Watermarking Your Chip Design

Design costs have been driven up by the complexity of modern chips. A Gartner/Dataquest 2003 study showed that transistors/ die are growing at a 68% compound annual growth rate while productivity (transistors/person-month) was growing at 21%. The result is larger, more expensive design teams. In addition, mask sets are priced at $0.75 million in 90 nm and growing. Simultaneously, in the art world in 2005, the New York auction season passed the $1-billion threshold in total sales for the first time. In 2006, sales reached a lofty $1.44 billion. In another measure of the health of the art market, some 106 works sold for over $1 million each in just two evenings.
What do these two seemingly unrelated worlds have to do with each other? Consider the march of ever-increasing chip-design costs and estimates:
A 180-nm application-specific integrated circuit (ASIC) averages $4 million in design costs.
A 130-nm ASIC averages $10 million in design costs.
A 90-nm ASIC averages $25 million in design costs.
Costs for a 45-nm average design could range up to $50 million.
In 2009, 32-nm design costs could be $75 million.
Now, consider the top prices paid for fine art in 2005 (Reference 1):
An abstract canvas by Willem De Kooning sold for $27.1 million.
“Green Car Crash (Green Burning Car I)�? by American pop artist Andy Warhol sold for $71.7 million.
“White Center (Yellow, Pink and Lavender on Rose)” by Rothko sold for $72.8 million.
We now have a situation where average chip designs are approaching the top prices of collectible, famous pieces of art. And the value of a chip design is not just measured in design cost, but in total revenue generation. Such revenue generation should greatly exceed the design cost (at least for successful designs).
Given the money at stake, how can a chip design be protected? Again, let’s look at the same question in the digital art world. A company that sells digital versions of valuable art must protect its product from copying in direct analogy with chip companies, which must prevent thieves from cloning their designs and reselling them. This is where watermarking enters the picture (no pun intended) (see Figure 1).

Back in the chip-design world, chip and IP protection are becoming more important as designs move toward large “system-on-a-chip�? (SoC) implementations. With the reuse of logic cores across multiple designs and with differing licensing restrictions, protection becomes much more complicated than just owner versus cloner.
Until recently, the technology of watermarking has been concerned with embedding a (typically hidden) digital signature within multimedia data for the purposes of identification. The methods that are used borrow from the fields of communication and coding as well as encryption. For example, protecting a picture with a hidden watermark might involve making slight (lowest-order-bit) changes in some of the color pixel values in a pre-arranged pattern. That pattern is controlled by an encryption key. Not knowing the key, a copier would be forced to change too many pixels in order to destroy the watermark, thus destroying the picture itself. Hence, there is a tension between the level to which a watermark is hidden and the reliability of reading it. That same tension is present in spread-spectrum communications and forward error correction (FEC). There is an obvious analogy between a jamming signal and the thief trying to destroy the watermark.
These same factors apply to chip design. However, there are many important differences as well. In the chip-design world, a number of different types of theft might occur:
Making superficial changes to the look of the chip before reselling it
Complete reverse-engineering by deconstruction, which results in a full transistor netlist or even a higher-level description
Copying/using a piece of IP that is improperly licensed
Obtaining a copy of the final GDSII file sent to the foundry
Obtaining a copy of the Verilog source code used to create the chip
A chip/IP designer may choose to protect the design at many different levels to handle a variety of theft scenarios. In order to do this, it’s important to understand the second piece of the watermarking process: proving that a theft has occurred. This typically involves reverse-engineering a possible clone chip on the market. The watermark must be visible to the reverse-engineering process on each physical chip sold.
Surprisingly, in spite of the difficulties of reverse-engineering dozens of layers consisting of millions of objects as small as 45 billionths of a meter in size, the commercial reverse-engineering market has grown into an important part of chip design. Obviously, it fulfills the desire for patent and copyright defense. Yet it also spurs innovation and investigates chip failures. Reference 2 gives a fascinating look at this process.
Here is a list of 10 ideal attributes of chip watermarks:
Multiple layers of watermarking: This aspect protects from a single-layer attack, such as changing a physical design but not the underlying gate design.
Multiple techniques of watermarking: This attribute protects against future discoveries and technology advancements that make attacks against any one watermarking technique easier.
Modular design of watermarking methods: This aspect allows watermarking to be incorporated into the design flow independent of existing IC design software.
Difficult to efface: A determined adversary must have additional hidden knowledge (such as an encryption key) in order to efface a watermark without destroying the function of the chip.
Robust against manufacturing variations: A watermark must be reliably read in the reverse-engineering process from a physical chip back to the design in order to prove theft.
Proof of ownership: The watermark must provide a secure and unique identification of the original designer/ owner of the chip so that no other parties could also claim ownership based on the same watermark.
Watermarks are orthogonal to chip design and operation: In other words, a watermark cannot extend the design process timeline or affect the operation of the chip. Different watermarks are orthogonal to each other: Watermarks can be overlaid and read reliably. Separate watermarks can be put on each piece of the design independently by different companies. In addition, all can be read reliably by their owners or by independent reverse-engineering companies for proof of theft.
Watermarks adhere to globally defined standards: Watermarks can be read by independent parties without proprietary knowledge, but only decoded by the owner. In doing so, they allow independent proof of existence and obviate dueling parties–each claiming that they can read their own watermark on a contested chip.
Watermarks show time of insertion: Each watermark is registered through some global agency. That registration is time-tagged so that in case of a multiple watermark dispute, the prior watermarks are clearly indicated over subsequent ones.
As is apparent, these requirements often conflict with each other. And some cannot be met in the strictest sense, so compromises are required. For example, making a watermark robust has the normal side effect of making the design larger. After all, redundancy must typically be added–just as redundancy must be added for error correction in a communications signal. Also, any change to the physical design of a chip has the potential (hopefully small) of altering the operational parameters of that chip. Both of these factors can have a chilling effect on watermark adoption by nervous companies, which cannot afford the possibility of destroying a multimillion-dollar design through the insertion of a tiny watermark at the last step.

Watermarking Methods

Watermarks live in a conflicted world. They must be both visible and hidden, “useful�? and “useless,�? easy to add and hard to remove. Another way of describing the useless aspect of watermarks is to say that watermarks are designed to be “orthogonal�? to whatever portion of the design is being protected. Being orthogonal to the chip design means that the watermark must not change the designed function of the chip. In other words, the watermark is in a sense a “useless�? tweak of the design. But it must simultaneously be difficult to remove and this implies that it looks like a necessary, functional part of the design. Placing a watermark, like a normal logo or signature, in the corner of the chip defeats the whole purpose of watermarking.
There are three main branches of watermarking techniques relevant to IC design: software, firmware, and hardware. Software approaches include changes in the on-board ROM code for onchip microprocessors. These software-watermarking techniques hide data using various techniques that can include interspersing encrypted constants throughout the code in multiple locations. When combined, a single encrypted bit sequence is then formed that only the designer can decrypt. This is made further robust through FEC techniques. Obviously, the contents of the ROM can be read through non-destructive means by a thief. Certainly, making cosmetic code changes is easily possible. It is more difficult to ascertain which constants are not used. The designer could even go ahead and access their locations without actually using them in operation. In addition, there are watermarking methods that try to change machine-code instructions in a defined manner without changing its final function. For example, there are several different methods to accomplish the same IF-THEN logical test using typical machine instructions.
These techniques will not come into wide usage until they can be done automatically and painlessly with guaranteed non-interference to the original code. In most cases, the cost to this watermarking is a small increase in code space and a negligible increase in processing time. The main objection to these methods is that even slight changes to code can cause serious timing and verification problems if they’re done within critical sections in tight loops or interrupt handlers. This isn’t an easy objection to overcome by an automatic process.
Firmware approaches apply to reconfigurable logic, such as fieldprogrammable gate arrays (FPGAs), and include encoding unused lookup-table (LUT) bits in FPGA configuration memory and unused interconnects in configurable logic blocks (CLBs). Essentially, firmware approaches to watermarking are very similar to software approaches in spirit. Their properties and objections also are similar. The watermarking of FPGAs and watermarking of software in general are big topics in their own right that are beyond the scope of this short article.
Hardware approaches are our main emphasis here. There are many different methods to watermark a chip. The reader can find papers in the references (3-8) illustrating each of the examples below:
Modify the routing using left/right bends in certain patterns.
Use a particular sequence of even/odd number of vias.
Use fake (unconnected) vias to try to fool the reverseengineering process.
Use substrate connections in certain places and patterns.
Use a variable number of fingers to implement a given width/length ratio in a transistor.
Add constraints to the design cycle for synthesis, place and route, etc.
Add circuitry in some ad-hoc fashion that looks useful, but does nothing.
Create filter coefficients that have encoded special sequences embedded within them, but still meet their specification.
Encode a sequence in the ripple pattern of a digital filter’s frequency response.
Encode a filter architecture by modifying each stage of the filter.
These watermarks can be added at the various stages of IC design. Some examples are shown in Figure 2.

Contraint-based methods: These methods are probably the most widely used watermarking techniques available. They can be used in a wide variety of ways at different levels of the design process. The goal is to hide a watermark within a design by incorporating extra design conditions (beyond the ones necessary to meet the design goals). Those extra design conditions are used to encode a watermark. The steps are to create a standard translation from watermark bit sequence to design constraint, add watermark constraints to design constraints, and optimize this new modified design (typically an NP-hard problem). Constraints can be added to logic synthesis, place and route, floor planning, etc. Constraint-based methods are widely applicable and certainly do hide the watermark within the design while making the watermark difficult to extract. They have some downsides because of the difficulty of adding constraint-based methods to the traditional tools in the design process. In addition, they alter the design in ways that may not be at all obvious. They do, however, work hand in hand with polygon methods to offer a more complete watermarking solution across the design cycle.
Watermarking the layers (polygon methods): Aside from looking at watermarking as a time-sequential process following the design cycle, it also can be seen from the purely physical-layer point of view. In Table 1, the basic design layers are listed for a (relatively) simple 2- poly, 6-metal process.

Watermarking could be applied to any of these polygons, which have a visible physical realization subject to design-rule constraints. On all of the arcs (wires), for example–when a bend occurs and space is available–a small nub could be added in one of several directions. It would be controlled by the underlying secret watermarking sequence. Assuming that only metal and poly are used, this gives eight layers for manipulation at every available corner (or for that matter, every point at which design-rule constraints allow). The effect of such small changes would be to slightly change the capacitance of the wire. In most of the design, this would have a negligible effect. As with any watermarking method, however, there is the potential for unintended side effects.
Vias and contacts are constructed from the 10 contact-node layers. Again, where design rules allow, they could be single or double in size based on a secret binary sequence and design constraints. Even an orientation strategy could be used as appropriate to position a dual via horizontally or vertically.
In general, there are many geometric ways to encode a sequence into the physical polygons that make up a design–beyond the specific methods mentioned above. All that is required is that the function is not affected. Position methods would slightly reposition a polygon horizontally, the width or length could be slightly altered, and the orientation could be changed. Even the polygon count could be altered by the duplication of some particular piece.
If the watermark is restricted to the top layer of metal, it becomes easy to insert in the design cycle and especially easy to read by third parties to prove a theft has occurred. After all, no etching/ grinding is required to read the lower layers. Yet it also becomes easier to clone. A thief only needs to re-route the top layer and the watermark will disappear.
Spreading techniques: Spreading techniques provide a method to ensure that watermarks are actually invisible, rather than simply unobvious. Like WiFi and CDMA for cell phones, slight changes in the GDSII polygon geometry (below the design process parameter lambda) could be used to hide a bit sequence within the chip. By using correlation against the known key, the watermark could then be detected. While spreading would provide the ideal method to hide a watermark, this technique is not likely to come into immediate use for several reasons. For one, it would require a very detailed characterization of both the lithographic process as well as the inverse methods to extract chip information. In the communications world, noise is assumed to be Gaussian and white. But chip process variations can be far from Gaussian and white in nature. Another reason is that most design houses actually snap a design to a lambda grid, so the hidden watermark would be immediately erased. Even if the polygon watermark survives the lambda grid problem, there are many additional foundry processing steps where it could be erased or altered beyond recognition.
Modularized watermarking within the design cycle: It would be ideal in the near term if watermarking were a separate set of modularized processes that take in agreed-to file formats at each stage of chip design and produce a new file with watermarks embedded for the next design stage. That way, existing design tools and processes could be used without modification. In addition, any problem with the watermarking software could be isolated to a particular stage of the design process. Eventually, the forces of standardization would subsume the watermarking into existing tools that could interoperate across the design cycle as well as across companies involved in the design.
Numbering/reference schemes: Watermarks would be meaningless without some way of knowing how to pick out the watermark from a physical layout or design. Doing this requires a reference and numbering scheme so that the apparently meaningless set of chip alterations can be mapped to bit sequences. This is actually one of the most difficult parts of watermarking. The reference scheme must be robust to chip size, orientation, process parameters, process variation, etc. Marks near the pad ring can be used for coarse orientation and 2D location reference. But the fine details of referencing—say, which bend of which wire has a 0 or 1 nub–require a much more detailed technique. After the physical reference is determined, it must be tied to a higher-level reference at the transistor and gate level to handle higher-level watermarks.
Digital signatures: Encryption, in particular public-key encryption, is a critical piece of any watermarking scheme. It provides the underlying methodology for several of the previous watermarking criteria including proof of ownership. Here is an example showing how such encryption could be used for digital signatures within watermarks: A designer has both a public and private key. The private key is used for all internal watermarking by creating a hash of the watermark bit sequence and then encrypting the hash. Suppose the design is then sent to a foundry for final place and route. The company would also send along any additional signed messages for the final watermarking of the physical layers. In the case of IP dispute, a third party can read the watermarks and–using the public key–verify the digital signature and present this evidence to the court. No other company could have created the correct signature because it lacks the private key. this example, a public-key method provides many additional benefits over a strictly private-key method. The company can hand out the public key to both the foundry and the third-party investigators without giving away its private key.
Although there are several methods to implement the actual encryption, they all use a one-way function. This function is relatively easy to compute, but hard to invert. One such function involves factoring. Two primes are chosen and multiplied together to become your key or signature (these are typically a small multiple of 1K in length). This can be made public, but your private key (the factors) are kept secret. You prove that this is your signature by your ability to factor the key. Of course, a watermark bit sequence would be more complex and have encrypted data, such as company name, date, registration key, etc.
Communications capacity of a watermark: We have alluded to the watermarking bit sequence, but what is the information capacity possible for such a chip watermark? Clearly, it depends both on the lambda from the process ( ) and the size of the die ( ). But it also depends on the watermark density (Di), the coding/signature overhead (Ci), and any spreading factor (Si) used to make the watermark invisible. Here then is the bit-capacity formula where the sum is over all watermarked layers:

We can get a rough feel for the watermark density that’s possible using polygon alteration by looking at watermarking a NAND gate. Figure 3 shows 10 possible locations where small changes in one of the layers could be affected without violating design rules. If we assume a 1-x-1-cm die, a 100-by-NAND gate, and 10 watermark bits per NAND gate density, we can get results at different process nodes (see Table 2). This is not counting any higher metal layers.

Clearly, the watermarking capacity of a chip is large enough to handle multiple IP owners and a large number of bits of information.

Further Watermarking Issues

Incorporating watermarking in IP: A watermark can be incorporated into IP (not just by the final chip designer) at all of the various stages by the owner of that IP (who is primarily interested in making sure that royalties are being paid). Consider the three kinds of IP:
The levels of watermarking that have been discussed are available to the IP owner–from low-level layout to highlevel design watermarks.
Firm – A netlist prevents the routing and layout-based methods, but all higher ones are available.
Soft – Synthesizable RTL could only use gate-level and above watermarking techniques (as well as software/ firmware schemes to protect the code itself ).
Now, there is a flip side to this discussion because the SoC user might have very good reasons to want to protect his or her architecture. Part of that involves protection of the IP involved. The watermarking options are mainly the inverse of those of the IP owner. Soft IP will have all options from gate level down to layout. In contrast, firm IP will have routing and layout options available while hard IP will have only low-level layout options.
Globally defined standard: One of the best reasons for having a globally defined standard for watermarking is in the case of legal disputes. Suppose that a legal situation arises where the issue is theft of IP through chip cloning. It is now up to both parties to prove their respective positions in court. Let’s suppose that company A has priority in time and is bringing the lawsuit against company B. It hires reverse-engineering laboratory C to prove there has been copying of IP. Then, company B would hire reverse-engineering specialist D to testify just the opposite–that the designs are different enough to not constitute copying. This situation is entirely possible in a courtroom, where technical lawsuits often become battles of opposing expert witnesses. And there is always the possibility of collusion between A and C or B and D because of other business arrangements.
How can a jury without a deep technical background in reverseengineering decide correctly? It would be much better if watermarks were completely standardized and the task of a court-appointed reverse-engineering lab was simply to extract watermarks from all levels of both physical chips on the market. Then, a verification of the digital signatures would be a powerful witness to the truth.
Of course, there is always a downside to standards (aside from the usual case of having too many from which to choose). If watermarks have been standardized, they will in some ways be easier to attack and efface. Knowing exactly what in a design has been changed makes it easy to add further changes in order to efface it. The thief doesn’t need to reproduce it to destroy it. And being modular in the design cycle just makes it that much easier. I believe, however, that the benefits of standardization greatly exceed the costs.
Ghost watermarks: A ghost watermark is an unintentional watermark that a cloner can look for and claim as his own. In other words, it’s like looking for meaning in a bowl of alphabet soup. Clearly, the protection against this is having a globally defined watermark standard and use of a public key. While the cloner could produce random strings embedded in the chip that he claims are his intentional watermarks, they could not be decrypted using standardized watermarking decryption methods.
Second watermarks: The cloner could insert a second watermark on top of the first. Without some means of proving priority, it would be difficult to say who is the owner and who is the cloner because both watermarks are valid. A solution is to have an independent registration facility where initial manufacturing could be time-tagged. This could be similar in spirit to the one for PGP e-mail athttp://www.itconsult.co.uk/stamper.htm.
Other uses for watermarks: Embedded watermarks can have purposes other than protection against copying and forgery:
They can provide unique fingerprints to indicate when or where the product was manufactured.
They may identify the entire set of design owners rather than just the final SoC designer.
They can tag batches of chips to allow tracking the source of low-yield die or other manufacturing problems.
The Intellectual Property Protection (IPP) DWG was created in 1997 to address the issue of the protection of virtual components (VCs). By late 1999, the VSI Alliance (VSIA) had established eight Development Working Groups (DWGs) supporting the VSIA vision: “To dramatically accelerate system chip development by specifying open standards that facilitate the mix and match of virtual components (VCs) from multiple sources.�?
What then is the future of the adoption of watermarking technologies for VLSI? Quoting from the VSI Alliance White Paper (IPPWP1 1.1) issued by the Intellectual Property Protection Development Working Group: Promising recent work suggests that efficient tools and methods are emerging to make the cost of both implementation and detection of watermarks economically feasible in the not-too-distant future.
The full document is available for download on the alliance website:www.vsi.org. Unfortunately, on July 9th of last year, the VSI Alliance announced that it would close operations, leaving no standards body (to the author’s knowledge) focused on the issues being discussed. The interested reader can learn more about chip watermarking from references 9 and 10.

Reference

• Kumagai, J., “Chip Detectives,” IEEE SPECTRUM, pp. 43-48, November 2000.
• Charbon, E., “Hierarchical Watermarking in IC Design,” IEEE 1998 Custom Integrated Circuits Conference, pp. 295-298, 1998.
• Charbon, E. and Torunoglu, I., “Watermarking layout topologies,” ASPDAC, pp. 213-216, 1999.
• Qu, G., “Keyless Public Watermarking for Intellectual Property Authentication,” 4th Information Hiding Workshop, pp. 103-118, LNCS Vol. 2137, Springer-Verlag, April 2001.
• Qu, G., “Publicly Detectable Techniques for the Protection of Virtual Components,” 38th ACM/IEEE Design Automation Conference Proceedings, pp. 474-479, June 2001.
• Oliveira, A.L., “Robust Techniques for Watermarking Sequential Circuit Designs,” 36th ACM/IEEE Design Automation Conference Proceedings, pp. 837-842, June 1999.
• Ohbuchi, R., Masuda, H., and Aono, M., “Watermarking Three Dimensional Polygonal Models Through Geometric and Topological Modifications,” IEEE Journal on Selected Areas in Communications, Vol. 16, No. 4, pp. 551-560, April 1998.
• Charbone, E. and Torunoglu, I., “Watermarking Techniques for Electronic Circuit Design,” Digital Watermarking: First International Workshop, Springer-Verlag, Vol. 2613/2003, pp. 347-374.
• Qu, G. and Potkonjak, M., Intellectual Property Protection in VLSI Design: Theory and Practice, Springer, 2003.