit of the Department of Science and Technology, Government of India. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Georg Sigl. (*Corresponding author: Pramod Subramanyan*)

Deepak Sironi was with the Indian Institute of Technology Kanpur, Kanpur 208016, India. He is now with the Department of Computer Sciences, University of Wisconsin–Madison, Madison, WI 53706 USA (e-mail: dsironi@cs.wisc.edu).

Pramod Subramanyan is with the Department of Computer Science and Engineering, Indian Institute of Technology Kanpur, Kanpur 208016, India (e-mail: spramod@cse.iitk.ac.in).

Digital Object Identifier 10.1109/TIFS.2020.2968183

A potential solution to these problems is logic locking [3], [6], [11], [17], [18]: a set of techniques that introduce additional logic and new inputs to a digital circuit in order to create a “locked” version of it. The locked circuit operates correctly if and only if the new inputs, referred to as key inputs, are set to the right values. Typically, key inputs are connected to a tamper-proof memory and the circuit is activated by the design house by programming the correct key values in the tamper-proof memory *after* manufacturing and prior to sale. The security assumption underlying logic locking is that the *adversary (untrusted foundry) does not know the correct values of the key inputs and cannot compute them*.

Initial proposals for logic locking did not satisfy this assumption and were vulnerable to attack [15], [16], [25], [36], [39]. For example, Rajendran *et al.* [16] used automatic test pattern generation (ATPG) tools to compute input values that would allow an adversary to reveal the values of key bits. Subramanyan *et al.* [25] developed the SAT attack which defeated all known logic encryption techniques at the time. The SAT attack works by using a Boolean SATisifiability solver to iteratively find inputs that distinguish between equivalence classes of keys. For each such input, an activated IC (perhaps purchased from the market by the adversary) is queried for the correct output and this information is fed back to the SAT solver when computing the next distinguishing input. The practicality of this attack depends on the number of equivalence classes of keys present in the locked circuit.

Much subsequent work has focused on SAT attack resilient logic locking [32], [33], [37], [40], [41]. These proposals attempt to guarantee that the number of equivalence classes of keys is exponential in the key length. Broadly speaking, they have two components. One sub-circuit “flips” the output of the original circuit for a particular cube or set of cubes. The cube stripping unit is independent of the key inputs but is dependent on the *correct key input values*. We refer to this component as the *cube stripping unit*. This flipped output is then inverted by a key-dependent circuit that we refer to as the *programmable functionality restoration unit*. This latter circuit is guaranteed to have an exponential number of equivalence classes of keys and ensures SAT attack resilience. Initial proposals along these lines were Anti-SAT [32], [33] and SARLock [37]. However, Anti-SAT was vulnerable to the signal probability skew (SPS) [37] attack while SARLock was vulnerable to the Double DIP [21] attack and the Approximate SAT [20] attack. Both schemes are vulnerable to removal and bypass attacks [34], [38]. Subsequently, Yasin *et al.* proposed TTLock [41] and Stripped-Functionality Logic Locking (**SFLL**) [19], [40]. SFLL was the only family of logic locking techniques resilient to all known attacks at the time of submission of our conference paper [24].

In this paper, we introduce a novel class of Functional Analysis attacks on Logic Locking (abbreviated as FALL attacks). FALL attacks defeat TTLock and the SFLL-HD<sup>h</sup> variant of SFLL. Our approach uses structural and functional analyses of circuit nodes to first identify the gates that are the output of the cube stripping module in order to determine the locking key. There are two challenges involved in this.

First, the locked netlist is a sea of gates, and it is unclear which of these is the gate being searched for. Examining every gate using computationally expensive functional analyses is not feasible. Testing whether a gate is equivalent to the cube stripping function for some key value involves solving a quantified Boolean formula (QBF). QBF is PSPACE-complete [2] in comparison to SAT which is “only” NP-complete [9]. Therefore, the naïve approach of examining every gate does not even scale to small netlists. We tackle these problems by the development of a set of structural and functional properties of the cube stripping function used in SFLL-HD<sup>h</sup> and use SAT-based analyses to find nodes with these properties. The second challenge is determining the key given the output of cube stripping unit. Here too, we develop SAT-based analyses to extract potential locking keys from a given circuit node.

In about 90% of successful attempts in our experiments, the first stage of the attack shortlists exactly one potential key. In such cases, the FALL attack *does not require input/output (I/O) oracle access* to an unlocked circuit. Any malicious foundry who can reconstruct gate-level structures from the masks can use FALL without setting up logic analyzers, loading the scan chain, etc. This suggests that attacking logic locking may be much easier than previously believed.

In a few cases, more than one key may be shortlisted. To address this problem, we introduce a novel SAT-based key confirmation algorithm. Given a list of suspected key values and I/O oracle access, key confirmation can be used to find which one (or none) of these suspected key values is correct. This has important implications as key confirmation can be used in isolation with *arbitrary analysis techniques and for arbitrary locking techniques and not just the analyses developed for SFLL-HD<sup>h</sup>/TTLock in this paper*. An attacker need only guess a key value through some circuit analysis and key confirmation can be used to verify this guess. For instance, recent work has introduced the SURF attack [5] which uses machine learning (ML) techniques to guess the key input values. While these techniques can determine a likely key, they cannot *guarantee* correctness. This is where key confirmation comes in: it can prove/disprove a high-probability guess. Key confirmation succeeds on circuits resilient to the SAT attack and provides a new pathway for the use of powerful Boolean reasoning engines in logic locking attacks.

We present a thorough experimental analysis of the FALL attack. Our evaluation shows that FALL attacks succeed on 65 out of 80 benchmark circuits (81%) in our evaluation. Among these 65, the functional analysis shortlists exactly one key for 58 circuits (90% of successful attempts), supporting our claim that Oracle-less attacks are indeed practical. We show experimentally that the key confirmation attack succeeds

on all the circuits we examine and is orders of magnitude faster than the SAT attack [25].

### A. Contributions

This paper makes the following contributions.

- We present functional analysis attacks on logic locking which use structural and functional analyses to defeat SFLL-HD<sup>h</sup> and TTLock.
- We present an important improvement to the SAT attack called key confirmation that enables the combination of key value hints gathered from structural/functional analyses with the SAT-based analyses. Key confirmation allows the SAT attack to succeed even against SAT-resilient logic locking and applies to all combinational logic locking schemes.
- We present a thorough evaluation of FALL attacks and key confirmation on set of over 80 benchmarks circuits locked using SFLL-HD<sup>h</sup> and TTLock. Our attacks defeat 65 (81%) of these circuits.

*Conference Publication:* This paper is based on a conference publication in DATE 2019 [24]. This journal paper introduces the following novel contributions: (i) the key confirmation attack that extends the SAT attacks to target so called “SAT-resilient” attack schemes (§ VI), and (ii) proofs for the FALL lemmas and the correctness of key confirmation, and (iii) a working example of locking using SFLL and TTLock (§ III-B) and FALL attacks on this example (interspersed with the text in § IV and § V), and (iv) an experimental evaluation of the key confirmation attack (§ VII-C).

## II. BACKGROUND AND NOTATION

This section provides the background and notation used in the rest of this paper.

### A. Notation

Let  $\mathbb{B} = \{0, 1\}$  be the Boolean domain. A combinational circuit is modeled as a directed acyclic graph (DAG)  $G = (V, E)$ . Nodes in the graph correspond to logic gates, input nodes. Some input nodes and logic gates may also be outputs. Edge  $(v_1, v_2) \in E$  if  $v_2$  is a fanin (input) of the gate  $v_1$ .

Given a node  $v \in V$ , define  $\text{fanins}(v) = \{v' \mid (v, v') \in E\}$ .  $\#\text{fanins}(v)$  is the cardinality of  $\text{fanins}(v)$ . For  $v \in V$  such that  $\#\text{fanins}(v) = k$ ,  $\text{nodefn}_v$  is the  $k$ -ary Boolean function associated with the node;  $\text{nodefn}_v : V \rightarrow (\mathbb{B}^k \rightarrow \mathbb{B})$ . For example, if  $v_1$  is a 2-input AND gate,  $\text{nodefn}_{v_1} = \lambda ab. a \wedge b$ . For input nodes,  $\text{nodefn}_v$  is an uninterpreted 0-ary Boolean function (or equivalently, a propositional variable). The circuit function of node  $v$ , denoted  $\text{cktfn}_v$  is defined recursively as:  $\text{cktfn}_v = \text{nodefn}_v(\text{cktfn}_{v_1}, \dots, \text{cktfn}_{v_n})$  where  $v_i \in \text{fanins}(v)$ . The transitive fanin cone of a node  $v$ , denoted  $\text{TFC}(v)$ , is the set of all nodes  $v_j$  such that  $(v, v_j) \in E$  or there exists some  $v_i \in V$  such that  $(v_i, v_j) \in E$  and  $v_i \in \text{TFC}(v)$ . The support of a node, denoted by  $\text{Supp}(v)$ , is the set of all nodes  $v_j$  such that  $v_j \in \text{TFC}(v)$  and  $\#\text{fanins}(v_j) = 0$ .

The notation  $\langle x_1, x_2, \dots, x_m \rangle$  refers to the  $m$ -tuple consisting of  $x_1, \dots, x_m$ . We will write tuples of variables in upper case; e.g.  $X$ ,  $Y$  and  $K$ . For example  $X = \langle x_1, x_2, \dots, x_m \rangle$ .

We will use italics:  $x_1, x_2, k_1, k_2$ , etc. to refer to variables. Constant values are shown in fixed width:  $X, K, x_1, k_1$ , etc.

The notation  $a \wedge b$  refers to the conjunction (AND) of  $a$  and  $b$ ,  $a \vee b$  refers to their disjunction (OR),  $a \oplus b$  refers to their exclusive or (XOR), and  $\neg a$  refers to logical negation (NOT). A literal is either a variable (e.g.,  $a$ ) or its negation (e.g.,  $\neg a$ ). A conjunction of literals (e.g.,  $a \wedge \neg b \wedge c$ ) is called a *cube*.

### B. Representing Circuits and Sets in SAT Solvers

In a locked netlist, some input nodes are key inputs while the remaining are circuit inputs. We will represent the tuple of key inputs by  $K$ , and the tuple of circuit inputs by  $X$ . The set of outputs of circuit is  $Y$ . Define the Boolean function  $isKey(v)$  s.t.  $isKey(v) = 1$  iff node  $v \in K$ ; in other words,  $isKey(v)$  is the characteristic function of  $K$ .

When using SAT solvers to reason about circuit behavior, we will represent the functional behavior of the circuit via the characteristic function of its input/output relation: the Boolean function  $C(X, K, Y)$  will be satisfiable iff the circuit input values  $X$ , and key input values  $K$  result in the output value  $Y$ . The characteristic function is typically computed using the Tseitin transformation [30] which introduces new variables but we will ignore this detail in the interest of simplicity.

The key confirmation attack needs an I/O oracle for an activated circuit. This is modelled as a Boolean function  $oracle : \mathbb{B}^m \rightarrow \mathbb{B}^n$  where  $m$  and  $n$  are the number of circuit inputs and outputs respectively.  $oracle(X)$  is the output value of the activated circuit for the input value  $X$ .

Similarly, in order to represent sets of Boolean values in SAT solvers, we will use the indicator function of the set. Suppose we have the following set of values for the key inputs:  $K_{set} = \{(1, 0, 1, 1), (1, 0, 0, 1), (0, 1, 1, 0), (0, 0, 1, 0)\}$ . This set can be represented by the formula  $\varphi(k_1, k_2, k_3, k_4) \doteq (k_1 \wedge \neg k_2 \wedge k_4) \vee (\neg k_1 \wedge k_3 \wedge \neg k_4)$ . Note that function  $\varphi$  has output 1 exactly for the members of the set  $K_{set}$ .

### C. Useful Properties of Boolean Functions

We will use the following properties of Boolean functions in the functional analyses of SFLL and TTLock.

*Hamming Distance:* Given two bit vectors  $X^1 = \langle x_1^1, \dots, x_m^1 \rangle$  and  $X^2 = \langle x_1^2, \dots, x_m^2 \rangle$ , define  $HD(X^1, X^2) \doteq \sum_{i=1}^m (x_i^1 \oplus x_i^2)$  to be their Hamming distance.

*Unateness:* A Boolean function  $f$  is said to be positive (resp. negative) unate in the variable  $x$  if changing  $x$  from 0 to 1 while keeping all the other variables the same, never changes the output of the function  $f$  from 1 to 0 (resp. 0 to 1).

Formally, we say that a Boolean function  $f(x_1, \dots, x_m) : \mathbb{B}^m \rightarrow \mathbb{B}$  is positive unate in the variable  $x_i$  if  $f(x_1, \dots, x_{i-1}, 0, x_{i+1}, \dots) \leq f(x_1, \dots, x_{i-1}, 1, x_{i+1}, \dots)$ . We say that  $f$  is negative unate in the variable  $x_i$  if  $f(x_1, \dots, x_{i-1}, 1, x_{i+1}, \dots) \leq f(x_1, \dots, x_{i-1}, 0, x_{i+1}, \dots)$ . Function  $f$  is said to be unate in  $x_i$  if it is either positive or negative unate in  $x_i$ .<sup>1</sup> Intuitively, unateness is a monotonicity property which states that the function monotonically increases/decreases along with a specific variable  $x$ .

<sup>1</sup> $a \leq b$  is defined as  $\neg a \vee b$ .



Fig. 1. Overview of SAT attack resilient locking algorithms like TTLock and SFLL-HD<sup>h</sup>. We show a single output circuit for simplicity, additional outputs are handled symmetrically.

In § V, we will show that the cube stripping function of TTLock has the property of unateness and that this property can be exploited to extract the protected cube.

### D. A Model of SFLL and TTLock

Figure 1 shows the structure of SFLL-HD<sup>h</sup> and TTLock. As described in the previous section, the locking scheme consists of three components. The first is the original circuit which is shown as the blue triangle. The second is the cube stripper, which is shown as the red rectangle. The output of the cube stripper is XOR'd with the output of the original. This means that the original circuit produces the “wrong” output for all inputs which result in a high output from the cube stripper. The blue rectangle near the bottom of the figure shows the functionality restoration unit.

The circuit inputs are represented by the tuple  $X = \langle x_1, \dots, x_m \rangle$ . The key inputs are represented by the tuple  $K = \langle k_1, \dots, k_m \rangle$ . The output of the cube stripper is the Boolean function  $strip_h(K_c)(X)$ . Here  $K_c$  is the protected cube and is a *fixed bit-vector value* while  $X$  is the tuple of input variables. We exploit the insight that a general implementation of SFLL must leave structural traces of the value of  $K_c$  in the netlist and our analyses provide algorithms to infer this value for TTLock and SFLL-HD<sup>h</sup>. We note that there are other variants of SFLL, e.g. SFLL-fault [19]. Extending the analyses to these variants is not in the scope of this paper.

## III. ATTACK OVERVIEW

This section first describes the adversary model for the FAL attack. It then provides an overview of the attack itself.

### A. Adversary Model

The adversary is assumed to be a malicious foundry with layout and mask information. The gate level netlist can be reverse engineered from this [29]. The adversary knows the locking algorithm and its parameters (e.g.,  $h$  in SFLL-HD<sup>h</sup>). We follow [16], [25], [40] etc. and assume the adversary can distinguish between key inputs and circuit inputs, and restrict our attention to combinational circuits. Sequential circuits can be viewed as combinational by treating flip-flop inputs and outputs as combinational outputs and inputs respectively. We assume the adversary *may* have access to an activated circuit through which they can observe the output for a specific input.

If parameter  $h$  in SFLL-HD <sup>$h$</sup>  is not known, then one can sweep values of  $h$ . This may lead to some incorrect key values being inferred for the wrong values of  $h$ , but these can be eliminated by the key confirmation attack (see § VI). Distinguishing key inputs from circuit inputs is easily done by examining which inputs are connected to I/O pads/flip-flops and which are connected to tamper-proof memory.

### B. Overview of TTLock and SFLL

Figure 2a shows a simple circuit that computes the Boolean function  $y = (a \wedge b) \vee (b \wedge c) \vee (c \wedge a) \vee d$ . This circuit is locked using the TTLock algorithm [41] and the resulting circuit is shown in Figure 2b. The same circuit locked using the SFLL-HD <sup>$h$</sup>  algorithm is shown in Figure 2b. This section provides an overview of the locking algorithms, the challenges in attacking them and the vulnerabilities in the algorithm that are exploited by FALL attacks.

1) *Overview of TTLock:* The locked circuit shown in Figure 2b has two components: (i) a functionality-stripped circuit shown in the dashed blue box, and (ii) the functionality restoration unit shown in the dashed cyan box.

Let us first consider the functionality-stripped circuit. The two new additions to the circuit in comparison to Figure 2a are the two gates shown in red. What is the impact of the gate labelled  $F$ ? The output of this gate is high only when  $a \wedge \neg b \wedge \neg c \wedge d = 1$ , or equivalently when  $a = d = 1$  and  $b = c = 0$ . In the SFLL/TTLock terminology, the product term  $a \wedge \neg b \wedge \neg c \wedge d$  is called a protected cube. Notice the functionality-stripped circuit's output differs from the original circuit (in Figure 2a) for exactly this cube.

Now let us turn our attention to the functionality restoration unit. This circuit compares the values of inputs  $a, b, c$  and  $d$  with the key inputs  $k_1, k_2, k_3$  and  $k_4$  respectively. If  $a = k_1, b = k_2, c = k_3$  and  $d = k_4$ , then the functionality restoration unit flips the output of the functionality-stripped circuit. What is the purpose of the functionality restoration unit? If the key inputs  $k_1, k_2, k_3$  and  $k_4$  are set to the same value as the protected cube, that is if  $k_1 = k_4 = 1$  and  $k_2 = k_3 = 0$ , then output  $y$  of the locked circuit in Figure 2b is identical to the output of the original circuit in Figure 2a. In other words, the circuit only produces the correct output when the keys are set to the protected cube.

2) *Overview of SFLL-HD <sup>$h$</sup> :* Notice that Figure 2c is very similar to Figure 2b except for the nodes  $F$  and  $G$ . Node  $F$  implements the following function.

$$\begin{aligned} F(a, b, c, d) \doteq & (\neg a \wedge \neg b \wedge \neg c \wedge d) \vee (a \wedge b \wedge \neg c \wedge d) \\ & \vee (a \wedge \neg b \wedge c \wedge d) \vee (a \wedge \neg b \wedge \neg c \wedge \neg d) \end{aligned} \quad (1)$$

The output of the function  $F(a, b, c, d)$  is 1 for all cubes that Hamming distance 1 from the protected cube  $a \wedge \neg b \wedge \neg c \wedge d$ . This value 1 corresponds to the parameter  $h$  in SFLL-HD <sup>$h$</sup>  and is the crucial difference between SFLL-HD and TTLock. In TTLock, the functionality-stripped circuit's output differs from the original circuit for exactly one cube. In contrast, the functionality-stripped circuit's output differs from the protected cube for all inputs that are Hamming distance  $h$  from



(a) Original circuit.



(b) Circuit locked using TTLock. The protected cube is  $a \wedge \neg b \wedge \neg c \wedge d$ .



(c) Circuit locked using SFLL-HD<sup>1</sup>. All cubes exactly Hamming distance 1 from the protected cube  $a \wedge \neg b \wedge \neg c \wedge d$  are flipped by the functionality-stripped circuit.

Fig. 2. Example circuit locked with TTLock and SFLL-HD<sup>1</sup>.

the protected cube in SFLL-HD <sup>$h$</sup> . As a result, SFLL-HD <sup>$h$</sup>  can cause exponentially more output corruption than TTLock.

The functionality restoration unit in SFLL-HD <sup>$h$</sup>  is analogously changed.



Fig. 3. Optimized version of the circuit shown in Figure 2b. Since ABC uses the AND-Inverter-Graph (AIG) representation, each node in this circuit is a AND gate. Dotted edges represent inverted inputs while solid edges represent non-inverted inputs. Upward facing triangles are inputs and the downward facing triangle is the output.

Node  $G$  implements the following function.

$$\begin{aligned} G(p, q, r, s) \doteq & \neg((p \vee q \vee r) \wedge (p \vee r \vee s) \\ & \wedge (p \vee q \vee s) \wedge (q \vee r \vee s)) \quad (2) \end{aligned}$$

It flips the output of the functionality-stripped circuit for all cubes that are Hamming distance 1 from the values of the key inputs.

If the key inputs are equal to the protected cube, then the original functionality of the circuit is restored because the functionality restoration unit “un-does” the corruption introduced by the functionality-stripped circuit.

### C. Overview of Attacking TTLock and SFLL-HD<sup>h</sup>

Observe that the protected cube must be hard-coded into the circuit in both Figures 2b and 2c. For instance, if the protected cube (and hence correct key) were to be changed from  $(k_1, k_2, k_3, k_4) = (1, 0, 0, 1)$  to  $(1, 1, 1, 1)$ , the locked circuit would need to change as well: the inputs to the gate  $F$  would not have any inverters (negation bubbles). *Therefore, structural and functional analyses of the circuit could potentially leak the correct key and this is the key insight we use in this paper.*

Specifically, if the adversary could identify the NAND gate  $F$  and the comparators (XOR gates) labelled  $c_1, c_2, c_3$  and  $c_4$ , it would be easy to figure out what the protected cube is and set the key inputs appropriately. The catch is that finding these gates is difficult due to synthesis-time optimizations. Figure 3 shows the same circuit as Figure 2b but after it has been processed using ABC’s [13] structural hashing (strash) command. We see that it is not at all obvious which node in Figure 3 is equivalent to the gate  $F$  in Figure 2b and which nodes are equivalent to the four comparators. This is despite the fact that we have both the unlocked and unoptimized circuits available to us. An attacker would not have this information, so it would be harder to find the gate.

*Overview of Attack Stages:* We now provide a high-level overview of the FALL attack. Figure 4 shows the main stages of the FALL attack. The first two stages use structural analyses



Fig. 4. Attack algorithm overview.

to identify candidate gates that may be the output of a cube stripping module. These are described in Section IV. The next two stages subject these candidate nodes to functional analyses to identify suspected key values. Algorithms for functional analysis exploit unateness and Hamming distance properties of the cube stripping functions used in SFLL and are described in Section V. Given a shortlist of suspected key values, the final stage verifies whether one of these key values is correct using the key confirmation algorithm described in Section VI. This stage need not be carried out if only one key was identified by the functional analyses or if the adversary does not have oracle access to an activated circuit.

## IV. STRUCTURAL ANALYSES

This section describes structural analyses to identify nodes that may be the output of the cube stripping unit.

### A. Comparator Identification

The first step in systematically attacking TTLock and SFLL is to identify the comparators (XOR gates) – gates  $c_1, c_2, c_3$  and  $c_4$  – in Figures 2b and 2c. Identifying these gates is helpful because it gives the pairing between the key inputs and the circuit inputs. In these example circuits,  $k_1$  is compared with  $a$ ,  $k_2$  with  $b$ ,  $k_3$  with  $c$  and  $k_4$  with  $d$ . If we know that the protected cube is  $a \wedge \neg b \wedge \neg c \wedge d$ , the above pairing lets us deduce that  $(k_1, k_2, k_3, k_4) = (1, 0, 0, 1)$  is the correct key. While finding the comparators is easy in Figure 2a, how do we do it in an optimized netlist like Figure 3? Here, the FALL attack uses structural analysis followed by functional analysis.

- 1) First, we find all nodes in the circuit whose support consists of one key input and one circuit input. Some nodes in Figure 3 which satisfy this criterion are nodes 10, 11, 12, 13, 14 and 15. Examples of nodes which do *not* satisfy this criterion are node 25, which depends on two circuit inputs and node 28 which depends on more than two inputs.
- 2) Second, among the nodes identified in step 1 which satisfy the support criterion, we check using a SAT solver if

their functionality is equivalent to an XOR/XNOR gate. If so the gate is marked as a comparator. In Figure 3 both node 12's and node 13's functionality are equivalent to an XNOR gate but node 10 is not.

Stated precisely, comparator identification is an algorithm that finds all gates in the locked circuit whose circuit function is equivalent to  $(z \oplus x_i) \iff k_i$  for some  $z$ . Here  $x_i$  must be a circuit input,  $k_i$  must be a key input and  $z$  captures whether  $k_i$  is being compared with  $x_i$  or  $\neg x_i$ . The result of comparator identification is the set  $Comp = \{(v_i, x_i, k_i), \dots\}$  where each tuple  $(v_i, x_i, k_i)$  is such that  $Supp(v_i) = \{x_i, k_i\}$ ,  $isKey(x_i) = 0$ ,  $isKey(k_i) = 1$ , and one of the following two formulas is valid: (i)  $cktn_{v_i} \iff x_i \oplus k_i$  and (ii)  $cktn_{v_i} \iff \neg(x_i \oplus k_i)$ .

### B. Support Set Matching

The set of all circuit inputs that appear in the comparators identified by the algorithm described in the previous subsection also tells us the set of circuit inputs appearing in protected cube. This insight can help us shortlist potential circuit nodes corresponding to the protected cube.

In formal notation, the above insight says that all circuit inputs  $x_i$  that appear in  $Comp$  should be the support of the cube stripping unit. Support set matching finds all such nodes. Given the set  $Comp = \{(v_i, x_i, k_i), \dots\}$ , define the projection  $Comp_x$  as  $Comp_x = \{x_i \mid (v_i, x_i, k_i) \in Comp\}$ .  $Cand$  is set of all gates whose support is identical to  $Comp_x$ . This set of gates contains the output of the cube stripping unit.

In Figure 3, nodes 30 and 33 have  $a, b, c$  and  $d$  in their support but not any of the key inputs. Therefore, both nodes are part of  $Comp$ . One of these likely to be the node  $F$  in Figures 2b and 2c, the output of the cube stripping unit.

To identify which of these two nodes is the actual output of the cube stripper, we use Boolean functional analysis. This will be described in the next section.

## V. FUNCTIONAL ANALYSES

This section first develops functional properties of the cube stripping function used in SFLL. It then describes three algorithms that exploit these properties to find the “hidden” key input parameters of the cube stripping unit.

### A. Functional Properties of Cube Stripping

Cube stripping involves the choice of a protected cube, represented by the tuple  $K_c = \langle k_1, \dots, k_m \rangle$  where  $m = |Comp|$  and  $k_i \in \mathbb{B}$ . The stripping function  $strip(K_c) : \mathbb{B}^m \rightarrow (\mathbb{B}^m \rightarrow \mathbb{B})$  is parameterized by this protected cube. The output of the functionality stripped circuit (the dashed box in Figure 1) is inverted for the input  $X = \langle x_1, \dots, x_m \rangle$  when  $strip(K_c)(X) = 1$ . For a given locked circuit and associated key value, the value of  $K_c$  is “hard-coded” into the implementation of  $strip$ , which is why we typeset  $K_c$  in a fixed width font. The attacker’s goal is to learn this value of  $K_c$ .

In this paper we study functional properties of the following cube stripping function:  $strip_h(K_c)(X) \doteq HD(K_c, X) = h$ .  $strip_h$  flips the output for all input patterns exactly Hamming

distance  $h$  from the protected cube  $\langle k_1, \dots, k_m \rangle$ . This is the cube stripping function for SFLL-HD $^h$  and the special case of  $h = 0$  corresponds to the cube stripping function for TTLock. This function has three specific properties that can be exploited to determine the value of  $K_c$ .

1) *Unateness (TTLock/SFLL-HD $^0$ ):* An important insight in attacking TTLock is that regardless of the exact values of the key inputs, the function computed by the gate  $F$  has the special property of *unateness* in all its variables.

In our running example, the functionality of node 30 in Figure 3 is  $cktn_{30}(a, b, c, d) = a \wedge \neg b \wedge \neg c \wedge d$ . Consider  $cktn_{30}(1, b, c, d)$ , which is  $\neg b \wedge \neg c \wedge d$ , while  $cktn_{30}(0, b, c, d) = 0$ . Therefore, changing  $a$  from 0 to 1 while keeping all the other variables the same will never cause  $F$  to go from 1 to 0. This means that  $F$  is positive unate in  $a$ . By a similar argument,  $F$  is negative unate in the variables  $b$  and  $c$ , while it is positive unate in the variable  $d$ . From this, we can deduce that the protected cube is  $a \wedge \neg b \wedge \neg c \wedge d$  and hence a potential key is  $(k_1, k_2, k_3, k_4) = (1, 0, 0, 1)$ . For another example, let  $\langle k_1, k_2, k_3 \rangle = (1, 0, 1)$ . Then  $strip_0(\langle k_1, k_2, k_3 \rangle)(\langle x_1, x_2, x_3 \rangle) = x_1 \wedge \neg x_2 \wedge x_3$ . This is positive unate in  $x_1$  as  $0 \leq \neg x_2 \wedge x_3$ , and negative unate in  $x_2$  as  $0 \leq x_1 \wedge x_3$ .

*Lemma 1:* The cube stripping function for TTLock/SFLL-HD $^0$  is unate in every variable  $x_i$ . Further, it is positive unate in  $x_i$  if  $k_i = 1$  and negative unate in  $x_i$  if  $k_i = 0$ .

Proof of the lemma is given in the appendix.

2) *Non-Overlapping Errors Property (SFLL-HD $^h$ ):* Consider the definition of  $strip_h$ , let  $K_c = \langle k_1, \dots, k_4 \rangle = \langle 1, 1, 1, 1 \rangle$  and  $h = 1$ . Consider the two input values  $X^1 = \langle 1, 1, 1, 0 \rangle$  and  $X^2 = \langle 0, 1, 1, 1 \rangle$ .  $strip_1(K_c)(X^1) = 1 = strip_1(K_c)(X^2)$ .  $X^1$  and  $X^2$  are Hamming distance 2 apart. Due to the definition of  $strip_1$  they are also Hamming distance 1 from  $K_c$ . This means that the values of  $x_i$  on which the two patterns agree –  $x_2$  and  $x_3$  – must be equal to  $k_2$  and  $k_3$  respectively. This is because the “errors” in  $X^1$  and  $X^2$  cannot overlap as they are Hamming distance  $2h$  apart. Generalizing this observation leads to the following result.

*Lemma 2:* Suppose  $X^1 = \langle x_1^1, \dots, x_m^1 \rangle$ ,  $X^2 = \langle x_1^2, \dots, x_m^2 \rangle$ ,  $K_c = \langle k_1, \dots, k_m \rangle$  and  $strip_h(K_c)(X^1) = 1 = strip_h(K_c)(X^2)$ . If  $HD(X^1, X^2) = 2h$ , then for every  $j$  such that  $x_j^1 = x_j^2$ , we must have  $x_j^1 = x_j^2 = k_j$ .

See appendix for proof.

Let us return to the example circuit in Figure 2c and the cube stripping function  $F$  for this circuit shown in Equation 1. The four values of  $(a, b, c, d)$  that result in  $F(a, b, c, d) = 1$  are  $(0, 0, 0, 1)$ ,  $(1, 1, 0, 1)$ ,  $(1, 0, 1, 1)$  and  $(1, 0, 0, 0)$ . Recall that  $h = 1$  for this circuit and the protected cube is  $(a, b, c, d) = (1, 0, 0, 1)$ . Consider the pair  $(0, 0, 0, 1)$  and  $(1, 1, 0, 1)$ . These two vectors are Hamming distance 2 apart and we see that the two indices on which the vectors agree ( $c$  and  $d$ ) are equal to their respective values in the protected cube. Therefore from these two vectors, we can deduce that  $c = 0$  and  $d = 1$ . Similarly from the vectors  $(1, 0, 1, 1)$  and  $(1, 0, 0, 0)$  we can deduce that  $a = 1$  and  $b = 0$ .

3) *Sliding Window Property (SFLL-HD $^h$ ):* Let us revisit the example from the non-overlapping errors property. Let

**Algorithm 1** Algorithm ANALYZEUNATENESS

---

```

1: procedure ANALYZEUNATENESS( $c$ )
2:    $keys \leftarrow \emptyset$ 
3:   for  $x_i \in Supp(c)$  do
4:     if  $isPositiveUnate(c, x_i)$  then
5:        $keys \leftarrow keys \cup (x_i \mapsto 1)$ 
6:     else if  $isNegativeUnate(c, x_i)$  then
7:        $keys \leftarrow keys \cup (x_i \mapsto 0)$ 
8:     else return  $\perp$ 
9:    end if
10:   end for
11:   return  $keys$ 
12: end procedure

```

---

$K_c = \langle k_1, \dots, k_4 \rangle = \langle 1, 1, 1, 1 \rangle$  and  $h = 1$ . For the input value  $X^1 = \langle 1, 1, 1, 0 \rangle$ , we have  $strip_1(K_c)(X^1) = 1$ . Notice that there cannot exist another assignment  $X^2 = \langle x_1^2, \dots, x_4^2 \rangle$  with  $x_4^2 = 0$ ,  $HD(X^1, X^2) = 2$  and  $strip_1(K_c)(X^2) = 1$ . This is because  $x_4^2 \neq k_4$ , so the remaining bits in  $X^2$  must be equal to  $K_c$  so that  $strip_1(K_c)(X^2) = 1$ . But this forces the Hamming distance between  $X^1$  and  $X^2$  to be 0 (and not 2 as desired). This observation leads to the following result.

**Lemma 3:** Consider the assignments  $X^1 = \langle x_1^1, \dots, x_m^1 \rangle$  and  $X^2 = \langle x_1^2, \dots, x_m^2 \rangle$ . Let  $K_c = \langle k_1, \dots, k_m \rangle$  as before. The formula  $strip_h(K_c)(X^1) = 1 \wedge strip_h(K_c)(X^2) = 1 \wedge HD(X^1, X^2) = 2h \wedge x_j^1 = x_j^2 \wedge x_j^1 = b$  is satisfiable iff  $b = k_j$ .

The proof of this lemma is given in the appendix.

**B. Functional Analysis Algorithms**

In this subsection, we describe three attack algorithms on SFLL that are based on Lemmas 1, 2 and 3. Each algorithm takes as input a candidate node  $c$  in the circuit DAG. Let  $X = Supp(c)$ . The functional analyses described in this subsection determine whether the circuit function of this node  $ckfn_c(X)$  is equivalent to  $strip(K_c)(X)$  for some assignment to  $K_c$ . In other words, we are trying to solve the quantified Boolean formula (QBF):  $\exists K_c. \forall X. ckfn_c(X) = strip(K_c)(X)$ . However, solving this QBF instance is computationally hard. So instead we exploit Lemmas 1, 2 and 3 to determine potential values of  $K_c$  and verify this “guess” using combinational equivalence checking.

1) *AnalyzeUnateness*: This is shown in Algorithm 1 and can be used to attack SFLL-HD<sup>0</sup>/TTLock. It takes as input a circuit node  $c$  and outputs an assignment to each node in the support set of  $c$  if the function represented by  $c$  is unate, otherwise it returns  $\perp$ . This assignment is the protected cube. **Applicability**: This algorithm is only applicable to SFLL-HD<sup>h</sup> when  $h = 0$ , i.e. TTLock.

2) *SlidingWindow*: Algorithm 2 takes as input the circuit node  $c$  and the algorithm checks if  $c$  behaves as the cube stripping unit of SFLL-HD<sup>h</sup>. It works by asking if there are two distinct satisfying assignments to  $ckfn_c$  which are Hamming distance of  $2h$  apart. If no such assignment exists then  $\perp$  is returned. Otherwise, by Lemma 2, bits which are equal in both satisfying assignments must also be equal to the corresponding key bits. The remaining bits are obtained

**Algorithm 2** Algorithm SLIDINGWINDOW

---

```

1: procedure SLIDINGWINDOW( $c$ )
2:    $keys \leftarrow \emptyset$ 
3:    $S \leftarrow Supp(c)$ 
4:    $c' \leftarrow substitute(c, \{(x_i, x'_i) \mid x \in S\})$ 
5:    $F \leftarrow c \wedge c' \wedge HD(Supp(c), Supp(c')) = 2h$ 
6:   if  $solve(F) = UNSAT$  then return  $\perp$ 
7:   end if
8:   for  $x_i \in S$  do
9:      $(m_i, m'_i) \leftarrow (\text{model}_{x_i}(F), \text{model}_{x'_i}(F))$ 
10:    if  $m_i = m'_i$  then
11:       $keys \leftarrow keys \cup (x_i \mapsto m_i)$ 
12:    else
13:       $r_i \leftarrow solve(F \wedge (x_i = x'_i \wedge x'_i = m_i))$ 
14:       $r'_i \leftarrow solve(F \wedge (x_i = x'_i \wedge x'_i = m'_i))$ 
15:      if  $r_i = SAT \wedge r'_i = UNSAT$  then
16:         $keys \leftarrow keys \cup (x_i \mapsto m_i)$ 
17:      else if  $r_i = UNSAT \wedge r'_i = SAT$  then
18:         $keys \leftarrow keys \cup (x_i \mapsto m'_i)$ 
19:      else
20:        return  $\perp$ 
21:      end if
22:    end if
23:   end for
24:   return  $keys$ 
25: end procedure

```

---

by iterating through each remaining bit and applying the SAT query in Lemma 3. If any query is inconsistent with Lemma 3 during this process then  $\perp$  is returned. If successful, the return value is the protected cube.

**Applicability**: This algorithm is used to attack SFLL-HD<sup>h</sup> for  $0 < h < \lfloor m/2 \rfloor$  where  $m$  is the number of key inputs. Note that  $h > \lfloor m/2 \rfloor$  is symmetric to  $h < \lfloor m/2 \rfloor$  with respect to negation of the key.

3) *Distance2H*: Algorithm 3 is based on Lemma 2. This procedure is similar to SLIDINGWINDOW in that it computes two satisfying assignments to  $c$  that are distance of  $2h$  apart. Any bits that are equal between the two assignments must be equal to the key bits. The remaining bits are computed by asking if there are two more satisfying assignments such that the bits which were not equal in the first pair of assignments are now equal. These new assignments must also be Hamming distance of  $2h$  apart. The second query, if successful, determines the remaining key bits by Lemma 3.

**Applicability**: This algorithm is applicable when  $0 < 4h \leq m$  where  $m$  is the number of key inputs.

**C. Equivalence Checking**

It is important to note that Lemmas 1, 2 and 3 encode *necessary* but not sufficient properties of the cube stripping function. We ensure sufficiency by using combinational equivalence checking. Suppose the key value returned by Algorithm 1, 2 or 3 is  $K_c$ . We check satisfiability of  $strip_h(K_c)(X) \neq ckfn_c(X)$  where  $X$  is the support of the node  $c$ . If this query is

**Algorithm 3** Algorithm DISTANCE2H

---

```

1: procedure DISTANCE2H( $c$ )
2:    $S \leftarrow \text{Supp}(c)$ 
3:    $c' \leftarrow \text{substitute}(c, \{(x_i, x'_i) \mid x \in S\})$ 
4:    $F \leftarrow c \wedge c' \wedge \text{HD}(\text{Supp}(c), \text{Supp}(c')) = 2h$ 
5:   if  $\text{solve}(F) = \text{UNSAT}$  then return  $\perp$ 
6:   end if
7:    $M_F \leftarrow \{(x_i, \text{model}_{x_i}(F), \text{model}_{x'_i}(F)) \mid x_i \in S\}$ 
8:    $keys_A \leftarrow \{(x_i \mapsto m_i) \mid (x_i, m_i, m'_i) \in M_F \wedge m_i = m'_i\}$ 
9:    $Cnst \leftarrow \{(x_i = x'_i) \mid (x_i, m_i, m'_i) \in M_F \wedge m_i \neq m'_i\}$ 
10:   $G \leftarrow F \wedge (\bigwedge_{p_i \in Cnst} p_i)$ 
11:  if  $\text{solve}(G) = \text{UNSAT}$  then return  $\perp$ 
12:  end if
13:   $M_G \leftarrow \{(x_i, \text{model}_{x_i}(G), \text{model}_{x'_i}(G)) \mid x_i \in S\}$ 
14:   $keys_B \leftarrow \{(x_i \mapsto m_i) \mid (x_i, m_i, m'_i) \in M_G \wedge m_i = m'_i\}$ 
15:  return  $keys_A \cup keys_B$ 
16: end procedure

```

---

unsatisfiable, this means that the node  $c$  is equivalent to cube stripping function  $\text{strip}_h(K_c)$ .

## VI. KEY CONFIRMATION

In most cases the functional analyses determine exactly one correct locking key. However, there are few exceptions. One case occurs when both the output of the cube stripper module ( $F$  in Figure 2c) as well as its negation ( $\neg F$ ) appear in the circuit. In this case, the algorithms may shortlist both the correct key, e.g.  $\langle 1, 0, 0, 1 \rangle$  and its complement  $\langle 0, 1, 1, 0 \rangle$ . Another scenario is when purely by coincidence the circuit contains a function that happens to look like the cube stripper module, but is actually not. In the case of TTLock, the latter case occurs when the circuit contains any unate function of all the circuit inputs. In this case too, the algorithms will output multiple keys: one of these will be correct while the remaining are spurious. How do we determine which of the keys in this list is the correct key? We introduce the key confirmation algorithm to solve this problem.

The key confirmation algorithm takes as input a circuit represented by its characteristic relation  $C(X, K, Y)$ , a set of key values represented by the indicator function of this set  $\varphi(K)$  and an I/O oracle. The indicate function  $\varphi$  is a Boolean formula over the key variables that constrains the search space of the algorithm. For example, suppose the circuit analyses have shortlisted two keys  $\langle 1, 1, 0, 1 \rangle$  and  $\langle 0, 0, 1, 0 \rangle$ . The  $\varphi(K) \doteq (k_1 \wedge k_2 \wedge \neg k_3 \wedge k_4) \vee (\neg k_1 \wedge \neg k_2 \wedge k_3 \wedge \neg k_4)$ . The algorithm either returns a key value  $K_c$  s.t.  $K_c \models \varphi$  or  $\perp$  if no key value is consistent with  $\varphi$  and the oracle.

If no information about the keys is available then we set  $\varphi(K) = \text{true}$ ; this corresponds to the universal set and *in this case, the algorithm devolves into the standard SAT attack [25]*.

### A. Algorithm Description

To understand the algorithm, it is helpful to review the notion of a distinguishing input introduced by Subramanyan *et al.* [25] in the SAT attack paper. Following the notation in that paper, we will represent the circuit by

**Algorithm 4** Key Confirmation Algorithm

---

```

1: procedure KEYCONFIRMATION( $C, \varphi, oracle$ )
2:    $i \leftarrow 1$ 
3:    $P_1 \leftarrow \varphi(K_1)$ 
4:    $Q_1 \leftarrow C(X, K_1, Y_1) \wedge C(X, K_2, Y_2) \wedge Y_1 \neq Y_2$ 
5:   while true do
6:     if  $\text{solve}[P_i] = \text{UNSAT}$  then
7:       return  $\perp$ 
8:     end if
9:      $K_i \leftarrow \text{model}_{K_1}(P_i)$ 
10:    if  $\text{solve}[Q_i \wedge (K_1 = K_i)] = \text{UNSAT}$  then
11:      return  $K_i$ 
12:    end if
13:     $X_i^d \leftarrow \text{model}_X(Q_i)$ 
14:     $Y_i^d \leftarrow oracle(X_i^d)$ 
15:     $P_{i+1} \leftarrow P_i \wedge C(X_i^d, K_1, Y_i^d)$ 
16:     $Q_{i+1} \leftarrow Q_i \wedge C(X_i^d, K_2, Y_i^d)$ 
17:     $i \leftarrow i + 1$ 
18:  end while
19: end procedure

```

---

its characteristic relation  $C(X, K, Y)$ , where  $X$  is the vector of circuit inputs,  $K$  is the vector of key inputs and  $Y$  is the vector of circuit outputs. Recall that the relation  $C(X, K, Y)$  is satisfiable iff the circuit produces output  $Y$  for input  $X$  when the key inputs are set to  $K$ . Given the above relation, we say that  $X^d$  is a distinguishing input pattern for the key inputs  $K_1$  and  $K_2$  iff  $C(X^d, K_1, Y_1^d) \wedge C(X^d, K_2, Y_2^d) \wedge (Y_1^d \neq Y_2^d)$  is satisfiable. In other words, a distinguishing input pattern for two keys is an input such that the circuit produces different outputs for this input and the corresponding keys.

The SAT-based key confirmation is shown in Algorithm 4. The two main components of the algorithm are the sequences of formulas  $P_i$  and  $Q_i$ , which we implemented using two SAT solver objects.  $P_i$  are used to produce *candidate* key values that are consistent with  $\varphi$  and the I/O patterns observed thus far. Note that since  $P_1$  is  $\varphi$ , all subsequent  $P_i \implies \varphi$ .  $Q_i$  is used to generate distinguishing inputs. When  $P_i$  becomes UNSAT, it means no key value is consistent with  $\varphi$  and the oracle. Or equivalently, the initial “guess” encoded in  $\varphi$  was incorrect. The algorithm terminates with a correct key when  $Q_i$  becomes UNSAT, i.e. no more distinguishing inputs exist.

The algorithm works as follows. In line 9, we extract the key value  $K_i$  that is consistent with  $\varphi$  and the input/output patterns seen thus far. In line 10, we pose a query to the SAT solver to find a distinguishing input such that  $K_1 = K_i$ . In line 13, we extract this distinguishing input. The oracle is queried for the output for this input in line 14. Finally, the formulas  $P_i$  and  $Q_i$  are updated with the newly obtained input/output pattern in lines 15 and 16. The two significant differences from the SAT attack [25] are: (i) the two solver objects corresponding to  $P_i$  and  $Q_i$  which helps separate the generation of candidate keys from the generation of distinguishing inputs, and (ii) the restriction that  $P_i \implies \varphi$ . The former allows us to differentiate between two different types of UNSAT results from the solver: no key value being consistent with  $\varphi$  (line 7),

and no more distinguishing inputs (line 10). This would not be possible in the SAT attack formulation because we only get one type of UNSAT result. The latter change ensures that instead of searching over the entire space of keys, we restrict the search to keys satisfying  $\varphi$ .

### B. Examples of Key Confirmation Algorithm Execution

Consider the operation of the key confirmation algorithm for the TTLock netlist shown in Figure 2b. Without any information about possible key values, i.e. when  $\varphi = \text{true}$ , then every input is a distinguishing input for this circuit and every input rules out only one incorrect key value. This ensures security against the plain SAT attack.

Now consider the case when  $\varphi(k_1, k_2, k_3, k_4) = k_1 \wedge \neg k_2 \wedge \neg k_3 \wedge k_4$ ; this corresponds to the key value  $\langle k_1, k_2, k_3, k_4 \rangle = \langle 1, 0, 0, 1 \rangle$ . Lines 6–13 of Algorithm 4 attempt to find an input that distinguishes between the key value  $\langle 1, 0, 0, 1 \rangle$  and all other key values. Note that *every such distinguishing input must be part of the protected cube*. As a result, the first distinguishing input is  $\langle a, b, c, d \rangle = \langle 1, 0, 0, 1 \rangle$ . When the oracle is queried for this input, we find that output is 1. After this constraint is added to the formulas in lines 15 and 16, no more distinguishing inputs can be found. The algorithm terminates on line 11 with  $\langle 1, 0, 0, 1 \rangle$  as the correct key.

Let us consider a scenario where we guess the wrong key. Suppose  $\varphi(k_1, k_2, k_3, k_4) = k_1 \wedge \neg k_2 \wedge \neg k_3 \wedge \neg k_4$ ; this corresponds to the key value  $\langle k_1, k_2, k_3, k_4 \rangle = \langle 1, 0, 0, 0 \rangle$ . The first distinguishing input between this key and all other keys tested by the solver is  $\langle a, b, c, d \rangle = \langle 1, 0, 0, 0 \rangle$ . The correct output for this input pattern is 0, and this is returned by the oracle. Note the output of the functionality stripped circuit for this input  $\langle 1, 0, 0, 0 \rangle$  is 0 and then the functionality restoration unit flips this output to 1 because of the initial constraint on the key inputs. Therefore, when we now add this constraint to the formula  $P$  in line 15, the formula  $P$  becomes unsatisfiable. This causes the algorithm to terminate with failure on line 7.

### C. Correctness of Key Confirmation

Correctness of Algorithm 4 is stated in the following lemma.

**Lemma 4:** Algorithm 4 terminates and returns either (i) the key  $K_c$  or (ii)  $\perp$ . The former occurs iff  $K_c \models \varphi$  and  $\forall X. C(X, K_c, Y) \iff Y = \text{oracle}(X)$ . The latter occurs iff no such  $K_c$  exists.

The proof of this lemma is given in the appendix.

The second clause of Lemma 4 is important to emphasize. Key confirmation terminates with the result  $\perp$  iff no key value  $K_c$  s.t.  $K_c \models \varphi$  is correct for the given oracle. This implies key confirmation can be safely used even if the key value was “incorrectly” guessed – the algorithm will detect this.

## VII. EVALUATION

This section describes our experimental evaluation of FALL attacks. We describe the evaluation methodology, then present the results of the functional analyses, after which we present our evaluation of the key confirmation attack.

TABLE I  
BENCHMARK CIRCUITS. #IN, #OUT AND #KEY REFER TO THE NUMBER OF INPUTS, OUTPUTS AND KEYS RESPECTIVELY

| ckt    | #in | #out | #keys | # of gates |      |      |
|--------|-----|------|-------|------------|------|------|
|        |     |      |       | Original   | SFLL |      |
|        |     |      |       |            | min  | max  |
| ex1010 | 10  | 10   | 10    | 2754       | 2783 | 2899 |
| apex4  | 10  | 19   | 10    | 2886       | 2938 | 3058 |
| c1908  | 33  | 25   | 33    | 414        | 1322 | 1376 |
| c432   | 36  | 7    | 36    | 209        | 1119 | 1155 |
| apex2  | 39  | 3    | 39    | 345        | 1367 | 1407 |
| c1355  | 41  | 32   | 41    | 504        | 1729 | 1746 |
| seq    | 41  | 35   | 41    | 1964       | 3177 | 3187 |
| c499   | 41  | 32   | 41    | 400        | 1729 | 1750 |
| k2     | 46  | 45   | 46    | 1474       | 2890 | 2903 |
| c3540  | 50  | 22   | 50    | 1038       | 2591 | 2595 |
| c880   | 60  | 26   | 60    | 327        | 2338 | 2368 |
| dalu   | 75  | 16   | 64    | 1202       | 3284 | 3312 |
| i9     | 88  | 63   | 64    | 591        | 2981 | 3015 |
| i8     | 133 | 81   | 64    | 1725       | 3609 | 3637 |
| c5315  | 178 | 123  | 64    | 1773       | 4076 | 4108 |
| i4     | 192 | 6    | 64    | 246        | 2261 | 2289 |
| i7     | 199 | 67   | 64    | 663        | 3038 | 3066 |
| c7552  | 207 | 108  | 64    | 2074       | 4076 | 4105 |
| c2670  | 233 | 140  | 64    | 717        | 2733 | 2775 |
| des    | 256 | 245  | 64    | 3839       | 7229 | 7257 |

### A. Methodology

We evaluated the effectiveness of FALL attacks on a set of ISCAS’85 benchmark circuits and combinational circuits from the Microelectronics Center of North Carolina (MCNC). Details of these circuits are shown in Table I. These benchmark circuits remain reflective of contemporary combinational circuits and have been used extensively in prior work on logic locking, e.g. [21], [25], [33]. We implemented the TTLock and SFLL locking algorithms for varying values of the Hamming distance parameter  $h$  and key size of 64 and 128 bits. We did not study key size of 256 bits because there is only one circuit with 256 circuit inputs. We study four different values of the Hamming distance  $h$  for each key size:  $h = 0$  (TTLock),  $h = \lfloor m/8 \rfloor$ ,  $h = \lfloor m/4 \rfloor$ , and  $h = \lfloor m/3 \rfloor$  where  $m$  is the number of key inputs. We chose these different values to study the impact of key size and  $h$  in the scalability of the algorithm. Due to space limitations, we only show graphs/tables for the maximum key size of 64 bits. Results for the larger key size are discussed in the text in subsection VII-B.

Locked netlists were optimized using ABC v1.01 [13] by running the `strash` command followed by repeated application of the `rewrite`, `refactor` and `balance` commands. We note that ABC is a state-of-the-art open source synthesis tool and is regularly used in the design automation and verification research. These particular commands are very effective in circuit optimization while also minimizing any elidable structural bias. We chose ABC because we are not aware of any other open source synthesis tool that comes close to feature parity with it.

*1) Implementation:* The circuit analyses were implemented in Python and use the Lingeling SAT Solver [4]. Source code for these analyses is available at [23]. The key confirmation algorithm was implemented in C++ as a modification to the open source SAT attack tool [26].



Fig. 5. Circuit analyses: execution time vs number of benchmarks solved in that time.

2) *Execution Platform:* Our experiments were conducted on the CentOS Linux distribution version 7.2 running on 28-core Intel® Xeon® Platinum 8180 (“SkyLake”) Server CPUs. All experiments had a time limit of 1000 seconds.

#### B. Circuit Analysis Results

Figure 5 show the performance of the circuit analyses attacks on the benchmarks in our experimental framework. Four graphs are shown: the left most of which is for SFLL-HD<sup>0</sup> while the remaining are for SFLL-HD<sup>h</sup> with varying values of the Hamming Distance  $h$ . For each graph, the x-axis shows execution time while the y-axis shows the number of benchmark circuits decrypted within that time.

The DISTANCE2H attack defeats all SFLL-HD<sup>h</sup> locked circuits for  $h = \lfloor m/8 \rfloor$  and  $h = \lfloor m/4 \rfloor$ . We repeated this experiment for the seven largest circuits with a key size of 128 bits and the DISTANCE2H attack defeated all of these locked circuits. Recall that DISTANCE2H is not applicable when  $4h > m$ . ANALYZEUNATENESS is able to defeat 18 out of 20 TTLock circuits; the two remaining circuits are defeated by the plain SAT attack. SLIDINGWINDOW is able to defeat all locked circuits for  $h = \lfloor m/8 \rfloor$ , but does not perform as well for larger values of  $h$ . This is because the SAT calls for larger values of  $h$  are computationally harder as they involve more adder gates in the Hamming Distance computation. In summary, **65 out of 80 circuits (81%) are defeated** by at least one of our attack algorithms.

Among these 65 circuits for which the attack is successful, **a unique key is identified for 58 circuits (90%)**. This means **58 out of 80 circuits were defeated without oracle access** (I/O access to an unlocked IC) — only functional analysis of the netlist was required. Among the seven circuits for which multiple keys were shortlisted, the attack shortlists two keys which are bitwise complements of each other for four circuits, three keys are shortlisted for two other circuits. One corner cases occurs for c432: 36 keys are shortlisted, this is still a huge reduction from the initial space of  $2^{36}$  possible keys.

Recall that Algorithm DISTANCE2H is only applicable for  $0 < h \leq \lfloor m/4 \rfloor$ . Results show that DISTANCE2H defeats all circuits for which it is applicable. SLIDINGWINDOW is applicable for  $0 < h < \lfloor m/2 \rfloor$ , and results show that is less scalable than DISTANCE2H because it has to make many more calls to the SAT solver.

#### C. Key Confirmation Results

Figure 6 shows the execution time of the key confirmation algorithm and compares and contrasts this with the “vanilla” SAT attack. Note that the y-axis is shown on a log scale. The bars represent the mean execution time of key confirmation for a particular circuit encoded with the various locking algorithms and parameters discussed above. Key values are obtained from the results of the experiments described in the previous subsection. The thin black line shows error bars corresponding to one standard deviation. We note that **key confirmation**



Fig. 6. Mean execution times of key confirmation and SAT attacks.

is orders of magnitude faster than the SAT attack while providing the same correctness guarantees.

Key confirmation provides a powerful new tool for attackers analyzing a locked netlist. Attackers can use some arbitrary circuit analysis to guess a few likely keys, and then use key confirmation to determine which (if any) of these is the correct key. **Key confirmation is applicable even if the locked netlist is SAT attack resilient.** Indeed, the SAT attack fails on most of these locked circuits as shown in Figure 5. This is because SAT-resilience only requires that there be exponentially many distinguishing inputs overall. However, key confirmation is not searching over the entire space of distinguishing inputs, but only over the inputs that distinguish from the keys in  $\varphi$ . Therefore, even though there may be exponentially many distinguishing inputs overall, if we can eliminate many of them via structural, functional or statistical analyses, the remaining set can be analyzed using key confirmation.

#### D. Why does the FALL attack fail?

Across all benchmarks and all attack algorithms, there are a total of 25 cases in which some variant of the FALL attack fails. In 23 of these cases, the time limit of 1000 seconds is exceeded. All 23 timeouts occur for the SLIDINGWINDOW algorithm. Note that this algorithm makes up to  $2 \times |\mathcal{K}_c|$  number of calls to the SAT solver, where  $|\mathcal{K}_c|$  is the number of literals in the protected cube. This reliance on SAT solving causes it to timeout on some of the larger benchmarks. Using Gaussian elimination instead of SAT-based analyses, as done by Yang *et al.* [35] could potentially speed up the attack; a detailed comparison with [35] is deferred to § VIII.

In the remaining two cases, the cube stripper module has been entirely optimized out of the netlist by the synthesis tool. We note that both of these circuits have only 10 key inputs and therefore the protected cube also has only 10 inputs. This allows the synthesizer (*abc*) to merge the protected cube with the rest of the circuit. However, the small number

of keys means that both circuits are defeated by the plain SAT attack. This is not a coincidence; the ability of the synthesis tool to remove the cube stripper is dependent on the efficacy of two-level minimization (à la Espresso). Two-level minimization is unlikely to scale beyond 16 or so inputs. Therefore, we do not believe this will yield an effective countermeasure.

#### E. Discussion

We now present a brief discussion of the limitations, implications, and avenues for future work related to the FALL and key confirmation attacks.

1) *Significance of the Key Confirmation Attack:* The key confirmation attack opens up new possibilities for the application of Boolean reasoning engines based on SAT solvers to logic locking research. This extension to the SAT attack shows how keys that are “guessed” using some structural, functional or statistical analysis can be provided as a hint to the SAT solver. As discussed in § VII-C, these hints are usable by the algorithm even against SAT-resilient locking schemes. In fact, the key confirmation attack can also be used to parallelize the SAT attack by partitioning the key input space into different regions and setting  $\varphi$  to search over these distinct regions in each parallel invocation. Exploration of these and other related ideas is left for future work.

2) *Applicability to Other Locking Schemes:* The structural analyses of the FALL attack are not specific to SFLL/TTLock. They can be used to identify the functionality restoration unit in all variants of SFLL including SFLL-fault [19]. This can help identify the circuit inputs for the protected cube. However, the identification of cube stripper and extracting the protected cube via the functional analyses in § V is specific to SFLL-HD<sup>h</sup> and TTLock. Extending the analyses to find the protected cube in SFLL-fault is an open problem for future work.

Note that the key confirmation attack is entirely independent of the structural and functional analyses and not at all specific

to SFLL. It is an extension to the SAT attack where the attacker only needs to somehow guess some set of keys or constraint over keys and can provide this to the SAT solver as a hint. The solver can use this information to greatly accelerate the search for the correct locking key. We believe this is of independent interest for general attacks on combinational logic locking.

### VIII. RELATED WORK

This section provides a brief overview of related attacks. **Attacks on SFLL-HD:** In concurrent work, Yang *et al.* [35] introduce a novel attack that also uses structural analysis of the netlist to identify the cube stripper. However, they use manual inspection to look for signals connecting the cube stripper and the functionality restoration unit and rely on the topological structure of these nodes to identify the output of the cube stripper. An important insight in their work is that the cube stripper in SFLL-HD<sup>h</sup> will have a tree-like structure with each branch of the tree corresponding to a particular protected pattern. They introduce an algorithm that is based on Gaussian-elimination to identify the key from the cube stripping unit. The main differences with our attack are the following. First, our analysis is completely automated, while Yang *et al.* used manual inspection to identify the cube stripping unit. Second, instead of using Gaussian elimination to identify the key, we use Boolean function analyses (lemmas 2 and 3). Gaussian elimination has the advantage of being a polynomial time algorithm while we rely on SAT-based analyses. Combining their functional analyses with ours could potentially result in a more scalable attack on SFLL-HD<sup>h</sup>.

Alrahis *et al.* [1] also introduced novel attacks on SFLL concurrently with this work. They use the reverse engineering tool BSIM [27], [28] to identify the cube stripper and functionality restoration unit. Our structural and functional analyses are more sophisticated than the implementations in BSIM because they are focused on SFLL-HD. The BSIM toolbox is based on  $k$ -cut matching [7], [8] and so it will miss structures where intermediate sub-circuits have more than  $k$  inputs. Alrahis *et al.* work around this to some extent by reverse engineering and then resynthesizing the circuit with a smaller gate library, but this method is not guaranteed to be foolproof.

**SAT-based Attacks:** The key confirmation attack builds on rich body of literature in SAT-based attacks on logic locking, examples of which include the SAT attack [25], the Double DIP attack [21] and AppSAT [20]. As discussed in § VII-E, the main advantage of key confirmation is that it is an *exact* attack that can work on netlists resilient to the SAT, double DIP and AppSAT attacks.

### IX. CONCLUSION

This paper proposed a set of Functional Analysis attacks on Logic Locking (FALL attacks). We developed structural and functional analyses to determine potential key values of a locked logic circuit. We then showed how these potential key values could be verified using our key confirmation algorithm.

Our work has three important implications. First, we showed how arbitrary structural and functional analyses can be synergistically combined with powerful Boolean reasoning engines using the key confirmation algorithm. Second, our attack was shown to often succeed (90% of successful attempts in our experiments) without requiring oracle access to an unlocked circuit. This suggests that logic locking attacks may be much more easily carried out than was previously assumed. Experiments showed that FALL defeated 65 out of 80 benchmark circuits locked using SFLL-HD<sup>h</sup>.

### APPENDIX: PROOFS

This appendix proves the lemmas in § V and VI.

*Lemma 1:* The cube stripping function for TTLock/SFLL-HD<sup>0</sup> is unate in every variable  $x_i$ . Further, it is positive unate in  $x_i$  if  $k_i = 1$  and negative unate in  $x_i$  if  $k_i = 0$ .

*Proof:* The proof is by induction on the number of literals in the protected cube. In the base case, the protected cube has only one literal; it is either  $x_i$  or  $\neg x_i$ . The function  $f(x_i) \doteq x_i$  is positive unate in the variable  $x_i$  while the function  $f(x_i) \doteq \neg x_i$  is negative unate in the variable  $x_i$ .

Now consider the inductive step. We have cube  $C(x_1, \dots, x_{i-1})$  consisting of  $i - 1$  literals which is assumed to be unate in all its variables. We have to show that both the cubes  $C(x_1, \dots, x_{i-1}) \wedge x_i$  and  $C(x_1, \dots, x_{i-1}) \wedge \neg x_i$  are unate in the variable  $x_i$ . Let us consider only the cube  $C(x_1, \dots, x_{i-1}) \wedge x_i$  w.l.o.g as the argument is symmetric for  $C(x_1, \dots, x_{i-1}) \wedge \neg x_i$ . This cube is positive unate in the variable  $x_i$ . For all the other variables in  $C(x_1, \dots, x_{i-1})$ , since  $C$  is unate in each of those variables, it is also unate in  $C(x_1, \dots, x_{i-1}) \wedge x_i$  for those variables.  $\square$

*Lemma 2:* Suppose  $x^1 = \langle x_1^1, \dots, x_m^1 \rangle$ ,  $x^2 = \langle x_1^2, \dots, x_m^2 \rangle$ ,  $K_c = \langle k_1, \dots, k_m \rangle$  and  $\text{strip}_h(K_c)(x^1) = 1 = \text{strip}_h(K_c)(x^2)$ . If  $HD(x^1, x^2) = 2h$ , then for every  $j$  such that  $x_j^1 = x_j^2$ , we must have  $x_j^1 = x_j^2 = k_j$ .

*Proof:* The proof is by induction on  $h$ . The base case for  $h = 0$  is clearly true, because in this case  $\text{strip}_h(K_c)(x^1) = \text{strip}_h(K_c)(x^2) = 1$  iff  $K_c = x^1 = x^2$ . This implies that  $x_j^1 = x_j^2 = k_j$  for all  $j$ .

In the inductive step, assume the lemma holds for  $h - 1$ . Consider some arbitrary  $x^1, x^2$  such that  $\text{strip}_{h-1}(K_c)(x^1) = \text{strip}_{h-1}(K_c)(x^2) = 1$  and  $HD(x^1, x^2) = 2h - 2$ . Suppose there exist  $i$  and  $l$  with  $i \neq l$  and  $x_i^1 = x_i^2$  and  $x_l^1 = x_l^2$ . By the lemma for  $h - 1$ , we have  $x_i^1 = x_i^2 = k_i$  and  $x_l^1 = x_l^2 = k_l$ . Now consider the vectors  $Y^1 = \langle y_1^1, \dots, y_m^1 \rangle$  and  $Y^2 = \langle y_1^2, \dots, y_m^2 \rangle$  which are constructed as follows.  $Y^1$  is the same as  $X^1$  except that index  $i$  is flipped, while  $Y^2$  is the same as  $X^2$  except at index  $l$  which is flipped. Notice that  $\text{strip}_h(K_c)(Y^1) = \text{strip}_h(K_c)(Y^2) = 1$  because each of these vectors differ from the protected cube on one more index (either  $i$  or  $l$ ). Further  $HD(Y^1, Y^2) = 2h$  because  $i \neq l$ . We see that for all  $j$  such that  $y_j^1 = y_j^2$ , we must have  $y_j^1 = y_j^2 = k_j$  because these indices are the same in both  $Y^1$  and  $X^1$  as well as  $Y^2$  and  $X^2$  respectively. In other words, we have shown the lemma also holds for  $h$  if it holds for  $h - 1$ .  $\square$

**Lemma 3:** Consider the assignments  $x^1 = \langle x_1^1, \dots, x_m^1 \rangle$  and  $x^2 = \langle x_1^2, \dots, x_m^2 \rangle$ . Let  $K_c = \langle k_1, \dots, k_m \rangle$  as before. The formula  $\text{strip}_h(K_c)(x^1) = 1 \wedge \text{strip}_h(K_c)(x^2) = 1 \wedge \text{HD}(x^1, x^2) = 2h \wedge x_j^1 = x_j^2 \wedge x_j^1 = b$  is satisfiable iff  $b = k_j$ .

**Proof:** The proof of this lemma is a direct consequence of Lemma 2. Note that the above statement of the lemma is equivalent to saying that the formula  $\text{strip}_h(K_c)(x^1) = 1 \wedge \text{strip}_h(K_c)(x^2) = 1 \wedge \text{HD}(x^1, x^2) = 2h \wedge x_j^1 = x_j^2 \wedge x_j^1 = b$  is unsatisfiable iff  $b \neq k_j$ . This follows from Lemma 2.  $\square$

**Lemma 4:** Algorithm 4 terminates and returns either (i) the key  $K_c$  or (ii)  $\perp$ . The former occurs iff  $K_c \models \varphi$  and  $\forall X. C(X, K_c, Y) \iff Y = \text{oracle}(X)$ . The latter occurs iff no such  $K_c$  exists.

**Proof:** Each iteration of the loop rules out at least one distinguishing input. Since there are only a finite number of distinguishing inputs of the circuit, this guarantees the algorithm will terminate. If the algorithm returns a key  $K_c$ , then this key is satisfies  $P_i$ , so this ensures that  $K_c \models \varphi$ . Further, this also means there are no distinguishing inputs for  $K_c$  and any other key as line 10 was UNSAT. This guarantees that  $K_c$  is the correct key. If the algorithm returns  $\perp$ , it means that there is no input consistent with  $\varphi(K_1)$  and the input/output patterns from the oracle.  $\square$

#### ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their insightful comments which helped improve the quality of this paper. They are also grateful to Intel Corporation for providing access to computational resources which were used to run the experiments for this article.

#### REFERENCES

- [1] L. Alrahis, M. Yasin, H. Saleh, B. Mohammad, and M. Al-Qutayri, “Functional reverse engineering on SAT-attack resilient logic locking,” in *Proc. IEEE Int. Symp. Circuits Syst. (ISCAS)*, May 2019, pp. 1–5.
- [2] B. Aspvall, M. F. Plass, and R. E. Tarjan, “A linear-time algorithm for testing the truth of certain quantified Boolean formulas,” *Inf. Process. Lett.*, vol. 8, no. 3, pp. 121–123, 1979.
- [3] A. Baumgarten, A. Tyagi, and J. Zambreno, “Preventing IC piracy using reconfigurable logic barriers,” *IEEE Des. Test. Comput.*, vol. 27, no. 1, pp. 66–75, Jan. 2010.
- [4] A. Biere, “Lingeling, Plingeling and Treengeling,” in *Proc. SAT Competition*, A. Balint, A. Belov, M. Heule, and M. Järvisalo, Eds. Helsinki, Finland: Univ. of Helsinki, 2013. [Online]. Available: <https://helda.helsinki.fi/handle/10138/40026>
- [5] P. Chakraborty, J. Cruz, and S. Bhunia, “SURF: Joint structural functional attack on logic locking,” in *Proc. IEEE Int. Symp. Hardw. Oriented Secur. Trust (HOST)*, May 2019, pp. 181–190.
- [6] R. S. Chakraborty and S. Bhunia, “Hardware protection and authentication through netlist level obfuscation,” in *Proc. IEEE/ACM Int. Conf. Comput.-Aided Design*, Nov. 2008, pp. 674–677.
- [7] S. Chatterjee, A. Mishchenko, R. K. Brayton, X. Wang, and T. Kam, “Reducing structural bias in technology mapping,” *IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.*, vol. 25, no. 12, pp. 2894–2903, Dec. 2006.
- [8] J. Cong and Y. Ding, “FlowMap: An optimal technology mapping algorithm for delay optimization in lookup-table based FPGA designs,” *IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.*, vol. 13, no. 1, pp. 1–12, Jan. 1994.
- [9] S. A. Cook, “The complexity of theorem-proving procedures,” in *Proc. 3rd Annu. ACM Symp. Theory Comput.*, 1971, pp. 151–158.
- [10] (2005). *Defense Science Board Task Force on High Performance Microchip Supply*. [Online]. Available: <http://www.acq.osd.mil/dsb/reports/ADA435563.pdf>
- [11] S. Dupuis, P.-S. Ba, G. Di Natale, M.-L. Flottes, and B. Rouzeyre, “A novel hardware logic encryption technique for thwarting illegal overproduction and hardware trojans,” in *Proc. IEEE 20th Int. On-Line Test. Symp. (IOLTS)*, Jul. 2014, pp. 49–54.
- [12] (2012). *IHS Technology Press Release: Top 5 Most Counterfeited Parts Represent a \$169 Billion Potential Challenge for Global Semiconductor Industry*. [Online]. Available: <https://technology.ihs.com/405654/top-5-most-counterfeited-parts-represent-a-169-billion-potential-challenge-for-global-semiconductor-market>
- [13] A. Mishchenko, (2018). *ABC: System for Sequential Logic Synthesis and Formal Verification*. [Online]. Available: <https://github.com/berkeley-abc/abc>
- [14] M. Pecht and S. Tiku, “Bogus: Electronic manufacturing and consumers confront a rising tide of counterfeit electronics,” *IEEE Spectr.*, vol. 43, no. 5, pp. 37–46, May 2006.
- [15] S. M. Plaza and I. L. Markov, “Solving the third-shift problem in IC piracy with test-aware logic locking,” *IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.*, vol. 34, no. 6, pp. 961–971, Jun. 2015.
- [16] J. Rajendran, Y. Pino, O. Simanoglu, and R. Karri, “Security analysis of logic obfuscation,” in *Proc. 49th Annu. Design Automat. Conf.*, 2012, pp. 83–89.
- [17] J. Rajendran *et al.*, “Fault Analysis-based logic encryption,” *IEEE Trans. Comput.*, vol. 64, no. 2, pp. 410–424, Feb. 2015.
- [18] J. A. Roy, F. Koushanfar, and I. L. Markov, “EPIC: Ending piracy of integrated circuits,” in *Proc. Design, Autom. Test Eur.*, Mar. 2008, pp. 1069–1074.
- [19] A. Sengupta, M. T. Nabeel, M. Yasin, and O. Sinanoglu, “ATPG-based cost-effective, secure logic locking,” in *Proc. IEEE 36th VLSI Test Symp. (VTS)*, San Francisco, CA, USA, Apr. 2018, pp. 1–6.
- [20] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “AppSAT: Approximately deobfuscating integrated circuits,” in *Proc. IEEE Int. Symp. Hardw. Oriented Secur. Trust (HOST)*, May 2017, pp. 95–100.
- [21] Y. Shen and H. Zhou, “Double DIP: Re-evaluating security of logic encryption algorithms,” in *Proc. Great Lakes Symp. VLSI*, 2017, pp. 179–184.
- [22] (2013). *Semiconductor Industry Association: Anti-Counterfeiting Whitepaper One-Pager*. [Online]. Available: <http://www.semiconductors.org/clientuploads/directory/DocumentSIA/Anti%20Counterfeiting%20Task%20Force/ACTF%20Whitepaper%20Counterfeit%20One%20Pager%20Final.pdf>
- [23] D. Sironi and P. Subramanyan, (2018). *Fall Attacks Source*. [Online]. Available: <https://bitbucket.org/spramod/fall-attacks>
- [24] D. Sironi and P. Subramanyan, “Functional analysis attacks on logic locking,” in *Proc. Design, Automat. Test Eur. Conf. Exhib. (DATE)*, Mar. 2019, pp. 936–939.
- [25] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic encryption algorithms,” in *Proc. IEEE Int. Symp. Hardw. Oriented Secur. Trust (HOST)*, May 2015, pp. 137–143.
- [26] P. Subramanyan and S. Ray, (2019). *SAT and Key Confirmation Attacks Repository*. [Online]. Available: <https://bitbucket.org/spramod/host15-logic-encryption>
- [27] P. Subramanyan *et al.*, “Reverse engineering digital circuits using structural and functional analyses,” *IEEE Trans. Emerg. Topics Comput.*, vol. 2, no. 1, pp. 63–80, Mar. 2014.
- [28] P. Subramanyan, N. Tsiskaridze, K. Pasricha, D. Reisman, A. Susnea, and S. Malik, “Reverse engineering digital circuits using functional analysis,” in *Proc. Design, Autom. Test Eur. Conf. Exhib. (DATE)*, Mar. 2013, pp. 1277–1280.
- [29] R. Torrance and D. James, “The state-of-the-art in IC reverse engineering,” in *Proc. 11th Int. Workshop Cryptograph. Hardw. Embedded Syst.*, 2009, pp. 363–381.
- [30] G. S. Tseitin, “On the complexity of derivation in propositional calculus,” in *Automation of Reasoning*, J. Siekmann and G. Wrightson, Eds. Berlin, Germany: Springer, 1983, pp. 466–483.
- [31] J. Villasenor and M. Tehrani Poor, “The hidden dangers of chop-shop electronics,” *IEEE Spectr.*, to be published.
- [32] Y. Xie and A. Srivastava, “Mitigating SAT attack on logic locking,” in *Proc. Int. Conf. Cryptograph. Hardw. Embedded Syst.*, 2016, pp. 127–146.
- [33] Y. Xie and A. Srivastava, “Anti-SAT: Mitigating SAT attack on logic locking,” *IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst.*, vol. 38, no. 2, pp. 199–207, Feb. 2019.

- [34] X. Xu, B. Shakya, M. M. Tehranipoor, and D. Forte, "Novel bypass attack and BDD-based tradeoff analysis against all known logic locking attacks," in *Proc. Int. Conf. Cryptograph. Hardw. Embedded Syst.*, 2017, pp. 189–210.
- [35] F. Yang, M. Tang, and O. Sinanoglu, "Stripped functionality logic locking with Hamming distance based restore unit (SFLL-hd)-unlocked," *IEEE Trans. Inf. Forensics Security*, vol. 14, no. 10, pp. 2778–2786, Oct. 2019.
- [36] M. Yasin, B. Mazumdar, S. S. Ali, and O. Sinanoglu, "Security analysis of logic encryption against the most effective side-channel attack: DPA," in *Proc. IEEE Int. Symp. Defect Fault Tolerance VLSI Nanotechnol. Syst. (DFTS)*, Oct. 2015, pp. 97–102.
- [37] M. Yasin, B. Mazumdar, J. J. V. Rajendran, and O. Sinanoglu, "SAR-Lock: SAT attack resistant logic locking," in *Proc. 2016 IEEE Int. Symp. Hardw. Oriented Secur. Trust (HOST)*, May 2016, pp. 236–241.
- [38] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, "Removal attacks on logic locking and camouflaging techniques," *IEEE Trans. Emerg. Topics Comput.*, to be published.
- [39] M. Yasin, S. M. Saeed, J. Rajendran, and O. Sinanoglu, "Activation of logic encrypted chips: Pre-test or post-test?" in *Proc. Conf. Design, Automat. Test Eur.*, 2016, pp. 139–144.
- [40] M. Yasin *et al.*, "Provably-secure logic locking: From theory to practice," in *Proc. ACM SIGSAC Conf. Comput. Commun. Secur.*, Oct. 2017, pp. 1601–1618.
- [41] M. Yasin *et al.*, "What to lock?: Functional and parametric locking," in *Proc. Great Lakes Symp. VLSI*, 2017, pp. 351–356.



**Deepak Sirone** received the B.Tech. degree from the National Institute of Technology, Kozhikode, in 2016, and the M.Tech. degree from the Indian Institute of Technology, Kanpur, in 2019. He is currently pursuing the Ph.D. degree with the Department of Computer Sciences, University of Wisconsin–Madison. His research interest includes systems security.



**Pramod Subramanyan** received the B.E. degree from the R. V. College of Engineering in 2006, the M.Sc. (Engg.) degree from the Indian Institute of Science in 2011, and the Ph.D. degree from the Department of Electrical Engineering, Princeton University, in 2017. He is currently an Assistant Professor with the Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur. His research interests include the intersection of systems security and formal methods.