Direct answer — A SAT attack is an algorithmic (SAT-solver–guided) method that breaks logic locking by querying a working “oracle” (a functional chip or model) to find distinguishing input patterns and recover the secret key, while an SMT attack extends that idea using richer Satisfiability Modulo Theories reasoning (SMT solvers) or symbolic constraints to handle more complex protections or non-Boolean components.

Quick definitions

  • SAT attack (short): Uses a Boolean SAT solver plus an oracle of the correct circuit to iteratively find input patterns that distinguish different key candidates and eliminate wrong keys until the correct key(s) remain.
  • SMT attack (short): Uses an SMT solver (which reasons about SAT plus theories such as bit-vectors, arithmetic, arrays, etc.) or symbolic constraint solving to defeat schemes that add non-Boolean functions, arithmetic, or other structures that plain SAT solvers handle poorly.

How a SAT attack works (stepwise)

  1. Start with the locked netlist and access to a correct implementation (the oracle).
  2. Build a miter: two copies of the locked circuit with the same primary inputs but different key variables, and an output that indicates when outputs differ.
  3. Ask a SAT solver for an input that makes the two copies disagree (a distinguishing input).
  4. Query the oracle with that input to learn the correct output; add a constraint that any candidate key must produce the oracle’s output for that input.
  5. Repeat: use the SAT solver with accumulated constraints to find new distinguishing inputs until no more exist; remaining key(s) are consistent with the oracle and are returned as the solution.

Why SAT attacks are effective

  • They reduce key search from exponential brute force to a series of SAT problems that often converge quickly in practice.
  • They require only a functioning oracle (e.g., a working chip or golden model), not physical decapsulation or side channels.

When SMT-style attacks are used

  • When the locked design includes constructs not easily expressed as pure Boolean CNF (for example, integer arithmetic, arrays, or bit-level arithmetic optimized in ways that blow up CNF encodings).
  • When defenses intentionally add arithmetic, stateful blocks, parameterized functions, or other structures to defeat plain SAT encodings; SMT solvers can encode richer theories (bit-vectors, linear arithmetic, uninterpreted functions) and may find solutions SAT solvers miss or handle more compactly.

Typical defenses and how the attacks relate

  • Simple logic locking (XOR/XNOR key gates) was broken by SAT attacks; defenses then evolved (e.g., SARLock, Anti-SAT, etc.) to try to increase SAT difficulty or require more oracle queries.
  • Defenses that add arithmetic or high-level constructs can force SAT encodings to explode; SMT-based approaches or hybrid methods (SAT + theory reasoning, incremental solving, or heuristic-guided search) are then used to recover keys or bypass protections.

Practical notes and limitations

  • Both attack types typically require an oracle (a functioning device or golden reference); without an oracle, purely structural attacks are harder.
  • Attack runtime depends on the locking scheme and circuit structure—some defenses make SAT/SMT solving impractical in time or memory, though adversaries often develop tailored heuristics.
  • SMT solvers can be slower per query but may avoid exponential CNF blow-up for certain constructs.

Short illustrative example

  • Imagine a locked adder replaced with a key-controlled adder block that relies on arithmetic properties: encoding that whole behavior into CNF can be large; an SMT attack can reason about bit-vector addition directly and find keys more compactly.

If you want, I can:

  • Provide a concise, cited reading list of foundational papers (e.g., the original SAT-attack paper, follow-ups on Anti-SAT and SAT-resistant schemes) and open-source implementations; or
  • Produce a small diagram or step-by-step pseudo-code showing the SAT-attack loop.

Bottom note: Information gathered from public forums or data available on the internet and portrayed here.