在 2024 年的今天，半導體製程仍符合摩爾定律在進步，但製作一顆 IC 的成本也越來越高，使得每家公司都透過分工合作來降低成本，但越多人一起參與，隨之而來的安全風險也跟著提高。攻擊者會使用逆向工程觀察佈局來還原電路圖。Camouflaging cell 是一種可以讓兩種以上不同的功能在佈局層面完全看不出差別的 cell，透過將 IC 裡面的常規 cell 替換成 Camouflaging cell，可以有效防禦逆向工程。但後來發展出一種稱為布林滿足性攻擊 (SAT attack) 的攻擊方法，如果沒有好的策略去防禦布林滿足性攻擊，它可以在多項式時間內快速解出每個 Camouflaging cell 實際實現的功能。防禦布林滿足性攻擊可以從增加 SAT 每次迭代的時間或增加 SAT 總共需要的迭代次數下手。舉例來說，加密 AND 樹的輸入端就是一種可以增加 SAT 迭代次數的方法，原因是 AND 樹本身具有點函數的性質。

雖然硬體安全是一個重要的問題，但由於成本考量，在市場上還不夠普及。因此，本篇論文提供了一個在後 APR 階段利用僅改變金屬層設計的方式來提高安全性的方法，通過重新布線，將選定的常規 cell 替換成預先擺放好的 Camouflaging cell。這種做法不僅能以最小幅度更改原本已經設計好的電路並符合時間約束，還能提供足夠的安全性來防禦布林滿足性攻擊，從而在有效控制成本的同時提升電路的安全性。

Up to 2024, semiconductor manufacturing processes continue to advance by Moore's Law, but the cost of producing ICs has also increased significantly. To reduce the costs, companies rely on collaboration, but as more parties get involved, the security risks increase. Attackers use reverse engineering to observe the layout and reconstruct the netlist. Camouflaging cells can make two or more different functions indistinguishable at the layout level. By replacing regular cells in an IC with camouflaging cells, reverse engineering can be effectively thwarted. However, a recent developed SAT attack can still quickly determine the actual function of each camouflaging cell in polynomial time. Defending against SAT attacks can be achieved by increasing the time for each SAT iteration or by increasing the total number of SAT iterations required. For example, encrypting the input of an AND tree is a method to increase the number of SAT iterations because the AND tree itself has the properties of a point function.

Although hardware security is an important issue, it is not yet widely adopted in the market due to the cost overheads. In this paper, we propose a method to enhance security in the post-APR stage using metal-only ECO. By rerouting, it replaces selected regular cells with corresponding pre-placed camouflaging cells. This approach can enhance security to defend against SAT attacks by making minimal changes to the circuit and thus reducing the cost overheads.

Acknowledgements
摘要 i
Abstract ii
1 Introduction 1
2 Related Work 4
3 Motivation and Problem Definition 7
3.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 Problem Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4 The Proposed Method 10
4.1 Calculate Slack and Controllability . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.1 Calculate Slack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.2 Calculate Controllability . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2 Find Candidate Set and Candidate Cone . . . . . . . . . . . . . . . . . . . . . 14
4.3 Find Independent Node Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.4 Select the Better Independent Node Set . . . . . . . . . . . . . . . . . . . . . 18
4.5 Camouflage Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.6 Remove Fanout Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.7 Propagate to PO or PPO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5 Experimental Results 27
5.1 Experimental Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.2 Analysis of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.2.1 Proposed Method Analysis . . . . . . . . . . . . . . . . . . . . . . . . 29
5.2.2 Comparison with Existing Method . . . . . . . . . . . . . . . . . . . . 30
5.3 Analysis of Timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
6 Conclusions and Future Work 34
References 36

[1] R. Torrance and D. James, “The State-of-the-Art in Semiconductor Reverse Engineering,” ACM/EDAC/IEEE Design Automation Conference (DAC), 2011.
[2] SiliconZoo, The layman's guide to ic reverse engineering. [Online]. Available: http://siliconzoo.org/tutorial.html.
[3] J. A. Roy, F. Koushanfar, and I. L. Markov, “EPIC: Ending Piracy of Integrated Circuits,” Design, Automation and Test in Europe, pp. 1069–1074, 2008.
[4] SypherMedia, Syphermedia library circuit camouflage technology. [Online]. Available: https://go.rambus.com/circuit-camouflage-technology-product-brief.
[5] M. Yasin and O. Sinanoglu, “Transforming between logic locking and IC camouflaging,” International Design & Test Symposium (IDT), pp. 1–4, 2015.
[6] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. Rajendran, and O. Sinanoglu, “ProvablySecure Logic Locking: From Theory To Practice,” ACM SIGSAC Conference on Computer and Communications Security, pp. 1601–1618, 2017.
[7] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “CamoPerturb: Secure IC camouflaging for minterm protection,” IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pp. 1–8, 2016.
[8] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security Analysis of Integrated Circuit Camouflaging,” ACM SIGSAC conference on Computer & communications security, pp. 709–720, 2013.
[9] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic encryption algorithms,” IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 137–143, 2015.
[10] L.-Y. Su and S.-H. Huang, “A Metal-Only ECO Algorithm for Improving Hardware Security with Gate Camouflaging,” 2023 International Conference on Consumer Electronics - Taiwan (ICCE-Taiwan), 2023.
[11] C. Yu, X. Zhang, D. Liu, M. Ciesielski, and D. Holcomb, “Incremental SAT-Based Reverse Engineering of Camouflaged Logic Circuits,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 36, no. 10, pp. 1647–1659, 2017.
[12] M. Yasin, J. J. Rajendran, O. Sinanoglu, and R. Karri, “On Improving the Security of Logic Locking,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 35, no. 9, pp. 1411–1424, 2016.
[13] J. Borgho, A. Canteaut, T. Guneysu, et al., “PRINCE—A low-latency block cipher for pervasive computing applications,” in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Security, pp. 208–225, 2012.
[14] A. Bogdanov, L. Knudsen, G. Leander, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, and C. Vikkelsoe, “PRESENT: An ultra-lightweight block cipher,” in Proc. Int. Workshop Cryptograph. Hardw. Embedded Syst., pp. 450–466, 2007.
[15] M. Li, K. Shamsi, T. Meade, Z. Zhao, Y. J. Bei Yu, and D. Z. Pan, “Provably Secure Camouflaging Strategy for IC Protection,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 38, no. 8, pp. 1399–1412, 2019.
[16] K. Juretus and I. Savidis, “Characterization of In-Cone Logic Locking Resiliency Against the SAT Attack,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 39, no. 8, pp. 1607–1620, 2020.
[17] A. Sengupta, M. Nabeel, N. Limaye, M. Ashraf, and O. Sinanoglu, “Truly Stripping Functionality for Logic Locking: A Fault-Based Perspective,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 39, no. 12, pp. 4439–4452, 2020.
[18] L. Alrahis, S. Patnaik, M. Shafique, and O. Sinanoglu, “OMLA: An Oracle-Less Machine Learning-Based Attack on Logic Locking,” IEEE Transactions on Circuits and Systems II: Express Briefs, vol. 69, no. 3, pp. 1602–1606, 2022.
[19] N. Limaye, S. Patnaik, and O. Sinanoglu, “Valkyrie: Vulnerability Assessment Tool and Attack for Provably-Secure Logic Locking Techniques,” IEEE Transactions on Information Forensics and Security, vol. 17, pp. 744–759, 2022.
[20] F. Brglez, “On testability of combinational networks,” Proc. IEEE International Symposium on Circuits and Systems, pp. 221–225, 1984.
[21] S. Patnaik, N. Rangarajan, J. Knechtel, O. Sinanoglu, and S. Rakheja, “Spin-Orbit Torque Devices for Hardware Security: From Deterministic to Probabilistic Regime,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 39, no. 8, pp. 1591–1606, 2020.
[22] F. Brglez, D. Bryan, and K. Kozminski, “Combinational profiles of sequential benchmark circuits,” 1989 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1929–1934, 1989.
[23] F. Corno, M. S. Reorda, and G. Squillero, “RT-level ITC'99 benchmarks and first ATPG results,” IEEE Design & Test of Computers, vol. 17, no. 3, pp. 44–53, 2000.