Domenic Forte

David Selasi Koblah, Rabin Yu Acharya, Daniel Capecci et al.

Artificial intelligence (AI) and machine learning (ML) techniques have been increasingly used in several fields to improve performance and the level of automation. In recent years, this use has exponentially increased due to the advancement of high-performance computing and the ever increasing size of data. One of such fields is that of hardware design; specifically the design of digital and analog integrated circuits~(ICs), where AI/ ML techniques have been extensively used to address ever-increasing design complexity, aggressive time-to-market, and the growing number of ubiquitous interconnected devices (IoT). However, the security concerns and issues related to IC design have been highly overlooked. In this paper, we summarize the state-of-the-art in AL/ML for circuit design/optimization, security and engineering challenges, research in security-aware CAD/EDA, and future research directions and needs for using AI/ML for security-aware circuit design.

Gijung Lee, Wavid Bowman, Olivia P. Dizon-Paradis et al.

Federated Learning (FL) is a promising approach for multiparty collaboration as a privacy-preserving technique in hardware assurance, but its security against adversaries with domain-specific knowledge is underexplored. This paper demonstrates a critical vulnerability where available standard cell library layouts (SCLL) can be exploited to compromise the privacy of sensitive integrated circuit (IC) training data. We introduce DECIFR, a novel two-stage Membership Inference Attack (MIA) that requires no auxiliary dataset. The attack employs a guided Gradient Inversion Attack (GIA) to reconstruct a client's training images from intercepted model updates. Our findings reveal that the fidelity of these reconstructions directly correlates with membership status, allowing an adversary to reliably distinguish members from non-members based on image quality. This work exposes a practical threat that overcomes the limitations of conventional attacks and underscores that standard FL protocols are insufficient for securing domains with extensive knowledge. We conclude that robust defenses are essential for the secure application of FL in hardware assurance.

Gijung Lee, Wavid Bowman, Olivia P. Dizon-Paradis et al.

Federated Learning (FL) is an emerging solution to the data scarcity problem for training deep learning models in hardware assurance. While FL is designed to enhance privacy by not sharing raw data, it remains vulnerable to Membership Inference Attacks (MIAs) that can leak sensitive intellectual property (IP). Traditional MIAs are often impractical in this domain because they require access to auxiliary datasets that can match the unique statistical properties of private data. This paper introduces a novel, data-free MIA targeting image segmentation models in FL for hardware assurance. Our methodology leverages Standard Cell Library Layouts (SCLLs) as priors to guide a gradient inversion attack, allowing an adversary to reconstruct images from a client's intercepted model update without needing any private data. We demonstrate that, by analyzing the reconstruction fidelity, an adversary can infer sensitive hardware characteristics, successfully distinguishing between circuit layers (e.g., metal vs. diffusion) and technology nodes (e.g., 32nm vs. 90nm). Our findings reveal that a novel loss term can conditionally amplify the attack's effectiveness by overcoming evaluation bottlenecks for structurally complex data. This work underscores a significant IP risk, challenging the assumption that FL provides inherent privacy guarantees and proving that severe information leakage can occur even without access to domain-specific datasets.

Gijung Lee, Wavid Bowman, Olivia Dizon-Paradis et al.

As microelectronics flourish and outsourcing of the design and manufacturing stages of integrated circuits (ICs) and printed circuit boards (PCBs) becomes the norm, microelectronics stakeholders must also confront a new wave of security challenges, including the threats posed by hardware Trojans, counterfeit electronics, and reverse engineering attacks. Traditional detection and prevention methods like testing and side-channel analysis have limitations in reliability and scalability. Automated reverse engineering by deep learning (DL) models is a foolproof approach to hardware assurance, but faces challenges due to limited data. By pooling data from different stakeholders (competitors in industry, governments, etc.), DL models can be more effectively trained but privacy of intellectual property (IP) is a significant concern. Federated Learning (FL) has been proposed as a potential alternative allowing for the collaborative training of a DL model without sharing raw data. While FL has been widely used in healthcare, IoT, and finance, its application in hardware assurance remains underexplored. This study investigates, for the first time, FL-based DL for hardware assurance, demonstrating that FL outperforms single-client centralized learning in segmentation tasks for reverse engineering. Our results show that increasing the number of clients improves FL performance by collaboratively training the model with more data. However, and more importantly, a major pitfall of FL is also exposed -- it remains vulnerable to gradient inversion attacks. We show that SEM images used in FL can be recovered by attackers, which would therefore expose the sensitive and proprietary IPs that FL was supposed to protect. We highlight these privacy risks and also suggest future research directions to improve security and effectiveness in hardware assurance.

Stephen Wormald, Gilon Kravatsky, Damon Woodard et al.

On-edge machine learning (ML) often strives to maximize the intelligence of small models while miniaturizing the circuit size and power needed to perform inference. Meeting these needs, differentiable Logic Gate Networks (LGN) have demonstrated nanosecond-scale prediction speeds while reducing the required resources as compares to traditional binary neural networks. Despite these benefits, the trade-offs between LGN parameters and resulting hardware synthesis characteristics are not well characterized. This paper therefore studies the tradeoffs between power, resource utilization, inference speed, and model accuracy when varying the depth and width of LGNs synthesized for Field Programmable Gate Arrays (FPGA). Results reveal that the final layer of an LGN is critical to minimize timing and resource usage (i.e. 28\% decrease), as this layer dictates the logic size of summing operations. Subject to timing and routing constraints, deeper and wider LGNs can be synthesized for FPGA when the final layer is narrow. Further tradeoffs are presented to help ML engineers select baseline LGN architectures for FPGAs with a set number of Look Up Tables (LUT).

Junling Fan, David Koblah, Domenic Forte

Semiconductor intellectual property (IP) theft incurs hundreds of billions in annual losses, driven by advanced reverse engineering (RE) techniques. Traditional ``cryptic'' IC camouflaging methods typically focus on hiding localized gate functionality but remain vulnerable to system-level structural analysis. This paper explores ``mimetic deception,'' where a functional IP (F) is designed to structurally and visually masquerade as a completely different appearance IP (A). We provide a comprehensive evaluation of three deceptive methodologies: IP Camouflage, Graph Matching, and DNAS-NAND Gate Array, analyzing their resilience against GNN-based node classification, and Differential Power Analysis (DPA). Crucially, we demonstrate that mimetic deception achieves a novel anti-side-channel defense: by forcing the mis-classification of cryptographic primitives, the adversary is led to apply an incorrect power model, causing the DPA attack to fail. Our results validate that this multi-layered approach effectively thwarts the entire RE toolchain by poisoning the structural and logical data used for netlist understanding.

Mohyeu Hussain, David Koblah, Reiner Dizon-Paradis et al.

Analog-mixed-signal (AMS) circuits are highly non-linear and operate on continuous real-world signals, making them far more difficult to model with data-driven AI than digital blocks. To close the gap between structured design data (device dimensions, bias voltages, etc.) and real-world performance, we propose a causal-inference framework that first discovers a directed-acyclic graph (DAG) from SPICE simulation data and then quantifies parameter impact through Average Treatment Effect (ATE) estimation. The approach yields human-interpretable rankings of design knobs and explicit 'what-if' predictions, enabling designers to understand trade-offs in sizing and topology. We evaluate the pipeline on three operational-amplifier families (OTA, telescopic, and folded-cascode) implemented in TSMC 65nm and benchmark it against a baseline neural-network (NN) regressor. Across all circuits the causal model reproduces simulation-based ATEs with an average absolute error of less than 25%, whereas the neural network deviates by more than 80% and frequently predicts the wrong sign. These results demonstrate that causal AI provides both higher accuracy and explainability, paving the way for more efficient, trustworthy AMS design automation.

Stephen Wormald, David Koblah, Matheus Kunzler Maldaner et al.

Constraining deep neural networks (DNNs) to learn individual logic types per node, as performed using the DiffLogic network architecture, opens the door to model-specific explanation techniques that quell the complexity inherent to DNNs. Inspired by principles of circuit analysis from computer engineering, this work presents an algorithm (eXpLogic) for producing saliency maps which explain input patterns that activate certain functions. The eXpLogic explanations: (1) show the exact set of inputs responsible for a decision, which helps interpret false negative and false positive predictions, (2) highlight common input patterns that activate certain outputs, and (3) help reduce the network size to improve class-specific inference. To evaluate the eXpLogic saliency map, we introduce a metric that quantifies how much an input changes before switching a model's class prediction (the SwitchDist) and use this metric to compare eXpLogic against the Vanilla Gradients (VG) and Integrated Gradient (IG) methods. Generally, we show that eXpLogic saliency maps are better at predicting which inputs will change the class score. These maps help reduce the network size and inference times by 87\% and 8\%, respectively, while having a limited impact (-3.8\%) on class-specific predictions. The broader value of this work to machine learning is in demonstrating how certain DNN architectures promote explainability, which is relevant to healthcare, defense, and law.

Ana Covic, Fatemeh Ganji, Domenic Forte

Side-channel attacks extracting sensitive data from implementations have been considered a major threat to the security of cryptographic schemes. This has elevated the need for improved designs by embodying countermeasures, with masking being the most prominent example. To formally verify the security of a masking scheme, numerous attack models have been developed to capture the physical properties of the information leakage as well as the capabilities of the adversary. With regard to these models, extensive research has been performed to realize masking schemes. These research efforts have led to significant progress in the development of security assessment methodologies and further initiated standardization activities. However, since the majority of this work is theoretical, it is challenging for the more practice-oriented hardware security community to fully grasp and contribute to. To bridge the gap, these advancements are reviewed and discussed in this survey, mainly from the perspective of hardware security. In doing so, a clear taxonomy is provided that is helpful for a systematic treatment of the masking-related topics. By giving an extensive overview of the existing methods, this survey (1) provides a research landscape of circuit masking for newcomers to the field, (2) offers guidelines on which attack model and verification tool to choose when designing masking schemes, and (3) identifies interesting new research directions where masking models and assessment tools can be applied. Thus, this survey serves as an essential reference for hardware security practitioners interested in the theory behind masking techniques, the tools useful to verify the security of masked circuits, and their potential applications.

Rabin Yu Acharya, Fatemeh Ganji, Domenic Forte

Profiled side-channel analysis (SCA) leverages leakage from cryptographic implementations to extract the secret key. When combined with advanced methods in neural networks (NNs), profiled SCA can successfully attack even those crypto-cores assumed to be protected against SCA. Despite the rise in the number of studies devoted to NN-based SCA, a range of questions has remained unanswered, namely: how to choose an NN with an adequate configuration, how to tune the NN's hyperparameters, when to stop the training, etc. Our proposed approach, ``InfoNEAT,'' tackles these issues in a natural way. InfoNEAT relies on the concept of neural structure search, enhanced by information-theoretic metrics to guide the evolution, halt it with novel stopping criteria, and improve time-complexity and memory footprint. The performance of InfoNEAT is evaluated by applying it to publicly available datasets composed of real side-channel measurements. In addition to the considerable advantages regarding the automated configuration of NNs, InfoNEAT demonstrates significant improvements over other approaches for effective key recovery in terms of the number of epochs (e.g.,x6 faster) and the number of attack traces compared to both MLPs and CNNs (e.g., up to 1000s fewer traces to break a device) as well as a reduction in the number of trainable parameters compared to MLPs (e.g., by the factor of up to 32). Furthermore, through experiments, it is demonstrated that InfoNEAT's models are robust against noise and desynchronization in traces.

Sreeja Chowdhury, Ana Covic, Rabin Yu Acharya et al.

Over the past decades, quantum technology has seen consistent progress, with notable recent developments in the field of quantum computers. Traditionally, this trend has been primarily seen as a serious risk for cryptography; however, a positive aspect of quantum technology should also be stressed. In this regard, viewing this technology as a resource for honest parties rather than adversaries, it may enhance not only the security, but also the performance of specific cryptographic schemes. While considerable effort has been devoted to the design of quantum-resistant and quantum-enhanced schemes, little effort has been made to understanding their physical security. Physical security deals with the design and implementation of security measures fulfilling the practical requirements of cryptographic primitives, which are equally essential for classic and quantum ones. This survey aims to draw greater attention to the importance of physical security, with a focus on secure key generation and storage as well as secure execution. More specifically, the possibility of performing side-channel analysis in the quantum world is discussed and compared to attacks launched in the classic world. Besides, proposals for quantum random number generation and quantum physically unclonable functions are compared to their classic counterparts and further analyzed to give a better understanding of their features, advantages, and shortcomings. Finally, seen from these three perspectives, this survey provides an outlook for future research in this direction.

Ronald Wilson, Navid Asadizanjani, Domenic Forte et al.

In the Reverse Engineering and Hardware Assurance domain, a majority of the data acquisition is done through electron microscopy techniques such as Scanning Electron Microscopy (SEM). However, unlike its counterparts in optical imaging, only a limited number of techniques are available to enhance and extract information from the raw SEM images. In this paper, we introduce an algorithm to segment out Integrated Circuit (IC) structures from the SEM image. Unlike existing algorithms discussed in this paper, this algorithm is unsupervised, parameter-free and does not require prior information on the noise model or features in the target image making it effective in low quality image acquisition scenarios as well. Furthermore, the results from the application of the algorithm on various structures and layers in the IC are reported and discussed.

Rabin Yu Acharya, Sreeja Chowdhury, Fatemeh Ganji et al.

Hardware intellectual property (IP) theft is a major issue in today's globalized supply chain. To address it, numerous logic locking and obfuscation techniques have been proposed. While locking initially focused on digital integrated circuits (ICs), there have been recent attempts to extend it to analog ICs, which are easier to reverse engineer and to copy than digital ICs. In this paper, we use algorithms based on evolutionary strategies to investigate the security of analog obfuscation/locking techniques. We present a genetic algorithm (GA) approach which is capable of completely breaking a locked analog circuit by finding either its obfuscation key or its obfuscated parameters. We implement both the GA attack as well as a more naive satisfiability modulo theory (SMT)-based attack on common analog benchmark circuits obfuscated by combinational locking and parameter biasing. We find that GA attack can unlock all the circuits using only the locked netlist and an unlocked chip in minutes. On the other hand, while the SMT attack converges faster, it requires circuit specification to execute and it also returns multiple keys that need to be brute-forced by a post-processing step. We also discuss how the GA attack can generalize to other recent analog locking techniques not tested in the paper

Ulbert J. Botero, Ronald Wilson, Hangwei Lu et al.

In the context of hardware trust and assurance, reverse engineering has been often considered as an illegal action. Generally speaking, reverse engineering aims to retrieve information from a product, i.e., integrated circuits (ICs) and printed circuit boards (PCBs) in hardware security-related scenarios, in the hope of understanding the functionality of the device and determining its constituent components. Hence, it can raise serious issues concerning Intellectual Property (IP) infringement, the (in)effectiveness of security-related measures, and even new opportunities for injecting hardware Trojans. Ironically, reverse engineering can enable IP owners to verify and validate the design. Nevertheless, this cannot be achieved without overcoming numerous obstacles that limit successful outcomes of the reverse engineering process. This paper surveys these challenges from two complementary perspectives: image processing and machine learning. These two fields of study form a firm basis for the enhancement of efficiency and accuracy of reverse engineering processes for both PCBs and ICs. In summary, therefore, this paper presents a roadmap indicating clearly the actions to be taken to fulfill hardware trust and assurance objectives.

M Tanjidur Rahman, M Sazadur Rahman, Huanyu Wang et al.

Logic locking has emerged as a promising solution for protecting the semiconductor intellectual Property (IP) from the untrusted entities in the design and fabrication process. Logic locking hides the functionality of the IP by embedding additional key-gates in the circuit. The correct output of the chip is produced, once the correct key value is available at the input of the key-gates. The confidentiality of the key is imperative for the security of the locked IP as it stands as the lone barrier against IP infringement. Therefore, the logic locking is considered as a broken scheme once the key value is exposed. The research community has shown the vulnerability of the logic locking techniques against different classes of attacks, such as Oracle-guided and physical attacks. Although several countermeasures have already been proposed against such attacks, none of them is simultaneously impeccable against Oracle-guided, Oracle-less, and physical attacks. Under such circumstances, a defense-in-depth approach can be considered as a practical approach in addressing the vulnerabilities of logic locking. Defense-in-depth is a multilayer defense approach where several independent countermeasures are implemented in the device to provide aggregated protection against different attack vectors. Introducing such a multilayer defense model in logic locking is the major contribution of this paper. With regard to this, we first identify the core components of logic locking schemes, which need to be protected. Afterwards, we categorize the vulnerabilities of core components according to potential threats for the locking key in logic locking schemes. Furthermore, we propose several defense layers and countermeasures to protect the device from those vulnerabilities. Finally, we turn our focus to open research questions and conclude with suggestions for future research directions.

Zimu Guo, Xiaolin Xu, Mark M. Tehranipoor et al.

PCBs are the core components for the devices ranging from the consumer electronics to military applications. Due to the accessibility of the PCBs, they are vulnerable to the attacks such as probing, eavesdropping, and reverse engineering. In this paper, a solution named EOP is proposed to migrate these threats. EOP encrypts the inter-chip communications with the stream cipher. The encryption and decryption are driven by the dedicated clock modules. These modules guarantee the stream cipher is correctly synchronized and free from tampering. Additionally, EOP also incorporates the PCB-level obfuscation for protection against reverse engineering. EOP is designated to be accomplished by utilizing the COTS components. For the validation, EOP is implemented in a Zynq SoC based system. Both the normal operation and tampering detection performance are verified. The results show that EOP can deliver the data from one chip to another without any errors. It is proved to be sensitive to any active tampering attacks.

B. M. S. Bahar Talukder, Biswajit Ray, Domenic Forte et al.

Physically Unclonable Functions (PUFs) are potential security blocks to generate unique and more secure keys in low-cost cryptographic applications. Dynamic random-access memory (DRAM) has been proposed as one of the promising candidates for generating robust keys. Unfortunately, the existing techniques of generating device signatures from DRAM is very slow, destructive (destroy the current data), and disruptive to system operation. In this paper, we propose \textit{precharge} latency-based PUF (PreLatPUF) that exploits DRAM \textit{precharge} latency variations to generate signatures. The proposed PreLatPUF is fast, robust, least disruptive, and non-destructive. The silicon results from commercially available $DDR3$ chips from different manufacturers show that the proposed key generation technique is at least $ \sim 1,192X$ faster than the existing approaches, while reliably reproducing the key in extreme operating conditions.

Nima Karimian, Zimu Guo, Fatemeh Tehranipoor et al.

With the emergence of the Internet-of-Things (IoT), there is a growing need for access control and data protection on low-power, pervasive devices. Biometric-based authentication is promising for IoT due to its convenient nature and lower susceptibility to attacks. However, the costs associated with biometric processing and template protection are nontrivial for smart cards, key fobs, and so forth. In this paper, we discuss the security, cost, and utility of biometric systems and develop two major frameworks for improving them. First, we introduce a new framework for implementing biometric systems based on physical unclonable functions (PUFs) and hardware obfuscation that, unlike traditional software approaches, does not require nonvolatile storage of a biometric template/key. Aside from reducing the risk of compromising the biometric, the nature of obfuscation also provides protection against access control circumvention via malware and fault injection. The PUF provides non-invertibility and non-linkability. Second, a major requirement of the proposed PUF/obfuscation approach is that a reliable (robust) key be generated from the users input biometric. We propose a noiseaware biometric quantization framework capable of generating unique, reliable keys with reduced enrollment time and denoising costs. Finally, we conduct several case studies. In the first, the proposed noise-aware approach is compared to our previous approach for multiple biometric modalities, including popular ones (fingerprint and iris) and emerging cardiovascular ones (ECG and PPG). The results show that ECG provides the best tradeoff between reliability, key length, entropy, and cost. In the second and third case studies, we demonstrate how reliability, denoising costs, and enrollment times can be simultaneously improved by modeling subject intra-variations for ECG.

Adib Nahiyan, Mehdi Sadi, Rahul Vittal et al.

Semiconductor design houses are increasingly becoming dependent on third party vendors to procure intellectual property (IP) and meet time-to-market constraints. However, these third party IPs cannot be trusted as hardware Trojans can be maliciously inserted into them by untrusted vendors. While different approaches have been proposed to detect Trojans in third party IPs, their limitations have not been extensively studied. In this paper, we analyze the limitations of the state-of-the-art Trojan detection techniques and demonstrate with experimental results how to defeat these detection mechanisms. We then propose a Trojan detection framework based on information flow security (IFS) verification. Our framework detects violation of IFS policies caused by Trojans without the need of white-box knowledge of the IP. We experimentally validate the efficacy of our proposed technique by accurately identifying Trojans in the trust-hub benchmarks. We also demonstrate that our technique does not share the limitations of the previously proposed Trojan detection techniques.