Logic camouflage is a widely adopted technique that mitigates the threat of intellectual property (IP) piracy and overproduction in the integrated circuit (IC) supply chain. Camouflaged logic achieves functional obfuscation through physical-level ambiguity and post-manufacturing programmability. However, discussions on programmability are confined to the level of logic cells/gates, limiting the broader-scale application of logic camouflage. In this work, we propose a novel module-level configuration methodology for programmable camouflaged logic that can be implemented without additional hardware ports and with negligible resources. We prove theoretically that the configuration of the programmable camouflaged logic cells can be achieved through the inputs and netlist of the original module. Further, we propose a novel lightweight ferroelectric FET (FeFET)-based reconfigurable logic gate (rGate) family and apply it to the proposed methodology. With the flexible replacement and the proposed configuration-aware conversion algorithm, this work is characterized by the input-only programming scheme as well as the combination of high output error rate and point-function-like defense. Evaluations show an average of >95% of the alternative rGate location for camouflage, which is sufficient for the security-aware design. We illustrate the exponential complexity in function state traversal and the enhanced defense capability of locked blackbox against Boolean Satisfiability (SAT) attacks compared with key-based methods. We also preserve an evident output Hamming distance and introduce negligible hardware overheads in both gate-level and module-level evaluations under typical benchmarks.

1 Introduction

The integrated circuit (IC) supply chain has become long and distributed worldwide, especially with the rapid iteration of integrated circuit technologies [24]. The third-party service, including IC design, logic synthesis, verification, fabrication, testing, packing, and system integration, has become effective and even inevitable in reducing the cost. However, the third party may be malicious and cause hardware security concerns. Among these threats, intellectual property (IP) piracy is critical because the attackers may reverse-engineer the chip to obtain the design details [30]. Driven by profits, reverse engineering develops so rapidly that even advanced process nodes are threatened [2].

To mitigate the threat and protect IP, logic camouflage and logic locking are widely adopted techniques with a wide protection range in the manufacturing flow and have been explored in the last 20 years [35]. As shown in Figures 1(a) and (b), logic camouflage obscures the original function at the physical level during manufacturing, which makes the camouflaged cells present different logic functions under almost the same layout [1, 6, 10, 12, 21, 23, 26, 27, 38]. Logic locking typically inserts additional key-controlled logic elements into the original logic module, offering post-manufacturing programmability for the IP holders [17, 18, 19, 28, 29, 33, 34, 41, 42, 43, 45]. Although prior works have proposed a variety of different defense schemes, the core concept revolves around concealing critical function information and leveraging it to govern the overall module behavior.

Fig. 1.

Even though existing efforts have achieved the transformation between logic camouflage and locking [46], there exists a notable distinction between them considering programmability. As shown in Figure 1(b), for logic camouflage, the majority of the work adopts manufacturing-time programming (configuring functionality), such as through doping, dummy connections. Once the chip is manufactured, its functionality is determined and cannot be altered. For IP owners, this diminishes post-manufacturing control ability. Although a few works have proposed programmable logic camouflage methods [1, 10, 12], discussions on programmability are limited to the gate level, making large-scale system deployment challenging. In contrast, logic locking retains some additional programming ports, namely, the keys. While IP owners can achieve post-manufacturing control through key authorization, these additional programming ports are independent of the module’s input ports. This leads to algorithm-based vulnerabilities [36] and higher key-related hardware overheads [16].

Taking into account the advantages and disadvantages of the two aforementioned approaches, this article reexamines the post-manufacturing programming phase. The higher the convenience of programming (through key ports), the more easily the functional space can be traversed, providing attackers with greater freedom of access. Conversely, if attempts are made to program without using keys, the convenience of programming diminishes, which is unfriendly to both designers and users. We observe that existing works have not thoroughly discussed methods based on keyless module-level programming. The primary challenge lies in the fact that if the configuration of functionality does not leverage key-related ports, it will inevitably utilize the module’s original input ports and internal wires. However, during user utilization, the inputs to the module are not constant. Solely using volatile elements such as XOR gates as programming objects will evidently lead to continuous changes in circuit functionality, which is unacceptable. Therefore, a more reasonable approach is to use memory-based reconfigurable devices (based on registers or emerging nonvolatile devices). However, accurately configuring each programming element to operate in the desired function is not a straightforward task primarily due to the absence of explicit key ports.

Inspired by the above thoughts, this work proposes a module-level post-manufacturing programming methodology for security-aware programmable camouflaging cells. The primary contribution of this work is the proposal of a comprehensive post-manufacturing programmable logic camouflage design flow for IP owners requiring no additional hardware ports and negligible hardware resources (Figure 1(c)). We provide theoretical analysis and proofs on function configuration feasibility and introduce a family of camouflaged gates based on a ferroelectric Field-Effect Transistor (FeFET) to showcase our methodology. In detail, we propose a family of reconfigurable logic gates (rGates) that implement two-state-logic camouflage with low overheads and provide four design types for users to choose based on specific needs. Then, we propose a configuration-aware rGate conversion algorithm and provide theoretical analysis, which promises a successful function configuration using only the input ports. Since module functions cannot be controlled by explicit key ports, we analyze the complexity of functional attempts. We further analyze the oracle-guided attacks against unauthorized modules to show the combination of high-output error rates with point-function-like properties, which demonstrates the security advantages. We also discuss the physical and side-channel attack resiliency of FeFETs.

In summary, this work makes the following contributions:

—

A Module-Level Programming Methodology: This work presents a comprehensive methodology for logic camouflage tailored for IP owners, supporting post-manufacturing programmability without the need for additional key ports to successfully configure functionality. The design methodology encompasses camouflage circuit design, circuit replacement methods, configuration-aware algorithms, and theoretical analysis and proofs. It is worth mentioning that our design methodology is not limited to the FeFET-based rGate described below, but also applies to reconfigurable logic gates in complementary metal-oxide-semiconductors (CMOSs), e.g., using register-controlled logic functions, which indicates that our theory has a broader scope of application.

—

Reconfigurable Gate (rGate) Family: We introduce a group of CMOS-compatible, threshold-defined camouflaged, and low-overhead FeFET-based reconfigurable rGates. These gates accept logic inputs to configure the logic function with proper programming conditions. Additionally, we propose four flexible gate-level modification types that can conveniently protect the original circuit without significantly altering the IP design.

—

Configuration-Aware rGate Conversion Algorithm: We propose an algorithm for selecting and converting potential rGate positions from original IP modules, ensuring that the camouflaged module can be correctly programmed using only the input ports and internal wires/nets. We provide theoretical analysis and proof of its feasibility.

—

Security and Overhead Analysis: We analyzed the security and defensive capabilities of this work in various attack scenarios. In particular, when attackers targeting locked devices, we demonstrate an exponential increase in function configuration attempts and a similar point-function-defense pruning process while preserving output corruption capability. Furthermore, we conducted a comparison and analysis of hardware overheads with existing works at both the gate level and module level.

2 Background

This section introduces related logic camouflage and logic locking works plus SAT-based attacks and defenses, together with a brief introduction to FeFET.

2.1 Logic Camouflage and Logic Locking

IP theft is a significant security concern in the semiconductor industry. Logic camouflage and logic locking provide defensive solutions for IP designers [30]. The primary concept behind logic camouflage is to achieve different logic functionalities using the same layout, thereby thwarting reverse engineering attacks [21]. The authors of [6, 12, 21, 23, 26, 27, 38] and associated works extensively discuss the camouflage technique. For logic locking, the basic idea is to introduce additional secret information (i.e., keys) so that new IP without secret information will not work properly. Only when the IP designer licenses the key to the IP user is the function information of the IP considered complete and accurate. Logic camouflage and locking research have a history of nearly 20 years; this article does not aim to provide an exhaustive overview of all developments in IP protection. We recommend that readers who are interested in delving deeper into this topic refer to [13, 17, 30, 35].

In contrast to focusing on the technical details of related works, this work places a greater emphasis on the programming characteristics of the two technologies. While the authors of [46] have unveiled the transforming patterns between the two, leading to the dominance of the logic locking paradigm in current research, the programming processes of these two technologies differ, rendering them not entirely equivalent. In the logic camouflage paradigm, its programmability is not as robust as the logic locking paradigm. This is because the configuration of camouflage logic is typically completed during manufacturing. Consequently, most logic camouflage implementations lack post-manufacturing programmability, weakening the control that IP owners have over ICs after manufacturing. On the other hand, while logic locking achieves good post-manufacturing programmability by introducing additional key ports, for attackers, this also serves as a desirable back door for traversing the state space and searching the keys efficiently.

Despite existing efforts attempting to integrate programmability and logic camouflage [1, 10, 12, 27], none has systematically discussed how to achieve programming for camouflaged logic at the module level without introducing additional configuration ports. The major challenges associated with this have been discussed in Section 1. The most straightforward solution is to deploy camouflaged units to the positions closest to the input ports, enabling programming through the input ports. However, this restricts the freedom to choose the location of camouflaged cells, further impacting flexible deployment and larger-scale applications.

2.2 SAT-Based Attack and Defense

The attack on logic locking (including transforming logic camouflage into a logic locking format) has been a hot research topic, and the SAT attack [36] is considered to be a breakthrough. An SAT attack is an oracle-guided attack based on Boolean satisfiability. An attacker initiates an SAT (Boolean Satisfiability Problem) attack by first obtaining a netlist of the locked circuit, typically by reverse engineering from malicious foundries. Next, the attacker iteratively encodes the logic locking constraints into an SAT formula, where the primary goal is to find a satisfying assignment (i.e., distinguishing input pattern [DIP]) that eliminates the false key. The attacker then employs an SAT solver to eliminate the incorrect keys within a few iterations. Once all the wrong keys are excluded quickly, this implies a successful key recovery, thereby compromising the security of the locked circuit.

The defenses against SAT attacks and their variants are roughly divided into three aspects: point function structure [42, 43, 45], cyclic and behavioral obfuscation [28, 29, 33, 41], and routing obfuscation [18, 19, 34], summarized in [3, 16]. The main idea of point-function-based defense is to make each iteration eliminate as few false keys as possible, so that the number of iterations increases exponentially with the number of keys. However, the concept of point functions inevitably brings additional problems: the module output error rate is very low, which is a compromise to prevent the key from being eliminated quickly in the iteration. The latter two defenses focus respectively on preventing netlists from being modeled to the SAT solver and increasing the time of each SAT-solving iteration, which results in larger overheads [16].

In summary, attackers are trying to break the defense architecture and turn it into a model that the SAT solver can quickly prune, and defenders are trying to make this process more difficult and costly. We suggest that the attack and defense of logic locking are closely related to the relationship between input space and key space. In the typical combinational logic locking paradigm, it is usually believed that the key is fed through memory and scan chains, and the attacker can make arbitrary key attempts, which also means that the input space and the key space are independent. In this work, we attempt to use only input ports for function programming/configuration to couple the previously independent input space and key space to improve the complexity of the SAT solving process.

2.3 Nonvolatile Devices and FeFET

Emerging nonvolatile devices are promising in computing [14], memory [5], energy-harvesting applications [22], and more. They exhibit different electrical characteristics by switching the internal state and will not lose the state when the power is cut off. In this work, we make full use of this “configuration before computing” feature and distinguish it from the traditional volatile structure using keys to unlock the function to achieve a novel security effect.

FeFET is a nonvolatile device that embeds a ferroelectric (Fe) capacitor into the transistor gate stack, which has been applied to memory research [39]. As shown in Figures 2(a) and 2(b), FeFET and CMOS transistors have high similarity in physical structure and high compatibility for feasible large-scale integration in advanced process nodes. Yin et al. [47] proposed FeFET-based compact and energy-efficient ternary content addressable memories (TCAMs). They demonstrate the similar layout and design rules between FeFETS and conventional metal-oxide-semiconductor field-effect transistors (MOSFETs). The structural similarity not only brings convenience at the design and manufacturing level but also provides obfuscation effects in terms of security. De et al. [8] proposed a charge-trap-based obfuscation by exploiting the gate capacitance ability of FeFETs, leading to better concealment against reverse engineering.

Fig. 2.

The threshold voltage ( \(V_T\) ) of FeFETs is reconfigurable, as illustrated by the I-V curves in Figures 2(c) and (d) [10]. With the use of \(HfO_2\) -based Zr-doped material, an FeFET enables the capability of excellent CMOS compatibility and scalability even at advanced technology nodes [9, 37]. This work adopts two types of FeFETs: n-type and p-type, as evaluated in [20], to store one bit of binary states per FeFET: always on and always off. Either state can be switched to the other by applying a proper \(V_{GS}\) beyond the coercive voltage. Currently, FeFETs exhibit a typical write endurance of about \(10^5\) to \(10^{10}\) depending on the device optimization and the configuration process [31]. This limited endurance also provides a guarantee to restrict the maximum hacking and attempting times.

3 Proposed Methodology

The goal of this work is to design a module-level programming methodology for programmable camouflaged logic without using additional key ports. This section first introduces the target configuration flow using input ports only and the major challenges. We then present the specific design details. This section describes the FeFET-based rGates as the logic camouflaging cells, chosen to illustrate a novel lightweight design applied to the proposed methodology. However, our approach is not limited to this specific camouflaging cell. Algorithm 1, proposed in Section 3.5, exhibits a certain degree of generality for other types of programmable camouflaging units with different structures.

3.1 Overall Programming and Configuration Flow

The proposed programming and configuration flow is shown in Figure 3, which demonstrates the overall process. Figure 3(a) shows the locked logic module, in which the rGates are not configured and the logic function is wrong. Figures 3(b) and 3(c) show the rGates configuration process by using the Configuration Input Pattern (CIP). After fixing a pre-selected CIP, the \(V_{dd}\) should be raised to \(V_R\) for a period of time; all rGates in the circuit will be configured successively so that the circuit can achieve the correct function. Since the configuration process is essentially the key activation process, the hardware overhead is a one-time cost. Figure 3(d) shows the unlocked module with the correct function after the configuration, and the \(V_{dd}\) is back to a lower value. From this step, the activation is completed and the end-user can execute the function with arbitrary input patterns.

Fig. 3.

3.2 Major Design Challenges and the Proposed Solutions

Design goal: Use only input ports and internal nets/wires for logic function programming and configuration without using additional key ports.

Challenge 1: Keyless camouflaged element implement. Without key control, the camouflaged logic should be redesigned to implement successful programming and configuration. For prior volatile logic locking techniques, the elimination of keys is almost impossible because the circuit locking behavior is completely reliant on keys. However, for nonvolatile FeFETs, the circuit can be programmed first and then execute the logic with the functions stored in FeFETs.

Challenge 2: Keyless configuration. Since the unlock process determines the module function, the programming and configuration process must ensure that the camouflaged logic can be configured correctly. However, as shown in Figure 1(c), a logic module contains both CMOS logic gates and rGates, and the input ports belong to the whole logic module. Therefore, compared with Figure 1(b), there are no separate gates that can be controlled directly through input ports. Thus, the function of rGates depends on the interconnection state within the circuit module.

In summary, the design of the keyless camouflaged cells and the keyless configuration are two critical issues. In Sections 3.3 to 3.5, we present techniques for solving these essential problems, with theoretical analysis and appropriate examples.

3.3 Keyless Camouflage Logic Design: FeFET-Based rGates

Design goal: rGates can execute the original (correct) function and at least one obfuscation (false) function. rGates can be reconfigured to different functions under certain programming settings.

This work proposes a family of FeFET-based rGates at the gate level. This work proposes two types of rGate and corresponding design methods. As shown in Figure 4(a), the original CMOS logic gate function is \(F^{\prime }\) , and \(F_n\) and \(F_p\) represent the NMOS and PMOS circuit structure of function F, respectively. The type-1 rGate and type-2 rGate utilize an additional logic G to obfuscate the original logic. As shown in Figures 4(b) and 4(c), type-1 and type-2 rGates function as \({F^{\prime }/(FG)^{\prime }}\) and \({F^{\prime }/(F+G)^{\prime }}\) , respectively, and the reverse engineering cannot reveal the correct logic due to the uncertainty of the FeFET on/off states. The Ctr signal connected to the FeFETs will be discussed in Sections 3.4 and 3.5. We need to emphasize that the Ctr signal is different from the traditional key because there are no explicit key ports that connect to Ctr. Since type-2 is essentially a dual structure of type-1, the configuration principle and process are similar. Next, we take type-1 as an example to introduce the computing mode and the configuration mode of the circuit behavior.

Fig. 4.

Computing mode: The working scenario of this mode is that when the end-users have obtained the authorization and completed the chip activation, the circuit logic function has been configured correctly. In this mode, \(V_{dd}\) is kept stable at \(V_{WORK}\) , which is lower than the FeFET coercive voltage such that the polarization states of FeFETs will not change and remain consistent. Therefore, every rGate is performing a correct and stable function.

Configuration mode: This mode configures the rGate function. In this mode, \(V_{dd}\) is set to \(V_R\) , a voltage higher than the coercive voltage, to provide sufficient \(V_{GS}\) for switching the FeFET on/off states (i.e., the ferroelectric polarization state, or the FeFET positive/negative \(V_T\) state). It should be emphasized that the \(V_{dd}\) is global to all gates, containing CMOS gates and rGates. Figure 5(a) explains the configuration process. In Figure 5(b), if the \(F_n\) and \(G_n\) are both on and the \(F_p\) and \(G_p\) are both off, for the n-type FeFET, the source and drain are grounded; for the p-type FeFET, the source is floating and the drain is grounded. If the voltage at node Ctr is \(V_{R}\) , according to Figure 2, the n-type and p-type FeFETs are reconfigured to the low- \(V_T\) (LVT) state, which represents the “always on” and “always off” behavior, respectively. Thus, the rGate functions as \(F^{\prime }\) , because \(G_n\) is shorted by an “always on” n-type FeFET and the \(G_p\) branch is open by an “always off” p-type FeFET.

Fig. 5.

In Figure 5(c), if both \(F_n\) and \(G_n\) are off and both \(F_p\) and \(G_p\) are on, for the n-type FeFET, its source is floating and the drain voltage is \(V_R\) ; for the p-type FeFET, its source and drain voltage are both \(V_R\) . If the voltage at node Ctr is 0, according to Figure 2, the n-type and p-type FeFETs are reconfigured to the high- \(V_T\) (HVT) state, which represents “always off” and “always on” behavior, respectively. Thus, the rGate functions as \((FG)^{\prime }\) , because \(G_n\) is not shorted (n-type FeFET is off) and the \(G_p\) branch is not open (p-type FeFET is on).

An example of a type-1 rGate \({B^{\prime }/(AB)^{\prime }}\) is simulated and the transient waveform is shown in Figure 6. In this example, Ctr is equal to B. From 0 to \(0.4 \mu s\) , since the global \(V_{dd}\) is \(V_R\) and the input A and B are both 1, the rGate is reconfigured to \(B^{\prime }\) . From \(0.4 \mu s\) to \(0.8 \mu s\) , since the global \(V_{dd}\) value is \(V_{WORK}\) , the polarization state of the ferroelectric transistor remains stable and the function of the rGate remains \(B^{\prime }\) . From \(0.8 \mu s\) to \(1.2 \mu s\) , the rGate is reconfigured to \((AB)^{\prime }\) since the global \(V_{dd}\) is \(V_R\) and the input A and B are both 0. From \(1.2 \mu s\) to \(1.6\mu s\) , since the global \(V_{dd}\) value is \(V_{WORK}\) , the polarization state of the ferroelectric transistor remains unchanged and the function of the logic gate remains \((AB)^{\prime }\) . From \(1.6 \mu s\) to \(2.4 \mu s\) , the process is the same as the 0 to \(0.8 \mu s\) process.

Fig. 6.

It should be emphasized that although each rGate has two functions, there is no restriction on which one is the correct function and which one is the obfuscation function. Because of the arbitrariness of F and G, we can easily modify any CMOS logic gate flexibly to enable different logic obfuscation. In the next section, we will introduce the proposed replacement strategy in detail.

3.4 Proposed Flexible Gate Replacement Strategy

Design goal: For a circuit that is not protected by logic locking/camouflage, i.e., the original circuit, a methodology is required to replace the CMOS gates with rGates at selected positions in the circuit so that the attacker cannot know the logic function of the original CMOS gate from the netlist structure.

We provide four types of gate-level camouflage to flexibly replace the original logic gates into rGates. Figure 7 depicts the replacement methodology. Figure 7(a) shows an original CMOS logic module; Figures 7(b) and 7(c) explain the corresponding replacement strategy. For each rGate, as illustrated, there are two functions depending on the polarization state of FeFETs. The design goal is to add an obfuscation logic and keep the other logic as the original logic. For writing clarity, the reverse symbol (’) is ignored in the latter text.

Fig. 7.

Type-A: Type-A applies to “AND-like gate” and the obfuscation logic is “cut” down from the original logic. As shown in gate A, the original logic is I1 \(\cdot\) I2, equivalent to the logic function “FG” of the type-1 rGate, and the obfuscation logic can be seen as “F”, which is I1 in this case (I2 is cut down).

Type-B: Type-B applies to “OR-like gate” and the obfuscation logic is “expanded” from the original logic. As shown in gate B, the original logic is I1 \(\cdot\) I2+I3 \(\cdot\) I4 \(\cdot\) I5, equivalent to the logic function “F” of the type-2 rGate, and the obfuscation logic can be seen as “ \(F+G\) ”, which is I1 \(\cdot\) I2+I3 \(\cdot\) I4 \(\cdot\) I5+I6 in this case (I6 is expanded).

Type-C: Type-C applies to “AND-like gate” and the obfuscation logic is “expanded” from the original logic. As shown in gate C, the original logic is I6 \(\cdot\) I7 \(\cdot\) I8, equivalent to the logic function “F” of the type-1 rGate, and the obfuscation logic can be seen as “FG”, which is I6I7I8I9 in this case (I9 is expanded).

Type-D: Type-D applies to “OR-like gate” and the obfuscation logic is “cut” from the original logic. As shown in gate D, the original logic is I1 \(\cdot\) I2+I3 \(\cdot\) I4 \(\cdot\) I5+I6 \(\cdot\) I7 \(\cdot\) I8+I9, equivalent to the logic function “ \(F+G\) ” of the type-2 rGate, and the obfuscation logic can be seen as “F”, which is I1 \(\cdot\) I2+I3 \(\cdot\) I4 \(\cdot\) I5+I6 \(\cdot\) I7 \(\cdot\) I8 in this case (I9 is cut down).

Figure 8 provides a concrete example of the proposed replacement strategy. Assuming that the designer intends to obfuscate the CMOS logic gate (A+B) \(\cdot\) C, the designer can choose any of the following three replacement types.

Fig. 8.

Type-A with (A+B) cutting down: Since (A+B) \(\cdot\) C can be seen as (A+B) ‘AND’ C, C can be considered as obfuscation logic. FeFETs can control whether (A+B) participates in circuit operations or not. As shown in Figure 8, when key = 0, (A+B) participates in the circuit operation; when key = 1, (A+B) does not participate in the circuit operation. Therefore, when the FeFETs are correctly configured, the rGate function is (A+B) \(\cdot\) C. Otherwise, the rGate function is C, which is wrong, leading to function obfuscation.

Type-B with expanded D: With an additional logic D, (A+B) \(\cdot\) C can be obfuscated with (A+B) \(\cdot\) C+D. FeFETs can control whether D participates in circuit operations or not. As shown in Figure 8, when key = 1, D participates in the circuit operation; when key = 0, D does not participate in the circuit operation. Therefore, when the FeFETs are correctly configured, the rGate function is (A+B) \(\cdot\) C. Otherwise, the rGate function is (A+B) \(\cdot\) C+D, which is wrong, leading to function obfuscation.

Type-C with expanded D: With an additional logic D, (A+B) \(\cdot\) C can be obfuscated with (A+B) \(\cdot\) C \(\cdot\) D. FeFETs can control whether D participates in circuit operations or not. As shown in Figure 8, when key = 0, D participates in the circuit operation; when key = 1, D does not participate in the circuit operation. Therefore, when the FeFETs are correctly configured, the rGate function is (A+B) \(\cdot\) C. Otherwise, the rGate function is (A+B) \(\cdot\) C \(\cdot\) D, which is wrong, leading to function obfuscation.

The reason this example does not use type-D is that this logical expression (A+B) \(\cdot\) C cannot be written as \(F+G\) . Therefore, an obfuscation logic F cannot be found here. It is also possible to change the logical expression to the form AB+AC so that AB or AC can be regarded as obfuscation logic, but the additional hardware cost is increased. In addition, the logic D here is not necessarily a single variable, but rather a combination of multiple variables.

The proposed novel rGate structure shows significant advantages in improving obfuscation flexibility and reducing design complexity. Unlike other FeFET-based reconfigurable gates that focus on polymorphic functionality [10], this design can easily modify the original CMOS logic gate into a new rGate because F and G can be any combination of logic. Thanks to the compatibility of ferroelectric and CMOS processes, the modification and integration are not subject to process constraints. As the structures of the rGate family are not fixed and are similar to the CMOS logic gate, they also achieve a good layout obfuscation effect, which makes the attacker need to spend more time searching for the rGates.

After replacing the logic gate, in the next section, we will present how to configure the module function using the input ports and how to define the Ctr signal of each rGate.

3.5 Keyless Configuration Design: Configuration-Aware rGate Conversion Algorithm and Module Configuration

3.5.1 Design Goal and Prerequisites.

Design goal: Since all input signals of an rGate are derived from input ports or internal signals of the circuit, it is necessary to analyze which CMOS gates in the original circuit module can be replaced in order to ensure that the correct function of the module can be configured/activated through a selected CIP (Figures 3(b) and 3(c)). The Ctr signals should also be defined.

Prerequisites for the analysis in this section: (i) Since the scan chain is assumed to be accessible in the attack model, combinatorial logic analysis is considered in this work and the internal loop formed by circuit gates and wires is not considered. (ii) According to the architecture of this work, when the selected CIP is fixed and \(V_{dd} = V_R\) , all rGates are successfully configured within a period of time. Because there is no explicit configuration port and \(V_{dd}\) is global, the configuration of rGates cannot be configured individually.

3.5.2 The Impracticality of Random rGate Replacement.

We first show why not all CMOS logic gates in the original circuit can be replaced with rGates. Let’s assume that we randomly choose N CMOS logic gates and replace them with the rGates, using strategies in Section 3.4. For each CMOS gate, the corresponding rGate inevitably exists because we provide several flexible replacement types to construct rGates. However, whether there is a CIP so that all N rGates can be configured to the correct function at the same time is difficult. We need to make it clear that this is not just a question of traversing the input space to get a solution.

Suppose that the function of the ith rGate after the nth function reconfiguration can be expressed as \(Y_n^i=f_{(\overrightarrow{IN}_n,Ctr_n)}^i (\overrightarrow{IN},Ctr)\) , where \(\overrightarrow{IN}_n\) and \(Ctr_n\) represent the logic gate input value and Ctr value, respectively, when the rGate function is last reconfigured, which is a constant vector. \(\overrightarrow{IN}\) and Ctr are variables that describe the in/out relationship. When we attempt to reconfigure the rGate for the \((n+1)\) th times, we expect the \(\overrightarrow{IN}\) and Ctr at this time to meet the configuration conditions of the target functions.

However, Figures 4 and 5 shows a critical characteristic that the inputs and outputs of each rGate are fixed during the configuration process, which may cause serious conflicts. Assume that there are two rGates i and j and the input of j is dependent on the output of i, which can be expressed as \(\overrightarrow{IN}_n^i=g(Y_n^i)\) . Now, we aim to reconfigure the function of i, leading to a fixed and constant value \(Y_{n+1}^i\) . Simultaneously, we intend to reconfigure the function of j with the condition constraint of \(\overrightarrow{IN}_{n+1}^j\) . When constraints are applied to both sides of the equation, it’s highly probable that the solution for the remaining variables results in an empty set.

Figure 9 shows an example of this conflict. Suppose we randomly select the two logic gates in Figure 9(a) and replace them with rGate i and j in Figure 9(b). We choose type-C and type-D in Section 3.4, respectively, using two extra wires for obfuscation, which are colored in pink and green. We have marked the values of critical wires during the configuration process. Since the configuration processes of the two logic gates are simultaneous, there is a conflict between the output of i and the input of j, resulting in a failure configuration. Therefore, random selection of replacement locations is not an effective method; we propose a new position pre-selection method to avoid these conflicts.

Fig. 9.

3.5.3 Proposed Configuration-Aware rGate Conversion Algorithm.

We have shown that the reconfiguration conditions of rGates may cause extra constraints and result in circuit conflicts. To eliminate this conflict, the proposed algorithm is to determine the replacement type and Ctr assignment of rGate. Before the specific algorithm is given, we first present two important theorems.

Theorem 3.1.

Considering only the configuration process, whether an rGate is replaced when a CIP is given does not affect the input/output value of this logic gate when this rGate can be configured correctly under this CIP.

Proof.

Assume that a CMOS gate \(i_0\) in the original circuit can be expressed as \(Y^{i_0}=f_{f_c}^{i_0} (\overrightarrow{IN})\) , where \(f_c\) is the correct function of the original gate. Suppose that the rGate i is used to replace \(i_0\) , which can be expressed as \(Y^i=f_{obfuscation\left\lbrace f_c,f_e\right\rbrace }^i (\overrightarrow{IN},Ctr)\) , where we make a slight modification on the expression and show that the function of i is a selection between \(f_c\) and \(f_e\) (error function). Obviously, \(obfuscation\left\lbrace f_c,f_e\right\rbrace\) is directly related to the \(\overrightarrow{IN}\) and Ctr during the configuration process. According to the given condition in the theorem, it is assumed that rGate i can be correctly configured to \(f_c\) when the current CIP is fixed. Since i can be configured correctly, it must be one of the two configuration conditions in Section 3.3 regardless of the rGate type. Further, we analyze the configuration conditions, and we know that \(F_n\) and \(G_n\) have the same behavior that is both on or off. As shown in Figure 4, for type-1 (Figure 4(b)), if \(F_n\) and \(G_n\) are on and the output is 0, the output of the original circuit (Figure 4(a)) is also 0; if \(F_n\) and \(G_n\) are off and the output is 1, the output of the original circuit is also 1. For type-2 (Figure 4(c)), if \(F_n\) and \(G_n\) are on and the output is 0, the output of the original circuit is also 0. If \(F_n\) and \(G_n\) are off and the output is 1, the output of the original circuit is also 1. Therefore, for the values of the input and output of the original logic gate (excluding Ctr), the substitution of rGate does not change under the condition of the theorem. □

Theorem 3.2.

Considering only the configuration process, for an rGate i with the expression as \(Y^i=f_{obfuscation\left\lbrace f_c,f_e\right\rbrace }^i (\overrightarrow{IN},Ctr)\) , \(\exists IN_c \in \overrightarrow{IN} \text{ s.t. } Ctr=IN_c\) while satisfying configuration conditions.

Proof.

From Section 3.3, it is demonstrated that function configuration only happened in two cases: (1) when both \(F_n\) and \(G_n\) are simultaneously on and Ctr equals 1 and (2) when both \(F_n\) and \(G_n\) are simultaneously off and Ctr equals 0. Let’s consider the transition process for these two cases; readers can refer to Figures 4 and 5 for understanding: When \(F_n\) and \(G_n\) are both on—in this scenario, there must exist a path S from GND to the output Y, where all transistors on S are on. This implies that the corresponding input values for the transistors on S are all set to 1. When the configuration conditions change, \(F_n\) and \(G_n\) are both off. In this case, at least one NMOS transistor \(T_c\) on S switches to the off state. Otherwise, S would still connect GND to Y, which contradicts the condition of “ \(F_n\) and \(G_n\) both off”. This implies that at least one input \(IN_c\) corresponding to the \(T_c\) is set to 0, aligning with the requirement of Ctr = 0. Therefore, \(IN_c\) is the target input variable that possesses the property of being assigned to Ctr. □

Finally, we introduce the algorithm implementation. Algorithm 1 introduces how IP designers can implement module-level programming methodology for programmable camouflaged logic in original unprotected circuits. The main idea of the algorithm is to take the gate input-output conditions into account for replacement type selection.

We first input a selected CIP to the original circuit (line 4). Since there is no obfuscation in the original circuit, the state of the circuit is fully known. Theorem 3.1 states that when a CIP can configure rGates, the input-output value of the replacement node before and after replacement does not change. Therefore, the state of circuit C and the state of \(C_L\) remain exactly the same as long as the rGate can meet the configuration conditions. In other words, as long as a logic gate in circuit C meets the configuration conditions of the rGate while entering the selected CIP, replacing it with an rGate with the same CIP also meets the configuration conditions. Therefore, we only need to record the input value \(F_n\) (Section 3.3) of each logic gate (line 6); then, we can replace the logic gate according to the replacement strategies in Section 3.3 based on the condition of \(F_n\) (lines 9–15).

For the last part, we discuss the Ctr assignment of each rGate. Since the replacement of logic gates is determined according to the case of \(F_n\) , the Ctr assignment of each logic gate is different. If the IP designer chooses to introduce additional logic as obfuscation logic in Section 3.4, then we assign Ctr to a stable variable that meets the configuration condition and let the obfuscation logic fit the condition as well. If the IP designer chooses a subset of the logic as obfuscation logic in Section 3.4, then, according to Theorem 3.2, it is only necessary to find the \(IN_c\) variable and assign it to Ctr, and the corresponding obfuscation logic only needs to satisfy the structural characteristics.

3.5.4 Example of Configuration-Aware rGate Conversion Algorithm.

We present a concrete example to help the reader understand our theorem and algorithm. Figures 10(a)–(c) show how an IP designer protects the original circuit. First, the designer needs to select a CIP as the unlock vector of the circuit and deploy the CIP into the original circuit to obtain the wire values of the circuit (Figure 10(a)). Then, according to the input of each logic gate, the designer records \(F_n\) (Figure 10(b)). If the designer needs to replace N rGates, it only needs to select N positions and combine the information of \(F_n\) of each position to select the replacement strategy, as shown in Figure 10(c). It should be noted here that the conflict in Figure 9 occurs because \(F_n\) is not taken into account and the wrong type-C is used for OR gate replacement, where type-A and type-B are the proper choices.

Fig. 10.

Figures 10(d)–(f) show how an end-user unlocks the locked chip in Figure 10(c). Assuming that the user has been authorized and obtained the CIP, the user can input the CIP and raise the power supply voltage. In this case, rGates that meet the configuration conditions will be configured successfully, but not all rGates will be configured immediately. When the rGates near the module inputs are successfully configured, the rGates farther away from the module inputs will be successfully configured soon afterward. Note that we have access permission to scan the chain; thus, we are dealing with combinational logic locking and there is no loop in the module. In addition, activation is a one-time process; therefore, the endurance and hardware overheads are negligible.

Figure 11 shows a simulation waveform describing the configuration using a CIP. We select ITC99-b05 [7] and take N = 10; corrX indicates that the gate with index number X in the circuit is rGate, \(corrX = 1\) indicates that the rGate is successfully configured, and \(corr = 1\) indicates that all N rGates are successfully configured at the same time. When the input is not equal to the CIP selected in advance, the 10 rGates are not fully configured. If the input is equal to CIP, all rGates are correctly configured.

Fig. 11.

3.6 Summary

From the perspective of IP designers, Section 3 introduces a module-level programming methodology by using input ports and internal nets/wires only. This section presents a detailed theoretical analysis and design methodologies of rGate design, rGate replacement types, a configuration-aware rGate conversion algorithm, and module configuration. In the next section, we will analyze the security performance from the perspective of a malicious adversary.

4 Security Analysis

This section analyzes the security performance. We first provide the attack model and then demonstrate the resistance to the SAT attack leveraging the keyless feature.

4.1 Attack Model and Target

The main focus of this work is on module-level post-manufacturing programming of camouflaged logic. Here, we categorically discuss the various capabilities possessed by attackers and the potential effects of their attacks.

FeFET and rGate: While we provide some concealment advantages of FeFETs in the evaluation and discussion section, we consider the location of the ferroelectric transistor to be known in our security analysis. However, the attackers do not know the correct polarization states of the FeFETs, which is the correct function of the rGates. This assumption is consistent with the FeFET camouflaging theories [10]. We also assume that the attacker knows the nature of FeFETs and rGate configuration conditions, which allow the attackers to attempt the functions of rGates by using input ports.

Reverse-engineered locked netlist: Thanks to the physical characteristics of ferroelectric transistors, they exhibit CMOS similarity in layout construction compared with other types of nonvolatile devices. Therefore, accurately pinpointing their locations is not a straightforward task. If attackers cannot determine the position of FeFETs, the defensive effectiveness of this work will be consistent with [32]. We proceed to consider more advanced attacks. If attackers opt to use physical analysis to ascertain the position of FeFETs, it implies that they must possess advanced technologies and incur additional significant time and cost expenses. Determining the location of rGates also implies establishing a novel netlist, which can be achieved by adding extra key ports and individually controlling the functionality of each rGate (depending on the attacker’s level of understanding of rGates). However, it should be noted that, due to the absence of explicit key ports in the modules we designed, the key ports established in the netlist are essentially virtual. Therefore, if confronted with an actual unlocked IC, the keys derived from the netlist solution mentioned earlier cannot be directly applied.

We further analyze the differences between solving through the established netlist with virtual key ports and the actual IC netlist. We define the generalized actual netlist as \(\overrightarrow{Y}=F_{\overrightarrow{CIP}} (\overrightarrow{Input})\) , where \(\overrightarrow{CIP}\) is a specific CIP that determines a specific function of the module, \(\overrightarrow{Input}\) is the inputs of the module, and \(\overrightarrow{Y}\) is the outputs of the module. More specifically, the attacker first needs to input a specific \(\overrightarrow{CIP}\) to configure a specific function \(F_{\overrightarrow{CIP}}\) (with a higher \(V_{dd}\) ), and can then execute the function and obtain the output by entering arbitrary \(\overrightarrow{Input}\) . We consider an established netlist with virtual key ports, in which the keys configure the module function \(\overrightarrow{Y}=F_{\overrightarrow{Keys}} (\overrightarrow{Input})\) . Since the input ports and key ports are independent, the configuration process and the function execution process are synchronized; therefore, they can be represented as \(\overrightarrow{Y}=F(\overrightarrow{Input}, \overrightarrow{Keys})\) , which is the same as the traditional expression. SAT modeling for \(\overrightarrow{Y}=F_{\overrightarrow{CIP}} (\overrightarrow{Input})\) is simple since it only needs to be expressed as \(C(\overrightarrow{Input},\overrightarrow{Output})\) in a conjunctive normal form (CNF), and functional configuration constraints need to be added before feeding to the SAT solver.

Oracle, an unlocked/activated chip: We focus on oracle-guided attacks and believe that an attacker could obtain well-configured chips from the open market. An unlocked chip is considered a black box, and an attacker can only control the input and obtain the output without understanding the internal secrets. Access to the scan chains is permitted for input attempts and output observation.

Attack target: The attacker is targeting the correct CIP and using it to reconfigure any unlocked chip. Once the chip is unlocked, the function can be performed correctly and the attack target is completed.

4.2 SAT Attack Resistance Analysis under Different Scenarios

We discuss the attack resilience of this work in multiple scenarios, assuming that attackers can bear the cost of accurately locating all rGates with advanced analysis tools and resources. We consider the following situations [11]: Attackers can launch SAT attacks by establishing netlists extracted directly through RE or by creating netlists with added virtual key ports based on the positions of rGates. The attack results can then be applied to ICs that have been manufactured but not activated or used to manufacture entirely new ICs.

Attack Scenario 1: Attackers directly extract the netlist. We first consider the space theory of SAT-based attacks. SAT attacks decompose a problem into two independent spaces: the input space \(\mathbb {IN}\) and the function space \(\mathbb {F}\) (typically the key space \(\mathbb {KEY}\) in key-based designs) and then employ an SAT solver to find a solution \(\overrightarrow{IN_D} \in \mathbb {IN}\) that distinguishes the two functions introduced by the two different keys. As shown in Figure 12(a), since each key corresponds directly to a function and keys are entered through explicit ports, the traversal of \(\mathbb {F}\) is efficient. This theory is expressed and executed as follows: The SAT solver first copies two reverse-engineered netlists and constrains them to have the same input and different keys. If it is possible to solve an input that distinguishes the function difference between two netlists, the input is defined as a DIP, which is the \(\overrightarrow{IN_D}\) . In addition, the strength of the SAT attack is based on the fact that a DIP can distinguish multiple pairs of functions/keys. Therefore, each DIP will rule out several false keys; this rapid pruning ability makes the SAT attack a game changer.

Fig. 12.

Our approach operates on a different principle, which makes \(\mathbb {IN}\) and \(\mathbb {F}\) no longer independent. Initially, we utilize input to configure the module function without using explicit keys, as shown in Figure 12(b). This implies that there is a coupling between the input space \(\mathbb {IN}\) and the function space \(\mathbb {F}\) , rendering them no longer independent. In this scenario, any attempt to decompose the problem into two separate spaces faces significant challenges. Consequently, SAT solvers cannot straightforwardly utilize the input space to represent, analyze, and filter the function space. Based on the above analysis, we next theoretically derive two essential defense strengths that contribute to the exponential factor against the SAT attack.

4.2.1 Function Space Traversal Complexity.

Assume that N gates in the circuit are replaced with rGates. It is noted that the proportion of the correct function state is only \(2^{-N}\) , which decreases exponentially with the linear growth of N. Let’s consider a logic module with a set of internal rGates. Each rGate \(G_i\) has a binary state, either 0 (obfuscation function) or 1 (correct function). Here, we show the difference between the key-based and keyless method.

Using Keys to Control Key Gates: In the traditional approach, key bits directly control the state of key gates. The key space \(\mathbb {KEY}\) consists of all possible combinations of key bits \((K_1,K_2, \ldots ,K_N)\) . Each key bit can take values 0 or 1, resulting in \(2^N\) possible key combinations. Due to the fact that each key bit can be controlled directly through scan chains, the complexity of controlling key gates using keys is \(O(1)\) . It involves directly setting the state of all key gates according to the key values.

Using Inputs to Control Internal rGates: We use input ports of the primary circuit to indirectly control the state of internal rGates. The input space \(\mathbb {IN}\) consists of all possible combinations of input values \(\overrightarrow{IN}=(In_1,In_2, \ldots ,In_M)\) , where M is the number of input bits, which is typically significantly larger than N. Each input bit \(In_i\) can take values 0 or 1, resulting in \(2^M \gg 2^N\) possible input combinations.

The complexity arises from the fact that N rGates must simultaneously be successfully configured, and the relationship between input values and the configuration states of these gates is not straightforward. Unlike key gates, where key bits directly control their states, configuring N rGates through input values involves complex dependencies, ambiguities, and inter-dependencies among the gates.

Let \(\mathcal {C}(G_i)\) represent the configuration state of \(G_i\) controlled by inputs, where \(\mathcal {C}(G_i)\) can be 0 or 1. Hence, \(\mathcal {C}(G_1,G_2, \ldots ,G_N)\) represents the states of all rGates, which also represents the module function and, thus, \(\mathcal {C}(G_1,G_2, \ldots ,G_N) \in \mathbb {F}\) . In this context, the configuration of N rGates is a function of the input values, i.e., \(\mathcal {C}(G_1,G_2, \ldots ,G_N)= \Psi (\overrightarrow{IN})=\Psi (In_1,In_2, \ldots ,In_M)\) . The function \(\Psi\) models the complex relationships, dependencies, and inter-dependencies among the gates and inputs, and the complexity arises from the following aspects.

Inter-dependencies Among rGates: Each rGate configuration condition has a large probability depending on the states of other rGates within the module. Mathematically, this can be represented as \(\mathcal {C}(G_i)= \Psi (In_1,In_2, \ldots ,In_M,G_1,G_2, \ldots ,G_N)\) . It is worth noting that it is precisely because of this dependency that the algorithm presented in Section 3.5 is necessary for the configuration process; otherwise, Section 3.4 would have completed the overall replacement design.

Ambiguities in Configuration: The function \(\Psi\) can have cases in which multiple combinations of input values lead to the same configuration of rGates, introducing ambiguities. Since the correspondence between \(\Psi\) and \(\mathcal {C}\) is not clear, the attempt to obtain a new module configuration \(\mathcal {C}(G_1,G_2, \ldots ,G_N)_new \in \mathbb {F}\) is increasingly difficult as the untraversed space in \(\mathbb {F}\) gets smaller.

Complex Dependencies: Dependencies among gates may involve complex logical conditions, making it challenging to predict the exact configuration states based solely on input values. Furthermore, we note that the space composed of the configuration conditions of each rGate is smaller than the input space of the rGate. That is, during the configuration process, if the input of the rGate does not meet any configuration conditions, the function of the rGate will not change. As a result, the function of an rGate may be different even if the same input is entered into rGate at different times as long as the input cannot configure this rGate.

Therefore, the complexity of controlling internal rGates using inputs can be significantly higher due to the need to ensure the correct configuration of multiple rGates simultaneously and the lack of a clear, direct mapping between input values and the configuration states of rGates.

4.2.2 Point-Function-Like Elimination Characteristic.

In Section 4.2.1, we analyzed the fact that traversing the functional space with input is challenging, especially as the untraversed space gets smaller and smaller. In this section, we assume that the SAT solver has already acquired two different functions and now needs to find a DIP to distinguish between the two functions. The solution process is trivial, but we focus on the finding that the pruning of the function space after finding DIP is similar to a point function defense [42, 43, 45], which is a critical property that contributes to the exponential factor.

According to the definition in Section 4.1, let the two functions be \(\overrightarrow{Y_1}=F_{\overrightarrow{CIP_1}} (\overrightarrow{Input})\) and \(\overrightarrow{Y_2}=F_{\overrightarrow{CIP_2}} (\overrightarrow{Input})\) , where \(\overrightarrow{CIP_1}\) and \(\overrightarrow{CIP_2}\) represent two input patterns that configure two different functions in the function space \(\mathbb {F}\) . SAT solver finds a DIP by solving

\begin{equation*} \overrightarrow{Y_1} \oplus \overrightarrow{Y_2}\ne \overrightarrow{0},\ when\ {\overrightarrow{Y_1}=F}_{\overrightarrow{{CIP}_1}}\left(\overrightarrow{DIP}\right)\ and\ {\overrightarrow{Y_2}=F}_{\overrightarrow{{CIP}_2}}\left(\overrightarrow{DIP}\right) \nonumber \nonumber \end{equation*}

However, while DIPs are easily accessible, DIPs can only distinguish \(F_{\overrightarrow{{CIP}_1}}\) and \(F_{\overrightarrow{{CIP}_2}}\) ; they cannot distinguish between other \(F_{\overrightarrow{CIP}\in {\lbrace \mathbb {F}-\overrightarrow{{CIP}_1}-\overrightarrow{{CIP}_2}\rbrace }}\) in the functional space. The essence of the problem is that there is no relationship between DIP, \(F_{\overrightarrow{DIP}}\) , and CIP1/CIP2; thus, there is no connection between DIP and configuration functions and, therefore, there is no way to identify other functions. In other words, DIP can only identify one pair of functions, which is a property of the point function defense. Compared with traditional jobs without point-function, suppose that there are two different netlists \(F_{\overrightarrow{{Key}_1}}(\overrightarrow{Input})\) and \(F_{\overrightarrow{{Key}_2}}(\overrightarrow{Input})\) . Since the input ports and key ports are independent, \(F_{\overrightarrow{{Key}_1}}(\overrightarrow{Input})=\ F(\overrightarrow{Input},\overrightarrow{{Key}_1})\) and \(F_{\overrightarrow{{Key}_2}}(\overrightarrow{Input})=\ F(\overrightarrow{Input},\overrightarrow{{Key}_2})\) . While the DIP provides the distinguishability between them, the SAT solver can further add DIP to the constraints. Therefore, this DIP can further distinguish the key pairs by analyzing \(F(\overrightarrow{DIP},\overrightarrow{{Key}_m})\) and \(F(\overrightarrow{DIP},\overrightarrow{{Key}_n})\) , where \(\overrightarrow{{Key}_m},\overrightarrow{{Key}_n}\in {\lbrace \mathbb {KEY}-\overrightarrow{{Key}_1}-\overrightarrow{{Key}_2}\rbrace }\) .

This work has a similar feature to point function defense work while alleviating their limitations in circuit structure and output error rate. While sharing similarities with point function defense methods, our approach stands out by avoiding the use of additional circuit modules for point function obfuscation and offering a new implementation. As a result, it remains resistant to bypass and removal attacks. Furthermore, we do not enforce point function restrictions at the output, allowing for a higher tolerance to output error rates. This unique combination of security and flexibility makes our method a robust and practical choice for circuit protection.

4.2.3 Discussion on Other Attack Scenarios.

Attack Scenario 2: Attackers creating the netlist with virtual key ports and applied the keys to inactivated ICs. In Section 4.1, we discussed the characteristic of the solved virtual keys not aligning with actual physical ports. Therefore, even with the knowledge of the values of each key, i.e., the functionality of each rGate, attempting to find a CIP in the IC is not a straightforward process. This is because the algorithm proposed in Section 3.5 is a forward programming process. We first define a CIP and deploy it in the circuit module. Then, by selecting nodes in the module and replacing rGates based on the locations, input–output relationships, and functionality selections, we achieve the desired conversion and configuration. Determining the state of circuit nodes based on inputs is straightforward because it does not involve any solving or uncertain operations. Conversely, if we know the replacement for each rGate first, reversing the algorithm from Section 3.5 is not straightforward. It becomes a problem of reverse solving the primary input CIP from n circuit nodes.

Attack Scenario 3: Attackers creating the netlist with virtual key ports and manufacture entirely new ICs without camouflaged functions. Although attackers face increased time and cost expenses when solving and remanufacturing ICs based on the modified netlist, we believe it remains feasible. Our work aims to advance camouflaged logic towards greater scalability and flexibility in programmability. Consequently, we do not directly address satisfiability attacks in this scenario, similar to [10]. However, preventing SAT attacks requires other SAT-resistance logic circuits, which can easily be integrated with our approach. In the introduction of Section 3, we extensively illustrate the flexibility and feasibility of our designed rGate in terms of functionality and deployment, making it entirely feasible to combine with other works [17, 28, 29, 33, 41, 42, 43, 45]. Furthermore, the capability of logic reconfiguration allows the use of dynamic camouflage techniques that can resist SAT attacks [27].

4.3 Discussion on Invasive Attack and Semi-invasive Attack

In this section, we discuss invasive and semi-invasive attacks on FeFETs. Concerning invasive attacks, a notable characteristic of the rGate family proposed in this work is the absence of a uniform and identical cell structure. This presents an advantage over prior approaches [1, 10, 12, 21, 26] as attackers cannot immediately identify potential camouflaged cells through image recognition from the chip. As for semi-invasive attacks, the proposed rGate introduces minimal alterations to the circuit. As demonstrated in Section 3.3, the replacement of each logic gate requires only a few transistors. Consequently, the use of FeFETs imposes negligible additional power consumption and delay, as reflected in our subsequent evaluations. Therefore, this work exhibits a degree of resilience when confronted with side-channel attacks. Furthermore, FeFETs possess some inherent camouflage properties in terms of layout, as illustrated in Figure 13. Additionally, we believe that the application of electrical shielding, as mentioned in [8], can effectively safeguard the circuit from interference by external electric fields, thereby serving as an optional defensive measure. While we acknowledge that adversaries with advanced techniques could potentially detect the positions of each rGate, this would entail a significantly higher cost. This, to some extent, shows the camouflage characteristics of FeFETs. However, it is important to note that in our previously mentioned attack model, we assumed that attackers have knowledge of rGate positions. This ensures that our approach retains its capability to resist physical probing attacks.

Fig. 13.

5 Evaluation Results

This section first introduces the simulation setup. Next, we show the evaluation of the rGate replacement method. For security performance, we evaluate the function space traversal complexity, resiliency against SAT attack, and the output Hamming Distance. For hardware overheads, we evaluate the gate-level and the module-level power, performance, and area (PPA).

5.1 Simulation Setup

The benchmarks in this work are the selected combinational modules in ISCAS-85 [15] and ITC-99 [7], which are summarized in Table 1. The simulator in [36] is used to launch the SAT attack. At the gate level, we use Cadence Virtuoso and the FeFET model from [4]. At the RTL level, the netlist simulation verification is done by Vivado, and the PPA analysis of the modules is finished with Synopsys DC compiler, where FeFET-related parameters are imported from Virtuoso. At the system level, we use Python to implement the configuration-aware rGate conversion algorithm, state analysis of function space, and Hamming Distance analysis.

Table 1.

Benchmark	Gate Number	Inputs	Outputs
b04	637	77	74
b05	544	35	70
b12	1053	126	127
b14	5493	277	299
b15	7544	485	519
c499 (32-bit SEC)	202	41	32
c880 (8-bit ALU)	383	60	26
c3540 (8-bit ALU)	1669	50	22
c6288 (16x16 Multiplier)	2406	32	32

Table 1. Statistics for Selected Benchmarks

5.2 rGate Replacement Type and Number

In Section 3.5, we illustrate the infeasibility of arbitrary rGate replacement and propose the configuration-aware rGate conversion algorithm. In the algorithm, it should be noted that the replacement type of rGate (described in Section 3.4) needs to be determined by both the current gate input values and configuration conditions. We use the replacement function at the end of the algorithm with two possible type choices (lines 11 and 13 of Algorithm 1). However, this is only a selection range; we show in Figure 14 the replaceable type number R (0 \(\le\) R \(\le\) 2) of the original gate in five ITC-99 modules under 20 different CIP conditions. R=2 means that under the current CIP, this logic gate can have two rGate types to choose from; R=1 means that this logic gate can only be replaced with an rGate of a specific type; R=0 indicates that this logic gate cannot be replaced with an rGate, which is about 5% of the total number of logic gates. This evaluation demonstrates that approximately 95% of logic gates can be replaced with rGates and configured successfully. This proportion of replacement is sufficient for logic locking, as obfuscation logic typically constitutes a small portion of the overall circuit due to hardware cost considerations.

Fig. 14.

5.3 Function Space State Analysis

In Section 4.2.1, we discuss the fact that state traversal of the function space is difficult when the function space and the input space are coupled. Therefore, it is not trivial for an attacker to acquire different functionality at O(1) complexity in each iteration. In particular, when the number of untraversed nodes in the functional space is small, the brute-forced input of a new CIP has a greater probability of corresponding to the traversed nodes in the functional space. We show the results of the evaluation in Figure 15. For each model, we chose three different N and compared them with designs that used scan chains for explicit key control. All rGate replacement strategies follow Algorithm 1 and replace randomly if constraints on position and replacement type are met. Simulation results show similar properties: Configuration with inputs (this work) requires significantly more attempts than configuration with keys, especially in situations in which less than half of the states in the functional space are not traversed. This means that in the mid to late iterations of SAT attacks, iteration times will increase exponentially due to constraints on constructing new features, which will be shown in the next section.

Fig. 15.

5.4 SAT Attack Results and Analysis

In this section, we discuss the first and second attack scenarios from Section 4.2, leaving the third attack scenario as a topic for future work. In each iteration, the SAT solver faces the intricate task of searching a new state of the netlist function. Furthermore, as elaborated in Section 4.2.2, due to the inherent similarity to the point function, it becomes challenging for each DIP to eliminate a substantial number of wrong function states. This difficulty in eliminating states contributes to avoiding rapid pruning and time reduction.

Table 2 presents a detailed analysis of SAT attack execution times and compares this work with a defense scheme based on point functions [42, 43, 45]. Within each module, as the number of rGates N (i.e., the key number in key-based defenses) increases, the attack time exhibits exponential growth. It is noteworthy that compared with the prior works, our work also demands a longer attack time for modules of the same size. This observation also implies that adopting a larger benchmark with more rGates could better utilize the defensive advantage of this work. If there are limitations on hardware resources, our work can also use fewer rGates to achieve the same level of defense as previous work with less hardware overhead compared with prior works.

Table 2.

Technique	Gate Number	Benchmark	N (Key bit)	Execution time
This work	\(\le 1{,}000\)	b04	8	457 s
			10	15,877 s
			14	\(\ge 20 days (estimated)\)
		b05	8	39,480 s
			10	14,757 s
			14	\(\ge 20 days (estimated)\)
	\((1{,}000,5{,}000)\)	b12	8	17,982 s
			10	\(\ge 1 year (estimated)\)
			14	\(\ge 1 year (estimated)\)
	\(\ge 5{,}000\)	b14	8	9,958 s
			10	\(10{,}917\) s
			14	\(\ge 1 year (estimated)\)
		b15	8	19,917 s
			10	\(\ge 20 days (estimated)\)
			14	\(\ge 1 year (estimated)\)
SARLock+SLL [45]	\((1{,}000,5{,}000)\)	s5378	10	54.1 s
		s5378	14	10,250.7 s
		s9234	10	77.2 s
		s9234	14	15,532.3 s
	\(\ge 5{,}000\)	c5315	10	75.4 s
		c5315	14	\(15{,}874.9\) s
		c7752	10	78.3 s
		c7752	14	14,573.1 s
Anti-SAT [42]	\(\le 1{,}000\)	c1355 (Type 0)	8	1.15 s
			10	20.024 s
			14	4,498.03 s
			16	\(\ge 10 hours\)
		c1355 (Type 1)	8	1.06 s
			10	14.612 s
			14	3,658 s
			16	\(\ge 10 hours\)
SFLL-HD [43]	\(\ge 5{,}000\)	b14	11	2,000 s
		b14	14	12,000 s
		b15	11	2,000 s
		b15	14	12,000 s

Table 2. SAT-Based Resistance Results and Comparison on Blackbox Devices under Attack Scenarios 1 and 2 in Section 4.2

5.5 Output Corruption Analysis

This section evaluates the normalized Hamming distance (HD), between 0 and 100%, between the output of the module when rGates are correctly/incorrectly configured at different benchmarks. For the point-function defense model, only one DIP can be found for each incorrect configuration; thus, almost all input patterns exhibit normal behavior and the output corruption rate is close to zero. The remaining defense schemes guarantee output corruption rates but introduce higher hardware overhead. This work shows an improved HD corruption by implementing random-like rGate replacement where rGates have 95% positions to replace with a specific obfuscated type (Sections 3.4 and 3.5). As shown in Figure 16, for the models in ITC-99, when the rGate ratio is close to 40%, the average HD reaches about 20% and the maximum HD reaches about 50%. Compared with the four models of the same scale in ISCAS-85, the average HD reaches about 30%, which is slightly higher than the former. This is because the number of output ports of the latter is much smaller than that of the former.

Fig. 16.

In addition, compared with the logic locking techniques with high output error rates, although this work achieves almost randomization in position, it is slightly lower in HD because the alternative types are fixed and the two obfuscation logics in our proposed rGate are not independent. However, because our work does not require keys and has the characteristics of point-functions-like defense, it has an advantage in resisting algorithmic attacks. Therefore, this work has advantages in both output corruption rate and safety performance.

5.6 Gate-Level and Module-Level Overheads

This work implements logic camouflage by using FeFET-based rGates to replace the original CMOS logic gates. As described in Section 3.3, the proposed rGates is a two-state-only configurable gate without significantly reducing the obfuscation effect. Thanks to this lightweight nature, rGates achieve lower hardware overheads. This section illustrates that this work achieves lower overheads and high hardware efficiency at both the gate level and module level.

As presented in Section 2.3, we introduce rGate to provide nonvolatile logic configuration by exploiting the “always on” state (LVT) and the “always off” state (HVT) of FeFETs. The latency and energy have been evaluated in a 65-nm CMOS process. The FeFET model is from [4]. The results are shown in Figure 17. On the one hand, the latency increases as the number of variables (i.e., the number of transistors) increases, and the HVT rGate latency is about 1 ns higher than the LVT rGate. On the other hand, as the input number increases, the LVT rGate latency is no more than 0.2 ns higher than the CMOS gate, which indicates ultra-low latency overheads. The energy consumption also demonstrates a slight increase of no more than 0.5fJ as the number of variables increases, which indicates ultra-low energy overheads. This slight difference provides insight into resisting side-channel attacks: as long as there is no significant difference in power delay in different configuration states, the attacker cannot crack each rGate individually.

Fig. 17.

We further compare the camouflage cell area with the existing cell-level camouflage works [12, 23, 26, 44], showing the high area efficiency. The proposed rGate is a gate-level modification scheme with good flexibility and achieves higher area efficiency than the traditional camouflage cell based on the identical structure. As shown in Figure 18, this work achieves an area reduction of >6.4%, because only a few transistors are added to the original CMOS gate-level structure. The area savings are more significant in obfuscating logic gates with more inputs. Because prior camouflage works have a fixed gate structure, they are generally targeting implementing more types of two-input logic in one cell. For instance, [23] proposes a camouflage cell with 162 logics. However, when faced with four-input logic, the hardware overheads of the fixed structures are more significant. The proposed scheme can directly modify the four-input logic gate at a lower area cost. As shown in Figure 18, this work achieves 37.4% area reduction, whereas the rest require at least doubled area to implement the 4-input logic.

Fig. 18.

Lower hardware overheads provide a larger design space and facilitate designers to deploy more obfuscated logic under the given hardware resource constraints, which improves the IP protection effect. As for the deployment strategy of the rGates, a simple and effective method of using rGates without affecting the critical path delay is to replace the CMOS gate with an rGate in the non-critical path. For the module-level energy overhead evaluation, because the proportion of rGates is ultra low, the total energy and area overheads are negligible. The authors of [23] propose an algorithm to enhance output corruptibility and achieve a non-resolvable gate position for better camouflage capability, which is also adaptable for this work. It is important to note that high output error rates and avoiding critical path deployment are often trade-offs that require thorough analysis.

We further evaluate the module overheads in Figure 19. This figure illustrates hardware overhead simulations for four ISCAS-85 benchmarks, each containing a different number of rGates (N). First, given the varying sizes of these benchmark circuits, it’s evident that smaller benchmarks incur higher hardware costs for the same N, indicating a positive correlation between hardware cost and the rGate ratio.

Fig. 19.

Furthermore, in terms of latency, except for the smallest C499 benchmark with N up to 16, which exhibits substantial delay costs, the other benchmarks do not show significant latency overheads. This is attributed to our optimization in gate placement, where rGates are strategically added to non-critical paths, mitigating latency issues. Regarding power consumption and area, we also observe a positive correlation with the rGate replacement ratio. When compared with SARLock [45], a method also utilizing the ISCAS-85 dataset, our work demonstrates better hardware efficiency. For larger benchmarks, the hardware efficiency advantage is more prominent, because we do not require additional logic and additional circuit structure for defense function, and we improve the traditional defense pattern from the circuit structure design.

6 Discussions

This section further discusses the features of FeFET and some related issues on logic camouflage/locking.

6.1 Discussions on FeFETs

Generally, the endurance of a non-volatile device affects product performance. However, in the realistic scenario of logic locking, only a one-time authorized activation is required to configure the correct circuit functions. Subsequently, the normal operation of the circuit will not change the function of the circuit and will not affect the endurance of the FeFETs.

This work also introduces some obfuscation characteristics of FeFETs in the face of invasive attacks and semi-invasive attacks but does not deny that attackers can acquire FeFETs’ locations through advanced techniques and more time costs. Therefore, our security theory and analysis are based on the known location of rGates.

There are other FeFET-based camouflage works [10, 48]. However, while there is indeed a similarity in the utilization of FeFET technology in these works, we’d like to highlight a few distinctions that set our research apart: (i) Exploring keyless module-level programming methodology. Our approach introduces a novel feature by utilizing input-configuration, completely eliminating the need for extra keys (control signals). This innovative aspect significantly differentiates our work from the previously published concept, while enhancing the security level (Section 4). (ii) Versatility in configuration. Unlike the previous works, our proposed technique has the theoretical potential to be applied to a wide range of logic functions for reconfigurable gate modification, not restricted to specific functions only. (iii) Comprehensive security analysis. We have conducted an in-depth analysis of the security aspects of our logic locking technique, providing multiple theoretical proofs to validate its robustness and effectiveness.

For FeFET devices, we acknowledge that the practical implementation and scalability to larger and more complex designs is a critical aspect that warrants further investigation. The industry generally believes that the write endurance of FeFETs is a major bottleneck, which leads to reliability problems. However, in the working scenario of logic locking, as mentioned earlier, activation and configuration is a one-time process at the security level, with negligible endurance impacts compared with frequent memory read-and-write operations. At the same time, in this work, FeFET only needs to store 1 bit of information. Therefore, it only needs to ensure that the polarization of the activation process is sufficient; thus, it will not introduce reliability problems. At present, FeFET can already be integrated on a large scale, Samsung/Intel/TSMC in 2022 proposed high-durability FeRAM/3D FeRAM/MFIM FTK, respectively, but mature products are still developing.

6.2 Discussions on Logic Camouflage/Locking

Finally, we discuss the relationship and development trends between logic camouflage and logic locking. Originally, logic camouflage focused on the layout level (physical level) and did not inherently possess post-manufacturing programmability. However, with the emergence of nonvolatile devices and advancements in manufacturing, logic camouflage has improved post-manufacturing programmability, leading to similar characteristics with logic locking. The authors believe that distinguishing between logic camouflage and logic locking from a textual definition perspective is not the core issue. Instead, the crucial aspect lies in the security and resilience elements behind each technique. For logic camouflage, as its inherent programmability is not as strong as logic locking, enhancing programmability is the focus of this work. Our proposed methodology emphasizes keyless programmability, eliminating explicit configuration ports at the module level. This not only provides flexibility against algorithmic attacks but also offers defense against physical attacks [25, 40], as attackers cannot exploit registers connected to static keys to obtain any meaningful information. Our Algorithm 1 demonstrates a certain degree of generality for various programmable camouflage logic and is not confined solely to the FeFET-based rGate. As the research on its defense resilience against SAT attacks has already been demonstrated in the context of logic locking-related work, the next suggested step for researchers is to explore how to integrate this programmability with the latest logic locking techniques.

7 Conclusion

This work introduces a novel approach to enhancing the programmability of logic camouflage at the module level, addressing limitations previously confined to logic cells/gates. By proposing a module-level configuration methodology for programmable camouflaged logic, we eliminate the need for additional hardware ports, making the implementation more resource efficient. The theoretical proof establishes that configuration can be achieved through the inputs and netlist of the original module, laying the foundation for practical implementation. Furthermore, the introduction of a lightweight FeFET-based reconfigurable logic gate (rGate) family shows the flexibility of the proposed methodology. The demonstrated input-only configuration characteristic, coupled with a combination of high output error rate and point-function-like defense, showcases the versatility and security-aware design capabilities of the proposed approach.

Evaluation results highlight the effectiveness of the methodology, with over 95% average alternative rGate location for camouflage, demonstrating its adequacy for security-aware design. The observed exponential complexity in function state traversal and the superior defense capability of the locked blackbox against SAT attacks compared with key-based methods further underscore the strength of the proposed approach. Moreover, the preservation of a clear output Hamming distance and the introduction of negligible hardware overheads in both gate-level and module-level evaluations, conducted under typical benchmarks, affirm the practical feasibility and efficiency of the proposed programmable camouflaged logic. This work presents insights for future research to explore the integration of programmability with cutting-edge logic locking techniques, fostering advancements in security and resilience within the integrated circuit supply chain.

References

[1]

Nail Etkin Can Akkaya, Burak Erbagci, and Ken Mai. 2018. A secure camouflaged logic family using post-manufacturing programming with a 3.6GHz adder prototype in 65nm CMOS at 1V nominal VDD. In 2018 IEEE International Solid-State Circuits Conference (ISSCC’18). 128–130.

Abstract

1 Introduction

2 Background

2.1 Logic Camouflage and Logic Locking

2.2 SAT-Based Attack and Defense

2.3 Nonvolatile Devices and FeFET

3 Proposed Methodology

3.1 Overall Programming and Configuration Flow

3.2 Major Design Challenges and the Proposed Solutions

3.3 Keyless Camouflage Logic Design: FeFET-Based rGates

3.4 Proposed Flexible Gate Replacement Strategy

3.5 Keyless Configuration Design: Configuration-Aware rGate Conversion Algorithm and Module Configuration

3.5.1 Design Goal and Prerequisites.

3.5.2 The Impracticality of Random rGate Replacement.

3.5.3 Proposed Configuration-Aware rGate Conversion Algorithm.

3.5.4 Example of Configuration-Aware rGate Conversion Algorithm.

3.6 Summary

4 Security Analysis

4.1 Attack Model and Target

4.2 SAT Attack Resistance Analysis under Different Scenarios

4.2.1 Function Space Traversal Complexity.

4.2.2 Point-Function-Like Elimination Characteristic.

4.2.3 Discussion on Other Attack Scenarios.

4.3 Discussion on Invasive Attack and Semi-invasive Attack

5 Evaluation Results

5.1 Simulation Setup

5.2 rGate Replacement Type and Number

5.3 Function Space State Analysis

5.4 SAT Attack Results and Analysis

5.5 Output Corruption Analysis

5.6 Gate-Level and Module-Level Overheads

6 Discussions

6.1 Discussions on FeFETs

6.2 Discussions on Logic Camouflage/Locking

7 Conclusion

References

Index Terms

Recommendations

Reduced Overhead Gate Level Logic Encryption

Security Path: An Emerging Design Methodology to Protect the FPGA IPs Against Passive/Active Design Tampering

Reprogrammable network packet processing on the field programmable port extender (FPX)

Comments

Information

Published In

Publisher

Journal Family

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

View options

PDF

eReader

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations