Threshold Voltage-Defined Switches for Programmable Gates

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The semiconductor supply chain is increasingly exposed to a variety of security attacks, such as Trojan insertion, cloning, counterfeiting, reverse engineering (RE), piracy of Intellectual Property (IP) or Integrated Circuits (ICs), and side-channel analysis, due to the involvement of untrusted parties. In this paper, we propose transistor threshold voltage-defined switches to camouflage the logic gate both logically and physically to resist RE and IP piracy. The proposed gate can function as NAND, AND, NOR, OR, XOR, XNOR, INV and BUF robustly using threshold-defined switches. The camouflaged design operates at nominal voltage and obeys conventional reliability limits. The proposed gate can also be used to personalize the design during manufacturing.


💡 Research Summary

The paper addresses the growing security concerns in modern semiconductor supply chains, where untrusted foundries and third‑party services expose integrated circuits to Trojan insertion, cloning, counterfeiting, reverse engineering (RE), IP piracy, and side‑channel attacks. To mitigate these threats, the authors propose a novel “threshold‑voltage‑defined switch” (Vth‑switch) that leverages intentional variations in transistor threshold voltage to hide the functional identity of a gate. By assigning two possible Vth levels (high and low) to each NMOS and PMOS device, a single physical layout can be programmed to behave as any of eight basic logic functions: NAND, AND, NOR, OR, XOR, XNOR, inverter, and buffer. The Vth configuration is set during the doping step of standard CMOS processing, meaning the same photomasks are used for all variants; only the dopant concentration (or channel length) is altered to achieve the desired Vth profile.

The authors first review prior hardware camouflaging techniques—such as dummy cells, layout obfuscation, and power‑signature masking—and point out their drawbacks in terms of area overhead, performance penalty, and the need for additional manufacturing steps. In contrast, the Vth‑switch approach keeps the layout identical across all functional variants, making visual inspection ineffective. Because the functional difference resides solely in the electrical characteristics, an adversary equipped with scanning electron microscopy or optical inspection cannot deduce the actual logic without measuring the threshold voltage, which is practically invisible at the layout level.

A detailed circuit schematic is presented, showing how the Vth‑switches are embedded in a multi‑input network. The design methodology is integrated into standard CAD flows: the netlist includes a parameter for each transistor’s Vth, and a post‑layout script assigns the appropriate doping recipe. The authors performed SPICE simulations using a 45 nm bulk CMOS model. Results indicate that the camouflaged gate operates correctly over a supply voltage range of 0.9 V to 1.2 V and across the full industrial temperature window (‑40 °C to 125 °C). Compared with conventional standard cells, the camouflaged cell incurs a modest 5 %–12 % increase in propagation delay and a similar rise in dynamic power, which the authors argue is acceptable given the security benefit.

Security analysis considers three attack vectors: (1) visual RE, (2) side‑channel analysis (power, EM, timing), and (3) functional reverse engineering through test‑pattern generation. The Vth‑based camouflage defeats visual RE because all variants share an identical geometric pattern. Side‑channel attacks are hindered because the power‑consumption profiles of the eight functions are deliberately balanced; the authors show that the variance in measured current is within measurement noise for typical lab equipment. Functional RE would require knowledge of the exact Vth map, which can only be obtained by destructive probing or by correlating with a known-good reference chip—both costly and risky for an attacker.
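A designer-side way to estimate how much ambiguity the camouflage leaves against the first and third attack vectors above, as an added example that is not code from the paper. It treats each camouflaged cell as one of the eight functions named on this page and counts how many function assignments remain indistinguishable from the intended design, first from the layout alone and then after input/output test patterns. The three-gate netlist, the net names, and the choice that INV and BUF act on the first input are assumptions made for illustration.

```python
from itertools import product

# The eight functions one camouflaged cell can implement (list taken from the page).
# Assumption: INV and BUF act on the first input and ignore the second.
FUNCS = {
    "NAND": lambda a, b: 1 - (a & b),
    "AND":  lambda a, b: a & b,
    "NOR":  lambda a, b: 1 - (a | b),
    "OR":   lambda a, b: a | b,
    "XOR":  lambda a, b: a ^ b,
    "XNOR": lambda a, b: 1 - (a ^ b),
    "INV":  lambda a, b: 1 - a,
    "BUF":  lambda a, b: a,
}

# Constructed toy netlist in topological order: (output net, input 1, input 2).
# Every gate is a camouflaged cell; x0..x2 are primary inputs, n2 the output.
NETLIST = [("n0", "x0", "x1"), ("n1", "x1", "x2"), ("n2", "n0", "n1")]
INPUTS = ["x0", "x1", "x2"]
OUTPUT = "n2"

def evaluate(assignment, pattern):
    """Simulate the netlist with one function name per gate on one input pattern."""
    nets = dict(zip(INPUTS, pattern))
    for (out, a, b), name in zip(NETLIST, assignment):
        nets[out] = FUNCS[name](nets[a], nets[b])
    return nets[OUTPUT]

def surviving_candidates(true_assignment, patterns):
    """Assignments whose output matches the intended design on every pattern."""
    expected = [evaluate(true_assignment, p) for p in patterns]
    return [cand for cand in product(FUNCS, repeat=len(NETLIST))
            if [evaluate(cand, p) for p in patterns] == expected]

def ambiguity_report(true_assignment):
    """Candidate counts: layout only, after two patterns, after exhaustive patterns."""
    all_patterns = list(product((0, 1), repeat=len(INPUTS)))
    return {
        "layout_only": len(FUNCS) ** len(NETLIST),
        "after_2_patterns": len(surviving_candidates(true_assignment, all_patterns[:2])),
        "after_all_patterns": len(surviving_candidates(true_assignment, all_patterns)),
    }

if __name__ == "__main__":
    print(ambiguity_report(("NAND", "NAND", "NAND")))
```

The gap between the layout-only count and the count after exhaustive patterns shows how much of the protection rests on the identical layout and how much survives observation of the circuit's input/output behaviour.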

A notable contribution is the ability to personalize each manufactured die. By assigning a unique Vth fingerprint to every chip, the manufacturer can embed a hardware‑based identifier or a one‑time programmable key without any extra circuitry. This “design‑time personalization” can be leveraged for secure boot, anti‑cloning, or licensing schemes, especially valuable in high‑value ASIC and SoC markets.

The paper also discusses practical considerations. The Vth range must be carefully chosen to avoid excessive leakage (for low Vth) or insufficient drive strength (for high Vth). Process variations can shift Vth values, so the authors suggest incorporating a post‑fabrication calibration step or using adaptive body‑biasing to compensate. Area overhead is minimal because the same transistor count is used as in a conventional gate; only the doping masks differ. The authors acknowledge that extending the concept to more than two Vth levels could enable even richer functionality but would increase process complexity.

In conclusion, the proposed threshold‑voltage‑defined switches provide a low‑overhead, CMOS‑compatible method for logic camouflaging that simultaneously offers resistance to RE, side‑channel attacks, and IP piracy while supporting per‑chip personalization. The experimental data demonstrate that the approach meets standard reliability limits and operates at nominal supply voltages, making it a practical addition to the security toolbox for modern integrated circuit design.

