1. Introduction
Security concerns regarding the integrity and privacy of Integrated Circuits (IC) designs are becoming more and more prominent as the IC supply chain becomes globalized and designers outsource fabrication to potentially untrusted foundries. In this process, the threat of the design being revealed to the untrusted parties, insertion of hardware Trojans [
1], or overproduction of the IC are possible. Reverse engineering by endusers using everimproving IC delayering and imaging techniques [
2] is a growing concern as well.
Logic locking, first introduced in [
3], is based on making the design semiprogrammable by inserting additional key inputs into the logic before sending it to the untrusted foundry. Postfabrication, the circuit will be inoperable and unintelligible without the correct configuration of the key inputs. Besides logic locking,
IC camouflaging and
splitmanufacturing are two other ways to partially hide the design of an IC from untrusted endusers or foundries, respectively. IC camouflaging is based on inserting nanodevice structures into the chip that are difficult to disambiguate using conventional microscopybased reverse engineering by endusers. In split manufacturing, the upper metal layers are fabricated in a trusted facility to hide the design from the foundry. Both methods introduce ambiguity into the design from an attacker’s perspective.
The task of retrieving the original circuit given the ambiguous view by an attacker is typically referred to as circuit deobfuscation/learning in this context. In many realworld scenarios, it is possible for an attacker to access a functional/unlocked instance of the obfuscated circuit and use it as an oracle to obtain correct inputoutput pairs. Deobfuscation in the presence of such an oracle is referred to as oracleguided deobfuscation.
In 2015, a generic powerful oracleguided attack, since termed the SAT attack, was proposed. In the attack, a satisfiability (SAT) solver is used to iteratively mine for input patterns on which to query the oracle, while simultaneously searching for a key that satisfies the observed inputoutput behavior of the oracle [
4,
5]. The original SAT attack was limited to combinational circuit deobfuscation. If the oracle circuit has uncontrollable flipflops, a sequential oracleguided attack is needed. Such attacks were later developed in [
6,
7] using boundedmodelchecking (BMC) techniques. Here, the query location and the correct key are mined using a modelchecker instead of a SAT solver. This is typically a more computationally intensive process than the combinational case.
Existing oracleguided sequential attacks assume that there is a single clock signal that is shared by all flipflops in the obfuscated circuit. Some existing work has targeted timing ambiguous circuits. In [
8] authors introduce timing ambiguous elements into combinational logic leading incorrect keys to create timing violations in fabricated chips. In [
9] incorrect keys lead to much slower sequential performance. Both works, however, remain consistent with the sequentialoracleguided singleclock threat model and as such can be fed to existing SAT or BMC attacks (even though instances of them might overwhelm said attacks). However, an important case that to the best of our knowledge has not been studied in prior work and does not fit directly into existing attack models, is when the clock signal itself is ambiguous (keydependent) in some way. In this paper, we explore this case. We present the following contributions:
We discuss several generic schemes for clock obfuscation. These include obfuscating the choice of clock frequency for a flipflop among a set of multiples of a known or unknown base frequency, plus using dummy clockambiguous flipflops.
We discuss the security of these clock obfuscation schemes in the context of formal notions of functional security.
We discuss how clock obfuscation can take advantage of the inherent clock uncertainty in some asynchronous circuit designs.
We present generic techniques for deobfuscating clockobfuscated circuits using techniques derived from multirate modelchecking.
We present experimental deobfuscation runtime data on the ISCAS [
10] sequential benchmark circuits and compare it to traditional XOR/XNORbased locking.
The paper is organized as follows:
Section 2 presents preliminaries and background.
Section 3 explains different methods of clock obfuscation, and
Section 4 explains how to model and attack clock obfuscated circuits. In the
Section 5, we present the experimental data and discuss our findings. Finally, in
Section 6, we conclude our paper.
2. Preliminaries
Circuit Locking [11]. Formally we can define circuit locking as an algorithm that transforms an original circuit
${c}_{o}\left(i\right):I\to O$ where
I and
O are the input and output space respectively, to a locked/obfuscated circuit
${c}_{e}(i,k):I\times K\to O$ with
l added key inputs and key space
K. There must exist a correct key
${k}_{*}\in {K}_{*}\subset K$, that when loaded into
${c}_{e}$ will make it functionally equivalent to
${c}_{o}$:
$\forall x\in X\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}{c}_{e}({k}_{*},x)={c}_{o}\left(x\right)$. The original circuit is chosen from a distribution/family of circuits
${\mathcal{C}}_{o}$, known to the attacker which can be used to capture the attacker’s a priori knowledge of the original circuit
${c}_{o}$. Changing the key induces a possible obfuscated circuit function space
${\mathcal{C}}_{e}=\left\{{c}_{e}(k,.)\rightk\in K\}$. The basic goal here is to make it hard for an attacker to recover the unseen original circuit
${c}_{o}$ from the obfuscated circuit
${c}_{e}$ which the attacker can see.
OracleGuided (OG) Attacks. In an oracleguided (OG) attack (or attack model), the attacker, in addition to access to the structure of the obfuscated circuit ${c}_{e}$, has access to a blackbox that implements the original circuit ${c}_{o}$, which is called the oracle. The attacker can query this oracle adaptively on chosen points to help identify a correct key for ${c}_{e}$. An attacker with no oracleaccess is called an oracleless attacker (or attack model).
Sequential OracleGuided (SOG) Attacks. In the case of a sequential obfuscated circuit, if the attacker has an original functional circuit (oracle), but he for any reason cannot control or observe all the internal state elements (flipflops or latches) of the oracle [
12,
13] this we refer to as the sequential oracleguided attack model. The attacker only controls primary inputs and observes primary outputs and has a way to reset the oracle to its known reset state. An unknown reset state of
s bits here can be modeled by
s extra (virtual) key inputs, an extra flipflop, and some multiplexer logic.
Security Definitions. Formal definitions of security are routinely used in modern cryptography to reason about the security of protocols. A longoverdue effort to use a similar approach in circuit obfuscation has been initiated [
11,
14,
15]. We state the security properties from [
11], as they are used later on in the context of clock obfuscation:
Approximate Functional Secrecy (AFS). A locking scheme is said to be $(t,q,\u03f5,\sigma )$$\mathsf{AFS}$$\mathsf{OG}$ secure if the success probability (advantage) of any adversary A that has the locked circuit ${c}_{e}$, and can make up to q chosen adaptive input queries to the oracle of ${c}_{o}$, who has to return an $\u03f5$approximation of ${c}_{o}$, is no more than $\sigma $ better than an adversary ${A}^{\prime}$ that makes q queries to the original circuit ${c}_{o}$ and randomly guesses the remaining ${2}^{n}q$ truthtable entries of ${c}_{o}$.
Exact Functional Secrecy (EFS).
$(t,q,\sigma )$
$\mathsf{EFS}$
$\mathsf{OG}$≡
$(t,q,0,\sigma )$
$\mathsf{AFS}$
$\mathsf{OG}$. i.e.,
$\mathsf{EFS}$ is satisfied as soon as the attacker is not able to recover the precise functionality of the original circuit. It turns out that for many families of circuits, an
$\mathsf{OG}$ attacker can disregard the obfuscated circuit
${c}_{e}$ and try to “blackboxlearn/approximate” the oracle circuit
${c}_{o}$ with the circuit family
${C}_{o}$ as the a priori function space, making
$\mathsf{AFS}$
$\mathsf{OG}$ impossible for such families. More relaxed notions of approximation resiliency can avoid this result [
11].
$\mathsf{EFS}$ with exponential query complexity on the other hand is satisfiable with comparator logic for many circuit families [
11].
Clock Domain. If a circuit has state elements such as latches or flipflops then it may have one or more clock signals (see
Figure 1 and
Figure 2). The input and output of the circuit are related to the incoming sequence of the clock signal. The elements of the circuit, which are dependent on a particular clock signal, are in the
domain of that clock. Hence a circuit with multiple clock signals will typically have multiple clock domains.
Clock Sources. A clock signal may come from outside the chip via dedicated clock pins, or be generated internally using an onchip oscillator. An LC (inductorcapacitor) circuit along with an amplifier can be used to generate periodic signals. Such an onchip oscillator is constrained by the available device technology (inaccurate R/C (resistor/capacitor) values available, while L components can take up a large onchip area), whereas an external clocksource can use discrete crystals that produce higher accuracy clock waves.
Setup Time. The input data to a flipflop needs to be stable for more than a certain amount of time before a clock edge arrives. This time is known as setup time.
Hold Time. The input data to a flipflop needs to be stable for more than a certain amount of time after a clock edge has arrived. This time is known as hold time.
Combinational SAT Attack. The combinational SAT attack, as presented in [
4,
16] is a generic oracleguided attack. Given an arbitrary keyed circuit
${c}_{e}(k,x)$ and an oracle
${c}_{o}\left(x\right)$, it begins by formulating a
miter circuit
$M=[{c}_{e}({k}_{1},x)\ne {c}_{e}({k}_{2},x)]$. This circuit is converted to a conjunctive normal form (CNF) formula through the Tseitin transform and asserted using a SATsolver to obtain
$\widehat{x},\widehat{{k}_{1}},\widehat{{k}_{2}}$.
$\widehat{x}$ is called a discriminatinginputpattern (DIP), as it leads to different outputs under two different keys
$\widehat{{k}_{1}},\widehat{{k}_{2}}$ (uncertainty sampling). The oracle is queried on this DIP
$\widehat{y}={c}_{o}\left(\widehat{x}\right)$. This inputoutput (IO) observation will be inconsistent with at least one of
$\widehat{{k}_{1}}$ or
$\widehat{{k}_{2}}$ and is hence guaranteed to prune the key space. This IO condition
${F}_{i}$ is added back to
M as a constraint and the process is repeated until
$M\wedge {F}_{i}$ is no longer satisfiable. At this point solving
${F}_{i}$ alone is guaranteed to return a functionally correct key as long as
${c}_{o}\in {C}_{e}$.
ModelChecking Sequential OracleGuided Attack. The above SATattack cannot be formulated directly for a stateful circuit. However, a solverbased sequential oracleguided deobfuscation attack can be built with the same paradigm as above [
6,
12]. We first extend the locking model to sequential circuits by defining sequential locking as transforming the sequential original circuit
${c}_{o}(x,{s}_{o}):I\times S\to O\times NS$ with
S and
$NS$ being the current and next state spaces respectively, and
${s}_{o}$ is an
${s}_{o}$bit state register, to the obfuscated circuit
${c}_{e}(k,x,{s}_{e}):I\times S\to O\times NS$ for which
${s}_{e}$ is an
${s}_{e}\ge {s}_{o}$ bit state register where a correct key
$k\ast \in {K}_{*}$ exists such that for all sequential
traces $\widehat{x}=\langle {\widehat{x}}^{0},{\widehat{x}}^{1}\dots ,{\widehat{x}}^{u}\rangle \in {I}^{\infty}$ we have
${c}_{e}({k}_{*},{s}_{e}^{i},{\widehat{x}}^{i})=\widehat{{y}_{e}},\widehat{n{s}_{e}}$ and
${c}_{o}({\widehat{x}}^{i},{s}_{o}^{i})=\widehat{{y}_{o}},\widehat{n{s}_{o}}$ and
$\widehat{{y}_{e}}=\widehat{{y}_{o}}$. We can assume that
${c}_{e}$ is initialized to zero
${s}_{e}^{0}=00\dots 0$. An unknown reset state for
${c}_{o}$ can be modeled with extra virtual keybits. This allows modeling finitestatemachine (FSM) obfuscation [
17] with the above scheme as well.
Under the above model, the sequential attack can proceed by unrolling the obfuscated sequential circuit ${c}_{e}$ up to a given clock cycle bound u. From this we get ${c}_{e}^{u}$ which takes u inputs and produces u outputs. Since such an unrolled circuit is going to be combinational, it can be directly passed to a combinational SAT attack. The DIP extracted from this unrolled miter will now contain a sequence of input patterns and hence is called a discriminatinginputsequence (DIS). The DIS can be queried on the sequential oracle. An unrolled inputoutput constraint can then be extracted and appended to the unrolled miter and the process can be repeated.
Once the above process concludes (miter unsatisfiable) for a particular bound
u, the recovered key will be a functionally correct key for up to this round. The attack can terminate early by checking for certain termination conditions, such as the combinational equivalence of the nextstate functions, or checking whether the miter is unsatisfiable for an unconstrained reset state. The attack can in fact be modeled entirely using the modelchecking problem. Modelchecking is the task of (dis)proving properties over sequential transition systems represented by FSMs or stateful circuits. Unrolling a circuit and passing it to a SAT solver is a common fast approach to solving modelchecking problems called boundedmodelchecking (BMC). Algorithm 1 shows the overall flow of the BMCbased sequential oracleguided attack.
Algorithm 1 Given oracle access to sequential circuit ${c}_{o}$ and structure of sequential obfuscated circuit ${c}_{e}$ return a correct key ${k}_{*}$ 
 1:
functionSeqDecrypt(${c}_{e}$, ${c}_{o}$ as blackbox)  2:
$j\leftarrow 0$, $b\leftarrow 1$  3:
$M\leftarrow {c}_{e}({k}_{1},{s}_{e}^{0},x)\ne {c}_{e}({k}_{2},{s}_{e}^{0},x)$  4:
${F}_{j}\leftarrow true$  5:
while !Termination(${F}_{j}$) do  6:
if Bmc(${F}_{j}\wedge M,b$) is $SAT$ then  7:
${\widehat{\mathrm{I}}}_{j}\leftarrow \mathrm{S}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{s}\mathrm{f}\mathrm{y}\mathrm{i}\mathrm{n}\mathrm{g}\mathrm{T}\mathrm{r}\mathrm{a}\mathrm{c}\mathrm{e}\left({F}_{j}\right)$  8:
${\widehat{\mathrm{O}}}_{j}\leftarrow {c}_{o}^{b}\left({\widehat{\mathrm{I}}}_{j}\right)$  9:
${c}_{e}^{b}\leftarrow b\mathrm{round}\mathrm{unrolled}\phantom{\rule{4.pt}{0ex}}{c}_{e}$  10:
${F}_{j+1}\leftarrow {F}_{j}\wedge ({c}_{e}^{b}({k}_{1},{s}_{e}^{0},{\widehat{\mathrm{I}}}_{j})={\widehat{\mathrm{O}}}_{j})\wedge ({c}_{e}^{b}({k}_{2},{s}_{e}^{0},{\widehat{\mathrm{I}}}_{j})={\widehat{\mathrm{O}}}_{j})$  11:
$j\leftarrow j+1$  12:
else  13:
$b\leftarrow b+1$  14:
end if  15:
end while  16:
satisfy ${F}_{j}$ with ${\widehat{k}}_{1}$ and ${\widehat{k}}_{2}$  17:
return${\widehat{k}}_{1}$  18:
end function

3. Clock Obfuscation
In this section we discuss how an ambiguous clock may be created in the view of an oracleguided attacker. The baseline threat model here is similar to SOG where the attacker lacks full scanchain access, and additionally is uncertain about the frequency of some the clocks in the designs. Note that a nonSOG/OG/combinational attacker (one with full and immediate state observability) can easily recover clock frequencies by simply observing changes in the state and hence not the focus of our discussion.
We will discuss various technical aspect of this clock obfuscation process ranging from clock sourcing and keydependent programming to stateelement selection, and finally designs that are inherently multiclock as prime candidates for this form of obfuscation.
3.1. External Clock Sources
In the conventional lockingenhanced supply chain, the key is never shared with an untrusted party as such a party can collaborate with the untrusted foundry to learn the functionality of the original circuit. Instead, the secret key is programmed onto the chip by a trusted party in a trusted facility, and then one has to ensure that the programmed key is nonvolatile/persistent and tamperresistant. For instance, if the state of keybits can be recovered via optical/electrical probing the security of locking obviously falls apart [
18].
This also means that placing the key outside the chip is difficult. An offchip key will need to be transmitted securely to the locked chip. This itself may require encryption and hence another encryption secret key with exactly the same key management issues. Similarly, in the case of clock obfuscation, securing an external source will be very difficult. An attacker can easily probe an external clock signal and record its frequency. Hence except for the case of trusted endusers, clock obfuscation should focus primarily on ambiguating internal clock sources.
Note that regardless of the origin of the clock the attacker can try to bound its upperfrequency limit. The attacker can study the layout and transistor technology of the locked circuit and use timing analysis to get an estimate of the maximum clock frequencies as dictated by setup/holdtime constraints. Finding a minimum clock frequency bound that is larger than zero will be harder if not impossible.
3.2. Internal KeyProgrammable Clock Sources
Given that external clocks are hard to obfuscate, the defender has to produce clock ambiguity onchip which we discuss herein.
The first approach is to use internal keyprogrammable oscillators. There are a myriad of ways to implement frequency controllable onchip oscillators. Modern processors require such oscillators to implement dynamic voltage/frequency scaling (DVFS) to reduce power consumption during lowintensity computational periods. For instance, ref. [
8] implements a programmable clock source via a ring oscillator with variable/controllable capacitors inserted in the ring to tune its oscillation frequency.
Since the frequency needs to be programmed onchip there are some limitations. Typically, digital bits are used to tune such oscillators. This will make it such that for l key bits there will exist at most ${2}^{l}$ different possible frequencies. For the purposes of locking, however, it is possible to imagine a chip that has programmable continuous RLC elements that are configured using an external analog voltage/current. In such a setting, it may seem that the number of possible frequencies can become infinite. However, the attacker can use a bounded number of frequency “bins” to place the continuous variable into, capturing the inevitable imprecision in the defender’s configuration process. There is obviously a limit here on the number of different frequency possibilities in the attacker’s view that the defender can create. Onchip oscillators cannot be tuned with infinite precision. Moreover, the infinite precision may not translate into infinite Boolean function possibilities for ${c}_{e}$.
Another approach is to use an external fast master clock, the frequency of which will be known to the attacker (represented by the smallest period T). This fast clock can be slowed down by integer multiples by adding a programmable digital clock divider. A counter circuit can be used to count the number of positive edges on the clock. The value of the counter d is compared to a key vector ${k}_{d}$ and a tick is generated in case of a match. The attacker can produce a ${k}_{d}\times T$ clock period in addition to the Tperiod master clock using such logic. The overhead here will be a function of the bit width of ${k}_{d}$ and will consist of comparator and counter logic. The maximum possible period (slowest frequency) above zero will be ${2}^{{k}_{d}}T$.
3.3. Frequency Fractions
Using the above various clock generation approaches, given the assumption that the number of different clock frequencies in the design is finite, we can model this with t different possible clock frequencies/periods $\mathcal{T}=\{{T}_{1},\dots ,{T}_{t}\}$. The relationship between these clocks can vary creating different scenarios that lead to somewhat different threat models:
Integer Multiples of a Single Base Period. The somewhat simplest case here is when $\mathcal{T}$ includes a single base minimum period T, plus integer multiples of it. e.g., $\mathcal{T}=\{T,2T,3T,7T\}$. For instance given a clockdivider with a programmable nbit divisionfactor controlled by the nbit key ${k}_{d}$, we will have $\mathcal{T}=\{T,2T,3T,\dots ,{2}^{n}T\}$.
Integer Multiples of Multiple Base Periods. The more complicated case is when there are multiple base frequencies and their integer multiples. This corresponds to the case where one uses several onchip controllable oscillators to produce more than one base period ${T}_{1}\in \mathcal{T}$ and ${T}_{2}\in \mathcal{T}$, where ${T}_{1}$ and ${T}_{2}$ are completely independent. Multiples of these periods can then appear in $\mathcal{T}$ as well. In this work, we do not directly present a generic deobfuscation algorithm for this case. Such cases will have to be modeled with a single base period alternative.
To transform the multiple base period case to a single base period, one can pick a small single base period ${T}_{b}$ and use it to express both ${T}_{1}$ and ${T}_{2}$. i.e., ${T}_{1}={n}_{1}{T}_{b}$ and ${T}_{2}={n}_{2}{T}_{b}$. In a realworld scenario, absent external unknown clock frequencies, ${T}_{1}$ and ${T}_{2}$ can take a finite number of different values. One can extend this to more than two base periods.
Note that in model checking research, when dealing with multirate transition systems, a similar approach is often used [
19]. i.e., a single global minimum step size is used to express the different rates. However, it is possible to imagine truly independent clock rates. Take the case of asynchronous transmitter and receiver logic. Here the frequencies on both sides can be completely independent and the system must perform correctly regardless. Unrolling the circuit to capture its behavior, in this case, is not straightforward. Formal analysis of such fully asynchronous circuits is a topic of ongoing research [
20] and outside the scope of this paper.
Rational Multiples of a Single Base Period. Here
$\mathcal{T}$ can include noninteger multiples of the base period. i.e.,
$\mathcal{T}=\{T,1.3T,\dots ,2.4T\}$. In this paper, we avoid deobfuscating such cases directly. As for the deobfuscation, we will model obfuscated circuits with the multirate modelchecking [
19] method, we need to convert this noninteger multiples to the case of integer multiples by finding a
${T}_{b}$ that is small enough to express all the periods in
$\mathcal{T}$. For instance
${T}_{b}=0.1T$, can be used to express
$1.3T=13{T}_{b}$ and
$2.4T=24T$. As for the defender he can implement such a setting by using a fast master clock of
${T}_{b}$ and dividing the frequency down to the other periods, or by using
$\left\mathcal{T}\right$ different tunable oscillators that can be tuned in steps of size
${T}_{b}$.
We will explore these scenarios further in
Section 4.
3.4. State Element Clock Ambiguation
Clock signals are primarily routed to state elements in digital logic. Hence, subsequent to the generation of different clock frequencies, the defender has to create in the view of the attacker an ambiguity in which clock frequency is used for a particular state element.
We can assume that the previous step results in the generation of
t different clock frequencies/periods
$\mathcal{T}=\{{T}_{1},\dots ,{T}_{t}\}$. These frequencies can be implemented on a single wire. For instance, a singleended programmable oscillator or clockdivider will have a single clock signal output that can be programmed to oscillate at different frequencies. By routing this signal to a state element, an ambiguity is immediately created in the attacker’s view on the clock frequency of that particular element. Different clock frequencies can also be implemented on different wires. One can build a fixed (keyindependent) clock frequency divider that generates a
$3T$period clock in addition to the
Tperiod master clock. Then, a keycontrolled MUXgate can be used to select one of the two known frequencies as the clock source of a particular DFF. This is shown in
Figure 3. While this is functionally equivalent to the singlewire case, the hardware overhead may be different. The MUX approach requires both clock signals to be routed to the state element. The singleended programmable clock on the other hand can take on only a single frequency, meaning that if routed to multiple DFFs, they will all take on the same frequency postconfiguration and hence does not lead to DFFspecific ambiguity (captured by virtual keys) in the attacker’s view.
In the functional secrecy paradigm of logic locking, one can model a given ambiguity in the locked circuit with alternative key structures. Given a precise locked circuit netlist ${c}_{e}(k,x)$, a functional attacker can replace it with ${c}_{e}^{\prime}({k}^{\prime},x)$ as long as the possible function set of ${c}_{e}^{\prime}$ is a superset of the possible function set of ${c}_{e}$. We use this approach by introducing virtual keybits that model the attacker’s ambiguity over the behavior of the circuit in our attacks later on.
3.5. State Element Selection
Once a set of different frequencies is generated one has to select which state elements in the design to obfuscate with what subset of frequencies. The space of possible ways to select state elements here would be prohibitively large. In our experiments on benchmark circuits, we select a random subset of flipflops and obfuscate them with a choice of different frequencies. However, one can perform the selection to optimize metrics such as area/timing/routing/congestion or security metrics.
One important issue that needs addressing here is that of
OracleLess (OL) attacks [
21]. An OL attacker has to determine the frequency of a particular flipflop by studying the structure of the obfuscated circuit alone. For instance, if the transistor technology and DFF structure dictate a certain setup/holdtime requirement, that can be discerned from the obfuscated circuit layout itself, then the attacker can discard frequency values that are high enough to violate setup/holdtime requirements. i.e., a clock frequency where the period
$T<min(st,ht)$ where
$st$ is the setup time and
$ht$ is the hold time can be removed from the set of possible frequencies for that particular clock. Note that holdtime requirements that are satisfied by adding delay to timing paths do not help in determining the clock frequency beyond the abovediscussed point.
Another potential oracleless vulnerability is the fact that the flipflops that are closer to one another in the physical layout or the netlist graph are more likely to have the same frequency. The defender can try to alleviate this by ensuring that clusters of nearby flipflops are clockobfuscated simultaneously.
One more OL vulnerability in clock obfuscation is the fact that given the distribution of realworld original circuits modules, those with finegrained multiple clock rates per DFF are less common. This bias in the original circuit space
${\mathcal{C}}_{o}$, means that an attacker will have a nonnegligible advantage in correctly recovering the circuit by just assuming that all clocks run at the same frequency. It is better therefore to target clock obfuscation towards circuits that inherently exhibit some sort of clock gating or frequency control. We discuss some of these special cases in
Section 3.7.
3.6. Dummy (ConstantClock) State Elements
One can insert a flipflop in the circuit that has a
constant clock signal:
An edgesensitive Dflipflop with a zero clock signal will remain forever in its reset state. This can serve as a constant in the circuit. Constants can be mixed with AND/OR/XOR gates to create “phantom” sequential behavior in the attacker’s view of the circuit.
A levelsensitive latch with an alwayson/off clock signal can serve as a buffer/constant. This can be inserted on wires or replace existing buffers/inverters. The above cases can be seen in
Figure 4.
Implication for $\mathsf{EFS}$. Achieving
$\mathsf{EFS}$ with exponential security is possible for many combinational circuit classes by inserting for instance detachable comparator logic to the circuit [
11]. A detachable comparator/pointfunction
$P(x,k)=\left(x{=}^{?}k\right)\wedge {k}_{act}$ can convince the attacker that there may be an activating pattern
k in the input space of the circuit. Since such a comparator can be disabled by setting
${k}_{act}=0$, the attacker will have to explore a significant proportion of the input space of the circuit in order to be able to rule out the existence of this activating pattern with high confidence.
A similar phenomenon can happen with dummy clock obfuscated state elements. The attacker suspects that the dummy state element is going to make a transition at some point, ruling out of which requires querying and waiting for a time ${T}_{max}$ that is the longest noninfinite potential period of a clock signal in the circuit. Generating a ${T}_{max}={2}^{n}{T}_{b}$ with a clockdivider from a base clock period of ${T}_{b}$ will require a comparator of size n but can create $\mathsf{EFS}$ with $O\left({2}^{n}{T}_{b}\right)$ time complexity.
3.7. Inherently Asynchronous Circuits
The attacker’s a priori knowledge of the original circuit is captured in ${\mathcal{C}}_{o}$: the original circuit distribution. It is not straightforward to precisely describe ${\mathcal{C}}_{o}$. This is similar to the plaintext distribution problem in cryptography. English text has a distribution, but describing the distribution is not easy. Modern ciphers are designed to not lose their security as the distribution of the plaintext changes. This is not the case unfortunately for circuit locking. A locking scheme can go from information theoretically secure to completely broken by just changing ${\mathcal{C}}_{o}$. In the case of clock obfuscation, applying the obfuscation to original circuits that are inherently multiclocked will ensure that an attacker that simply decides that all state elements are running at the same frequency will be wrong in at least some instances, i.e., instances where the original circuit itself was multiclocked rather than the clock ambiguity being exclusively artificially introduced via the locking scheme.
We discuss two common asynchronous circuit examples below that can be locked manually with clock obfuscation. This can be extended to other asynchronous circuits.
Digital PLL. Phaselocked loops (PLL) are feedback control systems that adjust the phase of a locally generated signal to match the phase of an input periodic signal automatically. This is done by detecting the difference in phase between the two signals and adjusting the local oscillator based on this difference.
A common PLL design paradigm is to use the following stages: a phase detector measures phase differences between the internal and external signal. A lowpass loop filter filters this difference signal producing a voltage that tunes a voltagecontrolled oscillator (VCO). The output of the VCO is then fed back to the phase detector after going through a feedback divider. One can implement the above with analog or mixedsignal components. One common mixedsignal way to design the phase detector is to feed the input and oscillator signals to the clock port on a pair of DFFs. This can allow for clock obfuscation.
In a Digital PLL (DPLL), these blocks can be converted to digital blocks (see
Figure 5). The loop filter is converted to digital loop filter, the phase detector to a timetodigital converter (TDC), and the VCO to a digitallycontrolled oscillator (DCO) [
22].
A TDC block design is shown in
Figure 6. As can be seen, the
$ref$ timed signal is passed as the clock signal to a series of DFFs capturing a series of consecutively delayed signals. Since this
$ref$ signal is not the common master clock in the system, it can be obfuscated via keycontrolled MUX gates. One has to ensure that the precision of the TDC is not harmed by trying to reduce the mismatch induces by the insertion of MUX gates.
Oracleless resiliency may be harder to maintain as the TDC block has a very particular structure without additional interconnect and structural obfuscation. Oracleguided resiliency will depend heavily on the controllability/observability of its input/output in a larger design.
Digital Counter. A digital
nbit counter can be built with a sequence of DFFs. The frequency of the rising edges on the clock signal that is shared among these DFFs will reduce by half after each stage of DFFs creating a binary counter function at the
${Q}_{i}$ outputs. One can use MUX gates here to confuse the attacker in the choice of clocks as seen in
Figure 7. It is also possible to take any sequence of
n DFFs in a design, and use keycontrolled MUX gates to create a “potential digital counter” in the attacker’s view among them by creating a scenario where there will exist a key under which the DFFs will act as a counter.
The oracleless resiliency here will depend on how undiscernible the counter logic can become from the rest of the circuit which will depend on the density and topology of inserted MUX gates. The oracleguided $\mathsf{EFS}$ resiliency for counter logic can increase exponentially, as the last bit (most significant bit) of the counter has exponentially small observability, which can lead to exponentially high query counts or wait times.
4. Clock Deobfuscation
Up until now, we have discussed clockbased obfuscation techniques and their possible implementation in circuit designs. Sequential circuits are considered to be harder than the combinational circuit in the deobfuscation process. As mentioned in preliminaries, the deobfuscation of sequential circuits is possible with the sequential oracleguided attack with bounded model checking. Here we show that it is possible to adapt these attacks to the case of deobfuscating clockambiguous circuits.We use a common technique used in multirate modelchecking [
19]. The idea here is to try to model the multirate semantics with a singlerate model with the same functionality that can then simply be passed to a traditional singlerate modelchecking attack.
4.1. Clocks with Known Integer Multiples of a Base Period
The first and simplest case here is when the attacker is faced with a set of DFFs, where for each DFF the clock signal is a choice among a subset of known multiples of a base period T. For instance, some DFFs will be connected to a clock signal $cl{k}_{1}$, while for another DFF in the circuit the clock signal is picked using keycontrolled MUXs among $cl{k}_{1}$ and $cl{k}_{2}$. If $cl{k}_{2}$ is generated by a clockdivider from $cl{k}_{1}$ with a public division ratio of 2, then the attacker knows that the DFF can be running at either T or $2T$.
Formally speaking, the attacker is given ${c}_{e}$, where ${c}_{e}$ will include ${s}_{e}$ DFFs, each driven by a clock running at a period given by a keycontrolled choice of a subset of $\mathcal{T}=\{T,{a}_{1}T,\dots ,{a}_{t}T\}$, where the ${a}_{i}$ are known integers. We begin describing the modeling process by imagining two DFFs running at two different known clock rates. If one DFF is running at a period of $2T$ while the other DFF is running at a period of T, this simply means that the one running at a faster clock rate (T) will be getting updated twice as often. One can capture this behavior by simply inserting a second “virtual” DFF in the path of the slow DFF. i.e., Given a DFF $n{s}_{T}=DF{F}_{1}(s,cl{k}_{T})$, $n{s}_{T}$ will get updated on each tick of $cl{k}_{T}$ which occurs every T seconds. By adding a second DFF we create $n{s}_{2T}=DF{F}_{2}(n{s}_{T},cl{k}_{T})=DF{F}_{2}(DF{F}_{1}(s,cl{k}_{T}),cl{k}_{T})$. Now for the value at s to reach the output at $n{s}_{2T}$ it will take not one but two ticks of $cl{k}_{T}$. Effectively, $n{s}_{2T}$ ends up getting updated with s at half the rate, i.e., as if it were driven by a clock with half the frequency (twice the period), i.e., $cl{k}_{2T}$.
It is possible to extend this to the case of clocks running at ${a}_{i}T$ for ${a}_{i}>2$. For a clock running with a period of $aT$, a many backtoback flipflops can be inserted to slow down the fast data moving at a period of T, to the data that moves with the atimes slower $aT$. These signals can then be used as functional equivalents of a DFF nextstate signal that is running at a slower clock.
If the above model is passed to a model checker, it will get unrolled into a combinational circuit in which the state to nextstate connections may effectively end up skipping some intermediate unrolled frames. This also means that instead of modifying the sequential circuit by adding slowdown DFFs, one can implement the same behavior as part of the unrolling subroutine of the modelchecker. In our experiments however, we avoid this as modifying the internals of the BMC engine is somewhat more difficult than simply inserting slowdown flipflops in ${c}_{e}$.
With the above technique, we can generate a series of nextstate signals each being updated at a fixed integer ratio of the base clock rate. If the clock rate for a particular DFF is known, we can then just select the nextstate signal that corresponds to this. However, in the case of deobfuscation, this choice may be unknown for some DFFs. Per our usual arrangement in deobfuscation, we may model this uncertainty/ambiguity using introduced virtual key bits. We create a keycontrolled MUX that will select one of the nextstate signals that are running at different rates. i.e.,
$n{s}_{o}=MUX(k,n{s}_{T},n{s}_{{a}_{1}T},\dots ,n{s}_{{a}_{i}T})$. If passed to a sequential deobfuscation routine, the value of the virtual key
k learned from the attack represents a choice of which clock rate the particular DFF is running at.
Figure 8 shows this.
4.2. Clocks with Unknown Integer Multiples of a Base Period
Now we come to the case where the clock choices are integer multiples of a base period $\mathcal{T}=\{T,{a}_{1}T,\dots ,{a}_{t}T\}$, yet the ${a}_{i}$ can be unknown to the attacker.
Since the ${a}_{i}$ here are still integers and are all greater than 1 (slower versions of the base period T), we can use the slowdown DFFs discussed previously. While we know how many slowdown DFFs to insert for a known multiple of T, for an unknown multiple, we are uncertain about exactly how many to insert, i.e., by how much to slow down the nextstate signals. This is a true uncertainty on the side of the attacker. An uncertainty that nonetheless cannot escape being modeled by added virtual key bits.
For a DFF that may be running at an unknown multiple period $aT$, we go ahead and slowdown the nextstate signal of the DFF by inserting ${a}_{max}$many slowdown DFFs. Using keycontrolled MUX gates we allow the circuit to pick any of the slowed down signals $\left\{n{s}_{{a}_{i}T}\right\}$ for ${a}_{i}\le {a}_{max}$. If we now set ${a}_{max}$ to an integer value that is higher than the maximum expected period multiplier in the attacker’s hypothesis, we will effectively end up modeling clocks that can be arbitrarily slower than the base clock within some reasonable range.
With the above approach, the overhead in the model of the multirate circuit grows linearly with ${a}_{max}$. Hence if the attacker can truly expect some clocks in the circuit to be running at exponentially slower than the base period, this can create an exponential blow up in the size of the multirate model. This directly ties the slowdown in the multirate obfuscation to the resiliency against our proposed attack. This is somewhat analogous to the relationship between observability and query complexity. Slower clocks produce less observable circuits in time.
The attacker can bound the value of ${a}_{max}$ by studying the clock source. For instance, if the clock is driven by an nbit digital clockdivider that can divide the base frequency by up to ${2}^{n}$, then ${a}_{max}$ will have to be greater than ${2}^{n}$. If an onchip LC oscillator is used, the attacker may be able to use the LC variables limit in the given technology or the digital bits used to program them to get an idea of how slow of a signal they can produce.
Note that the unrolled version of the above model of the circuit will include possible updates of nextstate in each frame. This can be seen in
Figure 9. Note that for constant dummy DFFs, the possible connection between the nextstate in frame
u and the reset state
$Rs$ through the keycontrolled MUX captures the possibility of some DFFs never changing from their reset state in
u rounds.
A combination of known and upto
${a}_{max}$ clock obfuscation is possible and can be seen in
Figure 10. The single rate equivalent model is seen in
Figure 11.
4.3. NonInteger Multiples of a Base Period
The clock period choices can be noninteger multiples of a base period, e.g.,
$1.2T$,
$2.4T,\dots $. be As we briefly mentioned in
Section 3.3, in this paper we do not directly attack this case. Instead, such cases have to be converted to an integer multiple period equivalent model. This can be done by trying to find the smallest period
${T}_{b}$, which can be used to describe all the noninteger periods in the circuit.
First, we consider the case where the noninteger periods are known. i.e., $1.2T,2.4T$. We can first multiply both numbers by a decimal factor to turn them into integers $12T=10\times 1.2T$, $24T=10\times 2.4T$. We can then take the greatestcommondivisor of $12T$ and $24T$ which will be $12T$ here. We then reverse our early transform by dividing $12T$ by 10 obtaining $1.2T$. We now take ${T}_{b}=1.2T$, which allows us to express the other periods $1.2T={T}_{b}$, and $2.4T=2{T}_{b}$. This returns us to the known integer multiple case and allows for applying the previous deobfuscation routines.
If the noninteger multiples are unknown, similar to the case of integer multiples we pick an ${a}_{max}$ that represents the maximum multiple of the base period that could occur in the circuit and allow for a choice between all slowed down versions of $ns$ using virtual key bits and MUX gates.
As for identifying
${a}_{max}$ one can follow the same procedure as before. If the clock is generated by a digital clock divider, the maximum
${a}_{max}$ is visible. If the clock is sourced via a finegrained oscillator, per our discussion in
Section 3.3 the smallest step in the oscillator frequency range can still be taken as
${T}_{b}$ and the attack can proceed.
4.4. Finding the Base Period
As discussed above, in all cases, in order to deobfuscate the circuit with our proposed approach one needs to express the potential clock period choices as multiples of a symbolic base period T.
The oracleguided attacker, however, needs to have some idea of the concrete value of this symbolic base period too. This is required for trying to make sense of the sequential oracle output behavior. Recall that in the conventional sequential OG attack, the clock period is known to the attacker or the attacker is assumed to have direct control of the clock signal. Hence when querying the sequential oracle, the attacker will restart it, pass the first input pattern to the circuit, tick the clock or wait for period T, read the output, then repeat the process. Even if an output bit is not changing for several input patterns, the attacker knows that the unchanging output bits belong to different frames, simply from knowing/controlling the clock period.
For a clockambiguous circuit, however, this may not work. Here, the attacker, not knowing the base period of the clock, will not know precisely how to attribute the different outputs observed on the oracle to the unrolling of the different frames in the modelchecking attack. Hence a first step in the attack must be to identify the base period T itself too.
If the locked circuit has an external master clock and there are no frequency boosters in the circuit, the attacker can assume that the fastest clock in the circuit is the external clock. If however, the fastest clock in the circuit is generated internally, the attacker may not directly observe this fast clock’s period T. Instead, the only manifestation of T will be that at rates of $aT$ where a may be unknown, the output of the circuit may change. The attacker can hence try to measure the time it takes for an output to exhibit change while the inputs are kept the same to identify $aT$.
We can in fact devise a miter condition to capture this. This is shown in
Figure 12. The circuit condition
$M\equiv {\bigvee}_{0\le u<t}({c}_{e}^{t}(k,rs,x)\left[u\right]\ne {c}_{e}^{t}(k,rs,x))[u+1]$ where
${c}_{e}^{t}\left[u\right]$ is the
tround unrolled obfuscated circuit’s output at the
uth frame. This condition captures input patterns
x and key patterns
k for which a transition in the output may occur if the internal unknown clock keeps ticking. The attacker can then pass such an input to the oracle and wait for a change in the output and measure the time as an estimate of some multiple of
T. Note that since the key is unknown, this is not guaranteed to happen on the oracle. Thus, the attacker must repeat the process in theory for every possible
x that can satisfy
M. Also keep in mind that, during the attack, if the attacker observes any change at the outputs that occurs at a rate faster than
$1/T$, the attacker can downgrade his measure of the lowest period
T and restart the attack.
5. Experiments
We present proofofconcept implementations of the ideas discussed in the paper. We use the sequential ISCAS benchmarks seen in
Table 1. These benchmark circuits are single clock circuits.
For obfuscation, we do not implement the fullfledged multiclock tapeoutready circuits with oscillators. Instead, we model the multiclock obfuscation by inserting slowdown DFFs plus MUX gates following our discussions in
Section 4 using Python scripts to evaluate security. For deobfuscation we pass these multirate equivalent model circuits to the opensource sequential deobfuscation tool
neos [
23].
neos is written in C++ and uses the Glucose SATsolver along with an internal unrollingbased BMC solver for sequential doebfuscation.
We primarily report on deobfuscation runtime. Runtime is collected as the wall clock time for neos excluding the modeling part which is insignificant. Tests are run on a 128thread dualCPU EPYC AMD server with 256 GB. Each process is given 2 GB of memory and 30 min of time.
Table 1 and
Table 2 report deobfsucation time for circuits obfuscated with a choice of 2 different known clocks. i.e., a given percentage of the DFFs in the circuit are picked randomly and obfuscated with the 2choice clock. The clock choices are known integer multiples of the base period (
$\{T,2T\}$ and
$\{T,3T\}$). We observe from the data in
Table 1 and
Table 2 for 2choice clocks that the majority of benchmarks with less than 240 DFFs can be deobfuscated in the 30min time window. We also compare this to random XOR/XNOR insertion with a key size the same as the number of DFFs that are clockobfuscated.
Figure 13 shows the runtime for clockbased obfuscation versus XOR/XNOR, versus a combination of both with twice the key size. As can be seen the runtime of clockbased locking can be in the same range as XOR/XNOR locking. We do not observe a clear winner in terms of SATattack time. In both schemes, the runtime tends to increase as the key width increases. In some instances, it can be observed that increasing the DFF clock obfuscation rate may not result in a higher runtime. This could be because in one instance the obfuscated DFFs happened to be inserted in a location that does not produce as much deobfuscation difficulty.
We can also create cases where there are more than 2 clock signals available in the circuit. We tested the benchmarks with 3 choice clock obfuscation.
Table 3 shows the runtime for 3choice clock deobfuscation. We can present similar observations that we made for the 2choice obfuscation method.
For deobfuscation given unknown multiples of the base period, we present the data in
Figure 14. Here we report the deobfuscation runtime for small circuits that can be attacked in minutes as a function of increasing
${a}_{max}$.
${a}_{max}$ is the maximum number of rounds that the attacker has to unroll the circuit to capture the unknown multiple
${a}_{i}T$ clock behavior where
${a}_{i}\le {a}_{max}$. As can be seen one can increase the runtime somewhat superlinearly as
${a}_{max}$ increases. An
nbit clock divider can create an
${a}_{max}\in O\left({2}^{n}\right)$ and lead to exponential blowup of the deobfuscation circuit model. We verified this results against a simple counter circuit with
n bits.
We also performed a test of dummy flipflop insertion on a few of the benchmark circuits. As predicted from our theoretical analysis, in these cases, as soon as the sequential output is dependent on the dummy state element, the attack will continue unrolling indefinitely and not terminate, as it suspects that the dummy element could awaken at some unknown clock cycle and input pattern in the future. In some cases, this dependency can fall apart and termination can be reached earlier. This is primarily a function of where the dummy state element happens to be inserted.