SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks

. In this paper, we introduce the Satisﬁability Modulo Theory (SMT) attack on obfuscated circuits. The proposed attack is the superset of Satisﬁability (SAT) attack, with many additional features. It uses one or more theory solvers in addition to its internal SAT solver. For this reason, it is capable of modeling far more complex behaviors and could formulate much stronger attacks. In this paper, we illustrate that the use of theory solvers enables the SMT to carry attacks that are not possible by SAT formulated attacks. As an example of its capabilities, we use the SMT attack to break a recent obfuscation scheme that uses key values to alter delay properties (setup and hold time) of a circuit to remain SAT hard. Considering that the logic delay is not a Boolean logical property, the targeted obfuscation mechanism is not breakable by a SAT attack. However, in this paper, we illustrate that the proposed SMT attack, by deploying a simple graph theory solver, can model and break this obfuscation scheme in few minutes. We describe how the SMT attack could be used in one of four diﬀerent attack modes: (1) We explain how SMT attack could be reduced to a SAT attack, (2) how the SMT attack could be carried out in Eager, and (3) Lazy approach, and ﬁnally (4) we introduce the Accelerated SMT (AccSMT) attack that oﬀers signiﬁcant speed-up to SAT attack. Additionally, we explain how AccSMT attack could be used as an approximate attack when facing SMT-Hard obfuscation schemes.


Introduction
The cost of building a new semiconductor fab was estimated to be $5.0 billion in 2015, with large recurring maintenance costs [1] [2], and sharply increases as technology migrates to smaller nodes.To reduce the fabrication cost, most of the manufacturing and fabrication is pushed offshore [1].However, many of the offshore fabrication facilities are considered to be untrusted.Manufacturing in untrusted foundries has raised concern over potential attacks in the manufacturing supply chain, with an intimate knowledge of the fabrication process, the ability to modify and expand the design prior to production, and an unavoidable access to the fabricated chips during testing.Accordingly, fabrication in untrusted foundries has introduced multiple forms of security threats from supply chain including that of overproduction, Trojan insertion, Reverse Engineering (RE), Intellectual Property (IP) theft, and counterfeiting [2].
To counter these threats, various hardware design-for-trust techniques have been proposed, including watermarking, IC metering, split manufacturing, IC camouflaging, and logic locking [3,4,5,6,7,8].The watermarking and IC metering techniques are passive protection models that could be used to detect overproduction or illegal copies, however, they cannot prevent IP theft or overproduction.The Camouflaging techniques use logic gates (or other physical structures such as dummy vias) with high structural similarity, that are indistinguishable from one another to protect against reverse engineering.However, camouflaging is only effective against post-manufacturing attempt(s) of reverse engineering, while it provides no limitations against a foundry's attempt at reverse engineering, as a foundry has access to all masking layers and is not trapped by structural ambiguity for being able to logically extract a netlist.The obfuscation (logic locking) [8] on the other hand, introduce limited programmability by inserting key programmable gates to hide or lock the functionality.By using obfuscation, the target chip produces the correct output only when the key inputs are correct.The purpose of obfuscation is to protect against RE at an untrusted foundry.By using obfuscation, even by having all mask information, the attacker cannot generate the correct functionality of a circuit without the correct key values, and such key values are not shared with the manufacturer.
Shortly after the introduction of first published obfuscation schemes, a new and powerful attack based on Boolean Satisfiability (SAT) was formulated and revealed [9,10].In this attack model, the attacker has access to a reverse engineered but obfuscated netlist, and a functional and unlocked chip.Using this attack model, the formulated Boolean Satisfiability Attack (SAT Attack) can effectively break all previously proposed logic encryption techniques, including random insertion (RLL), fault-analysis (FLL), interference-based logic locking (SLL), and logic barriers [8,11,12,13,14].The SAT solver iteratively eliminates sets of incorrect keys and finds the correct key within a small time, and unlike Brute force attack that requires attack time exponential with respect to the number of inputs, its execution time grows almost polynomially.Existing SAT attack, which can be modeled with query-by-disagreement (QBD) or uncertainty-sampling, minimizes the number of queries (inputs) required to learn (deobfuscate) the target function (obfuscated logic).Also, SAT attack terminates when no more disagreeing inputs can be found, at which time the attack guarantees to find the correct key.However, to defend against powerful SAT attacks, different obfuscation schemes have been proposed, such as SARLock and Anti-SAT [15,16,17].However, further research illustrated that some of these locking schemes are vulnerable to other types of attacks such as Signal Probability Skew (SPS) and removal attacks [18].
In addition, introducing approximate-based attacks, such as AppSAT [28] or Double-DIP [19] worsens the problem.Unlike the existing SAT attack, which needs exact learning model, approximate-based attacks can be modeled using approximate learning problems, such as the probably-approximately-correct (PAC) setting [29,30].Based on the PAC model, an attack A, with a probability of λ, will provide an -approximation (approximately correct) of the target function (obfuscated logic).Note that, an -approximation of the target function is a function with only % ( ∈ O( 12 n )) disagreement with correctly unlocked circuit.Accordingly, the approximate SAT attacks can find an approximate key which produces a very small error (% ) in the behavior of the unlocked circuit in comparison with a correctly unlocked circuit.The approximate attacks are shown to effectively find an approximate key for SAT-resilient defenses including SARLock [16], and Anti-SAT [17].Furthermore, Bypass attack [27] is also proposed for creating an auxiliary circuit that recovers the flipped output(s) while approximate key is applied.Then it adds a bypass circuit to correct the wrong output(s) when input pattern(s) cause incorrect output(s).Consequently, it is able to eliminate even small error in the behavior of the unlocked circuit by approximate key, and behave completely the same compared to correctly unlocked chip.
The SAT attack benefits from the Directed Acyclic Graph (DAG) based nature of input netlist and the ability of SAT-attack to logically model the obfuscation into a satisfiability problem.To counter the SAT attack, recently some design obfuscation schemes have been proposed to violate these assumptions.For instance, in the approach adopted in [21], the DAG nature of netlist is altered by introducing cycles into the netlist for the purpose of trapping a SAT attack.Another example is the approach adopted in [22], where the obfuscation, in addition to logical properties of the netlist, targets the setup and hold properties (timing properties) of the circuit as a locking mechanism.Considering that setup and hold time are not logical properties, they cannot be translated into CNF statements for formulating a SAT attack.However, in this paper, we illustrate that even using these non-logical properties for obfuscation, does not increase the security of an obfuscated netlist, indicating the need for further study and exploration in this domain to generate obfuscation schemes with provable security.The contributions of this paper is as follows: I) Introducing SMT Attack: We present Satisfiability Modulo Theory (SMT)-based attack on obfuscated circuits, that expands the capabilities of previously proposed SAT attack by assigning theory solvers to monitor the behavioral and non-functional properties of the obfuscated circuit.To illustrate the capabilities of SMT attack, we use an SMT solver and invoke a graph-theory solver to break the logic and timing obfuscation scheme introduced in [22].

II) Introducing Accelerated SMT Attack:
We illustrate that by adopting theory solvers, not only we can observe, monitor and learn from the non-functional behavior of an IC during an attack, but also we can significantly reduce the attack time in specific obfuscation schemes.In this paper we use a BitVector theory solver to reduce the execution time of SMT attack (compared to a SAT attack) by means of finding discriminating inputs that have much higher pruning power over the SMT solver's decision tree.

III) Approximate-based SMT Attack:
We further equip our proposed Accelerated SMT attack with logistic to discriminate between SAT-hard and non-SAT-hard obfuscations if a hybrid-obfuscation scheme contains both.Using this approach, we quickly find the non-SAT-hard obfuscation keys, detect the SAT-hard solution and without spending exponential time, we exit and generate the approximate key.In addition, unlike previous approximate SAT attacks, we can guarantee that the approximately unlocked circuit at most have d bits of difference in the worst case (for any given input) with the correctly locked circuit, with d being 1 for all previously proposed SAT-hard solutions.
The rest of the paper is organized as follows: Section 2 presents the background and previous work related to the logic obfuscation and various attack models.The limitation of SAT-based attacks is discussed in section 4. Section 5 explains the overall structure of SMT solvers and their capabilities for attacking obfuscated circuits.Section 6 introduces The SMT attack on obfuscated circuits and study four different modes of the SMT attack.Section 7 captures our experimental and simulation results.Finally, Section 8 concludes the paper.

Boolean Logic Obfuscation
Logic locking and netlist obfuscation schemes introduce limited programmability into a netlist by means of inserting additional key programmable gates at design time.After fabrication, the functionality of the IC is programmed by loading the correct key-values.The key-inputs could be stored in and driven by an on-chip tamper-proof memory [23].The purpose of inserting key-gates is protecting the IC design from untrusted foundries.Since the functionality of a design is locked with a secret key, the attacker cannot learn the functionality of the obfuscated netlist after reverse engineering.Logic locking and obfuscation schemes vary in terms of the usage of different key-gates types and key-gates insertion policies [24,25].For combinational circuits, logic locking can be classified based on key-gates types to different categories.XOR/XNOR based logic locking [12,8], MUX based logic locking, and LUT based logic locking [14,15] are the most common mechanisms.Also, there are different algorithms for inserting the key-gates in the circuit.Some of these policies Sensitization & Justification 2012 [12] SAT Attack 2015 [9,10] 2017 SARLock 2016 [16] Anti-SAT 2016 [17] Removal 2016 [26] SPS 2016 [18] SFLL 2017 [20] CycSAT 2017 [32]
Barrier 2010 [11] LUT-Lock 2018 [15] [21] include random insertion (RLL), fault-analysis (FLL) insertion, and interference-based logic locking (SLL) algorithms, SARLock, Anti-SAT , etc. [8,12,13,16,17].Fig. 1 captures the evolving history of obfuscation defense schemes and attack formulations since the year 2008 to the current date.After introduction of SAT attack, in 2015 in [10,9], as illustrated in this figure, researchers proposed various mechanisms for building SAT hard obfuscation solutions.However, many of such obfuscation schemes were later broken using newer attacks like as SPS, removal, bypass, and AppSAT [18,19,26,27,28], making the current defense schemes unreliable.After 2017, a new breed of obfuscation schemes instead of building logical obfuscation schemes has been introduced, relied on breaking the SAT assumptions for building SAT hard solutions without having the vulnerabilities of the previous SAT-Hard solution.For example, Cyclic obfuscation [31] and its improved defense, the SRCLock [21], by introducing cycles into netlist break the SAT model as the netlist can no longer be represented by a Directed Acyclic Graph (DAG).Alternatively, the Delay Logic Locking (DLL) [22] extends the reach of obfuscation beyond logic and locks the circuit using its delay and timing properties, attempting to build SAT hard solutions.In this paper, we introduce the SMT attack that could break such locking and obfuscation mechanisms by means of parallel invocation of SAT and theory solvers to model the non-logical and behavioral aspects of a circuit operation.

Behavioral logical obfuscation
As previously discussed, the logic-based obfuscation schemes that rely on extending the Boolean behavior of a circuit can be broken by at least one of the state-of-the-art attacks, including SAT, SPS, removal, bypass, and AppSAT [9,10,18,19,26,27,28].Hence, recent researches have been focused on obfuscation schemes that fundamentally violate the assumptions of these attacks with respect to the nature of obfuscated circuit, or use non-logical properties of a netlist to obfuscate its behavior [21,22,31].
For lack of EDA tool support and limited knowledge in designing cyclic Boolean logic, most of all netlists designed and fabricated today are acyclic.One of the first attempts to break the state of the art attacks, including SAT attack, was proposed in [31] which suggested using cycles in combinational circuits, and illustrated that use of cycles results in either a SAT solver being trapped, or it generates incorrect key even after timely termination.This obfuscation scheme, however was shortly after broken by CycSAT attack in [32].In the CycSAT attack, the netlist is first pre-processed based upon which a set of constraining clauses are generated.The CycSAT attack then uses these constraining clauses, in the original SAT attack, allowing the SAT solver to effectively open the cycles without being trapped, or incorrectly terminated.However, the limitation of [31] was addressed in SRCLock [21] to prevent a pre-processor from extracting all needed constraints from a cyclically locked circuit.SRCLock focuses on building an exponential relation between the number of inserted feedbacks and number of generated cycles by means of creating super cycles.
The second obfuscation of interest to this paper is the logic and timing obfuscation scheme in [22].In this obfuscation scheme, the delay properties of a circuit are obfuscated  with the ultimate goal of introducing setup and hold violation if the correct key is not applied.In this case, the obfuscation, in addition to the logical behavior of the netlist, attempts to change its behavioral (timing) properties.Considering that timing is not translatable to CNF, the SAT solver remains oblivious to the keys used for timing obfuscation.Hence using a SAT attack to deobfuscated this circuit, result in a discovery of all keys used for logic obfuscation, but random assignment to all keys used for timing obfuscation and the circuit remains locked.
In this paper, we construct an attack based on Satisfiability Module Theory solvers, and illustrate that the capability of this attack goes far beyond that of SAT attacks.More precisely, with specific formulation, we illustrate that SMT attack on obfuscated circuits could be significantly faster and more efficient compared to SAT attacks on Boolean logic obfuscation.Additionally, it could be used to attack behavioral logic obfuscation schemes, which is not possible by a pure SAT-based attack.To illustrate the second point, we attack and break the timing-logic obfuscation scheme in [22], based on which we generalize and illustrate how other similar SMT attacks could be formulated.

Attack Model
The SMT attack is an oracle-guided attack.We assume that the attacker has the reverse engineered but obfuscated netlist and a functional IC (oracle) that is unlocked.The attacker can query the oracle with any stimuli i, and observe its output o.The purpose of the attack is to find the key inputs, that make the obfuscated netlist logically equivalent to that of the unlocked netlist.
As it can be seen in Fig. 2, IP owner obfuscates the Original Netlist of IP.Assuming that design integration, verification, fabrication, and packaging have been accomplished in untrusted regime, attacker is able to obtain the obfuscated (locked) netlist from (1) the IC design, or by reverse engineering the (2) synthesis/implementation (layout), (3) mask, or (4) a manufactured IC.In addition, the attacker is able to buy the correctly unlocked (activated) IC in the open market.Consequently, the attacker can apply arbitrary input to activated IC and observe its corresponding output.

Limitation of SAT Attack
A SAT attack works perfectly fine if the logic obfuscation is of Boolean nature.This is because any Boolean logic could be easily transformed into its Conjunctive Normal Form (CNF) and be converted into a satisfiability assignment problem.But in case of Behavioral logic obfuscation, the locking mechanism is designed to control aspects of circuit operations that could not be translated to CNF as required by a SAT solver.The delay-locking (DLL) scheme proposed in [22], cyclic-based obfuscation presented in [31], and SRCLock [21] are good instances of such locking mechanism.For the purpose of locking, DLL uses a tunable delay key-gate (TDK) which is illustrated in Fig. 3. TDK consists of a conventional key-gate (XOR/XNOR) with a tunable delay buffer (TDB).The capacitive load of the buffer is controlled by a transmission gate, where activating the transmission gate increases the wire load capacitance of the internal wire, resulting in larger TDK propagation delay.Hence, the functionality and propagation delay of a TDK, both, depends on the value of its key-inputs.
In DLL, the TDK cells are used to control the setup and hold time violations such that only one sequence of activation keys guarantees that circuit operates with no violation.To apply the DLL, a design is first altered such that most timing paths are balanced to be sensitive with respect to small changes in the path delay, such that a small variation in delay causes setup or hold violations.This is achieved by means of carefully engineering the clock skew, cell sizing, and V th swapping.Then the TDK cells are inserted in the common portions of setup and hold critical paths, such that attempting to only fix setup causes hold violation, and attempting to fix hold causes setup violation with the exception of one sequence of correctly configured TDK keys that assures all timing paths meet both setup and hold check timing constraints.Considering that the delay is not a logical behavior, the TDK cell behavior could not be completely captured by CNF, hence the delay locking is not directly attackable by a SAT attack.In [22] it was illustrated that even a mixed integer linear programming (MILP) based attack has up to 39% timing violation ratio (TVR).However, as we will illustrate in this paper, by employing an SMT attack and by instantiating an integrated graph theory solver along with its SAT engine, we could find the keys to this obfuscation problem in few minutes.

SMT Solver
In this section, we first review the usage and capabilities of an SMT solver, and then we illustrate how the SMT solver could be used to form an SMT attack on obfuscated circuits regardless of obfuscation's reliance on logical or non-logical properties of a circuit.

SMT Usage and Capabilities
A Satisfiability Modulo Theory (SMT) is used to solve a decision problem while honoring constraints that could be expressed using first-order theories such as equality, reasoning, arithmetic, graph-based deduction, etc.Hence, it could be considered as a solver for a broad set of problems that could be categorized as Constraint Satisfaction Problems (CSP), which is a superset of Boolean Satisfiability Problems (BSP) that are solvable by SAT solvers.Additionally, the ability to express theories such as inequality (e.g.3x + y < z) provides a much richer Application Programming Interface (API) to the end user to define a problem compared to that of a SAT solver.
In general, there are two different approaches for solving an SMT problem.The first approach is based on translating the problem into a Boolean SAT instances denoted by Eager approach; In this approach the existing Boolean SAT solvers are used as is.However, the SMT solver has to work a lot harder for solving some problems that are otherwise very obvious (e.g. for checking the equivalence of two 32-bit values).However, by deploying a theory solver, this could be achieved in no time.For this reason, many SMT solvers follow another approach which referred to as the Lazy Approach.The Lazy approach integrates the Boolean satisfiability solvers, which are based on the Davis-Putnam-Logemann-Loveland (DPLL) in modern SAT, and theory solvers that decide the satisfiability of formulas over specific theories.Each theory solver provides two capabilities: (1) theory propagation among various theory solvers for checking possible conflicts on partial assignments, and (2) clause learning result of which is shared by the SAT solver to speed-up pruning the decision tree.Additionally, since several applications of SMT deal with formulas involving two or more theories at ones, modern SMT solvers provide the capability of combining theory solvers using Nelson-Oppen [33] or Shostak [34] method to support a more expressive language.In combining theory solvers, if two theories Γ 1 and Γ 2 are both defined axiomatically, their combination can simply be defined as the theory axiomatized by union of the axioms of the two theories, Γ 1 and Γ 2 .For example, Consider Γ 1 and Γ 2 are two different theories, it is possible to define Γ 1 ⊕ Γ 2 as a combined theory of Γ 1 and Γ 2 , where Γ 1 ⊕ Γ 2 is the set of all models that satisfy Γ 1 ∪ Γ 2 .This is adequate if the signatures of the two theories are disjoint.Otherwise, if Γ 1 and Γ 2 have symbols in common, one has to consider whether a shared function symbol is meant to stand for the same function in each theory or not.In the latter case a proper signature renaming must be applied to the theories before taking the union of their axioms.in [36] they have described general conditions for the combination of theories that may have symbols in common.The ability to combine theory solvers proves extremely useful when dealing with applications such as model checking and predicate abstraction-based model check in which we need to check the satisfiability of formulas over several data types.
Theories are defined as classes of models with the same signature.More precisely, a Σ-theory Γ is a pair of (Σ, A) where Σ is a signature and A is a class of Σ-models.In general a theory solver for a theory Γ is a procedure which takes as input a collection of Γ-literals µ and decides whether µ is Γ-satisfiable.A theory (Γ-solver) to be effectively used within an SMT solver should have the following properties [35]: (1) Model Generation: theory solver should be able to produce a Γ-model of the problem description µ. (2) Conflict Set Generation: when the theory solver reaches inconsistency, it should be able to produce a subset η of µ which has caused the inconsistency.The subset η is referred to as theory conflict.( 3) Incrementality: The Γ-solver should be able to save and keep its status across invocation calls to avoid recomputation.(4) Backtrackability: it is important for theory solver to has the ability to undo the step if it is needed.Equality with Uninterpreted Functions (EUF), linear real arithmetic (LRA), linear integer arithmetic (LIA), Mixed Integer and Real Arithmetic, Difference Logic, Bit Vectors, Arrays, etc. are the examples of theories commonly used in SMT.
In this paper, we use an SMT solver and formulate some attacks against specific obfuscated circuits, illustrating the power of adapting various theory solvers for extending the capabilities of attack by constraining and monitoring non-logical properties of a netlist.For this purpose, and to illustrate that SMT attack is a super-set to the SAT attack, we first illustrate that the original SAT attack against obfuscated circuits could be effectively formulated using an SMT solver, resulting in similar performance.Then we illustrate how the SMT solver could be used to attack logic obfuscation problems out of the reach of pure SAT attacks, and for that purpose we break the logic and timing obfuscation in [22] which is not possible by a pure SAT attack.We illustrate that this attack could be achieved using both Eager and Lazy approach of SMT attack.Then we illustrate how the SMT attack could become significantly more efficient than a SAT attack by adopting the capabilities of theory solvers like BitVector, and formulate an accelerated SMT attack, that requires substantially smaller iterations and runtime compared to a SAT attack against specific obfuscation schemes.In addition, we formulate the accelerated SMT attack to be capable of approximate attacks.

SMT Attack
When building an SMT attack on obfuscated circuits, as illustrated in Fig. 4, the SMT attack could be invoked with any number and combination of theory solvers, and a SAT solver.In order to use the SMT solver to formulate an attack, few preliminary steps should be taken.The first step is to make a minor modification to an extracted netlist after reverse engineering, providing the capability of testing various behaviors of the obfuscated circuit to the SAT or SMT solver.The transformation is simply replacing the obfuscated cells with their equivalent Key Programmable Gates (KPG).A KPG performs the same function as the obfuscated cell, however, it allows building a key controlled representation of the logical behavior of the obfuscated cell for the purpose of logical-model building.Fig. 5 Key Gate Translated Gate used in recent literature for the purpose of obfuscation.For example, when attacking a camouflaged cell that could be either an AN D gate or an XOR gate, it is replaced with its KPG which is simply a M U X with each of its input tied to one of the camouflaged cell possibilities.The function performing the KPG replacement in the algorithms described in this paper is ReplaceKPG(N obf ) that replaces all obfuscated cells in an obfuscated module with their KPGs equivalent based on translation table in Fig. 5.
When using an SMT solver, before invoking a theory solver, the input model or input behavior should be translated to a model µ which is understood by that theory solver.As illustrated in Fig. 4, the translation step may be different for each theory solver used.As an example, to break the Delay Logic Locking in [22], we use a graph theory solver and translate the obfuscated netlist to a graph model that is understood by the graph-theory solver.The required translation step (µ ← Netlist) is simply the inversion of the netlist under attack to its graph representation, where each gate is a node in the graph, and each net an edge.We have additionally included the functionality to compute the logical effort in our graph translation routine, that annotate each edge with the logical effort needed to drive that edge as a measure of its delay.We could alternatively use a second theory solver to capture the static timing of the netlist and exchange information with the graph theory solver for more accurate results.The final step before invoking the SMT/SAT attack is the translation of the netlist under attack into its CNF form as described in [10].
After building model µ for each Theory and SAT solver, the SMT attack is formulated based on the flow of information exchange between theory and SAT solver.In General, the formulation of the SAT portion of SMT solver is similar to that of pure SAT attack as described in [10].However, in addition to the SAT solver, each theory solvers is then tuned by declaration of theory constraint.At this stage, invoking the SMT solver returns a satisfiable assignment and a list of learned theory and conflict clauses for theory solver and SAT solver respectively.The SMT attack is then achieved by composing the correct control flow for invocation of theory and SAT solver(s), and by managing the intermediate sequence of CNF-based information exchange.The general flow of information in an SMT X DI (2) . .formulated problem, including that of SMT attack, is illustrated in Fig. 4.

Attack Mode 1: SMT reduced to SAT Attack
As was mentioned previously, the SAT attack finds a functionally correct key for an obfuscated circuit by checking a small subset of all input patterns, hence removing the need for brute-force testing of all input patterns.Considering that SMT solver is a superset of SAT solver and contains a SAT solver, any attack formulated for SAT could be similarly formulated for an SMT solver.
Alg. 1 illustrates the SAT attack that could be similarly implemented in a SMT solver.The formulation of attack remains similar to that of original attack proposed in [9,10].11: 12: 13: 15: The SAT attack in Alg. 1 follows the steps illustrated in Fig. 6.In this algorithm, the obfuscated gates are first replaced with key programmable gates (KPG) to create the Key Programmable Circuit (KPC).Then the CNF representation of the circuit is generated.Two KPCs are then used to generate a Key Differentiating Circuit (KDC).The KDC receives an input and two different keys and determines whether they generate the same output or not.The KDC is then used as the first SMT satisfiability problem represented by SMT LC for the first invocation of SMT solver.Calling the SMT solve function on the posed formula then return an assignment for keys K 1 , K 2 , and the discriminating input X DI such that the formulated SMT LC is satisfied.In addition, the SMT solver returns a list of learned Conflict Clauses (CC).In line 10, the correct output (Y f ) for the discriminating input X DI is found.In the next step, the SMT formula needs to be updated to use the discriminating input and learned clauses to further constrain the satisfiability problem.This is done in multiple steps.In line 11, the discriminating input found in the current iteration is used to create a Discriminating Input Validation Circuit (DIVC) which is illustrated in Fig. 6(d).The DIVC circuits formed at each iteration are ANDed together to create a circuit that checks the correctness of a key for all previously found discriminating inputs.This circuit is referred to as Set of Correct Key Validation Circuit (SKCVC).In line 13, the currently found Conflict Clauses are added to the set of previously found  Learned Clauses (LC).Note that this step is done implicitly for SMT is a stateful solver.Finally, in line 14 the SMT satisfiability problem is constrained by ANDing together the KDC, SCKVC and LC clauses.The SAT attack formulated using SMT solver continues until the SMT solver returns UNSAT.A final call to the SMT solver returns the correct key.Note that this SMT attack is a one-to-one translation of the original SAT attack in [9,10].In the result section of this paper, we illustrate that the formulation of SAT attack using SMT solver results in very similar performance to that of pure SAT attack.However, the SMT attack could further benefit from the usage of SMT solvers to extend its capabilities to attack obfuscation schemes that could not be logically modeled.

Attack Mode 2: Eager SMT Attack
Theory solvers could be used to extend the capabilities and performance of SMT solver compared to that of a SAT solver.This, as illustrated in Fig. 7 could be done by (1) using the theory solver to extract all required clauses that complete the CNF description with respect to the obfuscation scheme and then to perform a SAT attack, referred to as the SMT Eager approach.This could be thought (2) by invoking the theory and SAT solver in parallel to simultaneously model and solve the problem, referred to as Lazy approach.
In this section, we illustrate how the Eager approach of SMT attack could be used to attack the obfuscation schemes that could not be broken or understood by a pure SAT attack.For this purpose, we formulated an SMT attack on the delay-locking (DLL) scheme proposed in [22].Notice that the proposed approach could be used in formulating attacks on other obfuscation techniques that rely on non-logical properties of circuit obfuscation such as timing, power, delay, etc. by using the appropriate theory solvers.
Fig. 8 illustrates the translation steps for converting a DLL [22] obfuscated circuit (using translation table in Fig. 5) to its key programmable circuit and captures its graph representation.As illustrated in Fig. 8(b), K 1 effectively has no impact on the logical behavior of the circuit and only changes its delay properties.Hence, subjecting this obfuscated circuit to a SAT attack results in a random assignment to K 1 .Therefore, by having k TDK cells, which have 2k keys in total, a SAT solver returns one logically correct key sequence among 2 k different set of such logically correct keys that control the TDK cells, however, only one of such keys doesn't result in setup and hold violations.Hence, a correct attack should consider the delay and timing properties of the netlist in addition to its logical correctness.The shortcoming of SAT attack to capture the delay and timing properties of the netlist, when attacking DLL obfuscation, is remedied in an SMT attack by means of using a graph theory solver.To illustrate this, we formulate an Eager and a Lazy SMT attack on DLL obfuscation.In the Eager approach, we use the theory solver as a mean of pre-processing the netlist by which we deduct the complete set of Valid-Path Constraint Clauses (VPCC) between all primary inputs and outputs of the obfuscated netlist.This VPCC is a CNF presentation of all valid assignment of the keys, such that no setup or hold violation is created.Note that among many such possibilities, only one possibility has both the correct timing and the correct logical behavior.
To build the VPCC clauses, we should compute the setup and hold constraints on every timing path.The setup and hold timing checks for a timing path is expressed using the following inequalities: In this equation which uses the notation in Fig. 9, the t cs−lr is the clock source to launch register delay, t cs−cr is the clock source to capture register delay, U is the clock jitter/uncertainty, t clk−q is the clock to q delay of the launch register, t setup is the capture-register setup time, t hold is the hold time requirement for the capture register, t p is the propagation delay through the longest path in the timing path, and finally the t cd is the propagation delay through the shortest pah in the logic.Considering that the DLL logic is only inserted on Data sections a of timing path (according to the tormentingly in Fig. 9), it can only affect the t p and t cd .Note that it is also possible to enhance the DLL obfuscation beyond that described in [22] and use the TDK cells for building clock skew in the clock network, however, a similar attack still could be formulated.For now, let's consider that DLL, as described in [22], only affects the Data section of timing path.The equations 1 and 2 could be re-written as: (3) Before performing any reverse engineering, we know the T CLK from the functional chip purchased on market.Note that a functional chip (the oracle) is needed to perform the SAT or SMT attack as explained in section 3. Now let's consider a netlist obtained after reverse engineering.The end-point and start-point registers for each timing path are known.Hence, by means of spice simulation, the register could be characterized and the t clk−q , t setup and t hold are extracted.Note that there are limited type of registers used in a physical design, and at this step only a handful of registers need to be characterized.Extracting a measure for uncertainty could be also achieved by means of spice simulation.
At this point, considering that a TDK cell can change the delay of a timing path, the delay of each timing path (D j ) could be divided into a constant delay (C j ) and a variable delay (V j (K)), where the variable delay is a function of the number of TDK cells in that timing path, and the key assumed for each TDK.Hence, Delay of Timing path j from start point s to endpoint p (D s→p j ) that passes through N TDK cells each with delay D s→p T DK (i), depending on the value of key K i is obtained from: For a given timing path, and by using the equation 6, we could rewrite the delay constraints in equations 3 and 4 as: These inequalities capture the lower and upper bound delay constrain for every pair of input-output pins in a design, and collectively capture the model µ of the graph theory solver.Based on this formulation, the number of added inequalities is M × N, in which M is the number of primary inputs, and N is the number of primary outputs.However, one inequality bounds all timing paths between the selected input-output pin pair, removing the need to express the inequality for every timing path in the design as needed in MILP-based attack that was suggested in [22].
After writing these inequalities for each input-output pair, a call to the SMT solve function returns all key combinations for which all paths constraints/inequalities are satisfied.In the other word, by assuming any of the returned key combinations, the circuit will not violate its setup and hold timing checks.However, note that only one (or few) of these key values is logically correct.The correct key value then could be extracted by invoking a SAT solver, and by providing the set of key combinations (in CNF format) as a constraint to the logical circuit satisfiability problem.This process is illustrated in Alg. 2. As it can be seen in Alg. 2, function GenT LC is responsible for generating all inequalities.Line 7-8 of GenT LC function generates inequality ( 7) and ( 8) for each input (Sp) to each output (Ep).

5:
for each (Sp in Inputs) do

6:
for each (Ep in Outputs) do

10: return T LC
This algorithm is similar to Alg. 1, with the additional step of using a theory solver for pre-processing the netlist in line 8, extraction of all key combination resulting in correct timing behavior in line 9, and providing these constraints to the SAT solver in the next step in line 10.Note that the solve function in the Eager approach is called in two places; first for generating the timing valid key combination clauses (inside GenTLC function), and then iteratively inside the SAT attack while loop.
For some obfuscation methods, the pre-processing step of Eager approach may become extremely time consuming or computationally impossible.An example of such obfuscation problem is the SRCLock [21].The authors have shown that the obfuscation is SAT hard, since without pre-processing the cycles, the SAT solver will be trapped or produce an incorrect key.Additionally, they have suggested two mechanisms by which the number of cycles in a netlist could exponentially grow with respect to the number of inserted feedbacks.For attacking cyclic logic, as suggested by CycSAT attack [32] we need to pre-process the netlist and extract the No Cycle Conditions to prevent the SAT solver from being trapped.However, in SRCLock [21] the number of cycles grow exponentially, and therefore the runtime of pre-processing step also grows exponentially, preventing us to ever reach the SAT attack.For such problems, the Eager approach that relies on reduction of the problem to a SAT problem does not work.However, the Lazy approach of the SMT attack provides a solution.

Attack Mode 3: Lazy SMT Attack
Using the Lazy approach of SMT attack relaxes the requirement of Eager approach to complete the pre-processing step before invoking the SAT attack.In the Lazy approach the SAT solver and theory solver(s) simultaneously check different models of a unified satisfiability problem, exchange clauses, and check each other's literal assignment.This could significantly prune the decision tree of a SAT solver search space for finding a satisfying assignment and remove the need for a complete and unbounded execution of theory solver as it only has to check the validity of constraints for SAT assigned literals.
Algorithm 3 Overall SMT Attack (Lazy Approach) Learned Clauses

5:
for each (Sp in Inputs) do

6:
for each (Ep in Outputs) do

9:
Range(Sp,Ep)(K) ← Lower(Sp,Ep)(K) ∧ Upper(Sp,Ep)(K); 10: 11: In order to illustrate the Lazy approach of SMT attack, in this section, we formulate an SMT attack to again break the DLL [22] obfuscation.The Lazy approach of SMT attack on DLL [22] is illustrated in Alg. 3. The big difference in the Lazy and Eager approach is that after model generation for theory solver, the SMT solve function is not called.This is illustrated in line 9 of this algorithm, where the constraining expressions are only defined for the theory solver by making a call to GenT CE function.The returned constraining expressions are then duplicated for Key K 1 and K 2 .The SMT solve function is then called to find an assignment for a discriminating input X DI , and two different keys K1 and K2 such that generated outputs are different at least in one bit, however both keys generate a valid timing scenario.Since the SAT model (SATC) and Theory models (T CE (K1, K2)) share literals and are subjected to a unified set of constraints, the decision tree and search space for the SMT solvers is significantly reduced.

Attack Mode 4: Accelerated Lazy SMT Attack (AccSMT)
In this section, we argue that re-formulating the Lazy SMT which benefits from capabilities of BitVector theory solver allows us to build a more efficient attack.

Motivation:
Our modification to the SAT attack is inspired by the observation that higher output corruption, reduces the SAT hardness of an obfuscation scheme.A discriminating input X DI , is an input capable of sensitizing the logic paths of the netlist under study, such that (1) some of the differences in the values of internal nodes in the result of application of two different keys K 1 and K 2 are propagated to at least one output.( 2) none of the previously found DIPs (that were used in building a DIVC) were able to propagate the generated inconsistency to a primary output.This mechanism is continued until the number of sensitized paths, reaches a point where any inconsistency that from application of two different keys is propagated to the primary outputs using the constructed set of DIVC circuits.At this point, the set of previously found X DI s form a complete set of discriminating inputs, such that if a key generates the correct output for all inputs in this set, it will generate the correct output for all other inputs.
Different DIPs have different pruning power.A DIPs strength could be assessed based on the number of inconsistencies that it could sensitize to the primary outputs conditioned that previous DIPs were incapable of doing so.Hence, depending on the pruning power of DIPs, the size of the complete set of DIPs could be different.A minimal complete set of DIPs is the smallest set of DIPs that could de-obfuscate the circuit.In our Lazy approach for SMT attack, we propose a mechanism to reduce the size of the complete set of DIPs pushing it towards the minimal set.Since in each SAT or SMT iteration one DIP is found, having a smaller number of DIPs result in smaller number of iterations.
In SAT attack, it requires only a single bit difference in the output for generation of a DIP.In SMT attack, we could make a stronger requirement for the generation of DIPs.This could be achieved by forcing the SMT solver to find DIPs with the largest possible Hamming distance of primary outputs of the KPC circuits when for the same input, two different keys are applied.Such a DIP has a much higher pruning capability, and is able to sensitize a larger number of key-related inconsistencies to the output.The discovery of such powerful DIPs reduces the number of required DIPs that is needed to form a complete set of DIPs that could de-obfuscate the circuit.This is because when the hamming-distance is larger either the KPC circuits differ in (1) key-bit(s) that are located close to the inputs, or (2) large number of assumed key-bits (in the middle of timing paths or close to primary outputs) are different in two KPC circuits, or (3) the combination of two scenarios.In both cases, the added DIP and the resulting learned clauses eliminate the cause of obtaining such large hamming distance, resulting in the elimination of a large number of inputs as possible future DIPs while eliminating a larger set of keys as potential correct keys.Hence, when such a DIP is added to a DIVC, it poses a much stricter restriction on the requirements for finding the next DIP and reducing the attack time by almost an order of magnitude.

Using BitVector Theory Solver:
Assessing DIPs based on hamming distance of the primary output is easily implementable in SMT solver by using a BitVector theory solver.The bitVector theory solver allows us to perform integer-oriented arithmetic operations such as addition, subtraction, and multiplication.The Hamming Distance (HD) of output Y 1 and Y 2 is obtained using: The HD is then used to write the constraining expressions that are posed on the BitVector theory solver using the formulation: The upper threshold T h U pper is kept constant equal to the size of output pins, but the lower threshold T h Lower is defined as a variable, allowing us to sweep the hamming distance constraint posed on BitVector theory solver from a maximum value of the number of output bits to a minimum value of 1.The lower bound could be reduced every time the SMT solver returns UNSAT, indicating there is no other DIP that satisfies the HD requirement poset on theory solver.The process terminates when the SMT cannot even find a DIP that causes HD of 1. Adaption of this constraint forces the SMT solver to find DIPs with higher pruning power, reducing the size of a complete set of DIPs.

Using TimeOut:
For an SMT or a SAT attack, the execution time is determined based on the formula, N i=1 t(i), where t(i) is the execution time of the i th iteration of an SMT attack.Hence, by just reducing the number of SAT iterations N , we cannot guarantee a shorter execution time, because finding a DIP with tighter constraint may pose a more difficult problem to the SMT solver and increase t(i).For this purpose, we can limit the time allowance for finding a DIP in each iteration.The timeout limit T O prevents the SMT solver from spending a long time for finding a DIP with large HD, when finding such DIP has become excessively difficult.By adapting the timeout feature, during an SMT attack, the HD requirement is reduced when either (1) the SMT solver returns UNSAT, indicating there exist no such input, or when (2) we encounter time-out interrupt.In this case, the HD constraints posed on BitVector theory solver is reduced by one and the SMT solver is called.Note that the time interrupt is supported by MonoSAT [38] used in this paper, and many other freely available SMT solvers.Also, note that use of time interrupt pushes the final solution away from a minimal complete set of DIPs.However, our experiments illustrate that this usually results in considerably smaller execution time.

Enabling Approximate Attacks:
Our objective is to enable the SMT attack to be carried against a netlist similar to that of Fig. 10, which is obfuscated by both SAT Hard (SH) and high Corruption (HC) obfuscation schemes, to find all keys for the HC obfuscation, and to detect the trap of SH obfuscation and exit while generating an approximate key.
The SAT hard obfuscation mechanisms suggested in recent literature, such as SARLock, Anti-SAT, and SFLL [16,17,20], have a very small output corruption, and the SAT hardness is maximized when there is only a single input for a given key that results in an incorrect output.The pruning power of DIPs found in each iteration of the SAT solver for SH obfuscation solutions is very small, and each DIP eliminates a single key value.Hence, the number of SAT or SMT iterations increases exponentially with respect to the key size.This is used as a mechanism to trap the SAT solver.To increase the corruption, the SH obfuscation is combined with a HC obfuscation.The purpose of approximate attacks is to find the correct key for the HC obfuscation without being trapped by SH obfuscation.
The accelerated SMT attack could significantly improve the performance of approximate attacks.Since HC obfuscation schemes result in high output corruption, finding DIPs that lead to larger HD at the output biases the SMT attack to find the HC related obfuscation keys in the earlier iterations.The remaining problem is the design of a termination strategy for the accelerated and approximate SMT attack to detect the trap of SH obfuscation, exit and report the approximate key.For this purpose, we use a constraint on the number of allowed repetitions R when HD is very small (e.g. 1).If the remaining and un-found keys are only the SH keys, the SMT keeps finding weak DIPS (HD of 1) and iterations are completed very quickly.By setting the repetition limit R to an appropriately large value, we can detect the trap and terminate the attack.
The unique feature of accelerated approximate attack is that if we remove the timeout (TO) requirement, then the approximate attack guarantees that the HD of the approximately unlocked circuit and that of the functional circuit is at most HD Low bits different, with HD Low being the hamming distance requirement in which the R repetition is taken place.This could be proven as follows: Suppose that there exists an undiscovered discriminating input and two keys that cause larger than HD Low bit difference (HD Low +D) in the primary outputs.Hence, the SMT solver when constrained by bitVector theory solver expression for finding HD = HD Low +D should return SAT.This contradicts the SMT previous execution control state where the SMT attack for that HD has returned UNSAT, otherwise the HD constraint was not reduced.

Algorithm 4 Accelerated SMT Attack
HD High = Number of output bits; Upper hamming distance limit;

Accelerated SMT attack formulation:
Alg. 4 demonstrates the reformulated Lazy approach of SMT attack on obfuscated circuits.In this algorithm, the HD High , and HD Low are the high and low threshold requirement for hamming distance on primary outputs, T O is the timeout limit per iteration, R is the repetition allowance before exiting and generating an approximate key, and R HD is the hamming distance after which the repetition condition is checked.The BitVector theory solver input model is defined in lines 14 and 15, and converted to theory constraint expressions in lines 16 and 17.The T CE poses an upper and lower bound on the hamming weight difference of the outputs of two instances of the same circuits with the same input, but two different keys.The SMT attack sweeps the hamming distance in the first while loop, while the second while loop formulate the modulo satisfiability theory attack.The SMT solver receives the SM T LC model, the BitVector theory solver constraint T CE and the timeout allowance T O and check whether there is a valid assignment for SM T LC conditioned that T CE is valid withing T O time allowance.If it exists, the while loop is satisfied.Additionally, it returns the discriminating input X DI , the two keys found (K 1 , K 2 ) and a list of learned conflict clauses CC.Then the X DI , similar to the original SAT attack is used to construct additional DIVC and update the satisfiability model SM T LC .At the end of each iteration, the algorithm checks whether the hamming distance is reduced to the limit, where the repetition condition for SH problems is checked.In this  case, if the repetition count reaches the specified threshold value R, the SMT attack is terminated.additionally if for HD of 1, the SMT solver can no longer find a satisfying assignment, the SMT attack is terminated.A final call to SMT solver with the constructed satisfiability module theory model generates the key.

Experimental Results
For evaluating different modes of SMT Attack, we used a farm of desktops with 4-core Intel Core-i5 CPU, running at 1.8GHz, with 8 GB RAM.The operating system on desktops was Ubuntu Server 16.04.3LTS.For a fair comparison, and to reduce the impact of the operating system background processes, we dedicated one desktop to each SMT solver at a time.For benchmarking, we used most of ISCAS-85 benchmarks, characteristics of which is listed in Table 2. Since MiniSAT has been used in the SMT Solver as its built-in SAT solver, we use the default values of resource limits in MiniSAT as resource limits of the SMT attack (68 years for the CPU time limit and ≈ 2147 TB for the memory usage limit).As the baseline for comparing SMT attack performance against a pure SAT attack, we employed the Lingeling-based SAT attack by [10].In addition, for each attack we ran the solvers Five times on SMT and SAT solvers [39] and reported the average runtime.

Evaluation of SMT reduced to SAT Attack
As explained in section 6.1, and explained by Alg. 1 the SMT solver could be used for a SAT attack using the same formulation as the original SAT attack as proposed in [9,10].In this section, we evaluate the performance of SMT attack when used in this mode.The purpose of this sections is to illustrate that attack formulate using the SMT solver is a superset of SAT attacks, and with the same formulation provides similar performance.For this comparison, we employed two obfuscation methods: (1) random XOR/XNOR insertion (RLL) [8], and (2) obfuscation using nets with unbalanced probabilities (IOLTS'14 ) [37].ISCAS-85 benchmarks are obfuscated using these schemes with obfuscation overhead ranging from 1% to 25%.Table 3 compares the execution time of SMT attack and the SAT attack proposed in [9,10] when RLL obfuscation is deployed.As captured in this table, the execution time of the SMT attack when reduced to SAT Attack is approximately equivalent, in terms of number of iteration and execution time, with that of an original SAT attack across all benchmarks and all ranges of obfuscation overhead.Fig. 11 illustrates the same comparison when the IOLTS'14 obfuscation method is deployed.As illustrated, the SMT reduced to SAT, in terms of performance, behaves similar to the SAT attack.

Evaluation of Eager SMT Attack
We used the Delay Logic Locking scheme [22] in our case study to show the extended capabilities of the SMT attack in solving obfuscation problems that cannot be modeled in a SAT attack.The Eager approach of SMT attack is evaluated in this section, and the Lazy approach is evaluated in the following section.Additionally, to increase the obfuscation difficulty and demonstrate the strength of the SMT attack, in addition to obfuscation using DLL, we obfuscated the circuit with additional MUX and XOR gates using gate insertion policy in IOLTS'14 [37], such that 50% of the keys are used for DLL, and 50% for IOLTS'14 obfuscation.Finally, we used some of the keys for both logic and delay obfuscation to create dependencies such that the solvers could not divide and conquer the attack.
The Eager attack against DLL was formulated in Alg. 2. As the algorithm suggests, the Eager approach attacks the obfuscation in two separate phases.In the first phase, the theory solver models and constrains the problem and calls the SMT solver to extract all valid key combinations.The key combinations are converted into CNF statement, which is passed to the SAT solver.In the second phase, the SAT solver attacks the circuit satisfiability problems augmented with these additional CNF clauses on valid key combinations, and make a new round of calls to the SMT solvers.As illustrated in Fig. 7(a), the invocation of theory and SAT solver, and the overall SMT attack is serialized.Accordingly, in order to reflect our experimental results for evaluating of Eager approach, we separate the execution time of theory solver and that of the SAT solver.
Table 4 captures the results of Eager SMT attack for different ISCAS-85 benchmarks with different obfuscation overhead.The theory execution time indicates the time required by graph theory to find the all possible and valid key combinations (where only one of them is valid).Similarly, SAT execution time demonstrates the time taken by SAT solver to find a valid key, given the additional theory solver generated constraining clauses.As illustrated in this table, the SMT attack, in all cases is concluded and reported the correct key.The result of the pure SAT attack is not reported, as it always produces the wrong key for being oblivious to the DLL key values.Hence, the SMT solver in this respect extends the attack capability by means of including various theory solvers.
Note that the execution time of the SAT solver (the x value in each column of reported data in Table 4) depends on the (1) size of the circuit, and (2) the percentage of obfuscated cells.Hence the circuit c7552, for being larger than c1908 has a longer SAT attack time across all percentage obfuscation points.In addition, the increase in the SAT attack time is only slightly super-linear (close to polynomial) with respect to increase in the degree of obfuscation.On the other hand, the execution time of the theory solver (the y value in each column of reported data in Table 4) depends on (1) the number of input, (2) the number of outputs, and (3) the degree of obfuscation.Hence, a circuit with larger number of IOs has a longer execution time for its theory solver, but the execution time is bounded by O(NM), with M and N being the number of inputs and outputs respectively.This indicate that the run-time of theory solver (unlike the MILP-based attack that was suggested in [22]) does not exponentially increase with respect to number of timing paths in a netlist, as it only depends on the number of IOs and not the total number of timing paths.In addition, as illustrated, by increasing the degree of obfuscation, similar to SAT attack, the execution time of theory solver grows slowly with a close to polynomial paste.

Evaluation of Lazy SMT Attack
The Lazy approach of SMT attack, as illustrated in Fig. 7(b), uses the SMT solve function to simultaneously solve the theory and circuit SAT problem.In this approach, the theory model is defined but is not solved.In many applications, the Lazy approach outperforms the Eager solution.In addition, there are situations, where the Eager solution faces exponential runtime if solved separately.As an instance, SRCLock [21] focus on posing exponential runtime on pre-processor needed for detection of cycles, Hence, the Eager approach is not even applicable.However, the parallel invocation of the theory and SAT solver, and the resulting literal exchange, and the additional constraints posed on the solver could result in significant reduction in the time needed to explore the problem's decision tree, and removes the need to complete the pre-processing before starting the SAT attack.Hence, if the execution time of theory solver poses a runtime beyond acceptable, the problem could only be attacked by the Lazy SMT approach.
Table 5 shows the Lazy SMT attack execution time on ISCAS-85 benchmarks that were obfuscated using the process that was explained in the previous section (mixing 50% DLL+ 50% IOLTS).Considering the SAT and theory solver are invoked simultaneously, we have a single execution for the entire SMT problem, and unlike Eager approach we cannot separate the execution time of theory solver and the SAT solver.As illustrated, in comparison with the Eager approach, in most cases the Lazy approach finds the key obfuscation key in shorter time.
In the Lazy approach, the number of iterations decreases drastically compared to the Eager approach.However, the execution time of each iteration increases.This is because  each DIP needs to satisfy both the theory constraints and the circuit SAT formulation.However, when a DIP is found, it is a stronger DIP with higher pruning power.By comparing the results of Eager and Lazy approach of SMT attack in Table 4 and Table 5 we observed that in majority of cases, the Lazy approach outperforms the Eager approach.However, in some cases (e.g. for Benchmark C1908 with 50% overhead), the Lazy approach may become slower than Eager approach, indicating that Lazy approach doesn't always result in the stronger attack.However, note that there exist a set of problems (such as SRCLock [21]), that the Eager approach is not even applicable, since the pre-processing alone (sole invocation of theory solver) cannot conclude in a reasonable amount of time, leaving the Lazy approach as the only solution forward.

Ability to find stronger DIPs:
Before invoking the SMT or SAT attack, any key could be considered as a potentially valid key.The strength of a DIP comes from its ability in reducing the size of this set in each iteration.After finding each DIP, as illustrated in Fig. 12, the size of potentially valid key set reduces.When reaching a complete set of DIPs, any key left in this set is a correct key.As discussed in section 6.4, a stronger DIP could sensitize a larger number of inconsistencies (due to application of a discriminating input and two different keys) to the primary outputs.Hence, its natural for such a DIP to have a higher pruning power in reducing the number of potentially valid keys.To evaluate this claim, we profiled the number of potentially valid key after each iteration of SMT and SAT attack, when working on the same obfuscation problem.Fig. 13 illustrates the key reduction rate in three ISCAS-85 benchmarks obfuscated by RLL [8].In all scenarios the DIPs found by AccSMT solver are stronger, as the number of remaining keys is reduced at a significantly higher rate.As illustrated, the number of iterations is also significantly reduced because the complete set of DIPs, when the pruning power of DIPs is higher, is of smaller size.The stronger DIPs found by the AccSMT attack, result in significant reduction of the number of DIs needed for a complete discriminating input set.Each DI is found in one iteration, Hence, smaller number of DIs indicates a smaller number of iterations.Table 6 compares the execution time and the number of iterations between the SAT solver and the AccSMT solver.The ISCAS-85 benchmarks for this simulation are obfuscated using RLL [8] obfuscation scheme with the overhead of 1% to 5%.As reported in this table, across all attacks, the AccSMT attack is carried in a smaller number of iterations and requires order(s) of magnitude smaller execution time.

Ability to carry approximate attack:
As described in section 6.4.4, the AccSMT attack is able to distinguish between SAT-hard (SH) and high-corruption (HC) obfuscation.It quickly finds the correct keys for HC obfuscation, detects the SH trap, exits, and reports the approximate key.
To evaluate the approximate mode of the AccSMT attack, we have obfuscated the ISCAS-85 benchmarks using SARLock + IOLTS14 as suggested in [16].The overall structure of the obfuscated circuit is illustrated in Fig. 10.In this hybrid obfuscation scheme, the SARLock is the SH obfuscation, and the RLL is the HC obfuscation protocol.The invocation of the original SAT attack in [10] [9] in a timeout, due to SARLock trap.However, the AccSMT can very quickly find all the keys for HC obfuscation, detect the SH trap, and report the approximate key.Table 7 depicts the number of iterations and execution time of AccSMT attack for finding the approximate keys for each instance of the obfuscated circuit under attack.Note that repetition count (R=20 in our case study) is excluded from this table.

Conclusion
In this paper, we introduce a class of Satisfiability Modulo Theory (SMT) attacks on obfuscated circuits.The SMT attack benefits from the expressive nature of theory solvers, that allow the attacker to express constraints that are difficult or even impossible to express using CNF, including timing, delay, power, arithmetic, graph and many other first-order theories.We first illustrated that a SAT attack could be easily implemented using SMT solver to prove that SMT attack is a superset of the SAT attack.Then we proposed two variants of SMT attack on obfuscated circuits using Eager and Lazy approach of SMT solver.We illustrated that using the Eager and Lazy approach, we could break the Delay Logic Locking [22] obfuscation that cannot be broken by a SAT attack, proving that SMT attack's capabilities go beyond a SAT attack.It shows that by only using non-logical properties of a netlist for obfuscation, we not provably increase the security of an obfuscated netlist, indicating the need for further study and exploration in this domain to generate obfuscation schemes with provable security.Then we proposed the Accelerated SMT attack (AccSMT), and we illustrated that by using theory solvers (BitVector theory solver in this paper), we could significantly speed-up the attack against specific obfuscated circuits, and reported significant reduction in the execution time of the AccSMT compared to SAT attack.Finally, we illustrated that with a small modification, the AccSMT could be used as an approximate attack, allowing us to find an approximate key for obfuscation schemes that combine a SAT hard obfuscation with high corruption obfuscation.

Figure 3 :
Figure 3: Overall Structure of Tunable Delay Key-Gate (TDK) used in Delay Logic Locking (DLL)[22].(a) TDK Gate with Two Keys, one for Logic and one for Delay Locking.(b) Layout of TDK with a Tunable Delay Buffer (TDB), (c) Functionality and Delay of the TDK

Figure 4 :
Figure 4: Overall Architecture of SMT Attack for Circuit Deobfuscation.In SMT attack multiple theory solvers could be simultaneously invoked along with a SAT solver to model complex attack scenarios.

Figure 8 :
Figure 8: Converting a (a) netlist obfuscated with TDK cells to a (b) Key Programmable Circuit (KPC), and (c) the representative graph of the netlist annotated with TDK cell delays.

Figure 10 :
Figure 10: A hybrid obfuscation scheme consists of a SAT Hard (SH) obfuscation (SARLock) and a High Corruption (HC) Logic Locking scheme

Figure 13 :
Figure 13: Rate of Reduction in the Number of Potentially Valid Keys (Remaining Keys) in each Iteration of the Original SAT Attack and the AccSMT Attack, when Attacking ISCAS-85 Benchmarks Obfuscated using RLL[8] Obfuscation Scheme: (a) C2670 (b) C7552.

SAT-Resilient Locking Schemes
captures the KPG translation gates for each type of the gates that have previously

Table 4 :
[8]]ution Time of the SMT Attack in the Eager Mode (Attack Mode 2) on ISCAS-85 Benchmarks with Different Overhead when Obfuscated using DLL[22]+ RLL[8](50%-50%) Obfuscation Schemes.SMT execution time = x + y, x : The execution time of the SAT engine of the SMT Solver, y : The execution time of the theory engine of the SMT Solver

Table 6 :
[8]]aring the Execution Time and the Number of Iterations of the Accelerated Lazy SMT Attack (AccSMT) (Attack Mode 4) with that of Original SAT Attack (based on Lingling solver) in[10]on ISCAS-85 Obfuscated Circuits using RLL[8]Obfuscation Policy.