Efficiency Analysis: Algorithm Runtime

Algorithm runtime is a characteristic of circuit variant generation, and not a characteristic of the variant itself. This metric represents the amount of work required

to protect a circuit using an algorithm. Figure 4.23 shows a comparison of the trial runtimes of each algorithm.

4.9.1 Subcircuit Selection-and-replacement. Random subcircuit selection- and-replacement requires time for (1.) selecting a subcircuit, and (2.) selecting a replacement. Time required for random subcircuit selection is usually small because it effectively only involves removal of the subcircuit gates. Replacement, however, requires querying a library of subcircuit replacements in order to retrieve a semanti- cally equivalent subcircuit. It is unknown how to predict the number of semantically equivalent subcircuits there are for a particular circuit, but it is possible to predict the number of possible subcircuits that there are of a given size; the growth of this number was characterized by Simonaire to be hyper-factorial [39]. For the c264 cir- cuit in Table 4.4, note that for an equivalent number of iterations (1000 iterations), select-2 replace-3 requires about one-eighth the runtime of the select-2 replace-4 algo- rithm. In a separate experiment, a single trial of select-3 replace-4 was attempted on c264. 100 iterations of this algorithm required 81718 seconds, more than 336 times the 243 seconds required for 500 iterations of select-2 replace-3 obfuscation. It is pre-

Table 4.9: Expected worst-case gate count for components in the c6288 circuit (Execution of component encryption)

Count Expected Size Expected inverters

13 13.32 2 14 113.83 4.33 14 319.80 5.66 13 981.12 7 1 13.32 2 1 10.66 2 1 286.18 5.66 1 134.62 4.66 182 353.432 5.66

Weighted Average per component: 293.72 5.42 All components: 70493.75 1301.3 Other non-component gates: 241 0

Figure 4.23: Runtime: Relative times required for variant generation trials. *Minimum measurement was 1 second.

dicted that algorithms with selection-and-replacement at sizes greater than select-3, replace-4 would require even longer to execute.

4.9.2 Boundary Blurring. Boundary blurring exhibited significantly shorter runtime than subcircuit selection-and-replacement in these trials, but the runtime of SSR is dependent upon the number of iterations chosen (an experiment variable) while the runtime of boundary blurring algorithms is dependent solely upon the number of boundaries in a test circuit (a constant). For the c264 circuit, select-2, replace-3 SSR took 262 times as long as boundary blurring, and select-2, replace-4 took 2061 times as long.

The execution of boundary blurring in these trials had a runtime that increased approximately linearly (in these test results) with relation to gate count. Despite this correlation, the runtime of boundary blurring most likely dependent upon the number of component boundaries in the circuit, which increases at about the same rate as the number of gates in these test circuits. If more test cases were run, it is likely that boundary blurring algorithms would exhibit runtime linearly related to the number

of boundaries available to blur (and that the number of boundaries would increase on the same order as the number of gates if component size remained constant).

4.9.3 Component Fusion. Component fusion required only a small runtime for the polymorphic full-adder circuit (60 gates), but runtime increased with seemingly exponential growth, increasing runtime 1688 times when executed on c6288 while gate count increased relatively by only 48.8 times. In fact, component fusion required longer to execute on the c6288 circuit than 3000 iterations of select-2, replace-3 SSR did. This is likely due to overhead in the graph library used for implementation because the component fusion algorithm requires a workload in the worst case which is related linearly to the number of components in the circuit and the number of gates not in a component.

4.9.4 Component Encryption. Component encryption required the smallest runtime of all obfuscation algorithms tested. This is probably because the primary graph operation required was insertion and connection of gates, and few large queries on the graph data structure were required. All components were extracted from the circuit, encrypted, and then all components were inserted into the new circuit in succession and reconnected.

4.9.5 Summary of Circuit Algorithm Analysis. To summarize, component encryption consistently ran in shorter time than any other algorithm, and component fusion ran faster than subcircuit selection-and-replacement, but only for small circuits. Component encryption and component fusion tend to produce large circuit vari- ants due to inefficiencies in the circuit synthesis algorithm, which is a modified two- level synthesis algorithm. Variants of c6288 produced by these algorithms consistently contain more gates than variants produced by other algorithms, making component identification difficult.

despite component fusion (CF) and component encryption (CE) algorithms adding more gates to circuit variants. This means that, on average, variants produced by CF and CE will exhibit less overall circuit delay but will require more power and area for implementation than variants produced by Boundary blurring and SSR.

Boundary blurring prevents component identification in every trial where com- ponent identification could be performed on the circuit variant. CF and CE tend to do this as well, improving 37% over select-2 replace-4 SSR, but CF seems to introduce gate patterns that cause 2-1 multiplexors to be identified in the circuit; the imple- mentation of CE does not prevent bad mappings, so occasionally components on the input boundary are identified.

Lastly, signal analysis reveals that CF and CE outperform boundary blurring in creating variants that hide the internal signals of circuits. Both algorithms provide at least 48% signal hiding over all three test cases. This has implications for preventing both structural analysis and side-channel analysis.