Active Control and Digital Rights Management of Integrated Circuit IP Cores

Yousra Alkabani
CS Department
Rice University
Houston, TX 77005
yousra@rice.edu

Farinaz Koushanfar
ECE and CS Departments
Rice University
Houston, TX 77005
farinaz@rice.edu

ABSTRACT
We introduce the first approach that can actively control multiple hardware intellectual property (IP) cores used in an integrated circuit (IC). The IP rights owner(s) can remotely monitor, control, enable, or disable each individual IP on each chip. The approach introduces a paradigm shift in the microelectronic business model, nurturing smaller businesses, and supporting the design-reuse paradigm. The IPs can be controlled by the original designer or by the designers who reuse them. Each IP has a built-in functional lock that pertains to the unique unclonable ID of the chip. A control structure that coordinates the locking and unlocking of the IPs is embedded within the IC. We introduce a trusted third party approach for issuing certificates of authenticity, in case it is required for the applications. We present methods for safeguarding the approach against two attack sources: the foundry (fab), and the reuser. Experimental results show that our approach can be implemented with low area, power, and delay overheads making it suitable for embedded systems. The introduced control method is also low overhead in terms of the added steps to the current design and manufacturing flow.

Categories and Subject Descriptors
B.7 [Integrated Circuits]: Miscellaneous; B.6 [Logic Design]: Miscellaneous; K.6.5 [MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS]: Security and Protection

General Terms
Security, Design, Management

Keywords
IP Protection, Security, Active IP Control

1. INTRODUCTION
The state-of-the-art digital ICs are increasingly complex. The progressive demand for multiple applications, performance, and functionality for integrated circuits has resulted in extreme CMOS miniaturization that adds to the complexity. Building, operating, maintaining and upgrading silicon fabs for the complex designs is prohibitively expensive, e.g., upgrade to the current technology, 45nm, costs about $4bn [4]. The leading edge design companies are fabless. Even the large semiconductor companies including Texas Instruments (TI) and Freescale that had in-house manufacturing recently started to outsource their fabrication.

Because of the complexity, adapting the design reuse paradigm is the key to address constraints such as low-power, real-time budgets, silicon efficiency, time-to-market, and low cost [14]. A consequence of the current shift towards the fabless business model and design reuse is increased horizontalization of the microelectronic industry. Integration of multiple functionalities, applications, and design techniques has led to modularity and specialization of design houses.

Many fabless design companies, particularly the specialized IP core designers are small. Their major investment is the technical and engineering staff and human resources who work together to produce the IP product. If the IP is ever exploited the company loses its capital investment. It is also likely that the IPs accidentally or through negligence are misused. For example, a design engineer (who we call a “reuser”) may not take the time to check each core’s license agreement. The IP-core design companies only receive revenue when their core is licensed to reusers, regardless of the volume and profit of the end product(s) that typically include multiple IPs. The presence of smaller companies is essential for a competitive market, but those companies endanger consolidation in the current business model.

We propose a novel approach that allows the IP core providers to gain post-fabrication control over their IPs on each chip. The approach introduces a paradigm shift in the digital rights management (DRM) of integrated circuits IP cores for vendors, designers and foundries. Depending on the application, the method may be used to control the number of chips that implement the IP, to remotely and actively enable or disable the usage. The misuse of the IP products is not only detected, but also prevented. The method works by uniquely locking the functionality of the IP core embedded in the manufactured chips, such that the rights owner is the only entity who can provide the key to unlock it. Our contributions include:

- Introduction of the first architecture and implementation for individual control of each IP core, in a multi-IP design.
- Integration of locking into each IP’s functionality and coordinating the IPs by the reuser’s control core.
- Control of the IP cores that may be done by the original core provider, the IP reuser, or both.
- Successful integration of the method within the standard synthesis flow, with a minimal addition of steps.
- Low-overhead and efficient implementation of the approach on chips containing multiple industrial benchmark IP cores.
- Ensuring trustworthiness of the key-exchange protocol by introducing a trusted third party providing certificate of authenticity.
- Discussion of attacks and providing safeguards.
- Introduction of a number of possible applications that are enabled by the new multi-IP protection method.

**Motivational Example:** Figure 1 presents a reuser’s design which contains multiple IP cores. The cores denoted by IP₁, IP₂, . . ., to IPₖ are the protected ones. The functional control unit of each IP is represented by a finite state machine (FSM). The circuit designer (reuser) includes two new modules in her design. One added part is an identification (ID) circuitry that extracts the unique identification bits for the chip using the silicon variability [10, 18, 17]. The other addition is a control module that is embedded within the central controller of the chip. Each protected IP is directly connected to the ID circuitry. Each of the protected IPs contains a lock within its functional states.

![Figure 1: A reuser’s design including multiple IP cores. Each IP may be locked/unlocked by the IP designer or the reuser, depending on the application.](image)

In the remainder of the paper we show the details of the new approach, implementation, experiments, and applications.

## 2. RELATED WORK

Methods for digital design reuse and intellectual property trading are emerging [2, 22, 14, 5, 7, 6]. Protection of IPs in the reuse-based design flow is of paramount importance, but the prior work on individual IP protection has been limited. Most of the effort has been focused on FPGA soft IP core protection [25, 24]. A number of watermarking methods for IP identification have been proposed, but unlike our method that is active and uniquely locks each chip, a watermark is passive and is the same on all the chips implementing the same design [20, 21, 26]. A watermark can only be used to solve disputes about illegal usage of a design. It cannot identify, activate or disable individual ICs or IP cores.

The inherent and unclonable silicon manufacturing variability has been used to uniquely identify each chip [16, 6]. Delay-based physically unclonable functions (PUFs) were constructed to extract the variability in circuit timing as a function of input (challenge) bits, generating a unique output (response) that can be used for identification and security [11, 18, 17]. PUFs were implemented in both ASICs and FPGAs [15, 12]. Several applications of PUFs are emerging, including RFID, proof of execution on a specific processor, securing processors, and active metering [10, 11, 12, 7, 8].

Recently, securing IP in an ASIC design by individually tagging each core was proposed [19]. Since the tags are separated from the functionality, they are subject to removal attacks by both the reusers and the foundry. Note that approaches that use traditional implementations of cryptography protocols for securing at the low level are both high overhead and non-secure [23, 1], since the digitally stored keys are subject to physical and side-channel attacks [9].

Our new approach adapts the mechanism in [7], who integrated the unique identifiers of the chip into its control structure. The approach presented here includes several new aspects: First, multiple IP cores are controlled, not just one. Second, we consider interactions among the IP core designers, reusers, and the foundry, whereas the previous work only considered the designer-foundry relation. Third, unlike the previous work that only developed a control mechanism, we create a system-level secure IP integration solution and discuss the supply chain interactions. Fourth, we introduce the role of trusted integrator who will be useful for a secure design flow. Fifth, the reuser’s role and possibilities of attacks are discussed for the first time. Lastly, the new approach directly applies to a number of novel system-level security, protection, and DRM methods that can be very useful for embedded systems (Section 8).

## 3. FLOW OF THE ACTIVE CONTROL FOR IP CORES

Figure 2 shows the overall flow of the new IP protection approach. There are four main entities involved: (i) IP rights owners (IP designers) who design, format and sell the individual IPs, (ii) IC rights owner (reuser) who integrates multiple IPs, including the open IPs and I/O interfaces, into one IC, (iii) the fabrication plant (fab), and (iv) an authorized system verifier, whom we call a certificate authority (CA). This entity ensures the trust between hardware IP providers, reusers, and the fab.
While the first three components are commonly present in the IC design cycle, the last component is new. CA is the trusted third party component for many asymmetric cryptography protocols, including several public key infrastructure (PKI) schemes. The new model is an asymmetric security scheme based on the keys provided by the IP designers and system designer. The CA provides trust by authorizing the parties, preventing possible breaches.

The flow can be described as follows. The IP designer forms the FSM of the design by using the high level design description. Then, the lock(s) are strategically embedded in the FSM. The modified finite state machine is called the boosted finite state machine (BFSM). The reuser may integrate multiple locked IPs, in addition to other components, including her own designs, unlocked IPs, I/O peripherals, memory, and the master identification/control parts. The master identification/control consists of a controlling finite state machine (CFSM) and a PUF. The CFSM interacts with and controls the various IP(s); it can enable/disable the other components. The PUF provides a means of identifying each IC implementing the design in a unique and unclonable way. The ready-to-fab designs are shipped to the CA who certifies the consent of the rights owners before sending them to the fab.

The material is then sent to the fab who makes the masks and produces a number of ICs from the same mask [7]. The fabricated ICs are nonfunctional and have locks on them to a multi-IP design to apply the method. The PUF input and runs it through the flip flops (FFs) scan chain. The state of the IC will be read out from the FFs and sent to the CA who will in turn supply the state of each chip to the authorized reusers and IP providers. Each of the contacted parties will produce the specific keys to unlock the component. Also, the IP provider computes the error correcting code (ECC) for the lock, to mask the possible few changes caused by the fluctuations in the PUF identifiers. The keys are then sent back to the CA, who certifies the consent of the rights owners before sending them to the fab.

4. IP CONTROL METHOD

In this section, we present the main modifications made to a multi-IP design to apply the method.

4.1 BFSMs

Each of the IP designers needs to modify the FSM of their designed IP such that they embed a lock in it. The modified control structure is the BFSM. The BFSM is designed such that both its states and transitions are a function of the unique chip identifiers. The BFSM attempts to form a unique control path on each of the chips, while all the chips are from the same mask.

The BFSM of an IP core should satisfy the following properties:

- It must have incorrect functionality (locked) as long as the key is not provided.
- The key can be easily computed by the party who knows the BFSM structure and difficult to find otherwise.
- Knowing the key for one IC must not help in finding the key for another IC of the same design.
- Once the key is provided, the IP would function correctly.

Note that unlike symmetric cryptography, where the keys are used to reverse a trap-door function and revealing the keys compromises the security, the keys here do not convey significant information about the lock. This is because the lock is in the structure of the state transition graph that is only known to the designer.

The same BFSM structure can be exploited to disable the chip during its operation. All that is needed is to modify the locks. For example, changing the PUF challenges will ensure that the functionality is trapped in a locked state.

4.2 CFSM

The overall FSM of the design that is devised by the reuse designer is also manipulated such that it embeds locks that allow the chip designer to lock/unlock her designed parts. Next, some states for controlling the other IPs are also included by the IC designer. We refer to these added IP control signals as CFSM. The CFSM gives the chip designer a level of control over the several IPs that are included in the design. For example, the CFSM receives signals from the IP cores about their locked/unlocked status. The CFSM can also generate control signals that can enable or disable various IPs on the chip. There are many applications that can benefit from the CFSM (see Section 8).

4.3 PUF

PUF is the circuitry which generates random unique values per chip. Figure 3 demonstrates the high level block diagram of a PUF [10]. The PUF circuit generates a unique response (output) for each input vector (challenge) that is applied to it. Even though the response varies from one chip to the next, the response to the same challenge remains the same over time.

PUF has a much larger overhead compared with BFSM and CFSM. Thus, we share it among the IPs to reduce the overhead. There is a need to ensure that the PUF is properly connected to the IPs so that the IP rights owner receives her proper royalties. The trusted third party (authorized system verifier) ensures the proper interface of PUF to the BFSMs before sending the design files to the fab.

5. IMPLEMENTATION

Figure 4 shows the block diagram of the system components described earlier. Let us assume that we have three IPs denoted by IP$_1$, IP$_2$, and IP$_3$. The response of the PUF is connected to the IPs’ BFSM, and the CFSM communicates with the BFSMs to control (lock/unlock) them. We outline the implementation of the BFSM, PUF, and CFSM.

5.1 BFSM Implementation

The implementation of BFSM is inspired by [7] but the BFSM was further adapted and modified to include more states and communications with the CFSM. Figure 5 shows a part of a BFSM on a sample IP core where a state $S_i$ is replicated twice as $S'_i$ and $S''_i$. The transitions to $S_i$ from $S_{i-1}$ are copied to its replicated states such that, based on the PUF response, either $S_i$ or one of its replicas is reached. The reached state is only a function of the PUF response. However, the transitions from the replicated states to $S_{i+1}$ are a function of both the PUF response and the key. The key and the response are XOR’d; if the output is correct, the valid state $S_{i+1}$ will be reached. Otherwise, a wrong transition (not shown on the figure) will be taken. PI/PO represent the set of primary inputs/outputs to the BFSM. Whenever a wrong transition is taken, the flag signal from the IP’s BFSM is set to 1 to inform the CFSM that the BFSM is still unlocked. The flag value is 0 otherwise. The BFSM implementation steps can be summarized as follows:

1. The $n$ states with the least number of outgoing edges are selected for replication.
2. Each selected state is replicated $m$ times.
3. Transitions to the replicated states are a function of the PUF response and are thus unique to each chip.
4. Transitions from the replicated states are a function of the PUF response and the key. Correct transitions are only taken if the key is properly set. Incorrect random added transitions are taken when the key is wrong.
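
The four steps above, reduced to a single replicated state and combined with the CFSM flag reading of Section 4.2, as an added behavioural sketch in Python (not the authors' implementation). The per-copy patterns, the modulo rule for choosing a copy, the 8-bit width and the chip responses are assumptions made up for illustration.

```python
MASK = 0xFF  # 8-bit PUF response and key (width assumed)


class LockedIP:
    """One IP core whose BFSM has state S_i replicated m times (here m = 2)."""

    def __init__(self, name, expected):
        self.name = name
        # Designer-only knowledge: the value (key XOR response) must take in
        # each copy of S_i for the correct transition to S_{i+1} (made-up values).
        self._expected = expected

    def _copy(self, response):
        # Step 3: the copy that is reached depends only on the PUF response.
        return response % len(self._expected)

    def designer_key(self, response):
        # Computable only by the party that knows the BFSM structure.
        return (response ^ self._expected[self._copy(response)]) & MASK

    def run(self, response, key):
        """Walk S_{i-1} -> copy of S_i -> next state; return (path, flag)."""
        idx = self._copy(response)
        reached = "S_i" + "'" * idx
        # Step 4: the exit transition depends on both the response and the key.
        ok = ((key ^ response) & MASK) == self._expected[idx]
        # flag = 1 whenever a wrong (added) transition is taken.
        return ["S_{i-1}", reached, "S_{i+1}" if ok else "WRONG"], (0 if ok else 1)


def cfsm_enable(ips, response, keys):
    """CFSM view: read every BFSM flag and enable only IPs that left the lock."""
    return {ip.name: ip.run(response, keys.get(ip.name, 0))[1] == 0 for ip in ips}


# Constructed sample data: two IP cores sharing one PUF, two chips from one mask.
IP1 = LockedIP("IP1", [0x3C, 0xA7, 0x19])
IP2 = LockedIP("IP2", [0x71, 0x0E, 0xD2])
CHIP_A, CHIP_B = 0x5A, 0xC4   # PUF responses of two chips (made up)

if __name__ == "__main__":
    key_a = IP1.designer_key(CHIP_A)
    print("chip A, key for A:", IP1.run(CHIP_A, key_a))
    print("chip B, key for A:", IP1.run(CHIP_B, key_a))   # stays locked
    print("CFSM on chip A, only IP1 paid:", cfsm_enable([IP1, IP2], CHIP_A, {"IP1": key_a}))
    # A new challenge gives a new response: the old key stops working and only
    # the designer can issue a fresh one (disable / ownership-proof use).
    new_resp = 0x1F
    print("new challenge, old key:", IP1.run(new_resp, key_a))
    print("new challenge, new key:", IP1.run(new_resp, IP1.designer_key(new_resp)))
```

In this sketch a key together with its response reveals one per-copy pattern; the paper instead relies on the lock being part of a state transition graph known only to the designer.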

5.2 PUF Implementations

We implement the delay-based PUF introduced in [11]. The response is found by comparing the delay of two parallel paths that must be the same, but vary because of manufacturing fluctuations. The signal starts at the common starting point of the two paths on the left and ends at an arbiter which is inserted at the right end of the two parallel lines. If the signal on the top path arrived earlier, the arbiter output will be zero; otherwise, its output would be one. The parallel paths are divided into multiple segments, such that each segment is controlled by a switch. Different combinations of the path segments are selected by the switches, causing the racing path pair and also the arbiter output (response bit) to change.

The above PUF is vulnerable to modeling attacks because of its linear structure. Feedforward arbiters are used to alleviate this problem [15]. The added arbiters compare the delays of two partial path pairs and use the arbiter output as the selector line for a forward switch in the circuit. Figure 6 shows an example of a two bit output delay-based PUF with random feedforward arbiters which may also connect different path pairs. Switches $s[1]$ to $s[n]$ represent the cascade of switches for the first output, and $s'[1]$ to $s'[n]$ are the switches for the second output. From each path pair, we randomly select the output of a few switches and connect them to arbiters, then connect the output of these arbiters to selection lines of other switches constructing a feedforward connection. The selection lines of switches that are not connected in a feedforward (not shown in the figure) represent the challenge to the PUF, while $r[1]$ and $r[2]$ represent the response of the PUF.

5.3 CFSM Implementation

The CFSM is implemented as a finite state machine that is embedded and hidden inside the main FSM (BFSM) of the IC. A block diagram of the CFSM control signals is shown in Figure 7. The CFSM inputs can be divided into two groups:
IC designer (reuser) and the foundry do not
have the same knowledge about the design and do not share
tasks especially that the BFSMs are enlarged versions
of the FSMs of the IPs in the system, and the CFSM is
obfuscated by hiding its states within the large state
space of the IC’s main FSM [20].

• PUF emulation. This attack attempts to emulate the behavior of the PUF of one unlocked IC and replicate it on the others. However, this attack is infeasible in the state-of-the-art manufacturing and software emulation is much slower and can be detected [18, 17].

• Combinational redundancy removal. Using a combinational redundancy removal software, one can try to remove all the extra states added to the different parts of the design. However, since all the modifications are integrated within the functionality of the different IPs, they are not redundant and this attack will not be successful.

IC designer level attacks and countermeasures are:

• Bypassing the PUF. The adversarial reuser may try to bypass the PUF interface to the other IPs so that only one key is needed to unlock different IPs, maintaining only the connections of the PUF to the main BFSM to keep the reuser rights. However, it is the responsibility of the CA to check the interfaces and ensure that the PUF is properly connected to the IPs.

• Tampering with the PUF. The designer can tamper with the PUF such that one of the racing paths is much longer than the other. This can cancel out the effect of MV and produce deterministic output for all the ICs. However, the trusted system verifier should also test and certify the PUF’s randomness [18, 17].
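
A behavioural model of the delay-based PUF of Section 5.2 with one feed-forward arbiter, together with the kind of randomness check the verifier is expected to run against the tampering described above. This is an added Python example, not the authors' code; the Gaussian stage delays, the stage count, the feed-forward positions, the `tamper_delay` parameter and the acceptance thresholds are all assumptions.

```python
import random

N_STAGES = 16            # switches in the racing path pair (size assumed)
FF_SRC, FF_DST = 5, 11   # arbiter after stage 5 drives the select of stage 11 (assumed)
N_CHALLENGE = N_STAGES - 1   # the feed-forward switch is not part of the challenge


class DelayPUF:
    """One response bit of a delay-based PUF with one feed-forward arbiter."""

    def __init__(self, chip_seed, tamper_delay=0.0):
        rng = random.Random(chip_seed)  # stands in for manufacturing variability
        # delay[stage][select] = (delay seen by top signal, delay seen by bottom signal)
        self.delay = [[(rng.gauss(10.0, 1.0), rng.gauss(10.0, 1.0)) for _ in (0, 1)]
                      for _ in range(N_STAGES)]
        self.tamper_delay = tamper_delay  # design-level extra delay on one racing path

    def response(self, challenge):
        if len(challenge) != N_CHALLENGE:
            raise ValueError("challenge must have %d bits" % N_CHALLENGE)
        bits = iter(challenge)
        top = bottom = 0.0
        ff_bit = 0
        for stage in range(N_STAGES):
            sel = ff_bit if stage == FF_DST else next(bits)
            d_top, d_bot = self.delay[stage][sel]
            if sel:   # crossed switch: the two signals swap tracks
                top, bottom = bottom + d_top, top + d_bot
            else:     # straight switch
                top, bottom = top + d_top, bottom + d_bot
            if stage == FF_SRC:
                ff_bit = 0 if top < bottom else 1   # feed-forward arbiter
        top += self.tamper_delay
        return 0 if top < bottom else 1   # final arbiter: 0 if top arrives first


def make_challenges(count, seed=0):
    """Constructed challenge set, reproducible from the seed."""
    rng = random.Random(seed)
    return [[rng.randint(0, 1) for _ in range(N_CHALLENGE)] for _ in range(count)]


def response_vector(puf, challenges):
    return [puf.response(c) for c in challenges]


def uniformity(puf, challenges):
    """Fraction of 1s over the challenge set; near 0.5 when the race is balanced."""
    bits = response_vector(puf, challenges)
    return sum(bits) / len(bits)


def inter_chip_distance(puf_a, puf_b, challenges):
    """Fraction of challenges on which two chips of the same design disagree."""
    a, b = response_vector(puf_a, challenges), response_vector(puf_b, challenges)
    return sum(x != y for x, y in zip(a, b)) / len(a)


def certify_design(tamper_delay, chip_seeds, challenges, lo=0.2, hi=0.8, min_dist=0.2):
    """Verifier check over sample chips: reject a PUF design whose output is
    biased or identical across chips (thresholds are assumptions)."""
    chips = [DelayPUF(s, tamper_delay) for s in chip_seeds]
    uni = sum(uniformity(c, challenges) for c in chips) / len(chips)
    pairs = [(a, b) for i, a in enumerate(chips) for b in chips[i + 1:]]
    dist = sum(inter_chip_distance(a, b, challenges) for a, b in pairs) / len(pairs)
    return {"uniformity": uni, "inter_chip": dist,
            "certified": lo <= uni <= hi and dist >= min_dist}


if __name__ == "__main__":
    ch = make_challenges(256)
    print("balanced design:", certify_design(0.0, [1, 2, 3, 4], ch))
    print("tampered design:", certify_design(1000.0, [1, 2, 3, 4], ch))
```

Measurement noise is not modelled, so the same chip always returns the same bit for the same challenge; a real flow would add the error correction mentioned in Section 3.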

7. EXPERIMENTAL RESULTS
The proposed method is implemented and evaluated using
the Berkeley SIS synthesis tool. All the programs are written
in C. MCNC’91 sequential benchmarks are used to represent
FSMs of different IPs. It should be noted that the FSM
that contains the control part of any IP represents a very
small fraction of the overall size of the design [13]. Thus,
even tripling the overall area or power of these FSMs will
not significantly affect the overall area and power of the IP.
However, the delay of the FSM can affect the speed of the
IP and thus, delay is the most important design metric in
our implementation.

We show the overhead for using one and five IPs. Table 1
demonstrates the overhead when applying the metering
method on one IP. The overhead number includes the
overhead due to both the BFSM and the CFSM. The first
column represents the name of the benchmark circuit. The second
column represents the number of primary inputs (PIs)
of the benchmark before modification. The fourth, fifth, and
sixth columns show the area, delay, and power overheads of
the benchmark before modification.

The number of IPs | % Area overhead | % Power overhead
--- | --- | ---
1 | 100 | 121
2 | 101 | 112
3 | 123 | 135
4 | 139 | 128
5 | 117 | 127
mean | 118 | 126

Table 2: CFSM overhead for integration of five IPs.

Figure 8: The change of the overhead with increasing the number of IPs sharing the PUF.

Detection of misused IP cores in a large design is a very hard problem. With the new method, no IP will be activated without the consent of its original designer.

Interval licensing by remote enabling/disabling of IPs. Runtime disabling/enabling of IPs can be done since the chips that contain the IPs are identified and can be detected online. A possible application is interval licensing, where the product royalty must be frequently paid for continuous usage of the IP; otherwise, the IP is disabled.

Software/content metering. The unique IP identifiers can be further exploited for controlling the software and content running on the hardware.

Ownership proof. The original key for operating an IP core is given only for one set of PUF responses. A way to prove the ownership of the IC is to change the challenge inputs and then ask the designer to provide a new key which renders this device operational. The designer who has the full information of the STG can easily provide the new key, but other entities cannot. Thus, the IP rights owners can assert their ownership by online checking and authentication.

Multiple levels of protection. The approach introduces symmetry to the current asymmetric business model. Not only the reuser, but also the IP designer and the fab are protected by the symmetry. In addition to preventing piracy, the false accusations of overbuilding or overuse are prevented.

Enabling pay-as-you-configure method for the reuser. The chip designer embeds its locks in the functionality of the IP cores. The reuser can design its chips such that the IPs that provide additional functionality are disabled. Only the customers who pay the proper fees may enable those IPs.

Support for the design reuse paradigm. One of the greatest challenges in reuse-based design is protection of the rights of the IP owners. Since the proposed method targets digital rights management of IPs, it supports the design reuse paradigm that is essential to the development and evolvement of the modern designs and semiconductor industry [3].

9. CONCLUSION

We introduced the first approach, architecture and implementation for actively and uniquely controlling the functionality of each IP, in a multi IP core design and reuse paradigm. The approach protects the rights of the IP core owners, reusers, and the foundry by introducing a key exchange mechanism. The IC and each of its embedded IP cores are uniquely locked upon manufacturing. The method enables the designers and reusers to actively and remotely lock/unlock their IPs on each of the ICs post-manufacturing. We discussed a number of possible attacks, and provided countermeasures against them. Experimental evaluations on standard benchmark circuits demonstrate the low overhead and the applicability of the approach on industrial-strength designs. We introduced a number of newly enabled applications in protection, DRM, and security of the IP cores.

Acknowledgment

This work is supported by the Defense Advanced Research Projects Agency (DARPA)/MTO Trust in Integrated Circuits and Young Faculty Awards (YFA) under grant award W911NF-07-1-0198 and NSF CT-0716674.
### 10. REFERENCES


---

**Table 1: The overhead of BFSM modifications for one IP.**

<table>
<thead>
<tr>
<th>C#</th>
<th>circuit</th>
<th>PI states</th>
<th>area</th>
<th>delay</th>
<th>power</th>
<th>area %</th>
<th>delay %</th>
<th>power %</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>planet</td>
<td>7</td>
<td>48</td>
<td>888</td>
<td>186.2</td>
<td>3.087</td>
<td>1752</td>
<td>70.2</td>
</tr>
<tr>
<td>2</td>
<td>s510</td>
<td>19</td>
<td>47</td>
<td>605</td>
<td>47.6</td>
<td>2.280</td>
<td>1426</td>
<td>136</td>
</tr>
<tr>
<td>3</td>
<td>s1494</td>
<td>8</td>
<td>48</td>
<td>859</td>
<td>115.6</td>
<td>2.958</td>
<td>1746</td>
<td>103</td>
</tr>
<tr>
<td>4</td>
<td>s1488</td>
<td>8</td>
<td>48</td>
<td>880</td>
<td>134.9</td>
<td>3.011</td>
<td>2045</td>
<td>132</td>
</tr>
<tr>
<td>5</td>
<td>s298</td>
<td>3</td>
<td>135</td>
<td>2.951</td>
<td>201.5</td>
<td>10.798</td>
<td>5960</td>
<td>102</td>
</tr>
<tr>
<td>6</td>
<td>dk16</td>
<td>2</td>
<td>27</td>
<td>460</td>
<td>101.7</td>
<td>1.662</td>
<td>1970</td>
<td>328</td>
</tr>
<tr>
<td>7</td>
<td>sand</td>
<td>11</td>
<td>32</td>
<td>1.092</td>
<td>74.8</td>
<td>3.917</td>
<td>1092</td>
<td>0</td>
</tr>
<tr>
<td>8</td>
<td>styg</td>
<td>9</td>
<td>30</td>
<td>633</td>
<td>128.2</td>
<td>2.170</td>
<td>2180</td>
<td>244</td>
</tr>
<tr>
<td>Mean</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>2271</td>
<td>143</td>
</tr>
</tbody>
</table>