Toward Efficient Evaluation of Logic Encryption Schemes: Models and Metrics

T owar d Eicient Evaluation of Logic Encr yption Schemes: Models and Metrics Yinghua Hu 1 Vivek V . Menon 2 Andrew Schmidt 2 Joshua Monson 2 Matthew French 2 Pierluigi Nuzzo 1 1 Department of Electrical and Computer Engineering, University of Southern California, Los Angeles, CA, USA, {yinghuah, nuzzo}@usc.edu 2 Information Sciences Institute, University of Southern California, Arlington, V A, USA, {vivekv , aschmidt, jmonson, mfrench}@isi.edu ABSTRA CT Research in logic encryption over the last decade has resulted in various techniques to pr event dierent security threats such as T ro- jan insertion, intellectual property leakage, and reverse engineering. Howev er , there is little agreement on a uniform set of metrics and models to eciently assess the achieved security level and the trade-os between security and overhead. This paper addresses the above challenges by r elying on a general logic encryption model that can encompass all the existing techniques, and a uniform set of metrics that can capture multiple, possibly conicting, security concerns. W e apply our modeling approach to four state-of-the-art encryption techniques, showing that it enables fast and accurate evaluation of design trade-os, average pr ediction errors that are at least 2 × smaller than previous appr oaches, and the evaluation of compound encryption metho ds. 1 1 IN TRODUCTION Integrated circuits (ICs) often r epresent the ultimate r oot of trust of modern computing systems. However , the de centralization of the IC design and manufacturing process over the years, involving multiple players in the supply chain, has increasingly raised the risk of hardware security threats from untrusted third parties. Logic encryption aims to counteract some of these threats by appropriately modifying the logic of a circuit, that is, by adding extra components and a set of key inputs such that the functionality of the circuit cannot be revealed until the corr ect value of the key is applied. Several logic encryption methods have been proposed over the the last decade to protect the designs from threats such as intellectual property (IP) piracy , r everse engineering, and hardware Tr ojan insertion (see, e.g., [ 2 – 6 ]). However , existing techniques are often tailored to specic attack mo dels and security concerns, and rely on dierent metrics to evaluate their eectiveness. It is then dicult to quantify the security of dierent methods, rigorously evaluate the inherent trade-os between dierent se curity concerns, and systematically contrast their strength with traditional area, delay , and power metrics. This pap er introduces a formal mo deling framework for the evaluation of logic encryption schemes and the exploration of the associated design space. W e rely on a general functional model for logic encryption that can encompass all the e xisting methods. Based on this general mo del, we make the following contributions: • W e dene a set of metrics that can formally captur e multiple, possibly conicting, security concerns that are key to the 1 This report is an extended version of [1]. design of logic encryption schemes, such as functional cor- ruptibility and resilience to dierent attacks, thus providing a common ground to compare dierent methods. • W e develop compact models to eciently quantify the qual- ity and resilience of four methods, including state-of-the-art logic encryption te chniques, and enable trade-o evaluation between dierent security concerns. Simulation results on a set of ISCAS benchmark circuits show the eectiveness of our modeling framework for fast and accurate e val- uation of the design trade-os. Our models produce conservative estimates of resilience with average prediction errors that are at least twice as small as previous approaches and, in some cases, improve by two or ders of magnitude. Finally , our approach can pro- vide quantitative support to inform system-le vel decisions across multiple logic encryption strategies as well as the implementation of compound strategies, which can be necessary for providing high levels of protection against dierent threats with limited overhead. The rest of the paper is organized as follows. Section 2 intro- duces background concepts on logic encryption and recent eorts toward the systematic analysis of their security properties. Sec- tion 3 pr esents the general functional mo del for combinational logic encryption and denes four security-driven evaluation metrics. Sec- tion 4 applies the propose d model and metrics to the analysis of the security properties of four encryption te chniques. Our analysis is validated in Section 5 and compared with state-of-the-art charac- terizations of the existing techniques. Finally , Section 6 concludes the paper . 2 BA CK GROUND AND RELA TED W ORK Logic encryption techniques have originally focused mostly on a subset of security concerns, and lacked methods to systematically quantify the level of protection against dier ent (and potentially unknown) hardware attacks. A class of methods, such as fault analysis-based logic locking ( FLL ) [ 3 ], mostly focuses on providing high output error rates when applying a wrong key , for example, by appropriately inserting key-controlled XOR and XNOR gates in the circuit netlist. Another class of techniques, base d on one-point functions, such as SARLock [ 4 ], aims, instead, to provide resilience to SA T -based attacks , a category of attacks using satisability (SA T) solving to eciently prune the space of p ossible keys [ 7 ]. These methods require an exponential number of SA T -attack iterations in the size of the key to unlo ck the circuit, but tend to expose a close approximation of the correct cir cuit function. Eorts toward a comprehensive encryption framework have only started to appear . Stripped functionality logic locking ( SFLL ) [ 8 ] has been recently proposed as a scheme for provably secure encr yption with respect to a broad set of quantiable security concerns, including error rate, resilience to SA T attacks, and resilience to removal attacks, aiming to remov e the encryption logic from the circuit. However , while the av erage numb er of SA T -attack iterations is shown to grow exponentially with the key size, the worst-case SA T -attack duration, as discussed in Sec. 4, can become unacceptably low , which calls for mechanisms to explore the combination of concepts from SFLL with other schemes. Zhou [ 9 ] provides a theoretical analysis of the contention be- tween error rate and SA T -attack resilience in logic encryption, drawing from concepts in learning theory [ 10 ]. Along the same direction, Shamsi et al. [ 5 ] develop div ersied tree logic ( DTL ) as a scheme capable of increasing the error rate of SA T -resilient pro- tection schemes in a tunable manner . A recent eort [ 11 ] adopts a game-theoretic approach to formalize notions of secrecy and re- silience that account for the impact of learnability of the encrypted function and information leakage from the circuit structure . While our approach builds on previous analyses [ 5 , 9 ], it is com- plementary , as it focuses on models and metrics that enable fast and accurate evaluation across multiple encryption techniques and se- curity concerns, eventually raising the le vel of abstraction at which security-related design decisions can be made. W e distinguish be- tween logic encryption, which augments the circuit function via additional components and key bits, and obfuscation [ 12 , 13 ], which is concerned with hiding the function of a circuit or program ( with- out altering it) to make it unintelligible from its structure . In this paper , we focus on the functional aspe cts of logic encryption, and leave the modeling of its interactions with obfuscation for future work. 3 LOGIC ENCRYPTION: MODELS AND METRICS W e denote by | S | the cardinality of a set S . W e repr esent a combi- national logic circuit with primary input (PI) ports I and primary output (PO) ports O by its Boolean function f : B n → B m , where n = | I | and m = | O | , and its netlist, modeled as a labelled directed graph G . Both f and G may be parameterized by a set of congu- ration parameters P , with values in P , related to both the circuit function and implementation. Given a function f , logic encryption creates a ne w function f ′ : B n × B l → B m , where l = | K | and K is the set of key input ports adde d to the netlist. There exists k ∗ ∈ B l such that ∀ i ∈ B n , f ( i ) ≡ f ′ ( i , k ∗ ) . W e call k ∗ the correct key . W e wish to express f ′ as a function of f and the encryption logic. 3.1 A General Functional Mo del W e build on the recent literature [ 8 , 9 , 14 ] to dene a general model, capable of representing the b ehavior of all the existing logic en- cryption schemes, as shown in Fig. 1. The function д ( i , k ) maps an input and key value to a ip signal, which is combined with the output of f ( i ) via a XOR gate to produce the encr ypted PO. The value of the PO is inverted when the ip signal is one. W e assume that д is parameterized by a set Q of conguration parameters, with values in Q related to a specic encryption te chnique. 3.2 Security-Driven Metrics W e can describe how the circuit output is aected by logic encryp- tion via an error table , such as the ones shown in T ab. 1. Based on Figure 1: General functional model for logic encr yption. T able 1: Error tables with n = l = 3 ( ✖ and ✔ mark incorrect and correct output values, respectively). (a) SARLock K0 K1 K2 K3 K4 K5 K6 K7 I0 ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ I1 ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ I2 ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ I3 ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔ I4 ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✔ I5 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ I6 ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔ I7 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ (b) SFLL-HD0 K0 K1 K2 K3 K4 K5 K6 K7 I0 ✖ ✔ ✔ ✔ ✔ ✔ ✔ ✔ I1 ✔ ✖ ✔ ✔ ✔ ✔ ✔ ✔ I2 ✔ ✔ ✖ ✔ ✔ ✔ ✔ ✔ I3 ✔ ✔ ✔ ✖ ✔ ✔ ✔ ✔ I4 ✔ ✔ ✔ ✔ ✖ ✔ ✔ ✔ I5 ✔ ✔ ✔ ✔ ✔ ✖ ✔ ✔ I6 ✖ ✖ ✖ ✖ ✖ ✖ ✔ ✖ I7 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✖ the general functional model ab ove and the associated error tables, we dene a set of security-driven metrics that captur e the quality and resilience of encryption. Functional Corruptibility . Functional corruptibility quanties the amount of output error induced by logic encr yption to protect the circuit function. Consistently with the literature [ 5 ], we dene the functional corruptibility E F C as the ratio between the number of corrupted output values and the total number of primar y input and key congurations (the entries in the error table), i.e., E F C = 1 2 n + l Õ i ∈ B n Õ k ∈ B l 1 ( f ( i ) , f ′ ( i , k )) , where 1 ( A ) is the indicator function, evaluating to 1 if and only if event A occurs. SA T Attack Resilience ( t S A T ). A SA T attack [ 7 ] assumes that the attacker has access to the encrypted netlist and an operational (deobfuscated) circuit, used as an oracle, to query for correct in- put/output pairs. The goal is to reconstruct the exact circuit function by retrieving a correct key . At each iteration, the attack solves a SA T problem to search for a distinguishing input pattern (DIP), that is, an input pattern i that pro vides dier ent output values for dierent keys, i.e., such that ∃ k 1 , k 2 , f ′ ( i , k 1 ) , f ′ ( i , k 2 ) . The attack then queries the oracle to nd the corr ect output f ( i ) and incorporate this information in the original SA T formula to constrain the search space for the following iteration. Therefore, all the keys leading to an incorrect output value for the current DIP will be pruned out of the search. Once the SA T solver cannot nd a new DIP, the SA T attack terminates marking the remaining keys as correct. Consistently with the literature [ 4 , 8 ], we quantify the hardness of this attack using the number of SA T queries, hence the num- ber of DIPs, required to obtain the circuit function. Predicting this number in closed form is challenging, since it relates to solving a combinatorial search problem, in which the search space generally depends on the circuit properties and the search heuristics on the specic solver or algorithm adopte d. Current approaches [ 8 ] adopt probabilistic models, where the e xpected number of DIPs is com- puted under the assumption that the input patterns ar e searched according to a uniform distribution. W e adopt, instead, a worst- case conser vative model and use the minimum number of DIPs (a) (b) (c) (d) Figure 2: Functional model for (a) SARLock , (b) DTL , (c) SFLL , and (d) FLL . T able 2: Se curity metrics for four logic encryption te ch- niques ( n = | I | , m = | O | , and l = | K | ). E FC t SA T E APP E REM SARLock ≈ 1 2 l min n 2 l , 2 n o 1 2 l 0 DTL ≈  2  2 2 L − 1   N 2 l min  2 l ( 2 ( 2 2 L − 1 )) N , 2 n   2  2 2 L − 1   N 2 l 0 SFLL ( l h ) h 2 l − ( l h ) i 2 2 l − 1 < < exp ( l ) 2 h ( l h ) − 2 ( l − 2 h − 1 ) i 2 n  l h  / 2 l FLL [ 0 . 3 , 0 . 5 ] < < exp ( l ) < < E F C 0 to quantify the guarantees of an encryption te chnique in terms of SA T -attack resilience. The duration of the attack also depends on the circuit size and structure, since they aect the runtime of each SA T query . In this paper , we regard the runtime of each SA T quer y as a constant and leave a more accurate modeling of the duration of the attack for future work. Approximate SA T -Attack Resilience ( E AP P ). Approximate SA T attacks, such as A ppSA T [ 15 ] and Double-DIP [ 16 ], perform a vari- ant of a SA T attack but terminate earlier , when the error rate at the PO is “lo w enough, ” pro viding a sucient appr oximation of the circuit function. In this paper , we take a worst-case approach by assuming that an appro ximate SA T attack terminates in negligi- ble time, and dene the appro ximate SA T -attack resilience ( E AP P ) as the minimum residual error rate that can be obtained with an incorrect key (dier ent than k ∗ ), i.e., E AP P = min k ∈ B l \ { k ∗ } ϵ k 2 n , where ϵ k is the number of incorrect output values for key input k . Removal Attack Resilience ( E R E M ). A removal attack consists in directly removing all the added encryption logic to unlock a circuit, e.g., by bypassing the ip signal [ 8 ] or the key-contr olled XOR/XNOR gates [ 17 ]. W e make the worst-case assumption that all the ke y-related components can be removed fr om the encrypted netlist in negligible time. W e then dene the resilience metric as the ratio of input patterns that are still protected after removal, i.e., E R E M = Í i ∈ B n 1 ( f R E M ( i ) , f ( i )) 2 n where f R E M ( . ) is the Boolean function obtaine d after removing all the key-related components. 4 ENCRYPTION METHODS W e apply the general model and metrics in Sec. 3 to four logic en- cryption te chniques, namely , SARLock , SFLL , DTL , and FLL , showing that it encompasses existing methods, including state-of-the-art techniques. T ab . 2 summarizes the security models with respe ct to the four security metrics described in Se c. 3. The models, including proofs for our results, are discussed in detail below . SARLock. SARLock combines the output of the original circuit f ( i ) with the one-point function 1 ( i = k ) . It can then be mapp ed to the general functional model where д = 1 ( i = k ) , as shown in Fig. 2a. The parameter set Q SARLock includes the key size l = | K | . Consistently with previous work [ 4 ], we derive the closed form expressions in T ab. 2 as stated by the following result. Theorem 4.1. For a circuit encrypted with SARLock , let l and n be the key size and the primar y input size, respectively . Let E F C be the functional corruptibility , t S AT the SA T -attack resilience , E AP P the approximate SA T -attack resilience, and E R E M the removal attack resilience. Then, the following e quations hold: E F C = 1 2 l , t S AT = min n 2 l , 2 n o , E AP P = 1 2 l , and E R E M = 0 . Proof. W e observe that the key size l can be at most equal to the primary input size n , i.e., l ≤ n holds. For an incorrect key k , the output is corrupted only when the input i is equal to k . Therefore, the number of corrupted output patterns is 2 n − l for each incorrect key . Because there are 2 l − 1 incorrect keys, we can compute E F C and E AP P as follows: E F C = 2 n − l · ( 2 l − 1 ) 2 n · 2 l ≈ 1 2 l , (1) E AP P = 2 n − l 2 n = 1 2 l . (2) By denition of SARLock , each input pattern can only e xclude one incorrect key at each iteration of a SA T attack (see , for example, the error table in T ab. 1). Because there are 2 l − 1 incorrect keys to exclude, and the number of SA T attack iterations is bounded ab ove by 2 n , the total number of primary input patterns, we can compute t S AT as follows: t S AT = min n 2 l , 2 n o . (3) Finally , by the denition of removal attack resilience , once the ip signal of the one-point function is recognized and bypassed, the original functionality of the circuit is fully restored, leading to E R E M = 0 . □ The use of a one-point function, especially when the key size l is very large, results in very low functional corruptibility E F C but exponential SA T -attack resilience t S AT , as stated by Theorem 4.1. A moderately high E F C can still be achieved, but this happens with small key sizes. For example, E F C = 0 . 25 can be achieved for l = 2 . Diversied Tr ee Logic (DTL). The one-p oint functions used in SARLock or Anti-SAT [ 18 ] are based on AND-tree structures. An example of a four-input AND-tree is shown in Fig. 3. DTL borrows such structures from SARLock or Anti-SAT and appropriately re- places some of the AND gates with another type of gate, i.e., X OR, OR, or NAND , to obtain a multi-point function д m ( i . k ) , as shown in Fig. 2b. The parameter set Q DTL includes: (1) the key size | K | ; Figure 3: A four-input AND-tree structure. (2) the type of point-function T , e .g., T ∈ { SARLock , Anti-SAT } ; (3) the replacement tuple ( X , L , N ) , where X ∈ { XOR , OR , NAND } is a gate type for the replacement, and L and N denote the layer and number of gates sele cted for replacement, respectively , with 0 ≤ L ≤ ⌈ log 2 ( | K | )⌉ − 1 , 0 ≤ N ≤ 2 ⌈ log 2 ( | K | ) ⌉ − L − 1 , and | K | ≥ 2 . DTL then modies the AND-tree by replacing N gates from layer L with gates of type X . T ab. 2 shows the expressions obtained when T = SARLock , and X = XOR , as stated by the following theorem. Theorem 4.2. For a circuit encrypted with DTL of type T = SARLock and replacement gate X = XOR , let l and n be the key size and the pri- mary input size, respe ctively . Let E F C be the functional corruptibility , t S AT the SA T -attack resilience, E AP P the approximate SA T -attack re- silience, and E R E M the removal attack resilience. Then, the following equations hold: E F C =  2  2 2 L − 1   N 2 l , t S AT = min  2 l ( 2 ( 2 2 L − 1 )) N , 2 n  , E AP P =  2  2 2 L − 1   N 2 l , and E R E M = 0 . Proof. According to the analysis by Shamsi et al. [ 5 ], replacing an AND gate in the rst layer ( L = 0 ) of a SARLock block with a XOR gate changes the onset size of the one-point function from 1 to 2. More generally , replacing N AND gates in lay er L changes the onset size to  2  2 2 L − 1   N . As a result, for each incorrect key (an incorrect column in the err or table), there are 2 n − l ·  2  2 2 L − 1   N incorrect output patterns. E F C and E AP P can then be compute d as E F C = ( 2 l − 1 ) · 2 n − l ·  2  2 2 L − 1   N 2 n · 2 l ≈  2  2 2 L − 1   N 2 l , (4) E AP P = 2 n − l ·  2  2 2 L − 1   N 2 n =  2  2 2 L − 1   N 2 l . (5) From the analysis by Shamsi et al. [ 5 ], the number of SA T queries needed is 2 l ( 2 ( 2 2 L − 1 )) N . Because of the upp er bound due to the maxi- mum number of input patters 2 n , we obtain: t S AT = min ( 2 l ( 2 ( 2 2 L − 1 )) N , 2 n ) . (6) Finally , the ip signal of DTL can be recognized and bypassed, which returns the full functionality of the original cir cuit and leads to E R E M = 0 . □ In DTL , the error table has the same number of errors in each col- umn, except for the correct key column, which makes E F C equal to E AP P . N can b e tuned to increase E AP P and E F C while t S AT decreases. Analogous results as in Theorem 4.2 can be derived for other congurations of T and X [ 5 ]. Sp ecically , for all X and T , we obtain: E F C = E AP P = O  2 N · 2 L − l  (7) t S AT = O  min n 2 l − N · 2 L , 2 n o  . (8) Based on the expressions above, the maximum E F C or E AP P can be achieved when all the AND gates are r eplaced in a given layer . The approximate security levels in this scenario show the follo wing behavior: E F C , m a x = E AP P , m a x = O  2 − l 2  (9) t S AT = O  min n 2 l 2 , 2 n o  . (10) SFLL. Fig. 2c shows the schematic of SFLL , where the value of the primary output is given by f ( i ) ⊕ S t r i p ( i ) ⊕ R e s ( i , k ) . Both the stripping circuit S t r i p ( i ) and the restore cir cuit Re s ( i , k ) are point functions. The stripping block corrupts part of the original function, while the restore unit restores the corr ect value upon applying the correct key . SFLL can be mapped to the general functional model with д ( i , k ) = S t r i p ( i ) ⊕ Re s ( i , k ) . W e fo cus on SFLL-HD where Re s ( i , k ) is a Hamming distance comparator . The parameter set Q SFLL includes | K | and h , repr esenting the key size and the HD parameter for the HD comparator , respectively . The comparator output will evaluate to one if and only if the HD between its inputs is h . The key size must be at most equal to the number of PI ports in the fan-in cone of the protected PO port, i.e., 0 ≤ | K | ≤ | I | , while h is at most equal to | K | . SFLL is the only technique in T ab. 2 that is resilient to removal attacks. In fact, at the implementation level, S t r i p ( i ) can be merged with f ( i ) to form a monolithic block ( e.g., via a r e-synthesis step or modication of internal signals of the original circuit) and, therefor e, it becomes hard to remove . On the other hand, unlike SARLock , it does not guarante e exponential SA T -attack resilience. For example, as shown in T ab. 1b for h = 0 , selecting one input pattern, such as I 6 , is enough to prune out all the incorrect keys and unlock the circuit after one SA T -attack iteration. Previous w ork [ 8 ] proposes a probabilistic mo del in terms of expected number of DIPs , base d on the following assumptions: (i) SA T solvers sele ct input patterns with a uniform distribution; (ii) the probability of terminating a SA T attack is equal to the probability of nding one protected input pattern, i.e., nding one protected input pattern is enough to prune out all the incorrect keys and terminate a SA T attack. Based on this model, the average SA T resilience of SFLL is shown to incr ease exponentially with l . W e nd that the existing probabilistic models tend to become inaccurate when h is dierent than 0 or l , since, in these cong- urations, one protected input pattern is generally not enough to terminate a SA T attack. Moreover , these models tend to ignore the heuristics adopted by state-of-the-art SA T solver to accelerate the Figure 4: The largest #DIPs over all possible values for h with dierent key size returned by the greedy algorithm. search. In this paper , we adopt, instead, a conservative metric in terms of minimum number of DIPs . The following results states the hardness of nding the minimum number of DIPs. Theorem 4.3. Given an encrypte d Boolean function of the primary and key inputs, computing the minimum numb er of distinguishing input patterns (DIPs) for a SA T attack can be reduced to a min-set- cover problem, which is NP-hard [19]. Proof. Given the error table associated with an encrypted Boolean function f ′ , let U be the set of all the incorrect keys, i.e., U = { k | ∃ i ∈ B | I | , f ( i ) , f ′ ( i , k ) } . For each input pattern i , let S i be the set of the incorrect keys that can be eliminated by a SA T -attack iteration using i as a DIP, i.e., S i = { k | f ( i ) , f ′ ( i , k ) } . Finally , let S the collection of all the sets corr esponding to an input pattern, i.e., S = { S i | i ∈ B | I | } . Finding the minimum number of DIPs that are enough to prune out all the incorrect keys can then be reduced to nding the minimum numb er of sets from S whose union equals U , which is a min-set-cover problem. □ Theorem 4.3 shows that nding the minimum number of DIPs is, in general, a hard problem. W e can, however , use greedy algorithms in order to emulate worst-case SA T attacks and provide appro ximate but conservative estimates for their duration, by searching and prioritizing the input patterns that can eliminate the largest number of incorrect keys. Fig. 4 shows the largest number of DIPs over all possible values for h returned by the greedy algorithm with dierent key sizes from 1 to 17. By denition, t S AT should be less than or equal to the results in Fig. 4, which exhibits a sub-exponential behavior . Both the expressions of E F C and E AP P shown in T ab. 2 can be derived as stated by the following theorems. Theorem 4.4. For a circuit encr ypted with SFLL-HD with Ham- ming distance parameter h , let l and n be the key size and the primary input size, respectively , and E F C the functional corruptibility . W e obtain E F C =  l h  h 2 l −  l h  i 2 2 l − 1 . Proof. For the circuit in Figure 2c, the output is corrupted if and only if 1 ( H D ( i , k ∗ ) = h ) ⊕ 1 ( H D ( i , k ) = h ) = 1 . If i is a protecte d input pattern, then we have H D ( i , k ∗ ) = h , while H D ( i , k ) must be dierent from h in order to provide a corrupted output. Therefore , the number of key patterns generating an incorr ect output for each protected input pattern is 2 l −  l h  . Similarly , we can derive the number of key patterns generating an incorrect output for each unprotected input pattern as  l h  . The total number of protected input patterns and unprotected input patterns can b e computed as 2 n − l  l h  and 2 n − l h 2 l −  l h  i , respectively [ 8 ]. By summing up all the incorrect output values over all the input and key patterns, we obtain the following expression for the functional corruptibility: E F C = 2 n − l n  l h  h 2 l −  l h  i + h 2 l −  l h  i  l h  o 2 n · 2 l =  l h  h 2 l −  l h  i + h 2 l −  l h  i  l h  2 2 l =  l h  h 2 l −  l h  i 2 2 l − 1 □ Theorem 4.5. For a circuit encr ypted with SFLL-HD with Ham- ming distance parameter h , let l and n be the key size and the primary input size, respectively , and E AP P the approximate SA T -attack re- silience. W e obtain E AP P = 2 h  l h  − 2  l − 2 h − 1  i 2 n . Proof. W e denote by H D ( a , b ) the Hamming distance between the words (bit strings) a and b and by Di f ( a , b ) the set of indexes marking the bits that are dierent in a and b . W e suppose that the circuit output is corrupted (ipped) for input i and key k , and let the HD between k ∗ (the correct key) and k be H D ( k ∗ , k ) = x , with x ∈ [ 1 , l ] , x ∈ N . Then, by recalling the architecture in Figure 2c, there can only b e an odd number of output inversions and the following equation holds: 1 ( H D ( i , k ∗ ) = h ) ⊕ 1 ( H D ( i , k ) = h ) = 1 , meaning that one and only one of the two HDs is h . W e rst assume that H D ( i , k ∗ ) = h and Di f ( i , k ∗ ) ∩ D i f ( k ∗ , k ) = ∅ , i.e., i and k dier from k ∗ on disjoint sets of indexes. W e then conclude that H D ( i , k ) = h + x . More generally , if the cardinality of the set Di f ( i , k ∗ ) ∩ Di f ( k ∗ , k ) is y , we obtain H D ( i , k ) = h + x − 2 y . W e then consider the following two cases. If x is an odd numb er , then H D ( i , k ) cannot be equal to h for any y , which provides a number of corrupted outputs equal to  l h  . On the other hand, if x is e ven, then H D ( i , k ) will e valuate to h whenever x = 2 y . Since the number of possible k values satisfying this condition is  l − x h − x / 2  ·  x x / 2  , we obtain a total number of corrupted output values equal to  l h  −  l − x h − x / 2  ·  x x / 2  . Since we are interested in the minimum number of these two cases, we choose  l h  −  l − x h − x / 2  ·  x x / 2  as the minimum number of corrupted outputs when H D ( i , k ∗ ) = h . Similar considerations can b e applied for the case when H D ( i , k ) = h , which leads to the same conclusion as above. Therefore , the o ver- all number of corrupted outputs is doubled. The approximate SA T resilience is given by the minimum E F C , i.e., E AP P = min        2 h  l h  −  l − x h − x / 2  ·  x x / 2  i 2 n , ∀ x ≥ 2 , x / 2 ∈ N        , which is achieved for x = 2 , nally leading to E AP P = 2 h  l h  − 2  l − 2 h − 1  i 2 n □ FLL. FLL aims at creating high E F C with low ov erhead by appro- priately adding key-gates in the circuit, as shown in Fig. 2d. While the key-gates are not directly inserted at the primar y output, their combined eect can still be represented by an appropriate д func- tion producing the same error pattern. While E F C depends on the specic circuit and cannot be computed in closed form, FLL can achieve higher values than the other three methods, based on em- pirical r esults. Ho wever , it cannot guarantee exponential t S AT with the key size. Moreover , the XOR/XNOR-based key-gates may be easy to identify , leading to negligible resilience to removal attacks. 5 RESULTS AND DISCUSSION W e evaluated models and metrics on a 2 . 9 -GHz Core-i9 processor with 16 -GB memory . W e rst investigated the eectiveness of our models for fast trade-o evaluation on a set of ISCAS benchmark circuits. The blue areas in Fig. 5a-c pictorially represent, as a con- tinuum, the feasible encr yption space for dierent metho ds and user requirements. For example, Fig. 5a shows that a funtional cor- ruptibility ( E F C ) as high as 0 . 25 can still be achieved with SARLock ; howev er , it can only be implemented for very low , and therefore im- practical, key sizes. Fig. 5b highlights the trade-o between SA T at- tack resilience ( t S AT ) and approximate SA T attack resilience ( E AP P ) in DTL . As expected, DTL is able to increase E AP P and E F C at the cost of decreasing t S AT . The highest possible E F C achieved by DTL is higher than that of SARLock in Fig. 5a over the same range of keys. Finally , Fig. 5c exposes a trade-o between E F C and E AP P in SFLL . It shows that increasing E F C adversely impacts E AP P , pos- sibly due to the fact that, as E F C increases, the error distribution is not uniform; while the peak error rate increases, the error can become signicantly low for some of the incorrect keys. W e further implemented all the encryption congurations ex- plored in Fig. 5a-c on four ISCAS benchmark circuits, generating 1473 netlists in 15 minutes, to compare the model predictions with the measurements. W e used open-source libraries to simulate SA T attacks [ 7 ] and report the actual value of t S AT . W e empirically esti- mated E F C by averaging the functional corruptibility over 500 logic simulations on the encrypte d netlists. By using a similar pr ocedure, an empirical estimate for E AP P was obtained by taking the av erage over 500 logic simulations for each key pattern, and then the min- imum corruptibility value over 100 incorrect key patterns. Fig. 8 reports the r esults for four ISCAS b enchmark circuits, showing that the empirical resilience would always exceed the one predicted by our model (blue bar ) for b oth t S AT and E AP P . For 26% of the design (red bar) the empirical E F C proved to be smaller than the predicted one by a negligible margin ( 4 × 10 − 3 ), which is within the error aecting our simulation-based empirical estimates. T o compare our SA T resilience model for SFLL with the measured number of DIPs, we simulate SA T attacks on the encr ypted netlists of four ISCAS circuits using SFLL -HD . For each combination of key size | K | and HD value h , we generate 10 netlists, by randomly permuting the order of the gates, and compute the average number of DIPs over 10 SA T attacks. As shown in Fig. 6, when h is close to zero, the predictions of the probabilistic model [ 8 ] exhibit an exponential behavior that signicantly dier from the simulate d results, and the maximum error can be as high as 20 , 000% . Instead, the greedy algorithm predicts the simulated numb er of DIPs for all key sizes and h values with relative errors that are less than or equal to 97% , two orders of magnitude smaller than previous approaches. For h > 0 , the average prediction error of the gree dy algorithm b ecomes twice as small as the one of the probabilistic model. Fig. 7a-d show the relation between the numb er of DIPs and the key size | K | when h = 0, 1, 2, and | K | 2 , respectively . In Fig. 7a and Fig. 7b, when h is close to zero, the probabilistic model oers an estimate of the number of DIPs which deviates from the simulated result, while the gree dy algorithm always returns a closer , more conservative prediction. In Fig. 7c, the greedy algorithm shows better accuracy than the probabilistic model when | K | ≤ 7 . For the other key sizes, the probabilistic model outperforms the greedy algorithm. Howev er , the prediction provided by the probabilistic model grows faster than in simulation and tend to ov erestimate the number of DIPs when | K | ≥ 13 . In Fig. 7d, when h = | K | 2 , the prediction from the probabilistic model becomes more conser vative. Conversely , the greedy algorithm estimates an average error twice as small as the probabilistic model. Overall, the afor ementioned results reveal the inherent diculty of achieving high security levels against multiple thr eats using a single technique. Howev er , this challenge may be addr essed by com- bining multiple techniques. T o test this hypothesis, we encrypte d the ISCAS circuit C880 with both SARLock and DTL , by using a logic OR gate to combine their output (ip) signals. W e then com- bined the output of the OR gate with the output of the original circuit via a X OR gate. Fig. 5d shows that the compound strategy signicantly alleviates the trade-os posed by SARLock alone, mak- ing it p ossible to achieve both high functional corruptibility and SA T -attack resilience. For example, the topmost conguration in Fig. 5d achieves t S AT ≥ 2 14 and E F C ≥ 0 . 48 , which cannot be ob- tained with SARLock or DTL alone. The compound scheme, where the SARLock block has key size 13 and the DTL block has key size 4, with two AND gates being replaced by one XOR gate in the rst layer , is able to provide both high t S AT and E F C . Simulation re- sults are, again, in agreement with our model predictions, showing that our models can indeed b e used to capture the performance of compound encryption schemes. 6 CONCLUSIONS Simulation results show the eectiveness of the proposed models and metrics for fast and accurate evaluation of the design trade-os as well as the exploration of compound logic encryption strategies, which may be required for pr otecting against dierent thr eats with small overhead. Future extension of this work include the incor- poration of overhead models as well as support for structural and (a) (b) (c) (d) Figure 5: Trade-o analysis of (a) SARLock , (b) DTL , (c) SFLL , and (d) SARLock and DTL . (a) (b) (c) (d) Figure 6: A verage #DIPs on SFLL encrypted circuits when key size is (a) 10, (b) 11, (c) 12, and (d) 13. (a) (b) (c) (d) Figure 7: A verage #DIPs on SFLL encrypted circuits when h = (a) 0, ( b) 1, (c) 2, and (d) | K | 2 . Figure 8: V erication pass rate on dierent security con- cerns. learning-based attacks. W e plan to also inv estigate the extension of our framework to sequential logic encryption methods. Finally , we plan to further develop an automated design and verication environment [ 20 ] leveraging our models and methods to perform design space exploration and inform system-level design decisions across multiple encryption schemes. A CKNO WLEDGMEN TS This work was partially sponsored by the Air Force Research Labo- ratory ( AFRL) and the Defense Advanced Research Projects Agency (D ARP A) under agreement number F A8560-18-1-7817. REFERENCES [1] Y . Hu, V . V . Menon, A. Schmidt, J. Monson, M. French, and P . Nuzzo, “Security- driven metrics and models for ecient evaluation of logic encr yption schemes, ” in ACM-IEEE Int. Conf. Formal Methods and Models for System Design (MEMOCODE) , 2019. [2] J. A. Roy , F. Koushanfar , and I. L. Markov, “EPIC: Ending piracy of integrated circuits, ” in Proc. Conf. Design, automation and test in Europe (DA TE) , pp. 1069– 1074, 2008. [3] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino , O. Sinanoglu, and R. Karri, “Fault analysis-based logic encryption, ” IEEE Trans. Computers , vol. 64, no. 2, pp. 410–424, 2013. [4] M. Y asin, B. Mazumdar , J. Rajendran, and O . Sinanoglu, “SARLock: SA T attack resistant logic locking, ” in IEEE Int. Symp. Hardware Oriented Security and Trust (HOST) , pp. 236–241, 2016. [5] K. Shamsi, T . Meade , M. Li, D . Z. Pan, and Y . Jin, “On the appr oximation resiliency of logic locking and IC camouaging schemes, ” IEEE Trans. Information Forensics and Security , vol. 14, no. 2, pp. 347–359, 2019. [6] M. T ehranip oor and F. Koushanfar , “ A survey of hardware trojan taxonomy and detection, ” IEEE Design & T est of Computers , vol. 27, no. 1, pp. 10–25, 2010. [7] P. Subramanyan, S. Ray , and S. Malik, “Evaluating the security of logic encryption algorithms, ” in IEEE Int. Symp. Hardware Oriented Security and Trust (HOST) , pp. 137–143, 2015. [8] M. Y asin, A. Sengupta, M. T . Nabeel, M. Ashraf, J. Rajendran, and O . Sinanoglu, “Provably-secure logic locking: From theory to practice, ” in Proc. ACM SIGSA C Conf. Computer and Communications Se curity , pp. 1601–1618, 2017. [9] H. Zhou, “ A humble theory and application for logic encr yption., ” IACR Cryptol- ogy ePrint A rchive , vol. 2017, p. 696, 2017. [10] L. G. V aliant, “ A theory of the learnable, ” in Proc. A CM Symp. Theor y of Computing , pp. 436–445, 1984. [11] K. Shamsi, D. Z. Pan, and Y . Jin, “On the impossibility of approximation-resilient circuit locking, ” in IEEE Int. Symp. Hardware Oriented Security and Trust (HOST) , pp. 161–170, 2019. [12] B. Barak, O . Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. V adhan, and K. Y ang, “On the (im)possibility of obfuscating programs, ” in Int. Cryptology Conf. , pp. 1–18, Springer , 2001. [13] S. Goldwasser and G. N. Rothblum, “On best-possible obfuscation, ” in Theory of Cryptography Conf. , pp. 194–213, Springer , 2007. [14] M. Y asin, B. Mazumdar , J. Rajendran, and O. Sinanoglu, “T TLock: T enacious and traceless logic locking, ” in IEEE Int. Symp. Hardware Oriented Security and Trust (HOST) , pp. 166–166, 2017. [15] K. Shamsi, M. Li, T . Meade, Z. Zhao , D. Z. Pan, and Y . Jin, “AppSA T: Appro ximately deobfuscating integrated circuits, ” in IEEE Int. Symp. Hardware Oriented Security and Trust (HOST) , pp. 95–100, 2017. [16] Y . Shen and H. Zhou, “Double DIP: Re-evaluating security of logic encryption algorithms, ” in ACM Proc. Great Lakes Symp. VLSI , pp. 179–184, 2017. [17] P. Chakraborty , J. Cruz, and S. Bhunia, “SAIL: Machine learning guided struc- tural analysis attack on hardware obfuscation, ” in IEEE Asian Hardware Oriented Security and Trust Symp. (AsianHOST) , pp. 56–61, 2018. [18] Y . Xie and A. Srivastava, “ Anti-SA T: Mitigating SA T attack on logic locking, ” IEEE Trans. Computer- Aided Design of Integrated Circuits and Systems , vol. 38, no. 2, pp. 199–207, 2018. [19] B. Korte and J. V ygen, Combinatorial Optimization , vol. 2. Springer, 2012. [20] V . V . Menon, G. K olhe, A. Schmidt, J. Monson, M. Fr ench, Y . Hu, P . A. Beerel, and P. Nuzzo, “System-lev el framework for logic obfuscation with quantied metrics for evaluation, ” in IEEE Secure Development Conference (SecDev) , 2019.