Close
About
FAQ
Home
Collections
Login
USC Login
Register
0
Selected
Invert selection
Deselect all
Deselect all
Click here to refresh results
Click here to refresh results
USC
/
Digital Library
/
University of Southern California Dissertations and Theses
/
Security-driven design of logic locking schemes: metrics, attacks, and defenses
(USC Thesis Other)
Security-driven design of logic locking schemes: metrics, attacks, and defenses
PDF
Download
Share
Open document
Flip pages
Contact Us
Contact Us
Copy asset link
Request this asset
Transcript (if available)
Content
SECURITY-DRIVEN DESIGN OF LOGIC LOCKING SCHEMES: METRICS, ATTACKS, AND DEFENSES by Yinghua Hu A Dissertation Presented to the FACULTY OF THE USC GRADUATE SCHOOL UNIVERSITY OF SOUTHERN CALIFORNIA In Partial Fulfillment of the Requirements for the Degree DOCTOR OF PHILOSOPHY (ELECTRICAL ENGINEERING) December 2022 Copyright 2023 Yinghua Hu Dedication To my parents, Hongxiu and Huijun, and grandparents, Nonghou and Jinlian, who have always believed in the power of knowledge and inspired me. To my lovely wife, Meiying, for being my best soulmate and cheerleader throughout the doctorate program and guiding me home. ii Acknowledgments This dissertation would not have been made possible without the mentorship and support of my Ph.D. advisor and committee chair, Professor Pierluigi Nuzzo, and my committee members, Professor Peter A. Beerel and Professor Chao Wang. I have always aspired to become a researcher in hardware security, and it is truly a privilege of a lifetime to have received my doctoral training at the University of Southern California. With utmost gratitude, I would like to acknowledge the unwavering support and guid- ance of Professor Pierluigi Nuzzo. I joined his lab at USC five years ago as one of his first Ph.D. students. At that time, I did not have much hardware security experience and was uncertain whether I would ever become a good researcher in this field. I still remember my first in-person meeting with Professor Nuzzo, during which he was very patient and thoroughly introduced the background of hardware security to me. Since then, Professor Nuzzo has not only given me advice on tackling specific research problems but also kept sharing his philosophy of conducting scientific research, which further propelled me to- ward completing this dissertation. Although not every exploration attempt will indeed lead to great outcomes in academic research, I was still frustrated, sometimes depressed, about not having much progress on my projects in my first two years at USC. I sincerely iii appreciate that Professor Nuzzo gave me enough space to explore, falter at times, and eventually find my way through this journey. I also sincerely appreciate Professor Peter A. Beerel’s guidance and mentorship. He has been my invaluable committee member, mentor, and collaborator during my Ph.D. studies at USC. Professor Beerel has cultivated a warm, collaborative environment be- tween our groups. I feel very fortunate to have worked with him on many research projects and benefited from his feedback on my research. In addition, I am very grateful for all his words of encouragement along the way, which helped me move through the most challenging time of my Ph.D. journey. My gratitude also goes to Professor Sandeep Gupta, Professor Shahin Nazarian, Pro- fessor Akhilesh Jaiswal, and Professor Chao Wang for their valuable suggestions on my research. Their expertise in hardware security, VLSI, and formal verification helped mo- tivate and guide this dissertation’s development. My Ph.D. study would not have succeeded without the generous sponsorship from the Air Force Research Laboratory (AFRL) and the Defense Advanced Research Projects Agency (DARPA). These institutions have provided the ultimate support and encourage- ment to our team’s research. Moreover, my research projects have also benefited tremen- dously from collaborating with Matthew French, Vivek V . Menon, Andrew Schmidt, and Joshua Monson from the Information Sciences Institute, USC. The fruitful discussions with these brilliant minds constantly informed me about how to produce cutting-edge security research and encouraged me to pursue my career goals. iv In all my projects, I have always benefited from close collaborations with my peers. A big shout-out to Kaixin Yang and Yuke Zhang. You always trusted me when I had crazy ideas and tackled all the problems with me. You also generously offered so many talented ideas that solved numerous problems that we never thought we could have done. Without you having my back, I wouldn’t have survived all the tortuous peer review processes. I am also profoundly grateful to Subhajit Dutta Chowdhury, Dake Chen, Xuan Zhou, and Chanwook Oh, who have provided invaluable input to my research. Last but not least, I want to thank my family. My best time at USC was when I met my wife, Meiying. She gave me a warm and supportive home. She always has the power to cheer me up when I am down, inspire me to see good things out of bad things, and keep me down to earth when praises surround me. Also, many thanks to my parents, who have always trusted me and provided me with all the love and support. I also want to take the time and thank my grandma, who raised me when I was young. I miss her forever. This dissertation marks the official completion of my journey as a student. Never- theless, as the Chinese idiom says, there is no end to learning. I will carry on all the knowledge I learned and the kindness I received in my future life, career, and studies. Yinghua Hu October 2022 v Table of Contents Dedication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Security Threats in the Integrated Circuit (IC) Supply Chain . . . . . . 1 1.2 Countermeasures Against IC Reverse-Engineering . . . . . . . . . . . . 3 1.2.1 Split Manufacturing . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2.2 IC Camouflaging . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2.3 IC Watermarking . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2.4 Logic Locking . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.3 Challenges for Secure Logic Locking Development . . . . . . . . . . . 8 1.3.1 Evolution of Logic Locking Methods . . . . . . . . . . . . . . 8 1.3.2 Dilemma Between Security and Cost . . . . . . . . . . . . . . . 10 1.4 Dissertation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1.5 Major Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 1.5.1 Theory: Formalisms for Logic Locking . . . . . . . . . . . . . 14 1.5.1.1 Modeling and Metrics for Combinational Logic Locking 14 1.5.1.2 Correlating Functional Corruptibility With Progress of SAT-Based Attacks . . . . . . . . . . . . . . . . . . 15 1.5.2 Attacks: Accelerating SAT-Based Attacks With Guidance by Functional Corruptibility . . . . . . . . . . . . . . . . . . . . . 16 1.5.3 Defenses: Risk-Aware Mitigation . . . . . . . . . . . . . . . . 17 1.5.3.1 Sporadic-Authentication-Based Sequential Logic Locking . . . . . . . . . . . . . . . . . . . . . . . . . 17 1.5.3.2 Enhancing Logic Locking Against Machine Learning- Based Attacks . . . . . . . . . . . . . . . . . . . . . 18 vi 1.5.4 Security-Aware Design Space Exploration . . . . . . . . . . . . 19 1.6 Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Chapter 2: Background and Related Work . . . . . . . . . . . . . . . . . . . . 22 2.1 Combinational Logic Locking . . . . . . . . . . . . . . . . . . . . . . 22 2.2 Sequential Logic Locking . . . . . . . . . . . . . . . . . . . . . . . . . 23 Chapter 3: Risk-Aware Design Space Exploration of Combinational Logic Locking 27 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 3.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 3.2.1 Circuit Representation . . . . . . . . . . . . . . . . . . . . . . 30 3.2.2 Attack Assumptions . . . . . . . . . . . . . . . . . . . . . . . . 31 3.3 Security Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 3.3.1 Functional Corruptibility . . . . . . . . . . . . . . . . . . . . . 31 3.3.2 SAT Attack Resilience . . . . . . . . . . . . . . . . . . . . . . 32 3.4 A Notion of Risk for Logic Locking . . . . . . . . . . . . . . . . . . . 33 3.4.1 Boolean Learnability Risk . . . . . . . . . . . . . . . . . . . . 33 3.4.2 Isolation Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 3.4.3 Repetition Risk . . . . . . . . . . . . . . . . . . . . . . . . . . 36 3.4.4 Identification Risk . . . . . . . . . . . . . . . . . . . . . . . . 38 3.5 Obfuscation Design Space Exploration Engine . . . . . . . . . . . . . . 39 3.5.1 Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . 39 3.5.2 Two-Level Optimization-Based Algorithm . . . . . . . . . . . . 41 3.6 Optimization Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 3.6.1 Validation of the Methodology . . . . . . . . . . . . . . . . . . 44 3.6.2 Locking the Common Evaluation Platform . . . . . . . . . . . . 45 3.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Chapter 4: On the Security of Sequential Logic Locking Against Oracle-Guided Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 4.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 4.2.1 Sequential Logic Locking . . . . . . . . . . . . . . . . . . . . . 53 4.2.2 SAT-Based Attacks . . . . . . . . . . . . . . . . . . . . . . . . 55 4.3 Bounded-Depth Functional Corruptibility . . . . . . . . . . . . . . . . 59 4.3.1 FC and Unrolling Depth . . . . . . . . . . . . . . . . . . . . . 59 4.3.2 FC and Key Search Progress . . . . . . . . . . . . . . . . . . . 63 4.4 Functional Corruptibility-Guided SAT-Based Attack . . . . . . . . . . . 65 4.4.1 Attack Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 4.4.2 Attack Termination Conditions . . . . . . . . . . . . . . . . . . 67 4.4.2.1 Unique Key . . . . . . . . . . . . . . . . . . . . . . . 68 4.4.2.2 Model Checking Equivalence . . . . . . . . . . . . . 69 4.4.3 Complexity Analysis . . . . . . . . . . . . . . . . . . . . . . . 71 vii 4.5 Fun-SAT+: A Key-Length-Agnostic Attack . . . . . . . . . . . . . . . 72 4.5.1 Attack Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 4.5.2 Approximate Termination Condition . . . . . . . . . . . . . . . 76 4.6 Evaluation Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 4.6.1 Evaluation Setup . . . . . . . . . . . . . . . . . . . . . . . . . 78 4.6.2 Operation ofFun-SAT: A Case Study . . . . . . . . . . . . . . 80 4.6.3 Evaluation ofFun-SAT . . . . . . . . . . . . . . . . . . . . . . 81 4.6.4 Evaluation ofFun-SAT+ . . . . . . . . . . . . . . . . . . . . . 84 4.6.5 Enhancing KC2 with Fun-SAT . . . . . . . . . . . . . . . . . . 88 4.7 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 4.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Chapter 5: Sporadic-Authentication-Based Sequential Logic Locking . . . . . . 94 5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 5.2 Multi-Authentication-Based Sequential Logic Locking . . . . . . . . . 97 5.2.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 5.2.2 Authentication Protocol . . . . . . . . . . . . . . . . . . . . . . 98 5.2.3 Overview of the Locking Scheme . . . . . . . . . . . . . . . . 99 5.2.4 Back-Jumping Module . . . . . . . . . . . . . . . . . . . . . . 101 5.2.5 Encryption Finite State Machine (ENC-FSM) . . . . . . . . . . 103 5.2.6 Guaranteeing Real-Time Operation . . . . . . . . . . . . . . . . 104 5.2.6.1 High-Priority Task Triggered in the Encrypted Mode (CaseÀ). . . . . . . . . . . . . . . . . . . . . . . . . 107 5.2.6.2 High-Priority Task Triggered in the Functional Mode (CaseÁ). . . . . . . . . . . . . . . . . . . . . . . . . 107 5.3 Security and Performance Analysis . . . . . . . . . . . . . . . . . . . . 109 5.3.1 Brute-Force Attack . . . . . . . . . . . . . . . . . . . . . . . . 109 5.3.2 Sequential SAT-Based Attack . . . . . . . . . . . . . . . . . . . 111 5.3.3 FSM Extraction and Structural Analysis . . . . . . . . . . . . . 113 5.3.4 Cycle Delay Analysis . . . . . . . . . . . . . . . . . . . . . . . 114 5.4 Simulation Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 5.4.1 Functional Verification . . . . . . . . . . . . . . . . . . . . . . 117 5.4.2 Sequential SAT-Based Attacks . . . . . . . . . . . . . . . . . . 118 5.4.3 Impact of High-Priority Tasks . . . . . . . . . . . . . . . . . . 118 5.4.4 Implementation Overhead . . . . . . . . . . . . . . . . . . . . 120 5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Chapter 6: Enhancing Logic Locking Against Machine Learning-Based Attacks 123 6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 6.2 Background and Related Work . . . . . . . . . . . . . . . . . . . . . . 126 6.2.1 Threat Model of ML-Based Attacks . . . . . . . . . . . . . . . 127 6.2.1.1 Reference Netlist Generation . . . . . . . . . . . . . 128 6.2.1.2 Training Data Extraction . . . . . . . . . . . . . . . . 128 viii 6.2.1.3 Model Training . . . . . . . . . . . . . . . . . . . . . 129 6.2.1.4 Model Inference . . . . . . . . . . . . . . . . . . . . 130 6.2.2 Countermeasures to ML-Based Attacks . . . . . . . . . . . . . 131 6.3 Proposed Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 6.3.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 6.3.2 Altering the Mapping Between Circuit Function and Correct Key 134 6.3.3 DECOR: Structure-Key Decorrelation Method . . . . . . . . . . 138 6.3.3.1 Algorithm 4 returns the same locked circuit function . 140 6.3.3.2 Algorithm 4 returns the same correct key . . . . . . . 141 6.4 Validation Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 6.4.1 Experiment Setup . . . . . . . . . . . . . . . . . . . . . . . . . 143 6.4.2 XBI vs. DECOR-XBI . . . . . . . . . . . . . . . . . . . . . . . 144 6.4.3 SARLock vs. DECOR-SARLock . . . . . . . . . . . . . . . . 146 6.4.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 6.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Chapter 7: Conclusions and Future Work . . . . . . . . . . . . . . . . . . . . . 150 7.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 7.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 7.2.1 Design Space Exploration for Sequential Logic Locking . . . . 153 7.2.2 Incorporating Low-Risk Solutions for Design Automation . . . 154 7.2.3 Security Analysis of Reconfigurable-Logic-Based Locking . . . 155 Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 A Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 A.1 Proof of Theorem 2 . . . . . . . . . . . . . . . . . . . . . . . . 166 A.2 Proof of Lemma 3 . . . . . . . . . . . . . . . . . . . . . . . . . 167 A.3 Proof of Theorem 4 . . . . . . . . . . . . . . . . . . . . . . . . 168 A.4 Proof of Theorem 5 . . . . . . . . . . . . . . . . . . . . . . . . 169 ix List of Tables 3.1 Error tables withjIj=jKj= 3 (6 and4 mark incorrect and correct output values, respectively). . . . . . . . . . . . . . . . . . . . . . . . 31 3.2 Specification Options for Security and Risk . . . . . . . . . . . . . . . 44 3.3 Boolean Learnability Risk for the Five Largest IIR Logic Cones . . . . 45 4.1 Overview of the Selected Benchmark Circuits[75, 76] . . . . . . . . . . 78 4.2 Percentage of locked circuits successful attacked byFun-SAT+(App) . . 86 4.3 Runtime of KC2 with different update rules and Fun-SAT-enhanced KC2 on RLL-locked circuits . . . . . . . . . . . . . . . . . . . . . . . 89 4.4 Runtime of KC2 with different update rules versus Fun-SAT-enhanced KC2 on CBL-locked circuits . . . . . . . . . . . . . . . . . . . . . . . 90 5.1 Truth Table for a 3-Bit enc out Array . . . . . . . . . . . . . . . . . . 104 5.2 Overview of the Selected Benchmark Circuits . . . . . . . . . . . . . . 117 5.3 SAT-based attack runtime for finding the first 7 key sequences . . . . . 118 5.4 ADP Overhead Results for Full Locking . . . . . . . . . . . . . . . . . 118 5.5 ADP Overhead Results for Partial Locking . . . . . . . . . . . . . . . . 121 6.1 Comparison of different countermeasures to ML-Based attacks. . . . . . 130 6.2 Overview of the selected benchmark circuits . . . . . . . . . . . . . . . 141 x List of Figures 1.1 IC design and manufacturing flow. . . . . . . . . . . . . . . . . . . . . 2 1.2 A hardware Trojan that, once activated, freezes the clock of Module 3. 3 1.3 The gate-level view of a small combinational circuit (a) before and (b) after being locked by XOR/XNOR-based insertion [14, 29, 30]. . . . . 6 1.4 State transition diagram of a circuit locked by HARPOON [13]. . . . . 7 2.1 State transition diagrams for different sequential logic locking techniques. 24 3.1 Schematic of (a) a generic logic locking scheme, (b) XBI, and (c) SFLL-HD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 3.2 Fourier spectrum of (a) 5-input AND function and (b) 5-input pseudo- random function. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 3.3 Two-level optimization-based methodology. . . . . . . . . . . . . . . . 42 3.4 (a) Optimization traces for two specification sets on c5315. (b) Predicted versus simulated area overhead. (c) Primitives used for optimal IIR core protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 4.1 The SAT instance, visualized as a circuit diagram, formulated at the first iteration of COMB-SAT. . . . . . . . . . . . . . . . . . . . . . . . . . 54 4.2 Diagram of (a) a sequential circuit and (b) its unrolled version. . . . . . 55 4.3 Distribution of the output errors of a small locked circuit (t k = 2 and jIj= 1) for the first two and three clock cycles. . . . . . . . . . . . . . 62 xi 4.4 Illustration of the evolution of FC b with b in three different examples (DFC b = FC b FC b1 ). . . . . . . . . . . . . . . . . . . . . . . . . . 66 4.5 Circuit representation of the unique key (UK) condition. . . . . . . . . 68 4.6 Diagram of the model used for checking the termination condition of Fun-SAT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 4.7 Schematics of (a) a regular D flip-flop and (b) a modified D flip-flop with the scan-in feature. . . . . . . . . . . . . . . . . . . . . . . . . . . 73 4.8 Diagram of (a) a modified locked sequential circuit and (b) its b-unrolled version. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 4.9 Diagram of the model used for checking the termination condition of Fun-SAT+. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 4.10 The number of correct keys,jK cand j, found by Fun-SAT as a function of the assumed key length. . . . . . . . . . . . . . . . . . . . . . . . . . . 77 4.11 (a) The simulation results of five FC b (under different b) as a function of the simulation sample size S. (b) FC b vs. b for an Interlocking-locked s38584. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 4.12 Distributions of (a) the attack runtime and (b) the minimum required unrolling depth for the circuits locked with HARPOON. . . . . . . . . 82 4.13 Runtime ofFun-SAT and the reference attack on all circuits locked with Interlocking. (The key bit-length can be computed as t k jIj.) . . . . . . 83 4.14 The runtime of successful Fun-SAT+ versus the effective key bit-length jK is j of the corresponding locked circuit. . . . . . . . . . . . . . . . . . 84 4.15 The runtime of successful Fun-SAT+(App) versus the effective key bit-lengthjK is j of the corresponding locked circuit. . . . . . . . . . . . 86 4.16 Histogram of FC 10b max for all the successfully attacked circuits when evolving according to the approximate initial states. . . . . . . . . . . . 87 5.1 Conventional (a) and proposed (b) authentication protocols for logic locking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 xii 5.2 State transition diagram ofSANSCrypt. . . . . . . . . . . . . . . . . . 99 5.3 Schematic view ofSANSCrypt. . . . . . . . . . . . . . . . . . . . . . . 100 5.4 Flowchart of BJ-FSM. . . . . . . . . . . . . . . . . . . . . . . . . . . 102 5.5 enc out controls the original circuit via XOR gates. . . . . . . . . . . . 103 5.6 Flowchart of EBJ-FSM. . . . . . . . . . . . . . . . . . . . . . . . . . 105 5.7 Examples of high-priority tasks triggered in (a) the encrypted mode and (b) the functional mode. Both tasks require 5 clock cycles to finish with BJ-FSM and EBJ-FSM. . . . . . . . . . . . . . . . . . . . . . . . . . 108 5.8 An unrolled version of the locked circuit which requires n clock cycles to find the key sequence. . . . . . . . . . . . . . . . . . . . . . . . . . 113 5.9 Circuit mode switching for an authenticated user. . . . . . . . . . . . . 114 5.10 Average cycle delay as a function of PRNG bit length when the key sequence cycle length t a is 8, 16, 64, and 128. . . . . . . . . . . . . . . 115 5.11 The average HD for different node coverage: (a) 5%, (b) 10%, (c) 15%, and (d) 20%. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 5.12 Number of authentications required within 10;000 clock cycles on s38584 for different priority task loads L. The PRNG length is (a) 5 and (b) 20. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 5.13 Area, timing, power overhead increase, compared with the original SANSCrypt scheme, after the implementation of EBJ-FSM under different coverage ratios on s38584. . . . . . . . . . . . . . . . . . . . 121 6.1 The schematics of a simple circuit (a) before and (b) after being locked by XOR/XNOR-based insertion [14, 29, 30]. . . . . . . . . . . . . . . 124 6.2 Flowchart of an ML-based attack. . . . . . . . . . . . . . . . . . . . . 127 6.3 An example of feature vector extraction and encoding inSnapshot [46]. 129 xiii 6.4 (a) Many-to-one and (b) one-to-many mappings from features, associated with different locked circuit functions and netlist structures, to correct keys. Each cofactor in blue is equivalent to the original circuit function. Otherwise, the cofactor is in red. . . . . . . . . . . . . . . . . 137 6.5 Functional models of (a) the intermediate locked circuit function f int [38, 48] and (b) the locked circuit function f l after adding additional correct keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 6.6 Key prediction accuracy ofSnapshot onXBI andDECOR-XBI. . . . . . 141 6.7 Key prediction accuracy ofOMLA onXBI andDECOR-XBI. . . . . . . . 142 6.8 Area overhead for different circuits locked byXBI andDECOR-XBI. . . . 144 6.9 Key prediction accuracy ofSnapshot onSARLock andDECOR-SARLock. 144 6.10 Key prediction accuracy ofOMLA onSARLock andDECOR-SARLock. . . 145 6.11 Area overhead for different circuits locked by SARLock and DECOR-SARLock. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 6.12 PCA results of the training data set extracted from c2670, which is locked by (a) SARLock and (b) DECOR-SARLock. The two colors denote different labels, i.e., 0 and 1. . . . . . . . . . . . . . . . . . . . . . . . 147 6.13 SAT attack resilience on b17 C when it is locked with SARLock and DECOR-SARLock (N= 16) with different key sizes. . . . . . . . . . . . 147 xiv Abstract Logic locking has gained significant attention, over the past decade, as a promising so- lution to prevent the reverse-engineering of integrated circuits (ICs) by malicious third- party players on the IC supply chain. The goal of logic locking is to modify the logic of a circuit by infusing programmability in the design, e.g., by adding extra logic components and a set of input ports, called key ports, such that the circuit’s original functionality can be restored only if the correct key is applied. Unfortunately, however, the advances in logic locking methods have primarily been driven by the need to circumvent increasingly stronger attacks, possibly leaving unattended channels of sensitive information leakage exploitable by new “attack vectors”. Consequently, it has been challenging to design a logic locking scheme that provides concrete security guarantees for a reasonably long time. Recently, researchers have proposed a new group of logic locking schemes based on “redacting” the entire circuit design with reconfigurable logic, which is believed to achieve minimum information leakage and significantly cut the exploitable attack sur- face. However, implementing these locking schemes tends to be costly and impractical for most IC design scenarios. xv This dissertation addresses the challenge of providing sufficient, guaranteed security at reasonable cost by proposing a path toward principled, security-driven design methods for logic locking, where the design of a logic locking scheme is not only driven by known attacks but also guided by fundamental security metrics that help quantify the likelihood of leaking sensitive information from the implementation of the locking scheme. We start with modeling the effect of a class of logic locking methods called combinational logic locking and define security metrics that formalize notions of attack resilience and the protection level. Motivated by basic notions from learning theory, we then define an additional set of risk metrics, which can quantify the likelihood that a set of information channels, such as the original circuit’s function and the function and structure of a locked circuit can leak sensitive information. We then present an Obfuscation Design Space Exploration Engine (ODSEE) for com- binational logic locking which can efficiently search for secure, cost-effective locking strategies out of a library of existing locking primitives, guided by security and risk metrics along with traditional overhead metrics. ODSEE can provide novel combina- tional logic locking schemes, constructed by layering multiple locking primitives, which achieve significantly higher security and lower risk than any individual locking primitive with the same implementation cost. Guided by the risk metrics above, we further develop more efficient attacks as well as lower-risk defenses that have not been broken to date. Sequential logic locking is an- other category of logic locking schemes that protect the sequential logic, e.g., finite state xvi machines (FSM), of the circuit. In sequential logic locking, we identify, for the first time, a critical source of information leakage that can accelerate attacks based on Boolean sat- isfiability (SAT) solving. Our improved SAT-based attack, Fun-SAT, can break known sequential logic locking schemes, calling for the design of more secure defenses. In light of our analysis, we propose SANSCrypt, a sequential logic locking scheme based on a sporadic authentication protocol, which, for the first time, requires attackers to figure out not only the correct unlocking key but also the right time to provide the key. We demonstrate that the temporal uncertainty added by the new authentication protocol sig- nificantly helps decrease the risk of both functional and structural information leakage and prevent state-of-the-art attacks. Finally, we conclude by addressing a common risk factor in combinational logic locking schemes that can be exploited by state-of-the-art machine learning (ML)-based attacks. We propose a generic enhancement method that can be applied to all combina- tional logic locking schemes to alter the function of the locked circuits via a randomized algorithm, reducing the correlation between the netlist structure and the correct key. xvii Chapter 1 Introduction This chapter provides the background and motivation for the work in this dissertation, as well as a preview of the main results. We first discuss the major challenges in the design of secure and cost-effective logic locking. We then summarize our approaches to address those challenges. Finally, we highlight the key contributions and their organization. 1.1 Security Threats in the Integrated Circuit (IC) Supply Chain The ever-increasing costs for the design and manufacturing of modern VLSI systems have boosted a decentralized global integrated circuit (IC) supply chain, as shown in Fig. 1.1, where several essential services, such as verification, fabrication, testing, and packaging, are outsourced to different third-party contractors. Under this scenario, pro- prietary chip design information, i.e., intellectual property (IP), is inevitably leaked from 1 IC Design Specifications Fabrication Synthesis and Verification Testing Packaging System Integration End user Untrusted Trusted Figure 1.1: IC design and manufacturing flow. the original IP holder to third-party contractors. Any malicious contractors could apply various reverse-engineering techniques, e.g. [1–5], to help successfully reconstruct the chip design and understand its secret. Consequently, the recovered design could be massively produced and sold for illegal profit, which diminishes the financial interest of the original IP holder [6]. Malicious contractors may also insert a hardware Trojan (HT) to the design during the chip manu- facturing process. For most of the time, an HT stays dormant and inactive, which does not affect the normal operation of the host circuit. It can only be activated when a pre- defined rare event is satisfied. An activated HT can then cause severe consequences to the host circuit, such as causing denial of service to disrupt the normal circuit operation (DoS HT) or leaking sensitive information via secretive channels (Leakage HT) [7, 8]. An example of DoS HT is illustrated in Fig. 1.2, where the clock signal of Module 3 will be frozen once the HT is activated. DoS HT can be extremely destructive for safety- critical applications that require real-time response to user’s input, such as autonomous driving vehicles and implanted medical devices. On the other hand, Leakage HT might help attackers break hardware crypto engines more easily with the leaked information, 2 HT Trigger Clock Signal A Signal B Module 1 Module 2 Module 3 Figure 1.2: A hardware Trojan that, once activated, freezes the clock of Module 3. which could result in the breach of confidentiality in secure communication scenarios. The success of an HT lies in the fact that its triggering condition is an extremely rare event, such that the HT can avoid being easily triggered and detected during post-silicon testing. With the assistance of various reverse-engineering techniques, an attacker can better understand the original design and, thus, properly identify a rare event that can be used to activate an HT. 1.2 Countermeasures Against IC Reverse-Engineering Over the past decades, various methods have been proposed to prevent successful IC reverse-engineering that occurs on the IC supply chain, aiming to ensure the IP integrity for chip designers. Examples of these countermeasures include split manufacturing [9, 10], IC camouflaging [11], IC watermarking [12], and logic locking 1 [6, 13–26]. Among these, logic locking has received significant attention as a promising, low-overhead coun- termeasure against IC reverse-engineering. In the rest of this section, we provide a brief 1 Some papers also use the terms “logic encryption” and “logic obfuscation”. 3 introduction of the first three countermeasures, followed by a detailed discussion on the mechanism of logic locking. 1.2.1 Split Manufacturing Split manufacturing [9, 10] allows IC designers to split the design into several layers before passing each layer to a different foundry. For example, the design layout can be split into the front-end-of-line (FEOL) layers and back-end-of-line (BEOL) layers. FEOL contains only the transistors and lower-level metals, while BEOL contains the rest of the design. This method is expected to protect the design integrity as the foundry can only have a portion of the original design. After the fabrication, all layers can be aligned and integrated together. 1.2.2 IC Camouflaging IC camouflaging does not change the functionality of the protected circuit. Instead, it is a layout-level modification technique that prevents successful recognition of certain gates or modules. Different types of gates, after being camouflaged, are expected to look alike. Therefore, attackers will have to guess the correct gate type for each camouflaged gate before extracting the whole design correctly. Traditional methods to achieve IC camouflaging include adding filler cells in the unused space of a chip layout [27] and using dummy contact to fake a connection between metal layers [28]. 4 1.2.3 IC Watermarking IC watermarking is a passive IP protection scheme, meaning that does not actively make reverse-engineering the chip more difficult. Instead, it embeds a “digital signature” [12] to the design that are only known to the original IC designer. The IC designer can then use such signatures to claim ownership in a potential IP lawsuit. For example, in Chap- ter 1.2.4, we briefly discuss the use of watermark states in the finite state machine of the protected circuit. Only the IC designers know the input sequence to enter the watermark states and the expected output of the finite state machine at those states. 1.2.4 Logic Locking Logic locking achieves IC protection by properly modifying the original circuit design at the logic level, such that the modified circuit, called the locked circuit, displays a different function from the original one. To access the original function, an authorized user should follow a specific procedure to configure and “unlock” the circuit. Even if attackers successfully recover the locked circuit, they still need to know the correct unlocking procedure to access the functionality of the original design. Therefore, it is hard to further perform malicious actions, such as pirating critical IP blocks and inserting a hardware Trojan. A class of logic locking methods, namely, combinational logic locking [6, 14–17, 21–23, 25, 29, 30] aims to insert programmable elements and extra key ports into a portion of a circuit’s combinational logic, such that the correct circuit functionality can 5 G1 G2 G3 G4 I1 I2 I3 I4 O1 (a) G1 G2 G3 G4 I1 I2 I3 I4 O1 K1 KG1 K2 KG2 (b) Figure 1.3: The gate-level view of a small combinational circuit (a) before and (b) after being locked by XOR/XNOR-based insertion [14, 29, 30]. only be accessed by applying the correct key. Fig. 1.3 illustrates a simple example of an early combinational logic locking method, where an XOR gate and an XNOR gate, both denoted in red, are inserted in the original circuit. For each inserted gate, the dangling input port is regarded as a key port. Only when the two key ports, i.e., K 1 and K 2 , are assigned the value of zero and one, respectively, will the locked circuit be functionally equivalent to the original circuit. Otherwise, the signals passing through the inserted gates will be flipped, which could potentially lead to corrupted values on the circuit output. On the other hand, sequential logic locking targets the finite state machine (FSM) of the original circuit and usually involves creating new states in the original FSM and mod- ifying its transitions [13, 18, 26, 31–34]. The correct functionality is typically retrieved by either providing a key sequence, i.e., a sequence of input patterns, via the primary input ports during the first few clock cycles [13, 31] or by setting a set of key ports, if any, to fixed values throughout the circuit operation time [26, 33, 34]. Fig. 1.4 shows the state transition diagram of an FSM locked by HARPOON [13], one of the earliest 6 S e,0 S e,1 S e,3 S e,2 S f,0 S f,1 S f,2 S f,3 S f,4 S e,4 S e,5 S e,6 ∗ ∗ ∗ watermark states Figure 1.4: State transition diagram of a circuit locked by HARPOON [13]. sequential logic locking methods. The states denoted in blue represent the states in the original FSM, while the states denoted in red are the additional states created by the logic locking scheme. When powered on, the locked circuit starts in a wrong reset state S e;0 and exhibits an incorrect functionality. The authorized user must apply an appropriate sequence of input patterns, i.e., k 0 ! k 1 ! k 2 , during the first three clock cycles to enter the correct reset state S f;0 , from which the correct functionality is restored. To claim ownership of the design, HARPOON also creates a set of watermark states, i.e., S e;4 , S e;5 , and S e;6 , which can be entered when another unique sequence of input patterns, only known to the designer, is applied. Anyone who pretends to be the original designer will fail to prove so, since they do not know how to enter the watermark states and the expected circuit output behavior at those states. 7 1.3 Challenges for Secure Logic Locking Development Despite the idea of logic locking being promising, we discuss several challenges on de- veloping secure and cost-effective logic locking schemes. 1.3.1 Evolution of Logic Locking Methods Although the advancement in logic locking to address the increasingly more complicated attack vectors is ongoing, logic locking developers seem to have trapped themselves in an inefficient cat-and-mouse game, where new logic locking techniques are primarily driven by the conception of increasingly stronger attacks and the need to circumvent them, possibly leaving unattended channels of sensitive information leakage exploitable by new attack vectors. Let us take as example the history of the development of combinational logic lock- ing. Early combinational logic locking methods, e.g., [14, 29, 30], are based on in- serting XOR/XNOR gates as key gates in the original circuit, such that the locked cir- cuit can display a reasonably high output error rate unless the correct key is provided to the key ports. However, those XOR/XNOR-based insertion (XBI) techniques have later been found to be vulnerable to many attacks, among which the SAT attack [35] is the most efficient that can prune out wrong keys of an XBI-locked circuit based on solving a series of satisfiability (SAT) problems. To prevent the SAT attack, a num- ber of SAT-resilient combinational logic locking methods have been proposed, such as SARLock [15] and Anti-SAT [17], which insert point-function structures to the original 8 circuit, such that the SAT attack is forced to solve a significantly large number of SAT problems. However, these SAT-resilient logic locking methods often suffer from a low output error rate, which makes it possible for attackers to obtain a close approximation of the original circuit function even when the correct key is unknown [36]. To fix the low output error rate, researchers then propose to simply combine an XOR/XNOR-insertion- based locking method with a point-function-based locking method, which turns out to be still vulnerable in the following sense. Since a point-function has a distinct AND- tree structure, attackers may first use this structural signature to recognize and remove the point-function structure [37], hence the removal of the point-function-based locking. Attacker can then perform the SAT attack on the modified circuit to break the vulnera- ble XOR/XNOR-insertion-based locking. As a countermeasure to the potential removal attack, stripped-function logic locking (SFLL) [16] locks the circuit by first stripping a portion of the original circuit’s functionality and then inserting a point-function-like restoration module to restore the previously stripped functionality upon the application of the correct key. However, SFLL is later shown to be vulnerable to the SAT attack [38] and many other customized attacks [39, 40] based on exploiting specific functional or structural signatures in the implementation of SFLL. The example above certainly demonstrates the deficiency of the attack-driven design style of logic locking. Developers with such a mindset will most likely design new logic locking methods that are still likely to leak critical information to help attackers break it sooner. Consequently, a lack of trust may occur between logic locking developers and IC 9 designers who look forward to concrete security guarantees of any implemented locking scheme to protect their chips for a reasonably long time. A more principled, security- driven design methodology is then needed, which is not only driven by the prevention of known attacks but also guided by fundamental security metrics that help quantify the likelihood of leaking sensitive information from the implementation of the locking scheme. 1.3.2 Dilemma Between Security and Cost Among publications that propose new logic locking techniques, we often see a thorough security analysis of the proposed locking scheme, where the locking configuration, e.g., the key size, indicates the specific level of attack resilience. The overhead analysis, if any, seems to be a standalone part of the paper and does not explicitly reveal the relation between the implementation overhead of the locking scheme and its achieved security level. Without a trade-off analysis between the achieved security level and the implementation cost, it becomes difficult to select a logic locking scheme appropriate enough for IC designers who aim to achieve a high security level while maintaining a low overhead constrained by other design requirements. In fact, existing logic locking schemes may fail to achieve high security and low cost at the same time. Let us recall the development history of combinational logic locking discussed in Section 1.3.1. Most of the logic locking methods are based on inserting additional components, such as XOR/XNOR gates [14, 29, 30], multiplexers [14], and 10 point-functions [15–17], to the original circuit, which does not significantly increase the implementation overhead. However, the limitation of these “light-weight” logic lock- ing schemes is the exploitable functional or structural signatures on the locked circuits, which helps attackers break the logic locking scheme faster. On the other hand, those signatures can be largely hidden by recently proposed logic locking schemes that di- rectly redact all or parts of the original circuit with reconfigurable logic, such as look-up table (LUT) structures [21, 41, 42] and FPGA fabrics [43], leaving attackers with fewer chances to successfully develop an efficient attack. Preliminary results that support this claim have been recently advocated in the literature [37, 44], as well as in Chapter 3 of this dissertation. However, the use of reconfigurable logic blocks tends to be expensive and, in most cases, far exceeds the allocated implementation budget set by the IC design- ers. Under this circumstance, a security-driven design method for logic locking, which simultaneously considers the achieved security and the implementation cost, is needed to facilitate the development of secure, cost-effective logic locking schemes. 1.4 Dissertation Overview This dissertation presents a path toward a more principled, security-driven design method- ology for logic locking, where the development of logic locking is not only driven by the need to circumvent existing attacks, but also guided by several fundamental security metrics that can quantify the impact of sensitive information leakage from the implemen- tation of the locking scheme. Specifically, we start with providing a detailed modeling of 11 combinational logic locking, on top of which we formalize several security metrics that are deemed major concerns in the literature. Such security metrics can generically be ap- plied to measure the security of all combinational logic locking methods. Furthermore, we define an additional set of security metrics, called risk metrics, which can quantify the likelihood that a set of channels, such as the original circuit’s function and the function and structure of a locked circuit can leak sensitive information. The core of the risk met- rics is rooted in basic notions from learning theory. Although the risk measured by these metrics does not directly indicate the numerical value of any specific attack resilience, a low risk level means that the available attack surface is small for any attackers to exploit. In addition to measuring the risk of existing combinational logic locking schemes, we further develop an Obfuscation Design Space Exploration Engine (ODSEE) for combina- tional logic locking, which can be guided by our risk metrics and traditional overhead metrics, and efficiently search for secure, cost-effective logic locking strategies out of a library of existing locking primitives. ODSEE demonstrates the practicability of our risk metrics and makes it possible to automatically discover more efficient logic locking so- lutions that have not been previously found and outperform existing defenses with the same implementation cost. In addition to applying the risk metrics to guide the design space exploration in com- binational logic locking, we extend our metrics to sequential logic locking, a more com- plex category of logic locking, for which there has been fewer security analysis in the literature. Specifically, we discover, for the first time, a critical functional information 12 leakage that exists in all sequential logic locking methods. Based on this vulnerability, we develop an efficient attack, Fun-SAT, that can break most of the known sequential logic locking schemes, calling for logic locking developers to rethink the security of sequential logic locking. Considering our attack and other known attacks against se- quential logic locking, we further present a low-risk solution, SANSCrypt, a sporadic- authentication-based sequential logic locking, which is the first locking method to adopt a multi-authentication protocol, rather than the traditional single-authentication proto- col, which requires attackers to figure out not only the correct unlocking key but also the right time to provide the key. We demonstrate that the temporal uncertainty added by the new authentication protocol significantly helps decrease the risk of both functional and structural information leakage and prevent state-of-the-art attacks. Finally, we discuss the impact of machine learning (ML) on the security of logic locking. In a case study, we use our risk metrics to explain the success of the recently proposed ML-based attacks, e.g., [45–47], which exploit the strong correlation between the correct unlocking key and the locked netlist structure. We then present a low-risk enhancement method, i.e., DECOR, which can be applied to all combinational logic lock- ing techniques to significantly reduce the aforementioned correlation. Validation results show that DECOR can significantly raise the resilience against the state-of-the-art ML- based attacks. 13 1.5 Major Contributions This dissertation provides contributions in the areas of modeling and security metrics of logic locking, as well as several applications inspired by the proposed metrics, including a security-driven design space exploration engine for logic locking, efficient attacks that exploit high-risk information leakage, and low-risk defenses that can resist state-of-the- art attacks. We detail these contributions as follows. 1.5.1 Theory: Formalisms for Logic Locking 1.5.1.1 Modeling and Metrics for Combinational Logic Locking This dissertation presents a path toward a principled, security-driven design method for logic locking. As we mention in Section 1.3, previous development of logic locking was driven by the goal of preventing only the existing attacks. New defenses designed under this methodology tend to be soon broken by attackers who exploit new channels of infor- mation leakage on the implementation of the locking scheme. Our approach addresses this limitation by proposing a set of formally defined security metrics, which not only capture the traditional security metrics, such as attack resilience, but also systematically measure the sensitive information leakage that exposes intrinsic vulnerabilities about the original circuit and the locking scheme. Specifically, in Chapter 3, we first present a universal model of combinational logic locking, a category of logic locking methods that specifically protect the combinational 14 logic portion of integrated circuits. Based on the universal model, we formalize notions of attack resilience and protection level that have been regarded as critical concerns in the literature. In addition, we define four risk metrics that are developed from basic notions from learning theory. The risk metrics can quantify the likelihood that a set of particu- lar information channels, such as the original circuit’s function, and the functional and structural signatures of a locking scheme, can leak sensitive information to the attackers. 1.5.1.2 Correlating Functional Corruptibility With Progress of SAT-Based Attacks Sequential logic locking is a category of locking methods that protect the sequential part, i.e., the finite state machines, of integrated circuits. Due to its intrinsic complexity, there has been little evaluation of its security level. We take the first step of measuring the confidentiality, i.e., the protection level, achieved by sequential logic locking. Specifi- cally, in Chapter 4, we formally define a notion of b-unrolled functional corruptibility (b-unrolled FC) for locked sequential circuits to quantify how much the sequential logic locking corrupts the circuit function with respect to the correct one in the first b clock cycles. SAT-based attacks refer to a class of attacks against sequential logic locking, which can prune out wrong keys by iteratively solving a series of NP-hard problems, i.e., sat- isfiability (SAT) problems and unbounded model checking, on the b-unrolled circuit that represents the function of the sequential circuit for the first b clock cycles. The attack usually starts with a small unrolling depth b and gradually increases it until all the wrong 15 keys have been pruned out. We call the minimum b on which the attack successfully terminates as the minimum required unrolling depth b req . In Chapter 4, we demonstrate that the number of NP-hard problems to solve in the SAT-based attack is proportional to the minimum required unrolling depth b req . Furthermore, we find that knowing b req could help attackers identify and skip many unnecessary SAT solving and model check- ing problems during the attack. Obtaining the exact value of b req may be computationally hard, hence we aim to develop efficient methods to estimate it. To this end, we present and prove the relation between the b-unrolled FC and the set of pruned wrong keys for the unrolling depth b, which can be used to indicate the progress of the SAT-based at- tack. Consequently, attackers can then make predictions on b req based on the knowledge of b-unrolled FC that can be efficiently approximated via logic simulation. The proved relation holds for any sequential logic locking scheme. To the best of our knowledge, we are the first to extend a notion of functional corruptibility for sequential circuits and use it to accelerate a SAT-based attack, hence challenging the security of existing sequential logic locking methods. 1.5.2 Attacks: Accelerating SAT-Based Attacks With Guidance by Functional Corruptibility Based on the proved relation between the b-unrolled FC and the progress of the SAT- based attack, we present an FC-guided SAT-based attack that can efficiently predict the minimum required unrolling depth and, therefore, significantly reduce unnecessary SAT 16 and model checking tasks. In Chapter 4, we present two versions of this improved attack, namely, Fun-SAT and Fun-SAT+, based on whether the attacker has a priori knowledge of the cycle length of the key sequence. Fun-SAT aims to find the correct key sequence, while Fun-SAT+ aims to retrieve the correct initial state of the circuit. Numerical eval- uation shows that Fun-SAT can be, on average, 90 faster than previous attacks against state-of-the-art sequential logic locking methods. On the other hand, when using an ap- proximate termination condition, Fun-SAT+ can find an initial state that leads to at most 0.1% FC in 76.9% instances that would otherwise time out after one day. As we mention earlier, the notion of functional corruptibility for sequential circuits and its relation with the minimum required unrolling depth are independent of the specific locking scheme, so the Fun-SAT series can effectively be used as a method for evaluating the security of existing sequential logic locking schemes. 1.5.3 Defenses: Risk-Aware Mitigation 1.5.3.1 Sporadic-Authentication-Based Sequential Logic Locking The functionality of sequential circuits is more complicated to analyze than that of com- binational circuits due to the introduction of time, i.e., the temporal dimension. In Chap- ter 5, we leverage this fact by further exploiting the temporal dimension for the design of sequential logic locking. Specifically, inspired by multi-factor authentication (MFA), we develop a sporadic authentication protocol that can be used in sequential logic locking 17 to boost its security. With this new protocol, the locked circuit is pseudo-randomly (dy- namically) reconfigured multiple times during the operation time and requires users to re-authenticate themselves. Consequently, any attackers must figure out both the correct unlocking key sequence and the correct time to feed the key to the sequential circuit. We prototype a new sequential logic locking, called SANSCrypt, based on the new authen- tication protocol. Our validation results on SANSCrypt show that the attack complexity significantly increases with almost the same implementation overhead as most existing sequential logic locking methods. We further provide an improved design ofSANSCrypt that is amenable to time-sensitive applications, as it ensures that the real-time execution of time-critical and safety-critical tasks is not disrupted. 1.5.3.2 Enhancing Logic Locking Against Machine Learning-Based Attacks Machine learning (ML) is particularly suitable to learn correlations in data. When prop- erly used, an ML approach could endanger any logic locking method that has a high risk of information leakage. In Chapter 6, we show a case study from the recently pro- posed ML-based attacks against combinational logic locking [45–47], which exploit the strong correlation between the locked netlist structure and its correct unlocking key. The emergence of such ML-based attacks can be well explained by one of our risk factors in Chapter 3. To address this risk factor, we present DECOR, a logic locking enhancement method based on randomized function alterations to achieve decorrelation between the netlist structure and the correct key. To the best of our knowledge, DECOR is the first 18 generic logic locking enhancement method that can be efficiently applied to any locking scheme to improve its resilience to ML-based attacks exploiting the correlation between circuit structure and key. We validate the effectiveness of our approach against two state- of-the-art ML-based attacks, namely, Snapshot [46] and OMLA [47], showing its ability to reduce the key prediction accuracy (KPA) to around 50%, providing ML-based attacks with negligible advantage over random guessing. 1.5.4 Security-Aware Design Space Exploration In Chapter 3, we present the Obfuscation Design Space Exploration Engine, ODSEE, which is the first design space exploration (DSE) framework for combinational logic locking. Out of a library of locking primitives, ODSEE can efficiently search for optimal combinational logic locking strategies under a user-defined cost function that considers the risk metrics, along with the traditional attack resilience metrics and overhead met- rics. Case studies on the applicability ofODSEE show the potential of novel combinational locking schemes, constructed by layering multiple locking primitives, for achieving sig- nificantly higher security and lower risks than any individual locking scheme does with the same implementation cost. 1.6 Organization This chapter provided background and motivation for our research, including the mech- anism of both combinational logic locking and sequential logic locking. We outlined 19 several challenges in the design of secure and cost-effective logic locking. We summa- rized our strategy to tackle these challenges and highlighted our main contributions. The remainder of the dissertation is organized as follows. Chapter 2 provides more back- ground on existing logic locking techniques and related efforts toward secure logic lock- ing design. Chapter 3 presents our work on modeling combinational logic locking, based on which we formalize several security metrics that capture the “attack resilience” and “protection level” of a logic locking method. In addition, we present four risk metrics to quantify the functional and structural information leakage from different channels. We then present, in Chapter 3, the first design space exploration (DSE) framework for com- binational logic locking that systematically captures security properties, implementation overhead, and risk of leaking sensitive information. In Chapter 4, we presentFun-SAT, a functional corruptibility-guided SAT-based attack on sequential logic locking, which ex- ploits sensitive information leaked from an easy-to-obtain functional property, i.e., func- tional corruptibility, and significantly improves the speed of SAT-based attacks, making existing sequential logic locking more vulnerable. Motivated by the need to design new sequential logic locking methods in Chapter 4, we present, in Chapter 5, a sporadic- authentication-based sequential logic locking scheme,SANSCrypt, which adopts a com- pletely different authentication protocol than that of the previous methods and signifi- cantly increases the attack complexity with almost the same overhead. Chapter 6 pro- vides a case study of combinational logic locking with high repetition risk, where ma- chine learning (ML) has been applied to attack such locking schemes. We presentDECOR, 20 the first generic logic locking enhancement method that can be efficiently applied to in- crease resilience against ML-based attacks. Chapter 7 draws the conclusions of this dissertation and discusses some future directions that emerge from this work. 21 Chapter 2 Background and Related Work In this chapter, we provide the background of existing logic locking techniques as well as related efforts toward secure logic locking design. Based on the type of the logic locking scheme, we first review combinational logic locking, followed by sequential logic locking. 2.1 Combinational Logic Locking A class of methods, such as fault analysis-based logic locking (FLL) [14], mostly focuses on providing high output error rates when applying a wrong key, for example, by ap- propriately inserting key-controlled XOR and XNOR gates in the circuit netlist. Another class of techniques, based on one-point functions, such as SARLock [15], aims, instead, to provide resilience to the SAT attack, an attack using satisfiability (SAT) solving to efficiently prune the space of possible keys [35]. These methods require an exponential number of SAT-attack iterations in the size of the key to unlock the circuit, but tend to 22 expose a close approximation of the correct circuit function. Efforts toward a compre- hensive locking framework have only started to appear. Stripped functionality logic locking (SFLL) [16] has been recently proposed as a scheme for provably secure logic locking with respect to a broad set of quantifiable secu- rity concerns, including error rate, resilience to the SAT attack, and resilience to removal attacks, aiming to remove the locking-related modules from the circuit. However, while the average number of SAT-attack iterations is shown to grow exponentially with the key size, the worst-case SAT-attack duration can become unacceptably low [38], which calls for mechanisms to explore the combination of concepts fromSFLL with other schemes. Zhou [48] has provided a theoretical analysis of the contention between error rate and SAT-attack resilience in logic encryption, drawing from concepts in learning theory [49]. Along the same direction, Shamsi et al. [50] develop diversified tree logic (DTL) as a scheme capable of increasing the error rate of SAT-resilient protection schemes in a tun- able manner. A recent effort [42] adopts a game-theoretic approach to formalize notions of secrecy and resilience that account for the impact of learnability of the locked function and information leakage from the circuit structure. 2.2 Sequential Logic Locking A first sequential logic locking method based on locking the finite state machine (FSM) of a circuit is HARPOON [13]. After being locked by HARPOON, the resulting FSM ex- hibits two main modes of operation, namely, an encrypted mode and a functional mode, 23 Figure 2.1: State transition diagrams for different sequential logic locking techniques. as shown in Fig. 2.1 (top left). When powered on, the circuit starts in the encrypted mode and exhibits incorrect functionality. The user must apply an appropriate sequence of in- put patterns during the first few clock cycles to enter the functional mode, in which the correct functionality is recovered. To claim ownership of the circuit, HARPOON also creates a set of watermark states in the encrypted mode that can be entered only when another unique sequence of input patterns, known to the circuit designer, is applied. However, due to the simple mechanism of HARPOON, there is only one transition con- necting the encrypted mode portion to the functional mode portion of the state transition diagram (STG) of the FSM. This distinguishable feature may help attackers locate and bypass the encrypted mode by FSM extraction and analysis methods [51]. Several tools [2, 3, 52] have been recently developed to facilitate FSM extraction by identifying the state registers from the circuit netlist. The increasing accuracy and 24 efficiency of these methods call for locking techniques that are more robust in the way they manipulate and obfuscate the STG of the circuit. Interlocking [31] improves HARPOON by modifying the circuit FSM such that mul- tiple transitions are available between the states of the encrypted mode FSM and the ones of the functional mode FSM, as shown in Fig. 2.1 (bottom left), making it harder for the attacker to detect the boundary between the two modes. However, in both HARPOON and Interlocking, once the circuit enters the functional mode, it remains there unless it is powered off or reset. Moreover, because the correct circuit function can only be accessed when the correct key sequence is applied, attacks based on Automatic Test Pattern Gen- eration (ATPG) [53] can be successfully mounted most of the times. ATPG-based attacks are based on the assumption that many stuck-at faults can only be triggered and detected when the circuit is in the functional mode. Therefore, the correct key sequence can be efficiently retrieved by analyzing common sub-sequences in the test patterns generated by ATPG tools. Dynamic State Deflection [32] adds another level of protection by requiring an ad- ditional key input verification step in the functional mode. If the additional key input is incorrect, the FSM transitions to a black-hole state cluster which can no longer be left, as shown in Fig. 2.1 (top right). However, since the correct value for the extra key input is fixed over time, the scheme becomes more vulnerable to SAT-based attacks [54, 55]. While most of the logic locking techniques mentioned above corrupt the circuit func- tion immediately after reset unless the correct key sequence is applied, DESENC [33], 25 shown in Fig. 2.1 (bottom right), determines the cycle for transitioning to the encrypted mode by counting the number of occurrences of a user-defined rare event in the circuit, unless the correct key sequence is applied. After the number of occurrences reaches a given threshold, the circuit enters the encrypted mode. This scheme is more resilient to sequential SAT-based attacks [56] because it requires unrolling the circuit FSM a large number of times to find the key. However, the initial transparency window may still expose critical portions of the circuit functionality. More recently, CBL [34] has been proposed as a state-of-the-art implementation of a variant of sequential logic locking, which requires a fixed, static key to be fed during the entire circuit operation via a set of additional key ports. While CBL follows a different unlocking mechanism from the above methods, its goal is to also delay the time at which the impact of a wrong key is observed, by appropriately inserting a counter FSM in the original circuit. 26 Chapter 3 Risk-Aware Design Space Exploration of Combinational Logic Locking In this chapter, we focus on combinational logic locking and provide a generic method to model its effect on the original circuit to be locked. Based on this model, we formally capture several important security metrics, e.g., attack resilience and the protection level, which have already been deemed essential criteria for designing a logic locking scheme. Furthermore, we propose four risk metrics, namely, Boolean learnability risk, isolation risk, repetition risk, and identification risk, which can capture the likelihood that a set of information channels, such as the original circuit’s function and the function and struc- ture of a locked circuit can leak sensitive information. Finally, we present an Obfuscation Design Space Exploration Engine (ODSEE) for combinational logic locking, which can be guided by our risk metrics and traditional overhead metrics, and efficiently search for secure, cost-effective logic locking strategies out of a library of existing logic locking primitives. 27 3.1 Introduction Logic Locking has gained significant attention as a promising solution against reverse engineering of integrated circuits (ICs) by mistrusted, third-party players. The goal of logic locking is to modify the logic of a circuit by infusing programmability in the design, e.g., by adding extra components and a set of key inputs, such that the circuit function- ality can be retrieved only if the correct configuration key is applied. The mechanisms to achieve programmability have become increasingly more sophisticated and resilient over the years, from XOR/XNOR-based insertion [14, 29] to point-function-based inser- tion methods [15–17, 50, 57]. However, these advances have mostly been driven by the conception of increasingly stronger attacks, and the need to circumvent them, possibly leaving on the table other sources of vulnerability that could be still exploited by newer attacks. Recently, a set of rigorous threat models and security-driven metrics [16, 38, 42, 44] has been introduced as a foundation to guide the design of resilient logic locking methods, by rigorously capturing design objectives such as the “protection level” and the “attack resilience.” However, in the absence of the certainty about the level of se- curity of a given construction, these models fall short of characterizing residual sources of vulnerability and “information leakage” associated with the functional and structural “signatures” of the circuit and the locking scheme upon deployment. On the other hand, these “signatures” can be better obfuscated, and attack hardness increased, by replacing portions of the original circuit with look-up tables (LUTs) or similar structures [41, 42, 28 44]. These structures, however, tend to be expensive, calling for new design methods that can appropriately balance the implementation cost with the desired protection level, attack resilience, and risk. This chapter takes a first step toward addressing this challenge. By drawing from con- cepts in Boolean analysis and learning theory, we define a set of risk metrics that quan- tify the likelihood that a circuit or logic locking scheme disclose information about their function or structure, exposing intrinsic circuit vulnerabilities which can be exploited by an existing or hypothetical attack. Based on these metrics, we present an Obfuscation Design Space Exploration Engine (ODSEE), combining simulated annealing (SA) [58] and mixed integer linear programming (MILP) [59] to find an optimal logic locking con- struction, out of a library of logic locking primitives, that satisfies a set of security- and risk-driven requirements while minimizing a cost function. To the best of our knowl- edge,ODSEE is the first automated optimization-based framework for the design of logic locking schemes that systematically captures security-driven properties, implementation overhead, and residual risk. Optimization results on a set of ISCAS benchmark circuits as well as a case study on the Common Evaluation Platform (CEP) [60] show the effec- tiveness of the proposed approach. 3.2 Background We first provide background concepts on the threat models and security metrics adopted in this chapter. 29 f(i) g(i, k) I K O flip XOR (a) G1 G2 G3 G4 i1 i2 i3 i4 o1 k1 KG (b) f(i) Res(i, k) I K O Strip(i) HD(i,k*) HD(i,k) (c) Figure 3.1: Schematic of (a) a generic logic locking scheme, (b) XBI, and (c) SFLL-HD. 3.2.1 Circuit Representation Given a combinational circuit with primary input port set I and primary output port set O, the circuit function f :B jIj !B jOj maps input vectors to the corresponding output vectors. A logic locking scheme changes f to a new function f 0 :B jIj B jKj !B jOj by adding extra key input ports K to the circuit. A key vector k is the correct key if8 i2 B jIj , f(i)= f 0 (i;k ) holds. A generic functional model for logic locking decomposes f 0 (i;k) as f 0 (i;k)= f(i) g(i;k); where g(i;k) represents the effect of the logic locking scheme [38]. A schematic of a locked circuit is shown in Fig. 3.1a, where the f lip signal is the output of g(i;k). If g(i;k)= 1, the circuit output value for input i and key k is incorrect, i.e., f 0 (i;k)6= f(i). Otherwise, the circuit output is correct, i.e., f 0 (i;k)= f(i). A circuit netlist can be modeled as a labelled directed graph G=(V;E), where V is the set of graph vertices, representing input-output (I/O) ports, logic gates, or sub-modules, and E is the set of edges, representing interconnections. The edges have directions indicating the order of signal propagation during logic simulation. 30 Table 3.1: Error tables withjIj=jKj= 3 (6 and4 mark incorrect and correct output values, respectively). (a)SARLock [15] K0 K1 K2 K3 K4 K5 K6 K7 I0 6 4 4 4 4 4 4 4 I1 4 4 6 4 4 4 4 4 I2 4 6 4 4 4 4 4 4 I3 4 4 4 6 4 4 4 4 I4 4 4 4 4 6 4 4 4 I5 4 4 4 4 4 4 4 4 I6 4 4 4 4 4 6 4 4 I7 4 4 4 4 4 4 4 6 (b)SFLL-HD0 [16] K0 K1 K2 K3 K4 K5 K6 K7 I0 6 4 4 4 4 4 4 4 I1 4 6 4 4 4 4 4 4 I2 4 4 6 4 4 4 4 4 I3 4 4 4 6 4 4 4 4 I4 4 4 4 4 6 4 4 4 I5 4 4 4 4 4 6 4 4 I6 6 6 6 6 6 6 4 6 I7 4 4 4 4 4 4 4 6 3.2.2 Attack Assumptions In line with the literature on logic locking, we assume the following two resources are available to attackers: (i) the netlist of the locked circuit, and (ii) a black-box circuit, i.e., an oracle, providing the I/O pairs for the correct circuit function. 3.3 Security Metrics We can describe how the circuit output is affected by logic locking via an error table, such as the ones shown in Table 3.1. Based on the general functional model, shown in Fig. 3.1a and the associated error table, we define a set of security-diven metrics that capture the quality and resilience of the logic locking scheme. 3.3.1 Functional Corruptibility Functional corruptibility quantifies the amount of output error induced by logic locking to protect the circuit function. Consistently with the literature [50], we define the functional 31 corruptibility E FC as the ratio between the number of corrupted output values and the total number of primary input and key configurations (the entries in the error table), i.e., E FC = 1 2 jIj+jKj å i2B jIj å k2B jKj 1( f(i)6= f 0 (i;k)); (3.1) where 1(A) is the indicator function, evaluating to 1 if and only if event A occurs. 3.3.2 SAT Attack Resilience The SAT attack [35] assumes that the attacker has access to the locked netlist and an operational (unlocked) circuit, used as an oracle, to query for correct input/output pairs. The goal is to reconstruct the exact circuit function by retrieving a correct key. At each iteration, the attack solves a SAT problem to search for a distinguishing input pattern (DIP), that is, an input pattern i that provides different output values for different keys, i.e., such that9 k 1 6= k 2 : f 0 (i;k 1 )6= f 0 (i;k 2 ). The attack then queries the oracle to find the correct output f(i) and incorporate the DIP and its correct output in the original SAT formula to constrain the search space for the following iteration. Therefore, all the keys leading to an incorrect output value for the current DIP will be pruned out of the search. Once the SAT solver cannot find a new DIP, the SAT attack terminates, marking the remaining keys as correct. Consistently with the literature [15, 16], we quantify the hardness of the SAT attack, t SAT , using the number of SAT queries, hence the number of DIPs, required to obtain the circuit function. Computing this number in closed form is, however, challenging, since 32 it relates to solving a combinatorial search problem, in which the search space generally depends on the circuit properties and the search heuristics of the specific solver or algo- rithm adopted. Existing approaches [16] adopt probabilistic models, where the expected number of DIPs is computed under the assumption that the input patterns are searched according to a uniform distribution. We adopt, instead, a worst-case conservative model and use the minimum number of DIPs to quantify the guarantees of a logic locking tech- nique in terms of SAT-attack resilience. The duration of the attack also depends on the circuit size and structure, since they affect the runtime of each SAT query. In this chap- ter, we regard the runtime of each SAT query as a constant and leave a more accurate modeling of the duration of the attack for future work. 3.4 A Notion of Risk for Logic Locking A logic locking scheme that is resilient to attacks and provides sufficient protection, i.e., high functional corruptibility, can still exhibit sources of vulnerability stemming from the circuit function or structure. We characterize these sources via the following risk models. 3.4.1 Boolean Learnability Risk A worst-case brute-force attack needs to perform 2 jIj queries to the oracle to reconstruct the correct circuit function. However, some Boolean functions can be well approxi- mated with much fewer queries. We quantify the risk associated with the learnability 33 of a Boolean function by resorting to the “concentration” of its Fourier spectrum from Boolean analysis. Any Boolean function f :f1;1g n !f1;1g, redefined, with a slight abuse of no- tation, on the setf1;1g n and with values inf1;1g, where1 and 1 denote false and true, respectively, can be uniquely represented by its Fourier expansion as a real, multi-linear polynomial [61] f(x)= å S[n] ˆ f(S) Õ i2S x i ; (3.2) where[n]=f1;2;:::;ng. The collection of all Fourier coefficients is the Fourier spectrum of f . The square of a Fourier coefficient is a Fourier weight. The sum of all Fourier weights of f is always 1. Informally, if the Fourier spectrum is concentrated over a small collection of subsets S[n], then learning those coefficients is enough to get a close approximation of f . This notion is formalized by the following results [61]. Definition 1 (Spectrum Concentration). SupposeS is a collection of subsets S[n] and e a non-negative real number. Then, the Fourier spectrum is e-concentrated onS ifå S[n];S= 2S ˆ f(S) 2 e: Theorem 1. Assume a learning algorithmA has (at least) random query access to the target f :f1;1g n !f1;1g. IfA can identify a collectionS of subsets such that the Fourier spectrum of f is e=2-concentrated, then, by using poly(jSj;n;1=e) additional time,A can with high probability provide a hypothesis h that ise-close to f . 34 0 5 10 15 20 25 30 Coefficient index 0.0 0.2 0.4 0.6 0.8 1.0 Fourier weight (a) 0 5 10 15 20 25 30 Coefficient index 0.0 0.2 0.4 0.6 0.8 1.0 Fourier weight (b) Figure 3.2: Fourier spectrum of (a) 5-input AND function and (b) 5-input pseudo-random function. We are now ready to define the Boolean learnability risk. Definition 2 (Boolean Learnability Risk). Given a logic cone (single-output combina- tional circuit) function f and a support parameter s, letS be a collection of Fourier coefficients, we define the Boolean learnability risk as R b;s = max jSj=s ( å S2S ˆ f(S) 2 ) : (3.3) If there exists someS with (small) cardinality s, on which the spectrum of f is e-concentrated, then R b;s is at least 1e. R b;s can be computed by using the Goldreich- Levin algorithm [61] to find the most significant Fourier coefficients of f . Fig. 3.2 com- pares the Fourier spectrum of a 5-input AND function with a 5-input pseudo-random function. Suppose s= 1; then, R b;1 for the AND function and the pseudo-random func- tion are 0:86 and 0:15, respectively. Intuitively, The AND function has a highly concen- trated spectrum, which makes it easier to approximate than the pseudo-random function. 35 3.4.2 Isolation Risk Logic locking creates functional corruptibility via the addition of key-controlled logic blocks capable of influencing the values of some of the nodes in the original circuit. The isolation risk R i quantifies the difficulty of retrieving the correct circuit function by isolating those key-controlled blocks from the locked circuit. Definition 3 (Isolation Risk). Given a locked circuit, suppose c is the number of nets connecting the key-controlled blocks to the original circuit block. We define the isolation risk as R i =(1 E FC;r )2 c , where E FC;r is the residual functional corruptibility (error rate) after isolating the key-controlled logic and 2 c is the probability of finding the correct assignment of the c control signals, under the assumption that they are uniformly distributed. For example, in SARLock [15], whose schematic is similar to the one in Fig. 3.1a, there is only one wire connecting the output of the key-controlled block to the original circuit, so R i = 0:5, suggesting high risk for removal attacks. Conversely, SFLL [16] pre-corrupts some of the outputs of f(i) in Fig. 3.1a and relies on g(i;k) to restore them, so E FC;r is larger than zero, which makes R i of SFLL lower than the one of SARLock. 3.4.3 Repetition Risk The implementation of a logic locking scheme and, specifically, the key-controlled block can reveal critical information about the correct key. The repetition risk aims to quantify 36 the likelihood that different key ports with similar structure can be correlated to narrow down the range of possible key values. Definition 4 (Repetition Risk). Given a locked circuit f 0 (i;k), suppose that an algorithm A can efficiently group the key input ports K into m clusters, i.e., G 1 ;G 2 ;:::;G m , based on structural similarities in the fan-out cones of different key input ports. Let w i , i2 f1;:::;mg, be the weight of cluster G i . If the correct key bits for all key ports in G i are the same, which means that similar structures correlate to the same correct key values, then w i is one. Otherwise, we assign w i to bejG i j. We then define the repetition risk R r as R r = 2 å m i=1 w i . For example, XOR or XNOR gates can be inserted as key gates in the XOR-based insertion (XBI) method [14, 29], as shown in Fig. 3.1b. However, all the key ports can be grouped into two clusters based on whether the key gates are XOR or XNOR, lead- ing to a correct key bit of zero or one, respectively. In this case, w 1 = w 2 = 1, hence R r = 0:25. While performing logic re-synthesis can decrease the structural correlation observed in Fig. 3.1b by using different implementations for the XOR/XNOR gates, the transformation performed by commercial synthesis tools may be partially reverted [45], or it may be possible to identify and correlate the logic function of the fan-out cone of each key port [3]. On the other hand, in SFLL-HD [16], shown in Fig. 3.1c, two Ham- ming Distance (HD) comparators are implemented as part of the logic locking scheme. Since the only block in the fan-out cone of the key ports is Res(i;k) and there is no a priori correlation between the structure of each key port and the correct key value, we 37 can only report one cluster containing all the key ports, with a weight ofjKj. In this case, the repetition risk is lower than that of XBI. 3.4.4 Identification Risk The identification of the circuit structure can disclose important details about the circuit, which allow limiting the number of Boolean functions that can be represented by the specific structure. However, if multiple circuit structures can be obtained for different key values, it becomes harder for the attacker to efficiently limit the space of possible functions that can be represented by the original circuit. We capture this aspect via the identification risk. Definition 5 (Identification Risk). For a given locked circuit netlist the identification risk R id is inversely proportional to the number of circuit structuresjCj achievable by key-configurable routing of the locked netlist, i.e., R id = 1 jCj : For example, the XOR gate KG in Fig. 3.1(b) decides whether to flip the value of G1 but does not affect the routing configuration of the circuit. Hence, the identification risk for XBI is 1. On the other hand, given a universal circuit with d layers, each layer containing m 2-input LUTs, it is possible to achieve w 2wd different structures, a much higher number than that in XBI, by also programming the routing configuration. 38 3.5 Obfuscation Design Space Exploration Engine We detail the obfuscation design space exploration engine (ODSEE). The core part of ODSEE formulates and solves an optimization problem that can balance security objec- tives and residual risk with overhead. 3.5.1 Problem Formulation We assume that a libraryL of logic locking primitives is available, where each primitive l is described by a set of configuration parameters p l , and a set of models providing the security metrics q l , risk metrics r l , and overhead metrics o l as a function of p l via the following mappings: q l = m q;l (p l ); r l = m r;l (p l ); o l = m o;l (p l ): (3.4) For example, p SARLock includes the key size and m q;SARLock computes E FC and t SAT as a function of the key size. Since multiple instances of the same primitive can be used in the design, we define a binary variable matrix s2B jLjn such that n is the maximum allowed number of instances of any primitive in the design, and s i j = 1 if and only if the j-th instance of primitive i is used. Correspondingly, we use p i j , q i j , r i j , o i j 1 to define the configuration parameters, security, risk, and overhead metrics for instance j of primitive i, respectively. 1 We use p as a compact notation for the setfp i j ji2f1;:::;jLjg; j2f1;:::;ngg, and adopt the same convention for q, r, and o. 39 Primitives are composed according to pre-defined rules. For example, the cumulative effect of multiple point-function-based primitives can be obtained by computing the log- ical disjunction of all output signals of the different primitives and connecting it to the original circuit. LUT-based primitives replace a portion of a circuit, hence they can only be layered on top of other primitives. For brevity, we denote by M q (s;q), M r (s;r), and M o (s;o) the mappings used to compute the compositional security, risk, and overhead metrics, respectively, for an aggregation of primitives. The actual expressions of those mappings depend, however, on the specific type of metrics. Risk metrics, for example, compose by taking the product of the single contributions, under the assumptions that they are independent. Therefore, by considering the logarithm of each risk variable r i j , r i j = log 2 (r i j ), the following summation rule holds: log 2 (M r (s;r))= jLj å i=1 n å j=1 s i j r i j : (3.5) A conservative estimate of the SAT-attack resilience takes, instead, the maximum over all the instantiated primitives, i.e., M q (s;q)= jLj max i=1 n max j=1 s i j q i j : (3.6) The products between binary and continuous variables in (3.5) and (3.6) can be expanded into mixed integer linear constraints via additional auxiliary variables. 40 Given the above library, composition rules, and a set of system-level requirements in terms of minimum accepted security level q l and maximum risk r u , we can then formulate our design problem as the following optimization problem: minimize s;p;q;r;o C(s; p;q;r;o) s:t: 8 > > > > > > > > > > > > > > > > < > > > > > > > > > > > > > > > > : M q (s;q) q l ; M r (s;r) r u p li j p i j p ui j ;8i2f1;:::;jLjg;8 j2f1;:::;ng q i j = m qi (p i j );8i2f1;:::;jLjg;8 j2f1;:::;ng r i j = m ri (p i j );8i2f1;:::;jLjg;8 j2f1;:::;ng o i j = m oi (p i j );8i2f1;:::;jLjg;8 j2f1;:::;ng (3.7) The cost C is defined by the user and, in this chapter, it is the total area overhead. If the mappings m q , m r , and m o are non-linear, they are approximated by piece-wise linear functions and encoded as sets of mixed integer linear constraints. 3.5.2 Two-Level Optimization-Based Algorithm A compact expression for the mapping from p to q, r, and o for an aggregation of prim- itives may not always be available (or tractable) in closed form, and would be better computed by simulation. Therefore, we adopt a two-level optimization-based methodol- ogy to solve (3.7), leveraging MILP in a loop with an SA routine, as shown in Fig. 3.3. Our algorithm receives as inputs the original netlist and the user specification, and returns 41 Sample SA-level primitive configuration Implement and evaluate SA-level primitives Decide to accept the cost Generate constraints Solve MILP Next iteration Cost Evaluation result Netlist User Specification Locked netlist SA-level MILP-level Logic Locking Library Figure 3.3: Two-level optimization-based methodology. the netlist locked with an optimal construction. The logic locking library stores compact models for mapping primitive configurations to security, risk, and overhead metrics. The outer optimization loop is driven by the SA routine and includes three major steps, that is, variable sampling, cost function evaluation, and cost acceptance. These are repeated until the maximum iteration count is achieved. When it is not feasible to compute the metrics in closed form for a set of primitives, we let the SA routine sample a configuration vector ˆ p SA for those primitives, which is then implemented to evaluate the current security level, risk, and overhead. Both ˆ p SA and its performance vector are then passed to the inner MILP solver, which instantiates a version of (3.7) to account for the effect of ˆ p SA , and solves it to obtain a new cost estimate. A cost acceptance function in the SA routine determines whether to accept this cost. If the MILP problem is, instead, infeasible, a very large cost is returned to discourage the SA routine from accepting that 42 0 10 20 30 40 50 Iteration Index 50% 100% 150% 200% 250% 300% Cost (Area Overhead) with risk constraints w/o risk constraints (a) 0% 100% 200% 300% 400% Synthesized area overhead 0% 100% 200% 300% 400% Predicted area overhead c1355 c1908 c432 c5315 c880 s5378 s9234 (b) 2 0 2 −1 2 −2 2 −4 2 −8 2 −16 2 −32 2 −64 Risk require ent 0.00% 0.03% 0.05% 0.08% 0.10% 0.12% 0.15% 0.18% Cost (area overhead) XBI SARLock DTL SFLL UC (c) Figure 3.4: (a) Optimization traces for two specification sets on c5315. (b) Predicted versus simulated area overhead. (c) Primitives used for optimal IIR core protection. configuration. Finally, when the optimization terminates, the netlist will be locked based on the configuration parameter p with the lowest accepted cost. 3.6 Optimization Results The optimization runs were executed on a 2:1-GHz processor with 500-GB memory. The algorithm in Section 3.5 is implemented in PYTHON and uses CPLEX [62] to solve the MILP problem. The logic locking library includes XBI [14], point-function-based techniques (SARLock [15], DTL [50], and SFLL-HD [16]), and LUT-based techniques (universal circuit (UC) [42]). The configuration for XBI and UC is determined by the SA routine, while the others are decided via MILP. Area overhead models were obtained by fitting overhead data from more than 20;000 synthesized configurations out of the available logic locking primitives. The designs were synthesized using a 45-nm Nangate Open Cell Library [63]. 43 Table 3.2: Specification Options for Security and Risk Security/Risk E FC t SAT R i R r R id High Threshold 0:5 10 7 ¥ ¥ ¥ Low Threshold 0:1 10 3 2 64 2 64 2 64 3.6.1 Validation of the Methodology 7 ISCAS benchmark circuits are selected to validate our optimization methodology. We set the maximum iteration count of the SA loop to 50 and use an exponential multiplica- tive cooling schedule [58]. For each circuit, we generate 32 different user specifications by permutation of the values in Table 3.2 and run our algorithm on the largest logic cone of the circuit. Fig. 3.4a shows the evolution of the cost for c5315 when we require that E FC 0:5, t SAT 10 7 with (blue) and without (orange) the constraint that R i , R r , R id be 2 64 . Both the costs settle to a significantly lower value in 40 iterations. We validate the achieved security levels by estimating E FC via simulations and t SAT via the execution of the SAT attack [35] with a one-day timeout time. Simulation results show that only 3:6% of the locked netlists fail to meet the E FC requirement. The violation is observed when a small key-size DTL primitive is selected, due to the fact that the model adopted is less accurate in this scenario. Most of the designs reach the timeout of the SAT attack, whose duration is accurately predicted by our models [38]. Fig. 3.4b compares the ac- tual area overhead with our prediction, showing a relative prediction error smaller than 0.5 in 87.5% of the cases. The execution time of an optimization run is dominated by 44 Table 3.3: Boolean Learnability Risk for the Five Largest IIR Logic Cones PO Index Cone Size R b;10 1 1439 0.14 2 1434 0.10 3 1409 0.16 4 1388 0.04 5 1371 0.01 the MILP portion, which takes at most 8 minutes. Overall, our approach allows effec- tive exploration of large design spaces in terms of functional corruptibility and attack resilience. 3.6.2 Locking the Common Evaluation Platform We illustrate the effectiveness of our approach on Common Evaluation Platform (CEP) [60], designed for testing different hardware security primitives. Specifically, we focus on the IIR filter core, with more than 16;000 gates, 2724 primary input, and 2673 primary out- put ports, including the output and input ports of the flip-flops, respectively. Among the five largest logic cones in the circuit, we select the third cone, which has the highest Boolean learnability risk R b;10 (with s= 10), as reported in Table 3.3. We run our al- gorithm with high security requirements (E FC 0:5 and t SAT 2 90 ) and 8 different risk requirements, ranging from no risk constraint to a tight bound of 2 64 . Fig. 3.4c shows the locking primitives used to achieve optimal protection for differ- ent risk requirements. When no risk constraints are imposed, the optimal construction (leftmost bar) consists of two DTL blocks with key-size of 2 and 92, respectively. We find the smaller DTL block contributes to the high E FC while the larger one provides the 45 required t SAT . This demonstrates the ability of our approach to explore the space and find new logic locking constructions via combination of primitives capable of providing security levels that are not achievable with a single existing technique. As we move to- ward the right of Fig. 3.4c, the risk decreases significantly at a large area overhead. The increase in area is due to the partial replacement of the cone with a UC structure. For example, in the tightest risk configuration, the circuit is partially replaced, including part of a 93-bit key SARLock block, with a 7-input 5-layer universal circuit to mitigate the high isolation risk of SARLock. 3.7 Summary Our formal security metrics and risk notions have shown to be useful in the systematic and efficient design space exploration of combinational logic locking. Validation results of ODSEE show it can generate novel locking strategies by layering a set of combina- tional logic locking primitives which outperform existing methods used in isolation. The remainder of this dissertation covers more applications of our risk notions, including developing more efficient attacks (Chapter 4) and low-risk defenses that have not been broken to date (Chapters 5 and 6). 46 Chapter 4 On the Security of Sequential Logic Locking Against Oracle-Guided Attacks In this chapter, we extend our modeling effort in Chapter 3 to sequential logic locking, a less explored category of logic locking. Inspired by the risk of information leakage of combinational logic locking, we exploit, for the first time, a critical information leakage point that exists in most known sequential logic locking schemes. We provide theoretical results on how this information leakage can help significantly expedite the traditional SAT-based attack [54, 55] and further present an improved attack, Fun-SAT, which is shown to be, on average, 90 faster in finding the correct key, calling for researchers to rethink the security of known sequential logic locking techniques. Finally, we present and discuss several variants ofFun-SAT which can be applied to slightly different threat models. 47 4.1 Introduction As we discussed in Chapter 1, logic locking has gained significant attention over the past decade as a promsing solution to mitigate the threats of IC reverse-engineering. In Chapter 3, we focused on a particular class of logic locking methods, namely, combina- tional logic locking [6, 14–17, 21–23, 25, 29, 30], which aims to insert programmable components and extra key ports into selected locations of a circuit’s combinational logic, such that the original circuit functionality can only be accessed by applying the correct key. On the other hand, sequential logic locking, e.g., [13, 31], usually targets some of the circuit finite state machines by usually creating new states, referred to as encrypted states, and modifying their transitions. One of the encrypted states is then selected as the new reset state of the locked circuit. A user must feed the authentication key, i.e., a predefined input sequence, to the input ports for the first few clock cycles before the circuit transitions to the original reset state. Over the years, many attacks have also been developed to restore the correct function- ality of a circuit locked using combinational locking methods, the most notable being the SAT attack [35], based on Boolean satisfiability (SAT) solving. By assuming the avail- ability of a locked netlist and a functional chip, i.e., an oracle that provides the correct output response for each input, the SAT attack efficiently rules out all the wrong keys by solving a series of SAT problems. Unless the internal state of a circuit can be accessed as a part of its input/output response, the SAT attack cannot be directly applied to a sequen- tial circuit, e.g., when the internal state cannot be scanned or is protected using a secure 48 scan chain [64]. However, in these cases, a SAT-based attack [54, 55] can still be crafted by unrolling the sequential circuit to construct a larger combinational circuit that repre- sents the behavior of the original circuit over a number of clock cycles. Circuit unrolling has indeed been applied to formulate SAT-based attacks against sequential logic locking under the assumption that the key length (in cycles) is known [18, 51, 65]. A major limitation of SAT-based attacks originates from the possibility that a large unrolling depth is needed to eliminate all the wrong keys, hence the large size of the unrolled circuits to be analyzed. To address this limitation, the attack usually starts by running a SAT attack with a small unrolling depth. Once the SAT attack is finished, how- ever, there is no guarantee that the set of candidate keys, obtained by matching the oracle response over a bounded unrolling depth, will also match the circuit response for longer time horizons. A key verification, often formulated as a model checking problem, will then check whether all the remaining keys generate the same response over an infinite time span, whose confirmation allows concluding that all the remaining keys are cor- rect and the attack can terminate. The attack must then increase the unrolling depth and perform the SAT attack on the unrolled circuit until all incorrect keys are ruled out and model checking terminates with the correctness of the remaining keys. Solving many SAT attacks and model checking problems for increasing unrolling depths can be costly and severely impact the feasibility of the overall attack. This chapter shows that an attacker can leverage the functional corruptibility (FC) of a locked circuit to efficiently estimate the minimum unrolling depth needed to prune 49 out the wrong keys. We provide a mathematical characterization of the relation between the minimum required unrolling depth and a notion of FC for sequential circuits, which can be efficiently estimated from a locked circuit. Based on this analysis, we design Fun-SAT, a functional corruptibility-guided SAT-based attack that is able to significantly reduce both (i) the SAT-attack effort needed to recover the set of candidate keys and (ii) the model checking effort needed to prove the correctness of the candidate key set. Fun-SAT follows a threat model that is predominant in the literature [18, 54, 55], which assumes that the key length is known a priori. When the key length is unknown, we also propose a novel version of Fun-SAT, namely, Fun-SAT+, whose goal is to restore the original circuit functionality by finding the correct initial state of the locked circuit rather than the correct key. Our contributions can be summarized as follows: We introduce a notion of functional corruptibility for sequential circuits and for- mally describe its relation with the set of incorrect keys that are ruled out by a SAT attack at each unrolling depth. We develop Fun-SAT, an FC-guided SAT-based attack that leverages the above concept of functional corruptibility to efficiently predict the minimum unrolling depth required to prune out all the wrong keys and significantly reduce the overall attack time. 50 We develop Fun-SAT+, a key-length-agnostic counterpart of Fun-SAT, which, for the first time, attacks a sequential locking scheme by directly searching for the cor- rect initial state of the circuit. Fun-SAT+ also includes an approximate termination condition to improve its efficiency in practice. We evaluateFun-SAT andFun-SAT+ on three representative sequential logic lock- ing methods. We show that Fun-SAT can be, on average, 90 faster in finding the correct key than a reference SAT-based attack [54]. On the other hand, when using an approximate termina- tion condition, Fun-SAT+ can find an approximately correct initial state which achieves a maximum FC of 0:1% in 76:9% of the experiments that would otherwise time out after one day. A preliminary version of the results of this chapter appeared in our previous publi- cation [66], where we first presented the formal framework underlying Fun-SAT. In this chapter, we expand on our previous formulation by providing a complete mathematical description of one of the termination conditions for Fun-SAT, called Model Checking Equivalence (MCE), which was previously illustrated only on a specific example. We then introduce Fun-SAT+, which operates under weaker assumptions than Fun-SAT, but equally helps restore the original circuit functionality. Fun-SAT+ is constructed with the different goal of finding the correct initial circuit state of the locked circuit and does not require an attacker to know the key sequence length. We present an approximate termi- nation condition to further account for certain attack scenarios where restoring a close 51 approximation of the circuit function is sufficient to jeopardize the integrity of the cir- cuit. We perform extensive validation of Fun-SAT+ and show the improved efficiency achievable with the approximate termination condition. Finally, we consider the appli- cation of the Fun-SAT approach to KC2 [55], an optimized SAT-based attack which is effective against locking schemes that require additional key ports to inject the key. Our results show that, on locking methods that are known to be resilient to KC2, Fun-SAT can enhance KC2 and achieve, on average, 10:6 faster execution time. The remainder of the chapter is organized as follows. Section 4.2 introduces three representative sequential logic locking methods and reviews the assumptions and mech- anism of the SAT-based attack on sequential locking. Section 4.3 discusses the notion of functional corruptibility and its implications for expediting SAT-based attacks. Sec- tion 4.4 and Section 4.5 detail the attack flow and the implementation of Fun-SAT and Fun-SAT+. In Section 4.6, we assess the effectiveness of the proposed attacks in com- parison with a previous SAT-based attack. Conclusions follow in Section 4.8. 4.2 Preliminaries We provide an overview of sequential logic locking, including three examples of repre- sentative locking schemes, and the mechanism of existing SAT-based attacks. 52 4.2.1 Sequential Logic Locking As mentioned in Chapter 2.2, sequential logic locking methods aim to hide the correct functionality of a sequential circuit by adding new states and transitions to the original finite state machine (FSM) [13, 31, 32, 51]. One of the newly added states is selected to be the reset state of the modified FSM. After reset, the locked circuit exhibits a different functionality than the original circuit. A user is required to provide a specific sequence of inputs, i.e., a correct key sequence, via the primary input ports for the first few clock cycles to transition to the correct reset state, after which the original circuit functionality is restored. We say that the locked circuit operates in the encrypted mode before it transi- tions to the correct reset state. Once this transition occurs, the circuit enters the functional mode. In the following, we introduce three representative sequential logic locking meth- ods, namely, HARPOON [13], Interlocking [31] and Counter-based locking (CBL) [34], which will be used to evaluate the proposed attacks in Section 4.6. HARPOON [13], one of the first sequential logic locking methods, whose mechanism has been inherited by most of the subsequent schemes, designs a single transition path for the locked circuit to enter the functional mode. However, the fact there is only one transition path can be potentially exploited by attacks that analyze the state transition diagram of the locked FSM to locate the boundary between states belonging to the two modes [51]. If such attacks are successful, attackers can modify the locked netlist to bypass all the states in the encrypted mode. 53 Cl Cl I K1 K2 O1 O2 K1 K2 F1 SAT/UNSAT F2 Figure 4.1: The SAT instance, visualized as a circuit diagram, formulated at the first iteration of COMB-SAT. Interlocking [31] addresses this vulnerability by designing multiple transition paths from the encrypted mode to the functional mode so that the boundary between the states in the two modes is less distinguishable. Adding multiple transition paths to enter the functional mode does not necessarily increase an attacker’s chance of accessing the cor- rect circuit functionality, as only one of those paths is the correct one. A user must still provide the associated key sequence to make the circuit transition to the functional mode through the correct path. Otherwise, errors at the circuit output will still occur at a later moment despite the circuit enters the functional mode. More recently, CBL [34] has been proposed as a state-of-the-art implementation of a variant of sequential locking, which requires a fixed, static key to be fed during the entire circuit operation via a set of additional key ports. While CBL follows a different unlocking mechanism from the above methods, its goal is to also delay the time at which the impact of a wrong key is observed, by appropriately inserting a counter FSM in the original circuit. 54 Combinational Logic Registers I O (a) Combinational Logic Combinational Logic Combinational Logic I I I O O O Combinational Logic I O tk b=1 (b) Figure 4.2: Diagram of (a) a sequential circuit and (b) its unrolled version. 4.2.2 SAT-Based Attacks The SAT attack [35] and its variants [67, 68] aim to find the correct key to restore the original function of a locked circuit C l . These attacks assume the availability of two re- sources: (i) the gate-level netlist of the locked circuit C l , potentially obtained by reverse- engineering from the GDSII file sent to the untrusted manufacturer [4], and (ii) an oracle for the original circuit C o , i.e., an activated chip, potentially purchased from the market, which provides black-box access to the correct input/output response. The SAT attack [35], which we denote by COMB-SAT, can find the correct key of a locked combinational circuit without combinational loops. At the beginning, COMB- SAT formulates a SAT problem as visualized in Fig. 4.1, where I denotes the input ports, 55 O1 and O2 the output ports, and K1 and K2 the key ports of the locked circuits. Upon solving the SAT problem and obtaining a satisfying assignment, the attack effectively detect an assignment i for I, for which two different keys k 1 and k 2 generate different outputs. We call this input i a distinguishing input pattern (DIP). The DIP and its cor- responding correct output, obtained by querying the oracle C o , will then be encoded as a set of clauses that are appended to the current SAT instance. Suppose that i dip is the DIP found in the current iteration. The updated SAT instance effectively rules out a set of incorrect keys K as follows, K=fkj f 0 (i dip ;k)6= f(i dip )g; where f and f 0 are the circuit functions implemented by C o and C l , respectively. COMB- SAT repeats the above process and terminates when the updated SAT instance becomes unsatisfiable, meaning that all the incorrect keys have been excluded, and any remaining key can be returned as correct. We can apply COMB-SAT to the combinational logic of a sequential circuit by as- suming that its internal state can also be obtained from the oracle as part of the in- put/output response [69]. However, this assumption is unrealistic when the internal state is not scanned or protected using a secure scan chain [64]. Similarly, COMB-SAT can- not be directly applied to sequential logic locking. However, an attacker can attempt an extension of COMB-SAT by unrolling a sequential circuit, as shown in Fig. 4.2, to form a larger combinational circuit that represents the behavior of the sequential circuit over a 56 Algorithm 1 Reference SAT-Based Attack [51, 54] Input: Locked netlist C l , oracle C o , key length t k Output: Correct key sequence k 1: b 1 2: while True do 3: k ;L dip ;L odip DIP Search(C o ;C l ;t k ;b) 4: if !key veri f y(k ;L dip ;L odip ) then 5: b update(b) 6: else 7: break 8: end if 9: end while 10: return k fixed number of clock cycles [18, 51, 65]. Such an attack is usually performed under the assumption that the cycle length of the key sequence t k is known. The circuit is then un- rolled for t k cycles to simulate the insertion of the key, followed by a minimum unrolling depth b= 1, needed to start a COMB-SAT attack. The input ports of the circuit replicas in Fig. 4.2b are marked in blue or red based on whether they act as the input ports or the key ports, respectively, of the unrolled circuit. The output ports in blue are regarded as the output of the unrolled circuit. Algorithm 1 offers a conceptual framework for a SAT-based attack. The unrolling depth b is initially set to a small value (e.g., to 1 in line 1) to avoid unnecessary unrollings that would produce large problem instances for DIP 1 search (line 3) and the key verifica- tion step (line 4). COMB-SAT can then be performed on the unrolled circuit in Fig. 4.2 (line 3) to search for DIPs that can rule out incorrect keys. However, once COMB-SAT terminates on the unrolled circuit, there is no guarantee that the set of candidate keys, 1 For sequential circuits, a DIP can also be called a distinguishing input sequence (DIS) [55]. 57 obtained by matching the oracle response over b clock cycles, will also match the correct response after b clock cycles. A model checking problem [54] is then formulated (line 4) to verify whether this is the case, by taking as input one of the candidate keys k , the list of DIPs L dip and the list of their corresponding outputs L odip generated by the DIP search in line 3. Otherwise, the attack will try a different unrolling depth b determined according to an update function (line 5) and repeat this process until all the remaining keys, returned by the DIP search in line 3, are proven correct. DIP search (line 3) can also be formulated and solved as a bounded model checking (BMC) problem, where the update function usually increments or multiplies the un- rolling depth b by a constant number [54, 55] to accelerate the search. However, without any guidance on the minimum unrolling depth that is required to eliminate all the wrong keys, Algorithm 1 tends to still solve a large number of COMB-SAT and model check- ing instances, especially when the minimum required unrolling depth is large. Recent advances, including incremental solving methods, SAT learned-clause preservation, and stronger termination checks, have shown to significantly mitigate the burden of solving these problems. However, the large number of problem instances that need to be solved can still adversely affect the overall attack efficiency [34]. Following the same threat model as the attack in Algorithm 1, we develop Fun-SAT, an enhanced SAT-based at- tack that can directly estimate the minimum unrolling depth required to prune out all the wrong keys. 58 4.3 Bounded-Depth Functional Corruptibility In this section, we introduce a notion of functional corruptibility (FC) for sequential circuits and discuss how it can be used to estimate the minimum unrolling depth required for the SAT-based attack to rule out all the wrong keys. Aligned with the attack model discussed in Section 4.2.2, we assume that the attacker has access to the black-box oracle C o and the locked netlist C l , as well as the key cycle length t k . However, the definitions and theorems discussed in this section can be adapted to the case in which t k is not known, as further detailed in Section 4.5. For the rest of this chapter, we say that the unrolling depth is b for C o and C l to mean that the circuit is unrolled for b and t k + b cycles, respectively. 4.3.1 FC and Unrolling Depth We denote by b req the minimum unrolling depth required to prune out all the wrong keys for a SAT-based attack. Let I and O be the sets of input and output ports of both C o and C l , respectively. Let f b :B bjIj !B bjOj be the function implemented by the b-unrolled version of C o , i.e., the function represented by the combinational circuit C b o obtained after unrolling C o for b cycles. We also say that C b o has a depth of b. Similarly, we denote by f 0 b :B bjIj B t k jIj !B bjOj the b-unrolled version C b l of C l . We also denote by SAT(b) the COMB-SAT attack on C b l and by K b the set of wrong keys pruned out by SAT(b). Finally, we denote byjpj the length of a sequence p and recall that a partial order can be defined over sequences as follows. 59 Definition 6 (Partial Order Over Sequences). Let p and q be two sequences withjpj<jqj. We say that p (strictly) precedes (or is less than) q, written p q, if and only if the following holds: p i = q i ;8i2f1;2;:::;jpjg; where p i is the i-th element of p, that is, if and only if p is a prefix of q. Otherwise, we say that p does not precede q, i.e., p q. For example, 1001 100111 holds while 0010 100111. We introduce a notion of functional corruptibility for a sequential circuit by resorting to its b-unrolled version as follows: Definition 7 (b-Depth Functional Corruptibility). The b-depth functional corruptibility of a circuit pair(C o ;C l ) is the ratio between the number of corrupted output values of C b l with respect to C b o and the total number of primary input and key combinations for C b l , i.e., FC b = 1 2 (b+t k )jIj å i2B bjIj å k2B t k jIj 1( f b (i)6= f 0 b (i;k)); where 1(:) is the indicator function. To study how FC b evolves with b, we associate a tag to the errors introduced by f 0 b , the function implemented by the b-unrolled version C b l of the locked circuit. 60 Definition 8 (Error Tag). We can associate a tag to an input-key pair(i;k) via the map T b :B bjIj B t k jIj !N[f?g defined as follows: T b (i;k)= 8 > > > > > > > > > > > > > > > > < > > > > > > > > > > > > > > > > : ?; if f 0 b (i;k)= f b (i); 1; if f 0 b (i;k)6= f b (i) and b= 1; b; if f 0 b (i;k)6= f b (i); b> 1; and f 0 b1 ( j;k)= f b1 ( j); T b1 ( j;k); otherwise; where j i and j2B (b1)jIj . When f 0 b (i;k)6= f b (i), the error tagT b (i;k) indicates the index of the earliest clock cycle in which the outputs of C b l and C b o differ. For example, Fig. 4.3 includes two tables marking the errors introduced by f 0 b for b= 2 and b= 3, withjIj= 1 and t k = 2. Each entry is indexed by an input value i and a key value k. If f 0 b (i;k)6= f b (i), we mark the corresponding entry with an “x.” By Definition 8, the errors marked in red are tagged with 3, while the blue ones depend on errors that were already introduced by f 0 2 and will be tagged based on the error tags in f 0 2 . We can now state our first result describing the evolution of FC b with respect to b. Theorem 2. For all b> 1, FC b = FC b1 holds if and only ifT b (i;k)< b holds8 i2B bjIj , 8 k2B t k jIj , that is, if and only if no new errors, i.e., errors tagged by b, are introduced by f 0 b . 61 Key (k) Input (j) 00 01 10 11 00 X 01 X 10 X 11 X ErrorTable 1 (b = 2) Key (k) Input (i) 00 01 10 11 000 X 001 X 010 X X 011 X 100 X 101 X X 110 X 111 X !" ! = 1 4 !" " = 1 4 + 2 32 = 5 16 X: Errors with tag of+ ! (-, /) X: Errors with tag of 3 1 # = 2, 2 = 1 Correct key sequence: 1 0 ErrorTable 2 (b = 3) Key (k) Input (j) 00 01 10 11 00 X 01 X 10 X 11 X ErrorTable 1 (b = 2) Key (k) Input (i) 00 01 10 11 000 X 001 X 010 X X 011 X 100 X 101 X X 110 X 111 X !" ! = 1 4 !" " = 1 4 + 2 32 = 5 16 X: Errors with tag of+ ! (-, /) X: Errors with tag of 3 1 # = 2, 2 = 1 Correct key sequence: 1 0 ErrorTable 2 (b = 3) Figure 4.3: Distribution of the output errors of a small locked circuit (t k = 2 andjIj= 1) for the first two and three clock cycles. Proof. Check Appendix A.1 for details. Based on Theorem 2 and its proof, we conclude that FC b can only remain constant or increase with b as new errors, tagged by b, are observed at the output of the b-unrolled circuit. This leads to the following result, stating that FC b monotonically increases with b, independently of the sequential locking method adopted. Corollary 2.1. For all b> 1, FC b FC b1 holds. 62 4.3.2 FC and Key Search Progress We show, with the following results, that the evolution of the b-depth functional corrupt- ibility can be correlated with that of the set K b of incorrect keys that are pruned out by SAT(b). To establish this relation, we first provide a characterization of K b using the following lemma. Lemma 3. Let K b be the set of wrong keys pruned out of the search space upon termi- nation of SAT(b). Then,8 i2B bjIj , the following holds: fkj f b (i)6= f 0 b (i;k)g K b : Proof. Check Appendix A.2 for details. Lemma 3 implies that a key k 0 is in K b if f b (i)6= f 0 b (i;k 0 ) holds, even if i is not explic- itly found as a DIP by SAT(b). In fact, k 0 can also be ruled out by another input j, which is instead found as DIP, and such that f b ( j)6= f 0 b ( j;k 0 ), after augmenting the SAT prob- lem instance with a clause encoding the oracle output f b ( j) for input j. The following theorems characterize the relation between FC b and K b , stating that K b monotonically increases with FC b and remains the same if FC b remains constant. Theorem 4. For all b> 1, let FC b = FC b1 hold. Let K b1 and K b be the sets of wrong keys pruned out by SAT(b 1) and SAT(b), respectively. Then, K b1 = K b holds. Proof. Check Appendix A.3 for details. 63 Theorem 5. For all b> 1, let FC b > FC b1 hold, and let K b1 and K b be the sets of wrong keys pruned out by SAT(b1) and SAT(b), respectively. Then, K b1 K b holds. Proof. Check Appendix A.4 for details. Theorems 4 and 5 directly relate the behavior of K b , hence the progress made by the attack, to the behavior of FC b , which can be efficiently approximated via logic simu- lation. Therefore, by efficiently analyzing the sequence of FC b , we can make informed predictions about whether solving a COMB-SAT instance and a model checking problem for a certain unrolling depth b can be avoided to rapidly progress with the attack. Specifically, if FC b = FC b1 holds, we conclude that it is sufficient to execute SAT(b 1), which is a smaller and usually faster instance than SAT(b). In fact, we know from Theorem 4 that SAT(b) cannot exclude any more wrong keys other than those already pruned out by SAT(b 1). On the other hand, when FC b > FC b1 holds, we conclude that SAT(b) is at least as effective as SAT(b 1), or even more effective, in narrowing down the search for the correct key. We can then move forward and directly execute SAT(b) by skipping the execution of SAT(b 1) and the additional model checking problem needed to verify the termination on C b1 l . We incorporate both of these insights intoFun-SAT, as detailed in the next section. 64 4.4 Functional Corruptibility-Guided SAT-Based Attack We describe the attack flow ofFun-SAT and discuss its termination conditions that allow us to conclude that all the wrong keys are pruned out. 4.4.1 Attack Flow Algorithm 2 shows the attack flow ofFun-SAT, whose input arguments include a set of circuit-related and attack configuration parameters. Circuit-related parameters include the oracle C o , the locked netlist C l , and the key cycle length t k . Configuration parameters consist of the FC analysis window t win , the simulation sample size S, the FC difference thresholdd, and the FC hold thresholdD. We discuss the function of each configuration parameter below. Fun-SAT consists of two phases. The first phase (line 3 to line 19) analyzes a se- quence of FC values for a range of unrolling depths and predicts the optimal unrolling depth b to be used in the second phase (line 20 to line 26), where DIP search is executed on the b -unrolled circuit. To start the first phase, we specify the initial range of unrolling depths to be[1;t win ] in line 1 and compute FC b via a logic simulation function, in line 6, which simulates both C o and C l with random inputs and keys for S times and calculates an estimate of FC b according to Definition 7. As discussed in Section 4.3.2, if FC b > FC b1 holds, we promote b as the desired unrolling depth for the second phase (based on Theorem 5). Otherwise, if FC b = FC b1 holds, we choose b 1 (based on Theorem 4). We incorporate this rule when analyzing 65 FC ! ∗ ∆#$ FC b ! ∗ ∆#$ FC ∆#$ Example1 Example3 Example2 ∆ Earlybreak ! " % ! " ! # ! ∗ ! # ! " ! # b b b b b !" #" #" !" !" #" Figure 4.4: Illustration of the evolution of FC b with b in three different examples (DFC b = FC b FC b1 ). the sequence of FC values (line 7 to line 18) as follows. We assign the upper bound of the FC analysis window b ub to b if FC b keeps increasing, as shown in the first example of Fig. 4.4. Due to the approximation error introduced by the FC simulation (line 6), we relax the equality condition, i.e., FC b = FC b1 , by checking whether(FC b FC b1 )d holds for a small d, such as 0:01. Moreover, we also consider the scenario when the relaxed equality condition holds only for a limited number of occurrences before FC b starts to increase again, as shown in the third example of Fig. 4.4. We will only terminate the FC analysis phase with an early break when the relaxed equality condition is satisfied for at least D times. This early break prevents unnecessary FC simulations when FC stops increasing at an early stage, as shown in the second example in Fig. 4.4. 66 In the second phase, DIP search is performed (line 21) with the suggested unrolling depth b . At this point, we may only conclude that the resulting candidate key k is correct for the b -unrolled circuit, i.e., up to b clock cycles after reset. Therefore, an additional key verification step is needed to check whether k is indeed the correct key (line 22) for an infinite time frame. The candidate key k , the list of found DIPs L dip , and the list of the corresponding correct output values L odip are all used in this step, further described in Section 4.4.2. When the key verification fails, Fun-SAT revisits the FC analysis phase and search for a new unrolling depth with an updated FC analysis window (line 23). This loop terminates when a candidate key is found and proven correct. 4.4.2 Attack Termination Conditions The last step before the successful termination of the attack in Algorithm 2 is the key verification function (line 22). In this step, because the netlist of the oracle is assumed unavailable in the attack model (see Section 4.2.2), we cannot directly perform equiva- lence checking between the oracle C o and the locked netlist C l configured with the candi- date key k . We therefore build on the literature on SAT-based attacks [54] to formulate two key verification conditions specific to sequential logic locking, namely, unique key (UK) and model checking equivalence (MCE). 67 Cl Cl Ldip[1] k* K Cl Cl Ldip[n] k* K AND K SAT/ UNSAT k* b b b b Figure 4.5: Circuit representation of the unique key (UK) condition. 4.4.2.1 Unique Key If k is the only remaining key that makes the locked circuit C l generate the same re- sponse as the oracle C o over the first b clock cycles, then k is the correct key for C l . This condition can be verified by showing that the set fk 0 j f 0 b (i;k 0 )= f 0 b (i;k );8i2 L dip gnfk g is empty. Alternatively, we can execute COMB-SAT on a modified version of the current SAT instance, by appending a clause that excludes k to query for another correct key. This effectively reduces to the SAT instance shown in Fig. 4.5, where C b l is the b-unrolled version of C l and L dip [n] is the n-th DIP in L dip . The UK condition is satisfied if this SAT instance is unsatisfiable (UNSAT), and Fun-SAT can terminate successfully with the correct key k . 68 4.4.2.2 Model Checking Equivalence When the UK condition is not satisfied, multiple candidate keys can match the behavior of the oracle over the first b clock cycles, but may eventually generate different circuit responses over longer time spans. We detect these spurious keys in the candidate key set using model checking to look for cases where two keys in the candidate set lead to dif- ferent circuit responses on the locked circuit C l , that is, whether the following condition holds, 9 b 0 b;i2B b 0 jIj ;k 1 ;k 2 2K cand ; s:t: f 0 b 0(i;k 1 )6= f 0 b 0(i;k 2 ); (4.1) where K cand is the set of candidate keys, expressed as follows, K cand =fk2B t k jIj j f 0 b (i;k)= f b (i);8i2 L dip g: We observe that, due to the operation of DIP search, it is sufficient to require that a key k in K cand generate the correct output (over b cycles) for all the DIPs in L dip to guarantee that k generates the correct output also for the other inputs. Fig. 4.6 shows the model used to check the MCE condition for a specific example, where t k = b=jL dip j=jL odip j= 2. For clarity, we represent the unrolled locked circuit C 2 l as a cascade of t k + b, i.e., four, copies of the combinational logic of C l . The model checker is configured to process the values at the IO ports in blue as constant, those in red as free binary variables, and those in grey as ‘don’t care’ variables. K a and K b are the input variables for the two keys, denoted by k 1 and k 2 in (4.1), respectively. K a;1 and 69 Combinational Logic Combinational Logic Combinational Logic Combinational Logic Combinational Logic Combinational Logic Combinational Logic Combinational Logic Ka,1 Ka,2 Kb,1 Kb,2 Ldip[1]1 Ldip[1]2 Lodip[1]1 Lodip[1]2 Combinational Logic Combinational Logic Combinational Logic Combinational Logic Cl Cl INa INb Initial State Sa Initial State Sb OUTa OUTb Don’t care IO ports X Model variable X Y Model constant Y Linking two variables Legend: Ldip[1]1 Ldip[1]2 Lodip[1]1 Lodip[1]2 Ldip[2]1 Ldip[2]2 Lodip[2]1 Lodip[2]2 Ldip[2]1 Ldip[2]2 Lodip[2]1 Lodip[2]2 Figure 4.6: Diagram of the model used for checking the termination condition of Fun-SAT. K a;2 are the portions of K a in the first and the second clock cycle, respectively. Similar subscript indices are used for K b and the elements of L dip and L odip . The circuits on the left side of Fig. 4.6, whose inputs and outputs are assigned all the DIPs and the corresponding correct outputs, model the constraints that limit the values for K a and K b to the candidate key set K cand . On the right side of the model, we instantiate the locked circuit C l twice and configure both instances to receive the same input at IN a and IN b , as marked by the dashed orange lines linking two variables in the figure. Importantly, we link the initial states S a and S b of the two instances of C l to the corresponding initial states obtained after applying K a or K b to the left-side circuit, respectively, which ensures that the two C l instances on the right side are configured as if they were provided with K a or K b . 70 We check the MCE condition by solving a model checking problem that verifies whether OUT a = OUT b holds for an unbounded time frame. If the model checker returns false, it means that condition (4.1) holds and there exists one or more keys in the candi- date set that will eventually trigger the wrong circuit response on C l . Therefore,Fun-SAT should not terminate until it prunes out all those spurious keys in the candidate set. In Fun-SAT, the MCE condition is checked in two steps. We first perform bounded model checking (BMC) with bound b+ 1. If BMC returns false, we can already conclude that the SAT-based attack should continue. Otherwise, we perform unbounded model check- ing to verify the correctness of the candidate key set beyond b+ 1 cycles. The outcome of unbounded model checking will determine whether to conclude or continue the attack. 4.4.3 Complexity Analysis We first analyze the attack in Algorithm 1. By assuming an update rule such that b b+ 1 and a minimum required unrolling depth b req , the attack will require b req iterations of DIP search and termination condition checks before finding the correct key. Each DIP search and termination condition check requires solving several SAT problems, which are NP-complete. With Fun-SAT (Algorithm 2), multiple expensive DIP search steps and termination condition checks can be avoided. Specifically, Fun-SAT only requires db req =t win e, rather than b req , iterations of DIP search and termination condition checks, at the additional cost of estimating the b-unrolled FC (from FC 1 to FC b req ) for b req times using logic simulations. The advantage ofFun-SAT then hinges on the runtime advantage 71 of executing b req iterations of FC estimation over (b req db req =t win e) iterations of DIP search and termination condition check. 4.5 Fun-SAT+: A Key-Length-Agnostic Attack Fun-SAT is based on a common attack model adopted in the literature, in which the key length t k of the locked circuit is available to the attacker. In this section, we remove this assumption and propose an extension of Fun-SAT, termed Fun-SAT+, that can be mounted even if t k is unknown. As also alluded to in the literature [54, 55], we observe that the effect of providing the correct key sequence to the locked circuit is to configure it to the correct initial (reset) state in the functional mode by providing the corresponding signals via the connections from the t k -th to the (t k + 1)-th circuit replica in Fig. 4.2b. It is then possible to redesign Fun-SAT with the goal of finding the correct initial state, rather than the key sequence, which does not require knowledge of the key length t k . We detail below the complete attack flow. 4.5.1 Attack Flow Fun-SAT+ first pre-processes the locked netlist C l by substituting all the D flip-flops (DFFs) in the design with a modified structure that enables a scan-in feature, as shown in Fig. 4.7. When scan en is high, the output of each register at the next clock edge, is given by scan data. By setting scan en to high only in the first clock cycle after reset, we can then configure the initial circuit state via the scan data ports, denoted as 72 Combinational Logic CLK D Q Clock (a) Combinational Logic CLK D Q Clock scan_en scan_data 1 0 (b) Figure 4.7: Schematics of (a) a regular D flip-flop and (b) a modified D flip-flop with the scan-in feature. K is . The diagram of the modified netlist C l and its b-unrolled version C b l for the DIP search step are shown in Fig. 4.8a and Fig. 4.8b, respectively. In Fig. 4.8b, besides the regular IO ports marked in blue, K is act as the effective key ports and are marked in red. The proposed modification only affects the key bit-length. All the results in Section 4.3 can then be applied to the modified design with minor modifications. For example, the b-depth functional corruptibility can be rewritten as follows, FC b = 1 2 bjIj+jK is j å i2B bjIj å k2B jK is j 1( f b (i)6= f 0 b (i;k)); (4.2) where the effective key bit-length is now equal to the number of DFFs in the locked circuit. In particular, the conclusions drawn from Theorem 4 and Theorem 5 hold. Algorithm 3 illustratesFun-SAT+, which follows the same flow ofFun-SAT, as spec- ified in Algorithm 2, with the following changes. Fun-SAT+ no longer requires the key length t k as an input, since the effective key length is the number of registers in C l . In the FC analysis phase, the FC simulation function (line 6) computes the FC based on (4.2). 73 Combinational Logic Modified Registers I O Kis (a) Combinational Logic Combinational Logic Combinational Logic I I I O O O Combinational Logic I O b Kis (b) Figure 4.8: Diagram of (a) a modified locked sequential circuit and (b) its b-unrolled version. In the SAT attack phase, DIP search (line 21) is executed on the b-unrolled version of the modified locked netlist, as shown in Fig. 4.8b. Once DIP search is finished, we verify the correctness of the remaining keys (line 22) according to the two termination con- ditions discussed in Section 4.4.2. For the UK condition, we may continue to use the SAT instance as visualized in Fig. 4.5, in which C b l is replaced by the b-unrolled ver- sion in Fig. 4.8b. To verify the MCE condition in (4.1), we update the model to reflect the change in key length, while the set of candidate effective keys, i.e., candidate initial states, K cand , is re-written as follows, K cand =fk2B jK is j j f 0 b (i;k)= f b (i);8i2 L dip g: 74 Combinational Logic Combinational Logic Combinational Logic Combinational Logic Ldip[1]1 Ldip[1]2 Lodip[1]1 Lodip[1]2 Combinational Logic Combinational Logic Combinational Logic Combinational Logic Cl Cl INa INb Initial State Kis,a Initial State Kis,b OUTa OUTb Don’t care IO ports X Model variable X Y Model constant Y Linking two variables Legend: Ldip[1]1 Ldip[1]2 Lodip[1]1 Lodip[1]2 Ldip[2]1 Ldip[2]2 Lodip[2]1 Lodip[2]2 Ldip[2]1 Ldip[2]2 Lodip[2]1 Lodip[2]2 Kis,a Kis,b Figure 4.9: Diagram of the model used for checking the termination condition of Fun-SAT+. For example, the updated model for a circuit with b=jL dip j=jL odip j= 2 is visualized in Fig. 4.9. This model consists of fewer combinational logic modules than in Fig. 4.6. As in Fig. 4.6, the left-side diagram of Fig. 4.9 is used to model the constraints that limit the search space of K is;a and K is;b to the candidate initial state set K cand . Both K is;a and K is;b are linked to the initial state ports of the two instances of C l , respectively. We use a model checker to check whether OUT a = OUT b holds over an unbounded time horizon, which determines whether the candidate initial states are all correct. The new attack further lowers the threshold for an attacker. Once a correct initial state is found, an attacker may bypass the key insertion process and modify the locked 75 netlist as in the pre-processing step above to directly provide the correct initial state to the array of registers and eventually retrieve the original circuit functionality. 4.5.2 Approximate Termination Condition The effective key bit-lengthjK is j inFun-SAT+ can be much larger than that inFun-SAT. Proving its correctness via model checking can then be computationally prohibitive. To improve the scalability ofFun-SAT+, we introduce an approximate termination condition that can be used as an alternative to the model checking equivalence (MCE) condition. The resulting attack variant, which we callFun-SAT+(App), produces an initial state that leads to a close approximation of the original circuit function. In the approximate termination mode, two additional configuration parameters are specified at the beginning of the attack, namely, a desired functional corruptibility thresh- old T f c and the maximum observation window b max . Each time the key verification step (line 22) of Algorithm 3 is called, logic simulation is instead executed to obtain an ap- proximation of the b max -depth functional corruptibility FC b max . If FC b max T f c holds for the candidate key k , the attack terminates with k as the result. As an example, an attacker may gather insights about a possible value for b max by estimating the depth D of the locked FSM using another FSM reverse-engineering method [70, 71]. We finally observe that, when t k is not known, an attacker may also repeat Fun-SAT with different key lengths until the correct key (and key length) is found. However, using the outcome ofFun-SAT to implement an efficient key length search strategy is, in 76 0 5 10 15 20 25 Key length 0 1 2 |K cand | Figure 4.10: The number of correct keys,jK cand j, found byFun-SAT as a function of the assumed key length. general, ineffective. For example, Fig. 4.10 shows the response ofFun-SAT on a sample circuit locked using Interlocking with a key of length 20. When Fun-SAT is applied with key lengths different than 20, all the keys are pruned out of the search space, i.e., jK cand j= 0. In fact, keys of different lengths generally set the unrolled model of the circuit and the oracle in different initial states. The SAT attack is then likely to eliminate all the candidate keys, since the outputs of the unrolled model and the oracle for the same inputs in different states will be different, in general, independently of the key. Fun-SAT will then return an empty set of candidate keys, which provides no information about the progress in the search. 4.6 Evaluation Results We implement both Fun-SAT and Fun-SAT+ with Python. Both calculating the FC in the FC analysis phase and querying the oracle in the SAT attack phase are simulated by 77 Table 4.1: Overview of the Selected Benchmark Circuits[75, 76] Benchmark s27 s526 s1488 s9234 s15850 s38584 b10 b12 b15 b19 Inputs 4 3 8 19 14 12 11 5 36 24 Outputs 1 6 19 22 87 278 6 6 70 30 DFFs 3 21 6 228 597 1452 17 121 449 6642 Gates 10 193 653 5597 9772 19253 214 1217 8169 190213 Synopsys VCS. Using the logic simulation time to estimate the actual hardware query- ing time is deemed reasonable, if not conservative, as software simulation is generally slower than the actual hardware. DIP search is adapted from the literature [35] and leverages MINISAT [72] as the SAT solver while model checking is performed using the interpolation-based algorithm [73] implemented by the NUXMV [74] model checker. Unless otherwise stated, all experiments in this section are executed on a server with 500-GB memory and 48 2:1-GHz cores, operated by Ubuntu 18:04:6. 4.6.1 Evaluation Setup We implement the reference SAT-based attack in Algorithm 1 by starting with an additive rule [54] for updating the unrolling depth, i.e., b b+ 1. We then explore the effect of multiplicative update rule [55], i.e., b 2 b, which may speed up both the reference attack andFun-SAT. We select ten benchmarks from ISCAS’89 [75] and ITC’99 [76], as detailed in Table 4.1, which are often used as reference benchmarks in the literature [18, 54, 55]. 78 We implement the two sequential logic locking methods introduced in Section 4.2 as described in the reference papers [13, 31]. In addition to the key cycle length t k , we need to also specify some configuration parameters specific to each locking scheme. HARPOON inserts a special circuitry, called Modification Kernel Function (MKF), to the original circuit. The MKF flips the signals on its neighboring wires when a wrong key is applied. In general, more MKFs inserted to the original circuit can lead to a larger functional corruptibility. In this chapter, we use the ratio R mk f between the number of MKFs and the number of gates in the original circuit to specify the MKF insertion. On the other hand, Interlocking deliberately allows a group of wrong keys to bring the circuit to the functional mode without triggering output errors immediately. Only when the circuit enters a certain number of pre-selected states in the functional mode will those wrong keys trigger output errors. Based on the distance from the correct reset state in the functional mode to one such state s pre , the occurrence of output errors may be delayed for a few cycles. In our experiments, we use D max to denote the maximum number of state transitions between the correct reset state in the functional mode and a state s pre in which output errors are triggered for the first time. We randomly assign s pre to a wrong key k w , such that an output error occurs in s pre when k w is applied. The simulation sample size S for both Algorithm 2 and Algorithm 3 is empirically determined as reported in Fig. 4.11a, where we simulate, with different sample sizes, the FC of the second largest benchmark s38584, locked with a randomly selected Interlock- ing configuration. We choose S= 1000 for the rest of this section, since it leads to a 79 0 250 500 750 1000 S 0.00 0.25 0.50 0.75 1.00 FC b=3 b=6 b=9 b=12 b=15 (a) 1 3 5 7 9 b 0.00 0.25 0.50 0.75 1.00 FC (b) Figure 4.11: (a) The simulation results of five FC b (under different b) as a function of the simulation sample size S. (b) FC b vs. b for an Interlocking-locked s38584. reasonable approximation error for the FC. The FC hold thresholdD and FC difference threshold d are instead set to 5 and 0:01, respectively, which provide empirically suffi- cient accuracy to detect when the FC remains constant. A lower value of d and higher values of S andD can further improve the accuracy in predicting the minimum unrolling depth at the cost of increased simulation time. 4.6.2 Operation ofFun-SAT: A Case Study We demonstrate howFun-SAT progresses on s38584, locked with Interlocking with t k = 4, corresponding to a key bit-length of 48, and a D max of 5. Fig. 4.11b shows the relation between FC b and the unrolling depth b. Fun-SAT starts by analyzing FC b from b= 1. FC b starts to stabilize when b increases to 5, and the difference between two consecutive FC values is within d. After examining the next D 1 FC values, Fun-SAT exits the 80 FC analysis phase and suggests 5 as the unrolling depth used in the SAT attack phase. Fun-SAT then executes DIP search on the 5-unrolled circuit and successfully verifies the correctness of the found keys. The above process takes 507 seconds to complete. In contrast, the reference attack in Algorithm 1 starts with an unrolling depth of one (b = 1) and performs 8 more checks of the termination condition (four UK and four MCE checks), which costs 2:64 hours and is 18:7 slower thanFun-SAT. 4.6.3 Evaluation ofFun-SAT We select the first 9 benchmarks in Table 4.1 and lock them using HARPOON with different configurations. Specifically, we adopt four different key cycle lengths for t k , ranging from 1 to 4, and four MKF ratios for R mk f , namely, 5%, 10%, 15%, and 20%. We then apply both Fun-SAT and the reference attack in Algorithm 1 on all the 144 locked circuits. Both attacks successfully terminate on all HARPOON configurations within 20 minutes. Fig. 4.12a shows the histogram for the attack runtime. The average attack time for Fun-SAT and the reference attack are 83 seconds and 97 seconds, respectively. The small average runtime for both the attacks is mostly motivated by the small minimum unrolling depths required by the circuits locked with HARPOON, as shown in Fig. 4.12b, which are designed to achieve a high functional corruptibility. We then lock all the benchmark circuits with Interlocking using the same range of key cycle length as for HARPOON and a D max range from 4 to 20. Both Fun-SAT and the reference attack are applied on all these locked circuits with a time-out threshold of 81 0 100 200 300 400 500 600 700 800 900 1000 1100 Runtime (s) 0.0 0.2 0.4 0.6 0.8 Frequency Fun-SAT Previous attack (a) 1 2 3 4 Min. unrolling depth 0.0 0.1 0.2 0.3 0.4 0.5 Frequency (b) Figure 4.12: Distributions of (a) the attack runtime and (b) the minimum required un- rolling depth for the circuits locked with HARPOON. one day. Unlike HARPOON, Interlocking generally requires larger minimum unrolling depths and can exhibit a higher resilience to the reference SAT-based attack. The attack runtime results are illustrated in Fig. 4.13. For the reference attack, the runtime drasti- cally increases with D max on all the benchmarks, while the runtime of Fun-SAT is less sensitive to D max . 19% of the reference attacks reach the one-day time-out threshold and the rest have an average runtime of 7 hours. In contrast, Fun-SAT reaches time-out on only 0:7% of the circuits and 91% terminate successfully within one hour. Whenever both the attacks do not reach time-out, Fun-SAT is, on average, 90 faster in finding the correct key than the reference attack. We further select locked versions of three rep- resentative benchmarks, s1488, s15850, and s38584, using Interlocking and apply both Fun-SAT and the reference attack with the “b 2 b” update rule. Results show that Fun-SAT can still report 62, 76, and 10 faster execution than the reference attack, 82 10 1 10 2 10 3 10 4 10 5 R untime (s) s27 (|I| = 4) s526 (|I| = 3) s1488 (|I| = 8) s9234 (|I| = 19) s15850 (|I| = 14) 5 10 15 20 10 1 10 2 10 3 10 4 10 5 R untime (s) s38584 (|I| = 12) 5 10 15 20 b10 (|I| = 11) 5 10 15 20 D max b12 (|I| = 5) 5 10 15 20 b15 (|I| = 36) 5 10 15 20 b19 (|I| = 24) Ref. attack t k = 1 Ref. attack t k = 2 Ref. attack t k = 3 Ref. attack t k = 4 Fun-SAT t k = 1 Fun-SAT t k = 2 Fun-SAT t k = 3 Fun-SAT t k = 4 timeout Figure 4.13: Runtime of Fun-SAT and the reference attack on all circuits locked with Interlocking. (The key bit-length can be computed as t k jIj.) 83 10 20 30 40 50 60 70 |K is | 10 2 10 3 10 4 10 5 R untime (s) s27 s1488 b10 timeout Figure 4.14: The runtime of successfulFun-SAT+ versus the effective key bit-lengthjK is j of the corresponding locked circuit. respectively, while being challenged by those benchmarks that exhibit a significantly deeper hidden corruptibility, hence a lager required unrolling depth. 4.6.4 Evaluation ofFun-SAT+ We first execute Fun-SAT+ without applying the approximate termination condition on the set of circuits locked using Interlocking in Section 4.6.3. For three out of ten bench- marks, namely, s27, s1488, and b10, Fun-SAT+ successfully attacks 96%, 79%, and 26% of the locked circuits, respectively, before reaching time-out. This demonstrates the feasibility of an attack that searches for the correct initial state of a locked sequential circuit. Fig. 4.14 is a scatter plot showing the runtime of these successful attacks versus the effective key bit-lengthjK is j of the locked circuit. 84 The performance degradation of Fun-SAT+ with respect to Fun-SAT is mostly due to the larger size of the search space, which scales exponentially with the effective key bit-length. In Fun-SAT, the key bit-length is the product of the primary input size and the key cycle length, ranging from 1 to 4 in our tests. Based on the benchmark in- put sizes in Table 4.1, the key bit-length ranges from 3 to 144. On the other hand, in Fun-SAT+, the effective key bit-length equals the number of DFFs in the locked circuit, the maximum of which can be around 7000, and which can be much larger than the actual locking key. Finally, the specific circuit function or FC pattern can also impact the performance of Fun-SAT+, as is the case for b10, for which only 26% of the locked netlists are successfully attacked, despite the small key bit-length. In this case, the degra- dation in performance is mostly motivated by the inaccuracy of FC estimations. In fact, an initial estimate FC 1 that is too close to one can make it harder to accurately detect whether the FC curve is increasing and require additional iterations of DIP search and model checking. We implement Fun-SAT+(App) to attack the locked versions of the seven bench- marks that could not be successfully attacked by Fun-SAT+. We set the functional cor- ruptibility threshold T f c to be 0:001. The maximum observation window b max depends, in general, on the structure of the circuit FSM. For our benchmarks, we set b max to 100, which is much larger than the estimated depth ( 8) available from the literature on FSM reverse-engineering [1]. Table 4.2 shows the percentage of locked circuits that 85 Table 4.2: Percentage of locked circuits successful attacked byFun-SAT+(App) Benchmark s526 s9234 s15850 s38584 b12 b15 b19 Percentage (%) 100 100 93 51 100 94 0 0 200 400 600 800 1000 1200 1400 |K is | 10 2 10 3 10 4 10 5 R untime (s) s526 s9234 s15850 s38584 b12 b15 timeout Figure 4.15: The runtime of successful Fun-SAT+(App) versus the effective key bit- lengthjK is j of the corresponding locked circuit. are successfully attacked without reaching time-out. WhileFun-SAT+(App) can signifi- cantly reduce the time spent on key verification and successfully terminate on many more locked circuits, SAT solving remains the bottleneck, which may cause the attack runtime to increase exponentially withjK is j, as suggested by Fig. 4.15. Following this exponen- tial trend, we predict an attack runtime on b19, whose locked circuits contain more than 6000 registers, on the order of 10 14 seconds, far exceeding the one-day time-out limit. IfFun-SAT+(App) terminates successfully, it returns an approximate initial state that can achieve close-to-zero b max -depth functional corruptibility within the selected obser- vation window of 100 clock cycles. We further examine the quality of the approximate 86 0.0 0.001 0.002 0.003 0.004 0.005 0.006 0.007 0.008 FC 10 ⋅ b max 10 0 10 1 10 2 10 3 F requency 359 1 0 4 2 0 0 0 1 Figure 4.16: Histogram of FC 10b max for all the successfully attacked circuits when evolv- ing according to the approximate initial states. initial states by computing the(10b max )-depth functional corruptibility, covering a time window 10 times as large as the one used for the attack. Fig. 4.16 shows the histogram of the resulting FC for all the successfully attacked circuits. Even in the extended ob- servation window, the approximate initial states returned byFun-SAT+(App) are able to maintain a functional corruptibility below or equal to T f c = 0:001 for 98% of the locked circuits. In fact, in most cases, the decrypted circuits can achieve zero FC, meaning that no errors are observed during FC simulation. According to the construction of Fun-SAT+, the number of registers provides the effective key bit-length, which is typically large in a sequential circuit. However, ad- ditional information about the type of registers can be used to reduce the effective key bit-length. For example, the initial state of a data path register of a complex circuit may not be part of the initial state of the circuit FSM. We can then use methods from FSM 87 reverse-engineering [3, 5] to expediteFun-SAT+, by only focusing on state (control-path) registers. We leave such extensions for future work. 4.6.5 Enhancing KC2 with Fun-SAT We finally show that Fun-SAT can be extended to attack variants of sequential lock- ing schemes that require additional key ports to inject the key, by combining it with KC2 [55], which integrates incremental solving methods, SAT learned-clause preserva- tion, and a stronger termination check to further enhance SAT-based attacks [54]. We compare the Fun-SAT-enhanced KC2 with its conventional version, which adopts the two update rules, b b+ 1 and b 2 b. We execute the above attack variants on the benchmarks used by Shamsi et al. [55], implementing Random Logic Locking (RLL) [29] that inserts XOR and XNOR gates to random locations of the circuit. We adopt two dif- ferent area overhead thresholds, i.e., 5% and 10%, for the locked circuits. In addition, we also apply the attacks on CBL [34], a recent sequential locking method reported as being resilient to KC2. In CBL, an internal counter FSM is added, which controls the minimum required unrolling depth via a threshold parameter C t . We assign C t to two values, i.e., 40 and 50, and select a key bit-length of 24 for all benchmarks. Tables 4.3 and 4.4 show the runtime results for a set of ISCAS’89 benchmarks locked with RLL and CBL, respectively. The performance of Fun-SAT for RLL is similar to the one of KC2 [55]. When compared with the b+ 1 rule, the average runtime improvement for Fun-SAT is limited, i.e., 1:4 and 1:1 for a 5% and 10% overhead, respectively. 88 Table 4.3: Runtime of KC2 with different update rules and Fun-SAT-enhanced KC2 on RLL-locked circuits Overhead 5% 10% Circuit b+1 2b Fun-SAT Advantage b+1 2b Fun-SAT Advantage b+1 2b b+1 2b s27 0.056 0.055 0.038 1.5 1.4 0.086 0.142 0.072 1.2 2.0 s526 1.251 2.535 1.194 1.0 2.1 86400 86400 86400 1.0 1.0 s1488 4.469 1.364 1.537 2.9 0.9 4.341 4.897 2.478 1.8 2.0 s9234 13023 86400 20668 0.6 4.2 86400 86400 86400 1.0 1.0 s15850 1176.3 22967 1185.8 1.0 19.4 698.4 86400 1281.6 0.5 67.4 Average 2841 21874 4371 1.4 5.6 34701 51841 34817 1.1 14.7 Attack times out after one day. All attacks on s38584 time out. The 2 b rule, on the other hand, seems less efficient in the RLL benchmarks and even leads to time-out in two benchmark circuits, where the b+ 1 rule and Fun-SAT succeed. With respect to the 2 b rule,Fun-SAT achieves up to 67:4 runtime improvement. As shown in Table 4.4 for CBL, we observe large runtime for the b+1 rule, primarily due to the KC2-resilient mechanism of CBL. For instance, for the smallest circuit, s27, when C t = 40, the b+ 1 rule takes as long as 3 hours. In most benchmarks, the 2 b rule is more efficient than the b+ 1 rule, which is to be expected. However, both the rules can lead to time-out on large benchmark circuits, such as s38584, where Fun-SAT can successfully terminate within 4 hours. When compared with the b+1 rule,Fun-SAT can achieve, on average, 7:9 and 13:2 improvement when C t = 40 and 50, respectively. While the 2 b rule narrows this advantage, we still observe an improvement from 2:2 to 3:4 when the threshold C t increases. We expect that a larger C t can lead to a more significant advantage ofFun-SAT, even when using the multiplicative update rule. 89 Table 4.4: Runtime of KC2 with different update rules versus Fun-SAT-enhanced KC2 on CBL-locked circuits Threashold C t 40 50 Circuit b+1 2b Fun-SAT Advantage b+1 2b Fun-SAT Advantage b+1 2b b+1 2b s27 11481.0 1600.2 1124.5 10.2 1.4 46358.3 5905.5 2655.9 17.5 2.2 s526 8919.4 1044.0 895.3 10.0 1.2 45199.6 6139.6 1985.8 22.8 3.1 s1488 10302.7 1946.0 2015.4 5.1 1.0 47061.7 6706.2 3689.9 12.8 1.8 s9234 9068.0 1797.0 878.1 10.3 2.0 36820.0 14540.9 2935.6 12.5 5.0 s15850 11873.3 3252.8 2113.4 5.6 1.5 48364.5 8848.9 6900.4 7.0 1.3 s38584 86400 86400 13749.4 6.3 6.3 86400 86400 12907.4 6.7 6.7 Average 23007.4 16006.7 1405.3 7.9 2.2 51700.7 21423.5 3633.5 13.2 3.4 Attack times out after one day. 4.7 Discussion As demonstrated in Section 4.6.5, theFun-SAT approach can be also applied to schemes that use additional ports to inject the key. Like other SAT-based attacks, Fun-SAT and Fun-SAT+ can time out for large circuit sizes. Nevertheless, our largest benchmark cir- cuit, b19, which contains two copies of the VIPER processor and i386 processor, can still be attacked byFun-SAT, as shown in Fig. 4.13. One possible way to challengeFun-SAT is to embed “deep” circuit errors so that the minimum unrolling depth increases. As shown in Section 4.6.4, more registers in a circuit may lead to longer runtime for Fun-SAT+. This is also the case for AES-256, a modern crypto module which in- cludes around three thousand DFFs. While its size is small and may not challenge Fun-SAT, When locked with the same configurations of Interlocking as in other bench- marks. Fun-SAT+ times out on all the locked AES-256. As a future direction, we may leverage novel FSM reverse engineering techniques to break large FSMs into smaller 90 sub-FSMs, whereFun-SAT+ can be applied to each sub-FSM and save the overall attack time. 4.8 Summary We formally defined the b-unrolled functional corruptibility, which is the first step to quantifying the protection mechanism and effectiveness of sequential logic locking. We then proved the relation between the b-unrolled FC and the set of pruned wrong keys with the unrolling depth b in a SAT-based attack, which led us to develop the functional corruptibility-guided SAT-based attack, Fun-SAT. Fun-SAT can efficiently estimate the minimum required unrolling depth based on the information leaked from the b-unrolled FC and achieves, on average, two orders of magnitude runtime improvement compared with a previous reference attack. We also developed Fun-SAT+, a variation of Fun-SAT that is agnostic of the key length and shifts the attack goal from finding the key to recover- ing the initial state of the circuit. The invention ofFun-SAT and its variants demonstrates the risk of information leakage on known sequential logic locking schemes and calls for researchers to develop better defenses with lower risks. In Chapter 5, we provide a low-risk sequential logic locking solution that is not only resilient to Fun-SAT but also prevents other state-of-the-art attacks known to date. 91 Algorithm 2Fun-SAT Input: Circuit-related parameters: Oracle C o , locked netlist C l , key cycle length t k . Configuration parameters: FC analysis window t win , simulation sample size S, FC difference thresholdd, FC hold thresholdD Output: Correct key sequence k 1: b lb 1; b ub t win 2: while True do 3: // ++++++ FC analysis phase ++++++ 4: count 0 5: for b b lb to b ub do 6: FC b simulate(C o ;C l ;b;t k ;S) 7: if b> 1 then 8: if FC b FC b1 d then 9: count count+ 1 10: else 11: count 0 12: end if 13: end if 14: b b 15: if count=D then 16: b b D 17: break 18: end if 19: end for 20: // ++++++ SAT attack phase ++++++ 21: k ;L dip ;L odip DIP Search(C o ;C l ;t k ;b ) 22: if key veri f y(k ;L dip ;L odip )= False then 23: b lb b + 1; b ub b +t win 24: else 25: break 26: end if 27: end while 28: return k 92 Algorithm 3Fun-SAT+ Input: Circuit-related parameters: Oracle C o , locked netlist C l . Configuration pa- rameters: FC analysis window t win , simulation sample size S, FC difference thresh- oldd, FC hold thresholdD Output: Correct initial state k 1: b lb 1; b ub t win 2: while True do 3: // ++++++ FC analysis phase ++++++ 4: count 0 5: for b b lb to b ub do 6: FC b simulate(C o ;C l ;b;S) 7: if b> 1 then 8: if FC b FC b1 d then 9: count count+ 1 10: else 11: count 0 12: end if 13: end if 14: b b 15: if count=D then 16: b b D 17: break 18: end if 19: end for 20: // ++++++ SAT attack phase ++++++ 21: k ;L dip ;L odip DIP Search(C o ;C l ;b ) 22: if key veri f y(k ;L dip ;L odip )= False then 23: b lb b + 1; b ub b +t win 24: else 25: break 26: end if 27: end while 28: return k 93 Chapter 5 Sporadic-Authentication-Based Sequential Logic Locking In light of the continuing development of more advanced attacks against sequential logic locking, such asFun-SAT, presented in Chapter 4, this chapter presents a low-risk coun- termeasure,SANSCrypt, a sporadic-authentication-based sequential logic locking, which is the first locking method to adopt a multi-authentication protocol, rather than the tradi- tional single-authentication protocol. SANSCrypt requires attackers to figure out not only the correct unlocking key but also the right time to provide the key. We demonstrate that the temporal uncertainty added by the new authentication protocol significantly helps decrease the risk of both functional and structural information leakage and prevent state- of-the-art attacks. 94 5.1 Introduction In Chapter 4, we illustrated the mechanism of sequential logic locking and demonstrated that it is vulnerable to Fun-SAT. Furthermore, another attack based on automatic test pattern generation (ATPG) [53] uses concepts from excitation and propagation of stuck- at faults to search the key sequence among the test patterns generated by ATPG. The ATPG-based attack assumes that most stuck-at faults can only be triggered and detected in the functional mode. Therefore, the correct authentication key sequence must appear in most of the test patterns generated by ATPG tools. Furthermore, when the attackers have some knowledge of the topology of the locked FSM, then they can extract and analyze the state transition graph and bypass the encrypted mode [51]. Overall, the continuous advances in FSM extraction and analysis tools tend to challenge any of the existing sequential logic locking schemes and call for approaches that can significantly increase their robustness. This chapter presents a novel Sporadic-Authentication-based Sequential Logic Lock- ing scheme (SANSCrypt), which raises the attack difficulty via a multi-authentication protocol, whose decryption relies on retrieving a set of correct key sequences as well as the time at which each sequence should be applied. Our contributions can be summarized as follows: A robust, multi-authentication-based sequential logic locking method that for the first time, to the best of our knowledge, systematically incorporates the robustness of multi-factor authentication (MFA) [77] in the context of hardware encryption. 95 An architecture for sporadic re-authentication where key sequences must be ap- plied at multiple times, determined by a random number generator, to access the correct circuit functionality. A design of the multi-authentication protocol that is suitable for time-sensitive applications, as it ensures that the real-time execution of time-critical and safety- critical tasks is not disrupted. Security analysis and empirical validation of SANSCrypt on a set of ISCAS’89 benchmark circuits [75], showing exponential resilience against existing attacks, including SAT-based attacks, and reasonably low overhead. Analysis and validation results show that SANSCrypt can significantly enhance the re- silience of sequential logic locking under different attack assumptions. A preliminary version of the results of this chapter appeared in our previous publication [65], where we first introducedSANSCrypt. In this chapter, we present an improved architecture and protocol design that are specifically amenable to time-sensitive applications, by allowing the authentication task to be interrupted or postponed upon request from higher-priority tasks. Moreover, we extend our analysis of the brute-force attack resilience to account for the attack difficulty brought by the timing uncertainty about when to apply the correct key sequences. Finally, we offer an extensive validation of the proposed construction, showing its ability to protect time-sensitive applications without affecting the execution of time-critical tasks. 96 The rest of the chapter is organized as follows. In Section 5.2, we present a multi- authentication protocol applicable to sequential logic locking and introduce the basic design and implementation details ofSANSCrypt. We then describe an enhanced design that is compatible with time-sensitive applications. The security level of SANSCrypt is analyzed in Section 5.3, while Section 5.4 reports the results from functional testing and the overhead after synthesis. Conclusions are drawn in Section 5.5. 5.2 Multi-Authentication-Based Sequential Logic Locking We introduce the design and implementation details for SANSCrypt, starting with the underlying threat model. 5.2.1 Threat Model SANSCrypt assumes a threat model that is consistent with the previous literature on se- quential logic locking [13, 51, 55]. The goal of the attack is to access the correct circuit functionality, by either finding the correct key sequence or reconstructing the correct cir- cuit function. To achieve this goal, the attacker can leverage one or more of the follow- ing resources: (i) the locked netlist; (ii) a working circuit providing correct input-output pairs; (iii) knowledge of the locking technique. In addition, we assume that the attacker has no access to the scan chain and cannot directly observe or change the state of the circuit. 97 Encrypted Mode Functional Mode Authenticate (a) Encrypted Mode Functional Mode Authenticate Jump back (b) Figure 5.1: Conventional (a) and proposed (b) authentication protocols for logic locking. 5.2.2 Authentication Protocol As shown in Fig. 5.1a, existing sequential logic locking techniques are mostly based on a single-authentication protocol, requiring users to be authenticated only once before accessing the correct circuit function. After the authentication, the circuit remains func- tional unless it is powered off or reset. To attack the circuit, therefore, it is sufficient to discover the correct key sequence that must be applied to the locked circuit upon reset. We adopt, instead, the authentication protocol in Fig. 5.1b, where the circuit can “jump” back to the encrypted mode from the functional mode. Once the back-jumping occurs, another round of authentication is required to resume the normal operation. The back-jumping can be triggered multiple times and involves a different key sequence for each round of re-authentication. The hardness of attacking this protocol stems from both the increased number of the key sequences to be applied and the uncertainty on the time at which each sequence should be applied. A new temporal dimension adds to the difficulty of the decryption procedure, which poses a significantly higher threshold to the attackers. 98 Figure 5.2: State transition diagram ofSANSCrypt. 5.2.3 Overview of the Locking Scheme SANSCrypt is a sequential logic locking scheme which supports random back-jumping, as represented in Fig. 5.2. When the circuit is powered or reset, the circuit falls into the reset state E0 of the encrypted mode. Like other sequential logic locking schemes, the user must apply at startup the correct key sequence at the primary input ports for the circuit to transition to the initial (or reset) state N0 of the functional mode. Once the circuit enters the functional mode, it can deliberately, but randomly, jump back, as denoted by the blue edges in Fig. 5.2, to a state s b j in the encrypted mode, called back-jumping state, after a designated number of clock cycles t b j , called back-jumping period. The user then needs to apply another key sequence to return to the state right before the back-jumping operation and resume normal operations, as shown by the red 99 Sequential Logic Combinational Logic Serial Compatator CLK RST PI PO Key Mask MUX 0 Signal Flip Scheduler Figure 5.3: Schematic view ofSANSCrypt. arrows in Fig. 5.2. Both the back-jumping state s b j and the back-jumping period t b j are determined by a pseudo-random number generator (PRNG) embedded in the circuit. Therefore, when and where the back-jumping operation happens is unpredictable unless the attacker is able to break the PRNG given the resources described in Section 5.2.1. An in-package key management circuit will be in charge of automatically applying the key sequences from a tamper-proof memory at the right time, as computed from a hard-coded replica of the PRNG. The schematic of SANSCrypt is shown in Fig. 5.3 and consists of two additional blocks, that is, a back-jumping module and an encryption finite state machine (ENC-FSM), besides the original circuit. We discuss each of these blocks in the following subsections. 100 5.2.4 Back-Jumping Module The back-jumping module consists of an n-bit PRNG, an n-bit Counter, and a Back- Jumping Finite State Machine (BJ-FSM). BJ-FSM continually checks the output from the PRNG and the counter, and determines the back-jumping operations, as summarized by the flowchart in Fig. 5.4. Upon circuit reset, BJ-FSM keeps checking the authentication status. Once the authentication is successful and the circuit enters the functional mode, BJ-FSM samples the current PRNG output and stores this value as the back-jumping period t b j . At the same time, the counter is set to zero. The counter increments its output at each clock cycle until it reaches t b j , when BJ- FSM samples again the PRNG output r. By taking the PRNG outputs at different clock cycles, r and t b j are generally not the same. The BJ-FSM then implements a function of r to determine the back-jumping state, i.e., s b j = f(r): For example, if s b j is an l-bit binary number, BJ-FSM can arbitrarily select l bits from r and assign the value to s b j . If the first l bits of r are selected, we have f(r)= r[0 : l 1]: Meanwhile, BJ-FSM sends a back-jumping request to the other blocks of the circuit, such that the circuit back-jumps to s b j in the encrypted mode, where it keeps checking 101 Circuit Authenticated? Start Sample RNG output as tbj Reset the counter Counter reaches tbj? Request back-jumping Yes Yes No No Sample RNG output r and calculate sbj = f(r) Figure 5.4: Flowchart of BJ-FSM. the authentication status of the circuit. SANSCrypt does not set any specific requirement on the PRNG. Any PRNG architecture can be used based on the design budget and the desired security level. For example, linear PRNGs, such as Linear Feedback Shift Registers (LFSRs), provide higher speed and lower area overhead but tend to be more vulnerable than cipher-based PRNGs, such as AES, which are, however, more expensive. 102 [2] [0] [1] n1 n1_mod n2 n2_mod n3 n3_mod n4 n4_mod n5 n5_mod n6 n6_mod enc_out Original Circuit Figure 5.5: enc out controls the original circuit via XOR gates. 5.2.5 Encryption Finite State Machine (ENC-FSM) The Encryption Finite State Machine (ENC-FSM) determines whether the user’s key sequence is correct and, if it is not correct, takes actions to corrupt the functionality of the original circuit. Without creating extra input ports for the authentication, the input of the ENC-FSM is provided via the primary input ports. The output enc out of ENC-FSM is an n-bit-long array, which can be used, together with a set of XOR gates, to corrupt the circuit function [14]. For example, in Fig. 5.5, a 3-bit array enc out is connected to six nodes in the original circuit via XOR gates. In this chapter, XOR gates are inserted at randomly selected nodes. However, any other combinational logic locking technique is also applicable. As a design parameter, we denote by node coverage the ratio between the number of inserted XOR gates and the total number of combinational logic gates in the circuit. 103 Table 5.1: Truth Table for a 3-Bit enc out Array State E0 E1 E2 E3 E4 Auth enc out[0] 0 1 1 1 1 0 enc out[1] 1 0 1 1 0 0 enc out[2] 1 1 1 0 0 0 Only one state of ENC-FSM, termed auth, is used in the functional mode. In auth, all bits in enc out are set to zero and the original circuit functionality is not corrupted. In the other states, the value of enc out changes based on the state, but at least one bit is set to one to guarantee that the circuit output is incorrect. A sample truth table for a 3-bit enc out array is shown in Table 5.1. When the circuit is not in auth, i.e., in the encrypted mode, enc out changes its value based on the state of the encryption FSM. Such an approach makes it difficult for signal analysis attacks, aiming to locate signals with low switching activity in the encrypted mode, to find enc out and bypass ENC-FSM. After a successful authentication, the circuit resumes its normal operation. Additional registers are, therefore, required in the ENC-FSM to store the circuit state before back-jumping so that it can be resumed after authentication. 5.2.6 Guaranteeing Real-Time Operation Unlike previous sequential logic locking methods, SANSCrypt requires the user to spo- radically be re-authenticated amid the circuit’s normal operation. As discussed in Sec- tion 5.3, this feature can significantly raise the attack difficulty. However, it can also cause timing overhead and impact the performance in time-sensitive applications that 104 Start Functional mode entered? Prioritized task requested? Yes No Sample RNG output as tbj Reset the counter No Yes Counter reaches tbj? Yes No tbj = deadline() Request back-jumping Sample RNG output r and calculate sbj = f(r, i) tbj = max{tbj, deadline() + counter()} ! " Figure 5.6: Flowchart of EBJ-FSM. require prompt, real-time response, or guarantees that a time-critical or safety-critical task meets a pre-defined deadline. For example, upon detection of a vehicle collision, authentication tasks should be preempted by the airbag control in the attempt to protect passengers. In this Section, we present an enhanced back-jumping FSM (EBJ-FSM) design that delivers precise, guaranteed, and predictable timing for real-time operation. 105 We denote by V I and V S the set of all possible primary input patterns and states of a circuit, respectively. We then assume without loss of generality that any input pattern in a set I p =fi 1 ;i 2 ;:::;i n g; where I p V I , can trigger a time-critical task whose execution should immediately start or be queued after the ongoing time-critical task. Such tasks should be completed, with- out interruption, within a number of clock cycles given by a function deadline. We assume that a task deadline depends, in general, on the triggering input and the current state of the circuit, i.e., deadline : V I V S !N: When a time-critical task is requested by an input pattern in I p , the deadline function returns the remaining number of clock cycles required without interruption to finish this task and the ongoing time-critical tasks, if any, based on the current state s. When the circuit is in an idle state, i.e., no time-critical task is being executed, and the current input pattern i satisfies i = 2 I p , the deadline function returns zero. The deadline function models the scheduling algorithm determining the priority among tasks and can be customized based on the desired application. Fig. 5.6 shows the flowchart of EBJ-FSM for time- sensitive applications. On top of the basic back-jumping feature, two locations in the flow chart handle task prioritization in the encrypted mode (À) and the functional mode (Á), respectively. 106 5.2.6.1 High-Priority Task Triggered in the Encrypted Mode (CaseÀ). The enhanced BJ-FSM (EBJ-FSM) allows the circuit to enter the functional mode in two scenarios: (1) upon a successful authentication, and (2) when a high-priority task is triggered. EBJ-FSM monitors these two events at each clock cycle. Once the functional mode is entered, EBJ-FSM checks whether the second scenario occurred, i.e., a high- priority task was triggered. If this is the case, meaning that the authentication process was interrupted, EBJ-FSM sets the back-jumping time t b j to the time required to complete the task execution as computed by the deadline function. When the high-priority task terminates and there are no new task requests with high priority, the circuit back-jumps to the encrypted mode and the authentication procedure is resumed. 5.2.6.2 High-Priority Task Triggered in the Functional Mode (CaseÁ). In the functional mode, EBJ-FSM continually checks whether the counter output has reached the threshold t b j . If so, it will request back-jumping as is the case for the BJ- FSM design in Fig. 5.4. However, in this case, the back-jumping time t b j is updated at each clock cycle via the following formula, t b j;k := maxft b j;k1 ;deadline()+ counter()g; where counter() returns the current counter output and t b j;k refers to the stored back- jumping time at time k. Effectively, the back-jumping time t b j is prolonged if a high- priority task cannot be completed before the next designated back-jumping operation. 107 Clock BJ-FSM Encrypted mode Functional mode Task 1 starts Task 1 finishes late EBJ-FSM Task 1 finishes on time (a) Clock BJ-FSM Encrypted mode Functional mode EBJ-FSM Task 2 starts Task 2 finishes late Task 2 finishes on time (b) Figure 5.7: Examples of high-priority tasks triggered in (a) the encrypted mode and (b) the functional mode. Both tasks require 5 clock cycles to finish with BJ-FSM and EBJ- FSM. Fig. 5.7 shows the timing diagrams for two high-priority tasks triggered in two dif- ferent modes. While the basic SANSCrypt protocol causes delays to the task execution, the EBJ-FSM guarantees that there is no delay in the execution of the critical tasks and no impact on the real-time performance of the circuit. As a further enhancement, we observe that the function that determines the back- jumping state s b j can also be modified by adding the current input value i as an argu- ment. We propose this modification to mitigate a potential vulnerability associated with 108 FSM structural analysis of the basic SANSCrypt architecture, as further illustrated in Section 5.3. 5.3 Security and Performance Analysis We analyzeSANSCrypt’s resilience against existing attacks and estimate its timing over- head due to the multi-authentication protocol. 5.3.1 Brute-Force Attack We assume that the number of primary inputs used as key inputs isjij and a round of authentication requires c clock cycles to apply the correct key sequence. If the attacker has no a priori knowledge of the correct key sequence, then the average number of attempts needed to find the correct key sequence for each authentication step, t, can be computed as follows: t =(2 jijc + 1)=2 2 jijc1 ; where we use t to represent the expected value of the random variable t. This amounts to the same brute-force attack complexity of HARPOON, where the locked circuit needs only one round of authentication. Due to the multi-authentication protocol implemented in SANSCrypt, the attacker needs to find the correct key sequences for more than one round of authentication. Each correct key sequence depends on the back-jumping states that are determined by the PRNG output. To achieve maximum protection, a designer 109 can associate each PRNG output value with a unique back-jumping state, hence a unique key sequence for the authentication. Therefore, the average brute-force effort to guess all the correct key sequences T is T = N r t = N r 2 jijc1 ; where N r is the number of possible values of the PRNG output. For a 10-bit PRNG, if jij= 32 and c= 8, this average attack effort reaches 5:8 10 79 . Even if all the key sequences are known, it still remains challenging to infer when each key sequence should be applied, as the attacker should find the back-jumping time associated with the sequence, and this is independent of the sequence itself. To account for the time uncertainty, we first estimate the effort for guessing the back-jumping time for one authentication round. The back-jumping time ranges from one to N r cycles fol- lowing a uniform distribution. Therefore, the average brute-force effort to correctly guess the time is t b j = N r 2 ; while the average effort to correctly find both the key sequence and the time at which to apply it becomes t b f = E[tt b j ]=tt b j = N r 2 2 jijc1 : Suppose the attacker needs to perform at least m rounds of authentication, where m N r and all N r key sequences are used for the authentication at least once. The expected 110 value for m can be calculated as follows, using a result from the coupon collector’s prob- lem [78]: m= N r 1 1 + 1 2 ++ 1 N r 1 + 1 N r : In our previous example, where N r = 1024, we have m= 7689. The average brute-force attack effort to find the back-jumping times and the key sequences for m authentication steps would then be T b f = E t b j t m = E m E[ t b j t m m] = E m N r 2 2 jijc1 m m : For simplicity, we provide a lower bound for the expectation above. Since m N r and N r 2 2 jijc1 > 1, we have the following lower bound for T b f : T b f N r 2 2 jijc1 N r : In our example, the average brute-force effort will be lower bounded by 1:8 10 81379 , which makes a brute-force attack infeasible and exponentially harder than in previous sequential obfuscation methods. 5.3.2 Sequential SAT-Based Attack A SAT-based attack can be carried out on existing sequential logic locking methods by unrolling the sequential circuit [51]. In this chapter, we implement such an attack to 111 validate the resilience of methods such as HARPOON and SANSCrypt by adapting pre- viously proposed attack strategies [54, 55] to a setting in which a dynamic key, i.e., a sequence of keys applied at different clock cycles, is presented via the primary input ports of the circuit. Fig. 5.8 shows the schematic of an unrolled circuit under the assumption that the number of clock cycles, n, required by the locked circuit to enter the functional mode after reset is known. The primary input ports of the first n replicas of the locked circuit, marked in red, act as the key ports K of the unrolled circuit. Starting with the(n+ 1) th circuit replica, the primary input and output ports of the locked circuit, marked in blue and magenta, act, instead, as the primary input ports I and the primary output ports O of the unrolled circuit, respectively. A combinational miter circuit can then be assembled using this unrolled circuit to mount a combinational SAT-based attack and find the correct key. If the SAT-based attack fails to find the correct key with(n+ 1) circuit replicas, the circuit will be unrolled once more to repeat the attack. The attack described above would still be ineffective on SANSCrypt, since it can retrieve the first key sequence but would fail to discover when the next back-jumping occurs and what would be the next key sequence. Even if the attacker knows when the next back-jumping occurs, the attack will fail due to the large number of circuit replicas needed to find all the key sequences, as empirically observed in Section 5.4. 112 Encrypted Encrypted Encrypted Functional I1 I2 In In+1 On+1 K I O Figure 5.8: An unrolled version of the locked circuit which requires n clock cycles to find the key sequence. 5.3.3 FSM Extraction and Structural Analysis As discussed in Section 2.2, a common shortcoming of previous sequential logic locking schemes is the easy separation of states between the encrypted mode and the functional mode due to the fact that only one transition goes though the two modes. SANSCrypt addresses this issue by designing more than one transition between the two modes, as shown in Fig. 5.2. In a basic BJ-FSM design, shown in Fig. 5.4, the back-jumping state is solely determined by the PRNG. Because transitions in FSM are typically determined also by the primary input, attackers can potentially identify all the back-jumping transi- tions by analyzing the transition conditions. The enhanced BJ-FSM design (EBJ-FSM), shown in Fig. 5.6, circumvents this vulnerability by also using the primary inputs to determine the back-jumping state. Without extracting the FSM, an attacker may also try to locate and isolate the output of ENC-FSM by looking for low signal switching activities when the circuit is in the encrypted mode. SANSCrypt addresses this risk by expanding the output of ENC-FSM from one bit to an array. The value of each bit changes frequently with state changing 113 Clock Mode Encrypted mode Functional mode tb ta { { Figure 5.9: Circuit mode switching for an authenticated user. in the encrypted mode, which makes it difficult for attackers to find them based only on signal switching activities. 5.3.4 Cycle Delay Analysis Due to multiple back-jumping and authentication operations in SANSCrypt, additional clock cycles will be required. Suppose that each authentication requires t a clock cycles and the circuit stays in the functional mode for t b clock cycles before the next back- jumping occurs, as shown in Fig. 5.9. Assuming that no higher-priority tasks are trig- gered, the cycle delay overhead can be computed as the ratio O cd = t a =t b . Specifically, for an n-bit PRNG, the average t b is equal to the average output value, i.e., 2 n1 . To illustrate how the cycle delay overhead is influenced by this locking method, Fig. 5.10 shows the relation between average cycle delay overhead and PRNG bit length. The clock cycles (t a ) required for each authentication are set to 8, 16, 64, and 128. When the PRNG bit length is small, the average cycle delay increases significantly as t a increases. However, the cycle delay can be reduced by increasing the PRNG bit 114 5 6 7 8 9 10 11 12 13 14 15 16 PRNG bit length 0% 200% 400% 600% 800% Cycle Delay Overhead t a = 128 t a = 64 t a = 16 t a = 8 Figure 5.10: Average cycle delay as a function of PRNG bit length when the key se- quence cycle length t a is 8, 16, 64, and 128. length. For example, the average cycle delay overhead becomes negligible ( 1%) for all the four cases when the PRNG bit length is 14 or larger. 5.4 Simulation Results We first evaluate the effectiveness of SANSCrypt on seven ISCAS’89 sequential bench- mark circuits of different sizes, as summarized in Table 5.2. All the experiments are executed on a Linux server with 48 2:1-GHz processor cores and 500-GB memory. We implement our technique on the selected circuits with different configurations and use a 45-nm Nangate Open Cell Library [63] to synthesize the locked netlists for area opti- mization under a critical-path delay constraint that targets the same performance as for the original netlists. For the purpose of illustration, we realize the PRNG using Linear Feedback Shift Registers (LFSRs) with different sizes, ranging from 5 to 15 bits. An LFSR provides an area-efficient implementation and has often been used in other logic 115 s27 s298 s1238 s9234 s15850 s35932 s38584 0.0 0.1 0.2 0.3 0.4 0.5 Average HD Coverage 5% Case 1 Case 2 Case 3 (a) s27 s298 s1238 s9234 s15850 s35932 s38584 0.0 0.1 0.2 0.3 0.4 0.5 Average HD Coverage 10% (b) s27 s298 s1238 s9234 s15850 s35932 s38584 0.0 0.1 0.2 0.3 0.4 0.5 Average HD Coverage 15% (c) s27 s298 s1238 s9234 s15850 s35932 s38584 0.0 0.1 0.2 0.3 0.4 0.5 Average HD Coverage 20% (d) Figure 5.11: The average HD for different node coverage: (a) 5%, (b) 10%, (c) 15%, and (d) 20%. locking schemes in the literature [10, 79]. We choose a random 8-cycle-long key se- quence as the correct key, and select 5%, 10%, 15%, and 20% as node coverage levels. Finally, we use the Hamming distance (HD) between the correct and the corrupted out- put values as a metric for the output corruptibility. If the HD is 0.5, the effort spent to identify the incorrect bits is maximum. 116 Table 5.2: Overview of the Selected Benchmark Circuits Circuit s27 s298 s1238 s9234 s15850 s35932 s38584 Input 4 3 14 36 77 35 38 Output 1 6 14 39 150 320 304 DFF 3 14 18 211 534 1728 1426 Gate 10 119 508 5597 9772 16065 19253 5.4.1 Functional Verification First, we simulate all the locked circuits with (case 1) and without (case 2) the correct key sequences, by applying a randomly generated input vector that is 1000-cycle long. We then compare the circuit output with the golden output from the original netlist and calculate the HD between the two. Each simulation is repeated for 1000 times to obtain the average HD. Moreover, we demonstrate the additional robustness of SANSCrypt by simulating a scenario (case 3) in which the attacker assumes that the logic locking is based on a single-authentication protocol and, thus, provides only the first correct key sequence upon reset. Fig. 5.11 shows the average HD in these three cases. For all the circuits, the average HD is zero only in case 1, when all the correct key sequences are applied at the right clock cycles. Otherwise, in case 2 (orange) and case 3 (green), we observe a significant increase in the average HD. The average HD in case 3 is always smaller than that of case 2 because, in case 3, the correct functionality is recovered for a short period of time, after which the circuit jumps back to the encrypted mode. The longer the overall runtime, the smaller will be the impact of this transparency window in which the circuit exhibits the correct functionality. 117 Table 5.3: SAT-based attack runtime for finding the first 7 key sequences Key Seq. Index 1 (HARPOON) 2 3 4 5 6 7 Runtime [s] 4 123 229 1941 1301 2202 25571 Table 5.4: ADP Overhead Results for Full Locking Circuit s27 s298 s1238 s9234 Node Coverage 5% 10% 15% 20% 5% 10% 15% 20% 5% 10% 15% 20% 5% 10% 15% 20% Area [%] 1418.5 1418.5 1403.2 1403.2 413.0 427.3 425.2 453.8 144.8 165.7 176.0 189.2 114.6 131.7 144.5 160.1 Power [%] 1627.7 1627.7 1627.5 1627.5 385.7 390.6 389.9 402.8 217.8 232.1 235.0 249.8 179.8 197.5 188.0 190.6 Delay [%] 0.0 0.0 1.4 1.4 0.0 0.0 0.0 0.5 0.0 0.0 0.0 5.8 0.0 0.0 0.9 3.6 Circuit s15850 s35932 s38584 Average Node Coverage 5% 10% 15% 20% 5% 10% 15% 20% 5% 10% 15% 20% 5% 10% 15% 20% Area [%] 92.9 112.1 120.1 133.9 116.3 129.5 139.4 151.6 133.5 140.9 158.7 165.6 120.4 136.0 147.8 160.1 Power [%] 127.4 142.3 153.2 163.0 98.4 101.9 101.2 103.0 123.9 128.8 142.0 140.3 149.5 160.5 163.9 169.4 Delay [%] -0.3 0.0 0.1 0.6 -0.4 0.0 4.3 5.3 0.6 2.0 0.4 4.9 0.0 0.4 1.1 4.0 Excluding s27 and s298. 5.4.2 Sequential SAT-Based Attacks We apply the sequential SAT-based attack in Section 5.3 to circuit s1238 with a 5-bit LFSR and 20% node coverage, under a stronger attack model, in which the attacker knows when to apply the key sequences. Table 5.3 shows the runtime to find the first set of 7 key sequences. The runtime remains exponential in the number of key sequences, which makes sequential SAT-based attacks impractical for large designs. 5.4.3 Impact of High-Priority Tasks We further characterize the behavior ofSANSCrypt in the presence of high-priority tasks. We consider the largest ISCAS benchmark s38584 and assume, without loss of gener- ality, that all the high-priority tasks to be executed on the locked circuit have the same deadline t d . For a sequence of input patterns, we define the high-priority task load L 118 0.00 0.05 0.10 0.15 0.20 0.25 0.30 L 0 100 200 300 400 500 600 Number of authentications PRNG length: 5 t d = 5 t d = 10 t d = 15 t d = 20 (a) 0.00 0.05 0.10 0.15 0.20 0.25 0.30 L 5 10 15 20 25 Number of authentications PRNG length: 10 t d = 5 t d = 10 t d = 15 t d = 20 (b) Figure 5.12: Number of authentications required within 10;000 clock cycles on s38584 for different priority task loads L. The PRNG length is (a) 5 and (b) 20. as the ratio between the number of high-priority task requests in the sequence and the sequence length. Fig. 5.12a and Fig. 5.12b show simulation results under different task loads and deadlines for 10;000 clock cycles, when the PRNG length is 5 and 10, re- spectively. L ranges from 0 to 0:3, while the task deadline takes four different values within 5 and 20. When L= 0, no high-priority tasks are requested and the numbers of authentications within 10;000 clock cycles are 480 and 25 for the two different PRNG lengths, respectively. When L or t d increases, it is more likely for a high-priority task to either interrupt or postpone the authentication step, leading to a decreasing number of authentications, as shown in Fig. 5.12a. However, in a scenario in which the number of authentications is already as low as 25 without execution of high-priority tasks, as in Fig. 5.12b, the likelihood that a task needs to interrupt or postpone the authentication process decreases. As a result, increasing L or t d does not significantly affect the num- ber of authentications as in the scenario of Fig. 5.12a. When L= 0:05 and t d = 5 or 119 10, the number of authentications becomes larger than in the absence of high-priority tasks in Fig. 5.12a, an artifact due to the non-ideality of the LFSR used in the design, which disappears when using a higher-quality PRNG. On the other hand, when many time-consuming high-priority tasks need to be executed, i.e., when the task load L is 0:3 and the deadline t d is 20, we observe that 5 and 3 authentications are still required per 10;000 clock cycles in Fig. 5.12a and Fig. 5.12b, respectively, which keeps the multi- authentication protocol effective. Overall, SANSCrypt is capable of delivering security as well as precise, guaranteed, and predictable timing in the execution of time-critical tasks. 5.4.4 Implementation Overhead Finally, Table 5.4 reports the synthesized area, power, and delay (ADP) overhead due to the implementation of our technique. In more than 70% of the circuits, the delay overhead is less than 1%, and exceeds the required clock cycle by at most 5:8%. Except for s27 and s298, characterized by a small gate count, all the other circuits show average area and power overhead of 141:1% and 160:8%, respectively, which is expected due to the additional number of registers required in ENC-FSM to guarantee that the correct state is entered upon re-authentication. However, because critical modules in large SoCs may only account for a small portion of the area, this overhead becomes affordable under partial obfuscation. For example, we locked a portion of state registers in s38584, the largest ISCAS’89 benchmark, using SANSCrypt. We then randomly inserted additional 120 Table 5.5: ADP Overhead Results for Partial Locking Locked registers/Total registers 100% 50% 25% 10% 5% 2.5% 1% Area [%] 133.5 71.6 49.1 33.4 27.8 23.5 22.4 Power [%] 123.9 40.2 9.6 -12.8 -20.5 -22.1 -25.0 Delay [%] 0.6 1.8 2.1 4.2 5.4 3.9 4.6 100% 50% 25% 10% 5% 2.5% 1% Coverage 0% 10% 20% 30% 40% Overhead Increase Area Power Timing Figure 5.13: Area, timing, power overhead increase, compared with the original SANSCrypt scheme, after the implementation of EBJ-FSM under different coverage ra- tios on s38584. XOR gates to achieve the same HD as in the case of full locking. Table 5.5 reports the overhead results after synthesis, when the ratio between the locked state registers and the total number of state registers decreases from 100% to 1%. Locking 10% of the registers will only cost 33:4% of the area while incurring negative power overhead and 4:2% delay overhead. On the other hand, implementing the enhanced design based on the EBJ-FSM on s38584, while using the same settings as in Table 5.5, causes an increase in the ADP overhead with respect to the basic SANSCrypt architecture, as shown in Fig. 5.13. Yet, the increase in both the area and timing overhead is below 4%, with the timing overhead often being lower than in the baseline. The increase in power overhead is substantial, 121 but it is partially compensated by the negative power overhead of the baseline design in Table 5.5, and therefore still acceptable. 5.5 Summary In this chapter, we proposed SANSCrypt, a low-risk sequential logic locking technique relying on a novel sporadic authentication protocol in which re-authentications are car- ried out at pseudo-randomly selected time slots. Unlike the previous methods that adopt a single-authentication protocol, SANSCrypt can significantly increase the difficulty of various available attacks, including Fun-SAT in Chapter 4. Furthermore, by allowing flexible interruption and postponement of authentication tasks upon requests from high- priority tasks, SANSCrypt is capable of guaranteeing reliable timing and seamless oper- ation in real-time and time-sensitive applications. 122 Chapter 6 Enhancing Logic Locking Against Machine Learning-Based Attacks In this chapter, we discuss the potential threat of machine learning (ML) on the security of logic locking. Specifically, we provide a case study on the recently proposed machine learning-based attacks [45–47] against combinational logic locking, whose success can be well explained by our repetition risk metric discussed in Chapter 3. We then present an effective low-risk enhancement method that can be applied to all vulnerable logic locking schemes to raise resilience against state-of-the-art ML-based attacks. 6.1 Introduction Over the past decade, logic locking [14, 15, 29, 30] has gained significant attention as a promising, low-cost countermeasure against IC reverse engineering. Logic locking protects a circuit by modifying its original netlist at the logic level and by adding a 123 G1 G2 G3 G4 I1 I2 I3 I4 O1 (a) G1 G2 G3 G4 I1 I2 I3 I4 O1 K1 KG1 K2 KG2 (b) Figure 6.1: The schematics of a simple circuit (a) before and (b) after being locked by XOR/XNOR-based insertion [14, 29, 30]. new set of input ports, called key ports. The locked circuit will then display a different function from the original one. To “unlock” the circuit and access its hidden function, a user must provide the correct key, i.e., a specific binary pattern, at the key ports. Even if a malicious agent successfully recovers the locked circuit structure from the design layout, its original function will still be hidden without the correct key, which helps prevent IC counterfeiting. For example, the simple circuit in Figure 6.1a is locked, as shown in Figure 6.1b, by using a logic locking technique based on the insertion of XOR/XNOR gates [14, 29, 30]. To restore the original circuit functionality, a user must provide “0” and “1” to key ports K 1 and K 2 , respectively, so that the gates in red act as buffers and do not toggle the signals propagating through them. Unfortunately, several logic locking techniques have recently been reported as being potentially vulnerable, due to the fact that the netlist structure of a locked circuit may leak critical information about the correct key [37, 45, 80]. Unsurprisingly, this vulnerability has shown to be exploitable by a family of attacks leveraging machine learning (ML) [45– 124 47] to identify correlations between the circuit structure and the key, and predict the correct key value with high accuracy. ML-based attacks are expected to become even more powerful due to the continuous advancements in ML algorithms and computing power, calling for further investigation of the information leakage in locked designs as well as methods that help decorrelate the locked circuit structure from the correct key. Previous approaches to robustify logic locking against ML-based attacks have mostly focused on a set of localized, pre-determined transformations of the circuit structure with the goal of reducing the correlation between the circuit structure and the correct key [81]. However, such approaches do not alter the function of the locked circuit and may be prone to “re-synthesis” attacks [23]. This chapter proposes, instead, DECOR, a random- ized algorithm-based construction which involves, instead, strategic modifications to the function of the locked circuit to significantly decrease the correlation between the netlist structure and the correct key, with the goal of reducing the expected advantage of an ML- based attack to be negligible when compared with a random key guessing attack. DECOR can be applied to any logic locking scheme. Our contributions can be summarized as follows: We present a technique to alter the functionality of a locked circuit to create mis- leading training data for ML-based attacks, without preventing a legal user from accessing the original circuit function. We introduceDECOR, a method based on randomized function alterations to achieve decorrelation between the netlist structure and the correct key. To the best of our 125 knowledge, DECOR is the first generic logic locking enhancement method that can be efficiently applied to any logic locking scheme to improve its resilience to ML- based attacks exploiting the correlation between circuit structure and key. We evaluate the effectiveness of our approach against two state-of-the-art ML- based attacks, namely,Snapshot [46] andOMLA [47], showing its ability to reduce the key prediction accuracy to around 50%, providing ML-based attacks negligible advantage over random guessing. The rest of the chapter is organized as follows. Section 6.2 discusses the threat model underlying ML-based attacks considered in this chapter and some related approaches proposed in the literature to counteract them. In Section 6.3, we illustrate the mecha- nism of DECOR and show how any logic locking scheme can be efficiently enhanced by DECOR to achieve resilience to ML-based attacks. We validate the effectiveness of our ap- proach against state-of-the-art ML-based attacks in Section 6.4. Conclusions are drawn in Section 6.5. 6.2 Background and Related Work In this section, we specify the threat model of ML-based attacks and discuss several previous efforts that aim to counteract the threat. 126 Locked netlists Correct keys Generate reference locked netlists Extract feature vectors Extract labels Labeled data Train the model Trained model Target locked netlist Predict the key Extract feature vectors Unlabeled data Predicted key Training Inference Figure 6.2: Flowchart of an ML-based attack. 6.2.1 Threat Model of ML-Based Attacks ML-based attacks, e.g., SAIL [45], Snapshot [46], aim to correctly predict each bit of the key of a locked circuit, called a target circuit. They typically assume that attackers have access to two resources, i.e., (i) the netlist of the target circuit and (ii) the knowledge of the specific logic locking technique used to lock the target circuit. As shown in Fig- ure 6.2, an ML-based attack consists of two phases, namely, training and inference. The training phase includes three steps, that is, (i) reference netlist generation, (ii) training data extraction, and (iii) model training. We detail each step below. 127 6.2.1.1 Reference Netlist Generation By using the same logic locking technique applied to the target netlist, an attacker gen- erates a significant number of reference locked netlists whose correct keys are known. When generating reference netlists, the attacker may choose to lock a generic benchmark suite, i.e., any set of netlists not including the target one [46], an option often referred to as the generalized set scenario (GSS). Alternatively, they may consider the target netlist as the original circuit and re-lock it. The latter option, also called self-referencing sce- nario (SRS), is more commonly used in practice, since it usually achieves better key prediction accuracy [45–47]. 6.2.1.2 Training Data Extraction An important step before training the ML model is to extract, from the reference locked netlists, the training data set that includes both the features (netlist properties) and the labels (correct keys). For instance, Snapshot [46] associates each feature-label pair with a single key port. The feature for the key port is a fixed-length vector that captures information about the function and topology of the neighborhood of the key port. A specific example illustrating the feature encoding of Snapshot is shown in Figure 6.3, where the value and the position of each entry in the feature vector represent the type and the location, respectively, of each gate in the key port neighborhood. To represent the topology of the key port neighborhood with less information loss, another ML-based attack, called OMLA, directly extracts as a feature a subgraph whose topology is identical 128 Key port 5 0 0 2 2 2 2 7 3 5 0 2 0 1 2 0 7 5 0 0 Locality Vector Encoding Extracted Structure Figure 6.3: An example of feature vector extraction and encoding inSnapshot [46]. to that of the key port neighborhood. The label associated with the feature is the correct key bit of the corresponding key port, which is either 0 or 1. All the feature-label pairs extracted from the reference locked netlists constitute the training data set. 6.2.1.3 Model Training An ML model is trained with the training data set. If the features in the data set are in vector form, previous attacks have adopted different ML models, such as random forests (RFs) [45], multi-layer perceptrons (MLPs) [46], and convolutional neural net- works (CNNs) [46]. With features in the form of a graph, a graph neural network (GNN) has shown to be effective and has been adopted to construct the OMLA attack [47], which achieves the best prediction accuracy reported to date. We validate the approach in this 129 Table 6.1: Comparison of different countermeasures to ML-Based attacks. Countermeasure Secure against Applicable to all locking schemes Re-synthesis attack SAIL Snapshot OMLA D-MUX [23] 4 4 4 4 6 UNSAIL [81] 6 4 6 6 6 TRLL [22] 4 4 4 4 6 DECOR (this dissertation) 4 4 4 4 4 chapter on two state-of-the-art attacks, namely, Snapshot and OMLA, which use vector- based features and graph-based features, respectively. 6.2.1.4 Model Inference After the ML model is trained, in the inference phase, the attacker extracts features from the target locked netlist with the same encoding adopted in the training phase, and uses them to predict the corresponding key bits. The success of an ML-based attack is mea- sured by the key prediction accuracy (KPA), which is the percentage of correctly pre- dicted key bits among all the key bits in the target locked netlist [45–47]. Several logic locking schemes have shown to induce strong correlations between the structure of the locked circuit and the correct key, making themselves vulnerable to ML- based attacks. For example, existing ML-based attacks have all reported a high KPA for XOR/XNOR-based insertion (XBI) methods [14, 29, 30], i.e., a category of logic locking schemes that insert XOR and XNOR gates at selected locations (wires) in the original circuit. A simple example of the XBI-locked netlist is shown in Figure 6.1b, where the type of the inserted gates, i.e., XOR or XNOR, may directly indicate the correct key value of 0 or 1, respectively. Logic synthesis may be able to perturb the 130 netlist structure to some degree. However, existing ML-based attacks are still successful in identifying strong correlations in the post-synthesis netlists [45]. Another category of logic locking schemes is based on the insertion of point functions, e.g., [15, 17], as a way to circumvent the powerful SAT attack [35]. Although existing ML-based attacks have not yet been mounted to attack such schemes, they may still exhibit similar vulnerabilities as inXBI, in that they tend to hard-code information about the correct key in the structure of the locked circuit, hence the strong correlation [37, 46]. 6.2.2 Countermeasures to ML-Based Attacks Various methods have been proposed to make logic locking more resilient to ML-based attacks [80]. Deceptive Multiplexer (D-MUX) [23] proposes to lock the circuit by al- ways inserting the same structure, i.e., multiplexers, instead of the distinguishable XOR and XNOR gates, such that the inserted structure is no longer correlated with the cor- rect key. Although D-MUX can successfully eliminate the threat from ML-based attacks, multiplexer-based insertion is still deemed vulnerable to other attack vectors, such as the SAT attack [35]. UNSAIL [81] aims to circumventSAIL [45] by modifying repetitive structural patterns in the XBI-locked netlist to decorrelate the netlist structure from the correct key. The goal is to effectively insert corrupted training data so that the misled ML model can only achieve a low key prediction accuracy. However, the corrupted training data set is crafted based on a specific set of structural netlist transformations. Without a randomized 131 scheme, the effect of such transformations can potentially be reversed by a “re-synthesis” attack [23]. Truly Random Logic Locking (TRLL) [22] overcomes the above shortcoming ofUNSAIL by involving randomness in the key gate selection and implementation, whose effect cannot be reversed by re-synthesis. However, TRLL is specifically designed for the XBI scheme. Differently from previous efforts, which mostly focus on specific attacks and logic locking schemes, we proposeDECOR, a generic logic locking enhancement method that can be used to robustify any existing logic locking scheme against ML-based attacks, by reducing the correlation between netlist structure and correct keys. We summarize bothDECOR and the previous countermeasures against ML-based attacks in Table 6.1. Besides attempting at predicting the correct key, machine learning has also been ap- plied to detect other aspects of a locked circuit that facilitate reverse engineering. For example, GNNUnlock [40] is a recent attack that leverages GNNs to predict whether a gate or module in the locked netlist belongs to a specific block inserted by a particular logic locking scheme, calledSFLL [16], and can be removed. In this chapter, we focus on ML-based attacks that exploit the correlation between the circuit structure and the key. Extensions of the proposed logic locking enhancement method to address correlations between circuit structures and sensitive information other than the key will be subject of future work. 132 6.3 Proposed Method We first discuss how the correlation between the locked circuit structure and the correct key can be reduced via a set of modifications to the locked circuit function without af- fecting the correct operation of the circuit. Inspired by those functional modifications, we illustrateDECOR, which can be generally applied to enhance the resilience of any logic locking scheme to ML-based attacks. 6.3.1 Preliminaries For a circuit C o with sets I and O of primary input ports and primary output ports, respec- tively, we denote by f o :B jIj !B jOj the circuit function. Let K be the set of key ports. We denote by f l :B jIj B jKj !B jOj the function implemented by the locked circuit C l . We use i and k to represent the patterns applied at the primary input ports and the key ports, respectively. We say that key k is correct if and only if the following condition holds: 8i2B jIj ; f o (i)= f l (i;k); (6.1) which is abbreviated as f o f l;k . Any locked circuit must have at least one correct key. 133 6.3.2 Altering the Mapping Between Circuit Function and Correct Key Previous approaches to robustify logic locking against ML-based attacks have mostly focused on a set of localized, pre-determined transformations of the circuit structure that preserve the function of the locked circuit, which often need to be customized for specific logic locking schemes and are vulnelrable to “re-synthesis” attacks. We propose instead that decorrelation between circuit structure and correct key can rather be achieved as an effect of altering the circuit function according to a logic locking-agnostic, randomized procedure that aims to decorrelate the circuit function from the correct key. For convenience, and without loss of generality, we illustrate our approach by as- suming that the circuit has only one output port, and that the circuit function is Boolean. Based on Shannon’s expansion theorem, the function of a locked circuit C l can be de- composed into the disjunction of several Shannon cofactors with respect to the input k as follows, f l (i;k)= _ k c 2K c f l (i;k c )_ _ k w 2K w f l (i;k w ); (6.2) whereK c andK w are the sets of correct keys and wrong keys, respectively. In the special case in which only one correct key k exists, (6.2) can be simplified as follows, f l (i;k)= f l (i;k )_ _ k w 2B jKj nfk g f l (i;k w ); (6.3) 134 where f o f l;k . Remarkably, the information captured by the function in (6.3) is pro- cessed in a different way by a legal user and an ML-based attacker, as detailed below. Since the goal of a legal user is to access the circuit function with the correct key k , only the left-most cofactor of (6.3), f l (i;k ), is relevant to the user. Any functional changes involving the other cofactors of (6.3) do not affect the legal user. We call these cofactors user-don’t-care (UDC) cofactors. An attacker, on the other hand, will analyze the locked netlist that is synthesized from the entire expression in (6.3). Functional changes in any cofactors, including the UDC ones, could potentially affect the structure of the post-synthesis netlist, hence the outcome of an ML-based attack. We can then leverage this information asymmetry to strategically alter the UDC cofactors in (6.3) and confuse an ML-based attacker without affecting the legal user. Specifically, we aim to decorrelate the locked circuit functions from their correct keys by creating two mapping scenarios: (i) The same locked circuit function can be labeled by multiple correct keys (one-to-many mapping), and (ii) multiple different locked circuit functions can share the same correct key as the label (many-to-one mapping). Since the netlist structure of the locked circuit is generated by logic synthesis, it is strongly correlated with the design specification, that is, the circuit function. Therefore, a decorrelation between the circuit function and the correct key also contributes to decorrelate the netlist structure from the correct key, thus increasing the difficulty to conduct a successful ML-based attack. 135 In the following, we show how we modify the UDC cofactors of the locked circuit function to achieve the two mapping scenarios above. Let us focus on the functional ex- pression in (6.3), which can potentially represent a locked circuit function implemented by any logic locking scheme. Suppose that we select two wrong keys, i.e., k 0 and k 00 , and modify their corresponding UDC cofactors, i.e., f l (i;k 0 ) and f l (i;k 00 ), such that both k 0 and k 00 can unlock the original circuit function as well as the correct key k does, i.e., f o f l;k f l;k 0 f l;k 00: (6.4) The modified circuit function can then be written as follows, f l (i;k)= _ k c 2fk ;k 0 ;k 00 g f l (i;k c )_ _ k w 2B jKj nfk ;k 0 ;k 00 g f l (i;k w ): (6.5) The functions in (6.3) and (6.5) are different and will generate different features, i.e., netlist structures, when the associated netlists are used to train an ML model. However, both of these features will be labeled by the correct key k . In fact, for the locked cir- cuit function in (6.3), we can generate many more different functions, each obtained by modifying the UDC cofactors corresponding to one or more arbitrarily selected wrong keys, as shown in Figure 6.4a. All these functions generate different netlist structures (features) that can all be labeled by the shared correct key k , which achieves the many- to-one mapping scenario. 136 ! , = ! , ∗ ∨ ' ! (, ∗∗ ) # ∗∗ ∈ " \{# ∗ } ! , = ! , ∗ ∨ ! ,′ ∨ ! ,′′ ∨ ' ! (, ∗∗ ) # ∗∗ ∈ " \{# ∗ ,# # ,# ## } Features (netlist structures) ! , = ! , ∗ ∨ ! , *** ∨ ' ! (, ∗∗ ) # ∗∗ ∈ " \{# ∗ , # ### } ! , = ! , ∗ ∨ ! , , ∨⋯∨ ! , - ∨ ' ! (, ∗∗ ) # ∗∗ ∈ " \{# ∗ , # $ ,…,# % } … ∗ Labels (correct keys) (a) ! , = ! , ∗ ∨ ! ,′ ∨ ! ,′′ ∨ ) ! (, ∗∗ ) # ∗∗ ∈ " \{# ∗ ,# # ,# ## } Features (netlist structures) ! Labels (correct keys) !! ∗ (b) Figure 6.4: (a) Many-to-one and (b) one-to-many mappings from features, associated with different locked circuit functions and netlist structures, to correct keys. Each co- factor in blue is equivalent to the original circuit function. Otherwise, the cofactor is in red. Symmetrically, a locked circuit function and the resulting synthesized netlist structure can also be associated with multiple labels. As illustrated in Figure 6.4b, a locked circuit implementing the function in (6.5) can be potentially labeled by any of the correct keys, i.e., k , k 0 , or k 00 , depending on which one was regarded as the correct key before the alteration of some of the UDC cofactors. Such a transformation implements the one-to- many mapping scenario. 137 Algorithm 4DECOR-L Input: Original circuit C o , key sizek, maximum allowed number of correct keys N Output: Locked circuit C l , correct key k 1: f int ;k =L(C o ;k) 2: correct key list=[k ] 3: n= random integer gen(range(2;N)) 4: while True do 5: if length(correct key list) n then 6: break 7: end if 8: new key= random key gen(k) 9: if new key not in correct key list then 10: correct key list.append(new key) 11: end if 12: end while 13: f l = alter UDC cofactors( f int ;correct key list) 14: C l = synthesize( f l ) 15: return C l ;k 6.3.3 DECOR: Structure-Key Decorrelation Method In Section 6.3.2, we demonstrated the possibility of creating many-to-one and one-to- many mappings in the training data set to confuse an ML model by only altering a set of UDC cofactors of the locked circuit function. Based on this observation, we introduce DECOR, a structure-key decorrelation method that uses a randomized algorithm to alter the UDC cofactors of the locked circuit function. In this respect, rather than a logic locking scheme,DECOR is an enhancement method that can significantly increase the resilience of any logic locking schemeL to ML-based attacks. For brevity, we denote by DECOR-L the resulting logic locking scheme enhanced byDECOR. Algorithm 4 outlines the flow of DECOR-L . Like any other logic locking schemes, 138 fo(i) g(i, k) I K O XOR (a) fo(i) g(i, k) I K O XOR is_correct(k) (b) Figure 6.5: Functional models of (a) the intermediate locked circuit function f int [38, 48] and (b) the locked circuit function f l after adding additional correct keys. DECOR-L takes as input the original circuit C o and the user-specified key size k. In ad- dition, a user must also specify the maximum allowed number of correct keys N for the locked circuit C l . When the algorithm finishes, it returns the locked circuit C l and one of its correct keys k . DECOR-L starts by locking the original circuit C o with the logic locking schemeL , which generates an intermediate locked circuit function, denoted as f int , and a correct key, denoted as k (line 1). The correct key k is then stored in the list of correct keys in line 2. Next, an integer n is randomly sampled from the range of 2 to N, which determines the number of correct keys that the locked circuit C l should have (line 3). From line 4 to line 12, the algorithm randomly samples n 1 wrong keys and adds them to the list of correct keys. Finally, it modifies the UDC cofactors of f int that correspond to those n 1 wrong keys, such that they can also unlock the original circuit function f o (line 13). Specifically, the intermediate locked circuit function f int , as shown in Figure 6.5a, can be generally modeled as the exclusive-OR of the original circuit func- tion f o and a newly introduced function g which represents the effect ofL [38, 48]. The 139 effect of altering a set of UDC cofactors can then be obtained by inserting a functional module, called “is correct”, as in Figure 6.5b, which outputs zero for all the keys listed in correct key list and restores the original circuit function f o at the circuit output. The UDC cofactor alteration is specified at the behavioral level, e.g., via the Verilog repre- sentation of the intermediate locked circuit function f int . The locked circuit function f l is then synthesized to generate the netlist C l , which is returned as output along with the first correct key k . In the following, we show that DECOR-L generates one-to-many and many-to-one mappings in the training data set with high probability, by analyzing two scenarios, i.e., (1) Algorithm 4 returns for t times the same locked circuit function f l ; and (2) Algo- rithm 4 returns for t times the same correct key k . 6.3.3.1 Algorithm 4 returns the same locked circuit function If the locked circuit functions are identical across the t runs, the t functions must have the same list of correct keys. Suppose the list of correct keys contains n keys. Since each of the n key values has the same probability of being returned by Algorithm 4 as the correct key, the probability that the t runs return the same correct key, hence the same label for ML training, is Pr[Same labelj Same feature]= 1 n t1 1 2 t1 ; (6.6) where the upper bound is due to n ranging from 2 to N. 140 Table 6.2: Overview of the selected benchmark circuits Circuit c1355 c1908 c2670 c3540 c5315 c6288 c7552 b15 C b17 C b21 C b22 C Inputs 41 33 233 50 178 32 207 485 1452 522 767 Outputs 32 25 64 22 123 31 107 449 1447 509 750 Gates 455 880 1193 1669 2307 2661 3512 8367 30777 20027 29162 c1355 c1908 c2670 c3540 c5315 c6288 c7552 b15_C b17_C b21_C b22_C AVG 40% 50% 60% 70% 80% 90% 100% KPA XBI DECOR-XBI (N=8) DECOR-XBI (N=16) Figure 6.6: Key prediction accuracy ofSnapshot onXBI andDECOR-XBI. 6.3.3.2 Algorithm 4 returns the same correct key When t runs return exactly the same key, serving as the label for training an ML model, we denote the number of correct keys for the t generated locked circuit functions as n 1 , n 2 , . . . , n t , respectively. For the t functions of the locked circuits to be identical, they must have the same list of correct keys, hence the same number of correct keys, i.e., n 1 = n 2 = = n t , and the same key values. Given that the number of correct keys is randomly sampled between 2 and N, the probability that the t locked circuit functions have the same number i of correct keys is 1=(N 1) t . Besides the returned key by Algorithm 4, the rest of the i 1 correct keys should also be the same across the t locked circuit functions. Since those i 1 correct keys are randomly sampled from the remaining key space of size 2 k 1, the probability that the rest of the i 1 correct keys is the same across the t locked circuit functions will be 1= 2 k 1 i1 t1 . Finally, the 141 c1355 c1908 c2670 c3540 c5315 c6288 c7552 b15_C b17_C b21_C b22_C AVG 40% 50% 60% 70% 80% 90% 100% KPA XBI DECOR-XBI (N=8) DECOR-XBI (N=16) Figure 6.7: Key prediction accuracy ofOMLA onXBI andDECOR-XBI. probability of t identical correct keys, i.e., labels, being associated with the same locked circuit function can be expressed as follows, Pr[Same featurej Same label] = N å i=2 Pr[Same featurej Same label; n= i] Pr[n= i] = N å i=2 1 2 k 1 i1 t1 1 (N 1) t N å i=2 1 (2 k 1) t1 1 (N 1) t = (N 1) (2 k 1) t1 1 (N 1) t = 1 (2 k 1)(N 1) t1 : (6.7) Both the probabilities in (6.6) and (6.7) decrease exponentially as t increases. Therefore, when a large set of reference locked netlists is generated, it is significantly more likely to see different keys labeling the same netlist structure and different circuit structures being labeled by a common key, hence the prevalence of one-to-many and many-to-one mapping scenarios in the training data set. 142 6.4 Validation Results DECOR can be used to enhance any logic locking scheme. In this section, we select two representative schemes, namely, XBI [29] and SARLock [15], which were conceived to achieve two major security objectives, i.e., confidentiality, by corrupting the circuit function, and SAT-attack resilience, respectively [38, 48]. We focus on these schemes, since their underlying mechanisms have been widely adopted in many other logic locking techniques. XBI has already been broken by ML-based attacks[45–47]. SARLock is also deemed as being vulnerable [37, 46], even if a successful ML-based attack has not yet been reported. In the following, we validate the effectiveness of DECOR-XBI and DECOR- SARLock against state-of-the-art ML-based attacks. 6.4.1 Experiment Setup Both XBI and SARLock, as well as their enhanced versions, DECOR-XBI and DECOR- SARLock, are implemented in PYTHON. We apply these four logic locking schemes to 11 different benchmark circuits selected from ISCAS’85 [82] and ITC’99 [76], as detailed in Table 6.2. For each benchmark circuit and each logic locking scheme, we generate a target netlist with a key size of 64. Each target netlist is then re-locked with the same logic locking scheme and the key size of 64 to generate 100 reference locked netlists used to train the ML model. In this chapter, we adopt 8 and 16 as the maximum number of correct keys N to configure Algorithm 4. All locked circuits are synthesized with a 45-nm Nangate Open Cell Library [63]. 143 c1355 c1908 c2670 c3540 c5315 c6288 c7552 b15_C b17_C b21_C b22_C 0% 50% 100% 150% 200% 250% Area Overhead XBI DECOR-XBI (N=8) DECOR-XBI (N=16) Figure 6.8: Area overhead for different circuits locked byXBI andDECOR-XBI. c1355 c1908 c2670 c3540 c5315 c6288 c7552 b15_C b17_C b21_C b22_C AVG 40% 50% 60% 70% 80% 90% 100% KPA SARLock DECOR-SARLock (N=16) Figure 6.9: Key prediction accuracy ofSnapshot onSARLock andDECOR-SARLock. To test the performance of DECOR, we use two state-of-the-art ML-based attacks, namely, Snapshot [46] and OMLA [47], which extract features as vectors and graphs, respectively, and have the highest key prediction accuracy (KPA) reported to date. For Snapshot, we reconstruct the CNN model structures as reported in the paper [46]. For OMLA, we adopt the open-sourced attack code [83] and use a grid-search approach [47] to find the best model hyperparameters and report the corresponding KPA for each bench- mark circuit. The generation of the locked netlists, synthesis and the ML-based attacks are executed on a server with 48 2:1-GHz cores and 500-GB memory. 6.4.2 XBI vs. DECOR-XBI We first apply Snapshot on XBI and DECOR-XBI and show, in Figure 6.6, the KPAs for all the benchmark circuits. Without the enhancement of DECOR, Snapshot can achieve an average KPA of 64:8% on all XBI-locked netlists. By applying DECOR, the average KPA drops to 56:8% when N = 8, and further down to 50:3% when N is increased 144 c1355 c1908 c2670 c3540 c5315 c6288 c7552 b15_C b17_C b21_C b22_C AVG 40% 50% 60% 70% 80% 90% 100% KPA SARLock DECOR-SARLock (N=16) Figure 6.10: Key prediction accuracy ofOMLA onSARLock andDECOR-SARLock. to 16, giving Snapshot negligible advantage over random guessing. In particular, the three largest benchmark circuits, i.e., b17 C, b21 C, and b22 C, all reach 50% KPAs for DECOR-XBI (N = 16). Similar results can be observed for the other attack, OMLA, in Figure 6.7. Although OMLA can achieve a much higher average KPA, i.e., 75:4%, than Snapshot when attacking XBI, it still fails to make informative key predictions on DECOR-XBI. When N is equal to 8 and 16, the average KPA forOMLA drops to 57:3% and 51:6%, respectively. On b21 C, applyingDECOR and setting N as 16 achieves the highest KPA reduction, where the second largest KPA of 82:4% drops to 51:9%. Figure 6.8 shows the area overhead of all the target locked netlists. For each bench- mark circuit, implementing DECOR on the baseline logic locking scheme, XBI, certainly raises the overhead. However, the overhead is inversely proportional to the size of the original circuit. For example, implementing DECOR-XBI (N = 16) on the largest benchmark circuit b17 C incurs only 3% of area overhead, while the KPA achieved by Snapshot and OMLA is as low as 50% and 55:2%, respectively. In this case, a designer may further choose to implement DECOR with a higher value of N to approach a 50% KPA for OMLA as well, while not significantly increasing the overhead. The area over- head on small benchmarks is relatively high. However, when applying DECOR to critical 145 c1355 c1908 c2670 c3540 c5315 c6288 c7552 b15_C b17_C b21_C b22_C 0% 20% 40% 60% 80% 100% Area Overhead SARLock DECOR-SARLock (N=16) Figure 6.11: Area overhead for different circuits locked by SARLock and DECOR-SARLock. modules in a large system-on-a-chip, the amortized overhead for the system can still be acceptable. 6.4.3 SARLock vs. DECOR-SARLock We demonstrate the performance of DECOR on SARLock, another logic locking scheme that is vulnerable to ML-based attacks. Considering the performance of DECOR for XBI- locked circuits, we directly choose N= 16 as the configuration forDECOR-SARLock. Fig- ure 6.9 and Figure 6.10 show the KPA for each benchmark circuit achieved bySnapshot andOMLA, respectively. Since neither of the two attacks is particularly designed to attack SARLock, they can only achieve an average KPA of 59:9% and 61:2% on the baseline SARLock scheme. On four benchmark circuits, namely, c1355, c1908, c3540, and c6288, we observe KPAs that indicate a good resilience to ML-based attacks. This is because the key size of the reference locked netlists used for training the ML model is 128, which is larger than the primary input size of the original benchmark circuits. Under this con- ditionSARLock itself can already generate more than one correct key [15, 38], achieving a similar effect as DECOR-SARLock. For the other eight benchmark circuits, we apply DECOR-SARLock (N= 16) and the average KPA, achieved bySnapshot andOMLA, drops 146 −4 −3 −2 −1 0 1 2 3 4 Principal component 1 −2 0 2 4 6 Principal component 2 (a) −2 0 2 4 6 8 Principal component 1 −4 −2 0 2 4 Principal component 2 (b) Figure 6.12: PCA results of the training data set extracted from c2670, which is locked by (a) SARLock and (b) DECOR-SARLock. The two colors denote different labels, i.e., 0 and 1. 5 6 7 8 9 10 Key size 2 6 2 8 2 10 #DIPs SARLock DECOR-SARLock Figure 6.13: SAT attack resilience on b17 C when it is locked with SARLock and DECOR-SARLock (N= 16) with different key sizes. to 52:7% and 51:9%, respectively. The area overhead for all the target netlists locked by SARLock andDECOR-SARLock is shown in Figure 6.11, leading to similar considerations as forDECOR-XBI in Figure 6.8. To further demonstrate the effectiveness of DECOR, we extract all the feature vec- tors used in Snapshot for a selected benchmark c2670. Figure 6.12 shows the re- sult from principal component analysis (PCA) of all the 6400 features extracted from 147 the training data sets for both (a) the baseline SARLock and (b) the improved version DECOR-SARLock. The two colors denote different labels, i.e., different correct key bits. ForSARLock, the purple nodes are clustered around the center of Figure 6.12a, while the yellow ones are distributed away from the center, which indicates a strong correlation between features and labels. On the other hand, in Figure 6.12b, the feature distributions for the two labels largely overlap with each other, showing the effectiveness ofDECOR in decorrelating features from labels by efficiently inserting many-to-one and one-to-many mapping data in the training data set. 6.4.4 Discussion We have shown the effectiveness ofDECOR against two state-of-the-art ML-based attacks. A concern can, however, be raised about the impact of increasing the number of correct keys of a locked circuit on the resilience to other types of attacks that search for the correct keys. We observe that such an impact can be made negligible when the number of correct keys is much smaller than the overall search space. For example, we consider the SAT attack [35], which is one of the most efficient search methods to find the correct key of a locked circuit. The resilience to this attack can be captured by the number of distinguishing input patterns (DIPs) needed to eliminate all the wrong keys, which largely depends on the output error distribution of the circuit [38, 48]. In this context, adding a small number of additional correct keys to a locked circuit with a large key length is 148 not expected to significantly perturb the output error distribution, hence the SAT-attack resilience achieved by the baseline logic locking scheme. For instance, Figure 6.13 shows the number of DIPs required by the SAT attack on b17 C when it is locked with SARLock, known for its high resilience to the SAT attack, and its perturbed version DECOR-SARLock (N = 16), using different key sizes. When the key size is 5, the SAT-attack resilience ofDECOR-SARLock is significantly lower than that of the baseline SARLock, because the maximum number of correct keys allowed by DECOR-SARLock, 16, amounts to half of the key search space, i.e., 2 5 . However, as the key size increases, the difference between the SAT-attack resilience of the two schemes decreases and becomes negligible for a key size of 10. If a netlist is locked using 64 key bits, DECOR-SARLock is expected to exhibit even more negligible impact on the SAT- attack resilience. 6.5 Summary We studied the recently proposed ML-based attacks that exploit the strong correlation between the structure of the locked circuit and the corresponding correct key, manifesting the usefulness of our risk metrics in Chapter 3 and the vulnerability of a combinational logic locking scheme incurring a high repetition risk. We then presented DECOR, an efficient and generic structure-key decorrelation method based on randomized circuit function alteration, which can lower the risk of any logic locking scheme and circumvent state-of-the-art ML-based attacks. 149 Chapter 7 Conclusions and Future Work In this chapter, we first summarize the main contributions of this dissertation. Then we discuss several research directions for future work. 7.1 Conclusions Integrated circuit (IC) reverse-engineering, potentially performed by malicious third- party contractors on the IC supply chain, has been regarded as a critical concern that affects the security and integrity of the chip design and manufacturing process. Over the past decade, logic locking has received significant attention as a promising solution to thwart IC reverse-engineering. However, logic locking methods are usually designed with the major goal of preventing existing attacks. Although such logic locking meth- ods can be “secure” against existing attacks, they tend to be broken soon by new attack vectors that exploit new channels of sensitive information leakage. Consequently, it has 150 become challenging to design a logic locking method that provides concrete security guarantees for a reasonably long time. This dissertation addressed this challenge by presenting a path toward a principled, security-driven design method for logic locking. Our approach aims to guide the design of logic locking not only based on known attacks but also based on fundamental secu- rity metrics that help quantify the likelihood of leaking sensitive information from the implementation of the locking scheme. Specifically, in Chapter 3, we started by propos- ing a universal model for combinational logic locking and formalizing several security notions, e.g., attack resilience and the protection level, which have been deemed criti- cal concerns for logic locking design. We then formally defined four risk metrics for combinational logic locking to quantify the likelihood that a set of information channels, such as the original circuit’s function, and the functional and structural information of a locking scheme, can leak sensitive information to the attackers. Moreover, we devel- oped an Obfuscation Design Space Exploration Engine (ODSEE) for combinational logic locking, which can be guided by our risk metrics along with common overhead metrics and efficiently search for secure, cost-effective combinational logic locking strategies out of a library of locking primitives. Validation results of ODSEE show the potential of novel combinational logic locking schemes, constructed by layering multiple locking primitives, for achieving significantly higher security and lower risks than any individual locking primitive with the same implementation cost. 151 In addition to applying the risk metrics to guide the design space exploration in com- binational logic locking, we extended our metrics to sequential logic locking, which has not often been systematically explored in the literature. In Chapter 4, we exploited, for the first time, a critical functional information leakage that exists in all known sequential logic locking methods. We then provided theoretical results on how the vulnerability can benefit the SAT-based attack against sequential logic locking. Consequently, we developed an efficient attack, Fun-SAT, that can break most existing sequential logic locking schemes, calling developers to rethink the security of existing sequential logic locking approaches. In light ofFun-SAT and other known attack vectors against sequen- tial logic locking, we proposed, in Chapter 5, a sporadic-authentication-based sequential logic locking, SANSCrypt, which, for the first time, adopts a multi-authentication proto- col, rather than the traditional single-authentication protocol, to reduce both functional and structural information leakage. SANSCrypt significantly raises the bar for attackers, as they have to figure out not only the correct unlocking key but also the right time to provide the key. The temporal uncertainty added by the new authentication protocol sig- nificantly helps to decrease the risk of both functional and structural information leakage and prevent state-of-the-art attacks, includingFun-SAT. Finally, in Chapter 6, we presented a case study on the recently proposed machine learning (ML)-based attacks against combinational logic locking whose implementation imposes a strong correlation between locked netlists and the corresponding correct keys. We showed that one of our risk factors can explain the success of ML-based attacks. 152 We further presented DECOR, a low-risk method based on randomized circuit function alterations to achieve decorrelation between the locked netlist and the correct key. To the best of our knowledge,DECOR is the first generic logic locking enhancement method that can be efficiently applied to any locking scheme to improve its resilience to ML-based attacks. Validation results show that the proposed approach can significantly increase resilience against state-of-the-art ML-based attacks. 7.2 Future Work Since 80 years ago, the number of transistors in a system-on-chip (SoC) has increased from 16 to hundreds of billions. With this large number of transistors in mind, manually designing the circuit becomes nothing but impossible. Similarly, secure logic locking schemes to protect a modern SoC could also become impractical for human engineers to design, in which case a design automation tool for logic locking is needed. In Chapter 3, we presentedODSEE, which can be regarded as a prototype for such a design automation tool. Our future work is centered on developing complete design automation solution for secure logic locking, starting with the extension ofODSEE. 7.2.1 Design Space Exploration for Sequential Logic Locking We have demonstrated the feasibility of design space exploration (DSE) for combina- tional logic locking in Chapter 3, as well as the benefit of layering different locking primitives to achieve high security, low risk, and reasonable cost. However, researchers 153 have recently discovered several limitations of combinational logic locking. For exam- ple, a dilemma exists between the SAT-attack resilience and functional corruptibility (FC), which makes both high attack resilience and high FC hard to achieve [36, 38, 48]. Moreover, the SAT attack resilience of any combinational locking scheme is upper- bounded by 2 jIj , where I is the set of input ports of the original circuit [38]. Conversely, Zhang et al. [20] have recently proposed a novel sequential logic locking, which is free from the above limitations. Moreover, as demonstrated in Chapter 5, sequential logic locking can include a much larger design space to explore due to the introduced attack complexity in the temporal dimension. Therefore, a promising direction for future re- search would be to extend our DSE framework to sequential logic locking, with the goal of automatically generating secure, cost-effective sequential logic locking schemes. 7.2.2 Incorporating Low-Risk Solutions for Design Automation In Chapter 3, our validation results on ODSEE indicated that novel combinational logic locking schemes, constructed by layering multiple locking primitives, can achieve sig- nificantly higher security and lower risk than any individual logic locking scheme with the same implementation cost. In our future work, we plan to include more novel logic locking primitives in the DSE framework and explore the benefit of layering those new primitives. For example, this dissertation proposed several low-risk defenses in combina- tional and sequential logic locking schemes, which could be modeled and incorporated 154 into the primitive library of the DSE framework. In addition, many more logic lock- ing techniques have been recently proposed and received attention from the research community. For example, latch-based logic locking [24] is a technique that stands in be- tween the two major types, i.e., combinational and sequential, of logic locking covered in this dissertation and has not yet been found to be vulnerable. Logic locking has also been proposed and implemented at the register-transfer level [19], which may be more promising for protecting large-scale system design. We plan to incorporate these new locking techniques in our DSE framework as well. 7.2.3 Security Analysis of Reconfigurable-Logic-Based Locking Reconfigurable-logic-based locking, also known as logic redaction, is a recently pro- posed method that achieves IC protection by redacting all or parts of the original circuit blocks with reconfigurable logic blocks, such as lookup tables [21, 41, 42] and FPGA fabrics [43]. When the circuit is fully redacted, it is assumed that no sensitive infor- mation can be leaked from the locked circuit. However, a full redaction could impose an unacceptable cost in most IC design scenarios. Previous literature on logic redaction techniques, e.g., [21, 41, 43], often resorts to partial redaction to balance the level of information leakage and the cost. For example, they often leverage an iterative method to redact a randomly selected module in the circuit and stop the iteration when the over- head exceeds a user-specified threshold. However, there has been no systematic analysis of how partial redaction affects security and risk. As a result, insightful methodologies 155 making quantitative suggestions on which part of the circuit to redact have yet to be developed. Our DSE framework could potentially serve as an efficient tool to explore and evaluate different strategies of partial redaction. Such exploration is expected to be informative and guide developers to generate better rules for secure partial redaction. 156 Bibliography [1] Travis Meade, Shaojie Zhang, and Yier Jin. “Netlist reverse engineering for high-level functionality reconstruction”. In: 21st Asia and South Pacific Design Automation Conference (ASP-DAC). IEEE. 2016, pp. 655–660. [2] Travis Meade, Yier Jin, Mark Tehranipoor, and Shaojie Zhang. “Gate-level netlist reverse engineering for hardware security: Control logic register identification”. In: IEEE International Symposium on Circuits and Systems (ISCAS). IEEE. 2016, pp. 1334–1337. [3] James Geist, Travis Meade, Shaojie Zhang, and Yier Jin. “RELIC-FUN: Logic identification through functional signal comparisons”. In: 57th ACM/IEEE Design Automation Conference (DAC). IEEE. 2020, pp. 1–6. [4] Rachel Selina Rajarathnam, Yibo Lin, Yier Jin, and David Z Pan. “ReGDS: A reverse engineering framework from GDSII to gate-level netlist”. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2020, pp. 154–163. [5] Subhajit Dutta Chowdhury, Kaixin Yang, and Pierluigi Nuzzo. “ReIGNN: State register identification using graph neural networks for circuit reverse engineering”. In: IEEE/ACM International Conference On Computer Aided Design (ICCAD). 2021, pp. 1–9. [6] Muhammad Yasin, Jeyavijayan (JV) Rajendran, and Ozgur Sinanoglu. Trustworthy hardware design: Combinational logic locking techniques. Springer, 2020. [7] Ramesh Karri, Jeyavijayan Rajendran, Kurt Rosenfeld, and Mohammad Tehranipoor. “Trustworthy hardware: Identifying and classifying hardware trojans”. In: Computer 43.10 (2010), pp. 39–46. 157 [8] Mohammad Tehranipoor and Farinaz Koushanfar. “A survey of hardware trojan taxonomy and detection”. In: IEEE Design & Test of Computers 27.1 (2010), pp. 10–25. [9] Richard Wayne Jarvis and Michael G Mcintyre. Split manufacturing method for advanced semiconductor circuits. US Patent 7,195,931. 2007. [10] Kan Xiao, Domenic Forte, and Mark Mohammed Tehranipoor. “Efficient and secure split manufacturing via obfuscated built-in self-authentication”. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2015, pp. 14–19. [11] Muhammad Yasin, Bodhisatwa Mazumdar, Ozgur Sinanoglu, and Jeyavijayan Rajendran. “CamoPerturb: Secure IC camouflaging for minterm protection”. In: IEEE/ ACM International Conference On Computer Aided Design (ICCAD). 2016, pp. 1–8. [12] Edoardo Charbon. “Hierarchical watermarking in IC design”. In: Proceedings of the IEEE 1998 Custom Integrated Circuits Conference (Cat. No. 98CH36143). IEEE. 1998, pp. 295–298. [13] Rajat Subhra Chakraborty and Swarup Bhunia. “HARPOON: An obfuscation-based SoC design methodology for hardware protection”. In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 28.10 (2009), pp. 1493–1502. [14] Jeyavijayan Rajendran, Huan Zhang, Chi Zhang, Garrett S Rose, Youngok Pino, Ozgur Sinanoglu, et al. “Fault analysis-based logic encryption”. In: IEEE Transactions on Computers 64.2 (2013), pp. 410–424. [15] Muhammad Yasin, Bodhisatwa Mazumdar, Jeyavijayan JV Rajendran, and Ozgur Sinanoglu. “SARLock: SAT attack resistant logic locking”. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2016, pp. 236–241. [16] Muhammad Yasin, Abhrajit Sengupta, Mohammed Thari Nabeel, Mohammed Ashraf, Jeyavijayan Rajendran, and Ozgur Sinanoglu. “Provably-secure logic locking: From theory to practice”. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017, pp. 1601–1618. 158 [17] Yang Xie and Ankur Srivastava. “Anti-sat: Mitigating sat attack on logic locking”. In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 38.2 (2018), pp. 199–207. [18] Yinghua Hu, Kaixin Yang, Shahin Nazarian, and Pierluigi Nuzzo. “SANSCrypt: Sporadic-Authentication-Based Sequential Logic Encryption”. In: VLSI-SoC: Design Trends. Ed. by Andrea Calimera, Pierre-Emmanuel Gaillardon, Kunal Korgaonkar, Shahar Kvatinsky, and Ricardo Reis. Cham: Springer International Publishing, 2021, pp. 255–278. [19] Christian Pilato, Animesh Basak Chowdhury, Donatella Sciuto, Siddharth Garg, and Ramesh Karri. “ASSURE: RTL locking against an untrusted foundry”. In: IEEE Transactions on Very Large Scale Integration (VLSI) Systems 29.7 (2021), pp. 1306–1318. [20] Yuke Zhang, Yinghua Hu, Pierluigi Nuzzo, and Peter A Beerel. “TriLock: IC protection with tunable corruptibility and resilience to SAT and removal attacks”. In: Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE. 2022, pp. 1329–1334. [21] Subhajit Dutta Chowdhury, Gengyu Zhang, Yinghua Hu, and Pierluigi Nuzzo. “Enhancing SAT-attack resiliency and cost-effectiveness of reconfigurable-logic-based circuit obfuscation”. In: IEEE International Symposium on Circuits and Systems (ISCAS). IEEE. 2021, pp. 1–5. [22] Nimisha Limaye, Emmanouil Kalligeros, Nikolaos Karousos, Irene G Karybali, and Ozgur Sinanoglu. “Thwarting all logic locking attacks: Dishonest oracle with truly random logic locking”. In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 40.9 (2020), pp. 1740–1753. [23] Dominik Sisejkovic, Farhad Merchant, Lennart M Reimann, and Rainer Leupers. “Deceptive logic locking for hardware integrity protection against machine learning attacks”. In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 41.6 (2021), pp. 1716–1729. [24] Joseph Sweeney, V Mohammed Zackriya, Samuel Pagliarini, and Lawrence Pileggi. “Latch-based logic locking”. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2020, pp. 132–141. [25] Hadi Mardani Kamali, Kimia Zamiri Azar, Farimah Farahmandi, and Mark Tehranipoor. “Advances in logic locking: Past, present, and prospects”. In: Cryptology ePrint Archive (2022). 159 [26] Shervin Roshanisefat, Hadi Mardani Kamali, Kimia Zamiri Azar, Sai Manoj Pudukotai Dinakarrao, Naghmeh Karimi, Houman Homayoun, et al. “DFSSD: Deep faults and shallow state duality, a provably strong obfuscation solution for circuits with restricted access to scan chain”. In: IEEE VLSI Test Symposium (VTS). 2020, pp. 1–6. [27] Lap Wai Chow, James P Baukus, Bryan J Wang, and Ronald P Cocchi. Camouflaging a standard cell based integrated circuit. US Patent 8,151,235. 2012. [28] Masoud Rostami, Farinaz Koushanfar, and Ramesh Karri. “A primer on hardware security: Models, methods, and metrics”. In: Proceedings of the IEEE 102.8 (2014), pp. 1283–1295. [29] Jarrod A Roy, Farinaz Koushanfar, and Igor L Markov. “Ending piracy of integrated circuits”. In: Computer 43.10 (2010), pp. 30–38. [30] Muhammad Yasin, Jeyavijayan JV Rajendran, Ozgur Sinanoglu, and Ramesh Karri. “On improving the security of logic locking”. In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 35.9 (2016), pp. 1411–1424. [31] Avinash R Desai, Michael S Hsiao, Chao Wang, Leyla Nazhandali, and Simin Hall. “Interlocking obfuscation for anti-tamper hardware”. In: Proceedings of the eighth annual cyber security and information intelligence research workshop. 2013, pp. 1–4. [32] Jaya Dofe and Qiaoyan Yu. “Novel dynamic state-deflection method for gate-level design obfuscation”. In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 37.2 (2017), pp. 273–285. [33] Yasaswy Kasarabada, Sudheer Ram Thulasi Raman, and Ranga Vemuri. “Deep state encryption for sequential logic circuits”. In: IEEE Computer Society Annual Symposium on VLSI (ISVLSI). IEEE. 2019, pp. 338–343. [34] Amin Rezaei and Hai Zhou. “Sequential logic encryption against model checking attack”. In: Design, Automation and Test in Europe Conference and Exhibition (DATE). IEEE. 2021, pp. 1178–1181. [35] Pramod Subramanyan, Sayak Ray, and Sharad Malik. “Evaluating the security of logic encryption algorithms”. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2015, pp. 137–143. 160 [36] Kaveh Shamsi, Meng Li, Travis Meade, Zheng Zhao, David Z Pan, and Yier Jin. “AppSAT: Approximately deobfuscating integrated circuits”. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2017, pp. 95–100. [37] Yinghua Hu, Kaixin Yang, Subhajit Dutta Chowdhury, and Pierluigi Nuzzo. “Risk-Aware Cost-Effective Design Methodology for Integrated Circuit Locking”. In: Design, Automation and Test in Europe Conference and Exhibition (DATE). IEEE. 2021, pp. 1182–1185. [38] Yinghua Hu, Vivek V Menon, Andrew Schmidt, Joshua Monson, Matthew French, and Pierluigi Nuzzo. “Security-driven metrics and models for efficient evaluation of logic encryption schemes”. In: Proceedings of the 17th ACM-IEEE International Conference on Formal Methods and Models for System Design. 2019, pp. 1–5. [39] Fangfei Yang, Ming Tang, and Ozgur Sinanoglu. “Stripped functionality logic locking with Hamming distance-based restore unit (SFLL-hd)–unlocked”. In: IEEE Transactions on Information Forensics and Security 14.10 (2019), pp. 2778–2786. [40] Lilas Alrahis, Satwik Patnaik, Faiq Khalid, Muhammad Abdullah Hanif, Hani Saleh, Muhammad Shafique, et al. “GNNUnlock: Graph neural networks-based oracle-less unlocking scheme for provably secure logic locking”. In: Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE. 2021, pp. 780–785. [41] Gaurav Kolhe, Hadi Mardani Kamali, Miklesh Naicker, Tyler David Sheaves, Hamid Mahmoodi, PD Sai Manoj, et al. “Security and complexity analysis of LUT-based obfuscation: From blueprint to reality”. In: IEEE/ACM International Conference on Computer-Aided Design (ICCAD). 2019, pp. 1–8. [42] Kaveh Shamsi, David Z Pan, and Yier Jin. “On the Impossibility of Approximation-Resilient Circuit Locking”. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2019, pp. 161–170. [43] Prashanth Mohan, Oguz Atli, Joseph Sweeney, Onur Kibar, Larry Pileggi, and Ken Mai. “Hardware redaction via designer-directed fine-grained eFPGA insertion”. In: Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE. 2021, pp. 1186–1191. [44] Hai Zhou, Amin Rezaei, and Yuanqi Shen. “Resolving the trilemma in logic encryption.” In: IACR Cryptol. ePrint Arch. 2019 (2019), p. 918. 161 [45] Prabuddha Chakraborty, Jonathan Cruz, and Swarup Bhunia. “SAIL: Machine learning guided structural analysis attack on hardware obfuscation”. In: Asian Hardware Oriented Security and Trust Symposium (AsianHOST). IEEE. 2018, pp. 56–61. [46] Dominik Sisejkovic, Farhad Merchant, Lennart M Reimann, Harshit Srivastava, Ahmed Hallawa, and Rainer Leupers. “Challenging the security of logic locking schemes in the era of deep learning: A neuroevolutionary approach”. In: ACM Journal on Emerging Technologies in Computing Systems (JETC) 17.3 (2021), pp. 1–26. [47] Lilas Alrahis, Satwik Patnaik, Muhammad Shafique, and Ozgur Sinanoglu. “OMLA: An oracle-less machine learning-based attack on logic locking”. In: IEEE Transactions on Circuits and Systems II: Express Briefs 69.3 (2021), pp. 1602–1606. [48] Hai Zhou. “A humble theory and application for logic encryption”. In: Cryptology ePrint Archive (2017). [49] L. G. Valiant. “A Theory of the Learnable”. In: Proc. ACM Symp. Theory of Computing. 1984, pp. 436–445. [50] Kaveh Shamsi, Travis Meade, Meng Li, David Z Pan, and Yier Jin. “On the approximation resiliency of logic locking and IC camouflaging schemes”. In: IEEE Transactions on Information Forensics and Security 14.2 (2018), pp. 347–359. [51] Travis Meade, Zheng Zhao, Shaojie Zhang, David Pan, and Yier Jin. “Revisit sequential logic obfuscation: Attacks and defenses”. In: IEEE International Symposium on Circuits and Systems (ISCAS). 2017, pp. 1–4. [52] Michaela Brunner, Johanna Baehr, and Georg Sigl. “Improving on state register identification in sequential hardware reverse engineering”. In: 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2019, pp. 151–160. [53] Danielle Duvalsaint, Zeye Liu, Ananya Ravikumar, and Ronald D Blanton. “Characterization of locked sequential circuits via ATPG”. In: 2019 IEEE International Test Conference in Asia (ITC-Asia). IEEE. 2019, pp. 97–102. [54] Mohamed El Massad, Siddharth Garg, and Mahesh Tripunitara. “Reverse engineering camouflaged sequential circuits without scan access”. In: IEEE/ACM International Conference on Computer-Aided Design (ICCAD). 2017, pp. 33–40. 162 [55] Kaveh Shamsi, Meng Li, David Z Pan, and Yier Jin. “KC2: Key-condition crunching for fast sequential circuit deobfuscation”. In: Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE. 2019, pp. 534–539. [56] Yasaswy Kasarabada, Suyuan Chen, and Ranga Vemuri. “On SAT-based attacks on encrypted sequential logic circuits”. In: 20th International Symposium on Quality Electronic Design (ISQED). IEEE. 2019, pp. 204–211. [57] Abhrajit Sengupta, Mohammed Nabeel, Muhammad Yasin, and Ozgur Sinanoglu. “ATPG-based cost-effective, secure logic locking”. In: IEEE 36th VLSI Test Symposium (VTS). IEEE. 2018, pp. 1–6. [58] Scott Kirkpatrick, C Daniel Gelatt, and Mario P Vecchi. “Optimization by simulated annealing”. In: science 220.4598 (1983), pp. 671–680. [59] T G¨ onen and IJ Ramirez-Rosado. “Review of distribution system planning models: A model for optimal multistage planning”. In: IEE Proceedings C (Generation, Transmission and Distribution). V ol. 133. 7. IET. 1986, pp. 397–408. [60] MIT Lincoln Laboratory. Common Evaluation Platform. 2018. URL: https://github.com/mit-ll/CEP. [61] Ryan O’Donnell. Analysis of boolean functions. Cambridge University Press, 2014. [62] IBM. IBM ILOG CPLEX Optimizer. Version 12.9. 2018. [63] Silvaco. 45nm Open Cell Library. 2019. URL:https: //www.silvaco.com/products/nangate/FreePDK45_Open_Cell_Library/ (visited on 11/25/2019). [64] Xiaoxiao Wang, Dongrong Zhang, Miao He, Donglin Su, and Mark Tehranipoor. “Secure scan and test using obfuscation throughout supply chain”. In: IEEE Trans. Computer-Aided Design of Integrated Circuits and Systems 37.9 (2017), pp. 1867–1880. [65] Yinghua Hu, Kaixin Yang, Shahin Nazarian, and Pierluigi Nuzzo. “SANSCrypt: A Sporadic-Authentication-Based Sequential Logic Encryption Scheme”. In: IFIP/ IEEE 28th International Conference on Very Large Scale Integration (VLSI-SoC). 2020, pp. 129–134. 163 [66] Yinghua Hu, Yuke Zhang, Kaixin Yang, Dake Chen, Peter A Beerel, and Pierluigi Nuzzo. “Fun-SAT: Functional corruptibility-guided SAT-based attack on sequential logic encryption”. In: 2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE. 2021, pp. 281–291. [67] Hai Zhou, Ruifeng Jiang, and Shuyu Kong. “CycSAT: SAT-based attack on cyclic logic encryptions”. In: IEEE/ACM International Conference On Computer Aided Design (ICCAD). IEEE. 2017, pp. 49–56. [68] Nimisha Limaye, Satwik Patnaik, and Ozgur Sinanoglu. “Fa-SAT: Fault-aided SAT-based attack on compound logic locking techniques”. In: 2021 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE. 2021, pp. 1166–1171. [69] M Sazadur Rahman, Adib Nahiyan, Fahim Rahman, Saverio Fazzari, Kenneth Plaks, Farimah Farahmandi, et al. “Security assessment of dynamically obfuscated scan chain against oracle-guided attacks”. In: ACM Transactions on Design Automation of Electronic Systems (TODAES) 26.4 (2021), pp. 1–27. [70] Yiqiong Shi, Chan Wai Ting, Bah-Hwee Gwee, and Ye Ren. “A highly efficient method for extracting FSMs from flattened gate-level netlist”. In: Proceedings of 2010 IEEE International Symposium on Circuits and Systems. IEEE. 2010, pp. 2610–2613. [71] Hyunwoo Cho, Gary D Hachtel, Enrico Macii, Bernard Plessier, and Fabio Somenzi. “Algorithms for approximate FSM traversal based on state space decomposition”. In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 15.12 (1996), pp. 1465–1478. [72] Niklas S¨ orensson and Niklas E´ en. “MiniSat—a SAT solver with conflict-clause minimization”. In: Eighth International Conference on Theory and Applications of Satisfiability Testing (SAT). V ol. 3569. 2005. [73] Kenneth L McMillan. “Interpolation and SAT-based model checking”. In: International Conference on Computer Aided Verification. Springer. 2003, pp. 1–13. [74] Roberto Cavada, Alessandro Cimatti, Michele Dorigatti, Alberto Griggio, Alessandro Mariotti, Andrea Micheli, et al. “The nuXmv symbolic model checker”. In: International Conference on Computer Aided Verification. Springer. 2014, pp. 334–342. 164 [75] Franc Brglez, David Bryan, and Krzysztof Kozminski. “Combinational profiles of sequential benchmark circuits”. In: IEEE International Symposium on Circuits and Systems (ISCAS). 1989, pp. 1929–1934. [76] Scott Davidson. “ITC’99 benchmark circuits-preliminary results”. In: International Test Conference 1999. Proceedings (IEEE Cat. No. 99CH37034). IEEE. 1999, pp. 1125–1125. [77] Abhilasha Bhargav-Spantzel, Anna C Squicciarini, Shimon Modi, Matthew Young, Elisa Bertino, and Stephen J Elliott. “Privacy preserving multi-factor authentication with biometrics”. In: Journal of Computer Security 15.5 (2007), pp. 529–560. [78] Philippe Flajolet, Daniele Gardy, and Lo¨ ys Thimonier. “Birthday paradox, coupon collectors, caching algorithms and self-organizing search”. In: Discrete Applied Mathematics 39.3 (1992), pp. 207–229. [79] M Sazadur Rahman, Adib Nahiyan, Sarah Amir, Fahim Rahman, Farimah Farahmandi, Domenic Forte, et al. “Dynamically obfuscated scan chain to resist oracle-guided attacks on logic locked design”. In: Cryptology ePrint Archive (2019). [80] Dominik Sisejkovic, Lennart M Reimann, Elmira Moussavi, Farhad Merchant, and Rainer Leupers. “Logic locking at the frontiers of machine learning: A survey on developments and opportunities”. In: 2021 IFIP/IEEE 29th International Conference on Very Large Scale Integration (VLSI-SoC). IEEE. 2021, pp. 1–6. [81] Lilas Alrahis, Satwik Patnaik, Johann Knechtel, Hani Saleh, Baker Mohammad, Mahmoud Al-Qutayri, et al. “UNSAIL: Thwarting oracle-less machine learning attacks on logic locking”. In: IEEE Transactions on Information Forensics and Security 16 (2021), pp. 2508–2523. [82] Mark C Hansen, Hakan Yalcin, and John P Hayes. “Unveiling the ISCAS-85 benchmarks: A case study in reverse engineering”. In: IEEE Design & Test of Computers 16.3 (1999), pp. 72–80. [83] DfX-NYUAD. DfX-NYUAD/OMLA. Available at https://github.com/DfX-NYUAD/OMLA (2021/11/20). 165 Appendices A Proofs A.1 Proof of Theorem 2 Proof. We first prove that FC b = FC b1 holds if f 0 b does not introduce new errors, i.e., errors tagged by b. Suppose that n b1 is the number of errors introduced by f 0 b1 . Assume that an input j2B (b1)jIj and a key k2B t k jIj lead to an output error, i.e., f b1 ( j)6= f 0 b1 ( j;k) holds. By Definition 6, there are 2 jIj inputs i such that i2B bjIj and j i holds. Therefore, f 0 b inherits n b1 2 jIj errors from f 0 b1 . By Definition 7, we obtain FC b = n b1 2 jIj 2 bjIj+t k jIj = n b1 2 (b1)jIj+t k jIj = FC b1 : We now prove that f 0 b does not introduce new errors if FC b = FC b1 holds. Suppose, by contradiction, that FC b = FC b1 holds and f 0 b introduces, instead, new errors. Let 166 n FC b1 holds, f 0 b will introduce new errors, with error tags equal to b. For an arbitrary wrong key k2 K b , we consider the following two cases based on whether the following condition holds (case 1) or does not hold (case 2): 9 i2B bjIj :( f 0 b (i;k)6= f b (i))^(T b (i;k)< b); (A.1) i.e., whether there exists at least one error introduced by f 0 b whose error tag is less than b. Case 1. By Theorem 4, there exists an input i b1 2B (b1)jIj such that f 0 b1 (i b1 ;k)6= f b1 (i b1 ) holds. Therefore, by Lemma 3, the wrong key k is also in K b1 . Case 2. Since k2 K b and condition (A.1) does not hold, the associated errors must all have an error tag b, i.e., T b (i;k)= b;8i : f 0 b (i;k)6= f b (i): 169 By Definition 8, we also conclude: f 0 b1 (i b1 ;k)= f b1 (i b1 );8 i b1 2B (b1)jIj ; i.e., k is not in K b1 . Based on whether all the incorrect keys in K b satisfy (A.1) or not, we conclude that K b can be at least equal to and possibly a superset of K b1 . Therefore, K b1 K b holds. 170
Abstract (if available)
Linked assets
University of Southern California Dissertations and Theses
Conceptually similar
PDF
Graph machine learning for hardware security and security of graph machine learning: attacks and defenses
PDF
Attacks and defense on privacy of hardware intellectual property and machine learning
PDF
Assume-guarantee contracts for assured cyber-physical system design under uncertainty
PDF
Power optimization of asynchronous pipelines using conditioning and reconditioning based on a three-valued logic model
PDF
Custom hardware accelerators for boolean satisfiability
PDF
Learning logical abstractions from sequential data
PDF
Compiler and runtime support for hybrid arithmetic and logic processing of neural networks
PDF
Side-channel security enabled by program analysis and synthesis
PDF
Data-driven and logic-based analysis of learning-enabled cyber-physical systems
PDF
Formal equivalence checking and logic re-synthesis for asynchronous VLSI designs
PDF
Formal analysis of data poisoning robustness of K-nearest neighbors
PDF
Differential verification of deep neural networks
PDF
Circuit design with nano electronic devices for biomimetic neuromorphic systems
PDF
Automatic conversion from flip-flop to 3-phase latch-based designs
PDF
Electronic design automation algorithms for physical design and optimization of single flux quantum logic circuits
PDF
Verification and testing of rapid single-flux-quantum (RSFQ) circuit for certifying logical correctness and performance
PDF
Designing efficient algorithms and developing suitable software tools to support logic synthesis of superconducting single flux quantum circuits
PDF
Advanced cell design and reconfigurable circuits for single flux quantum technology
PDF
Protecting online services from sophisticated DDoS attacks
PDF
Towards efficient edge intelligence with in-sensor and neuromorphic computing: algorithm-hardware co-design
Asset Metadata
Creator
Hu, Yinghua
(author)
Core Title
Security-driven design of logic locking schemes: metrics, attacks, and defenses
School
Viterbi School of Engineering
Degree
Doctor of Philosophy
Degree Program
Electrical Engineering
Degree Conferral Date
2022-12
Publication Date
06/02/2024
Defense Date
10/25/2022
Publisher
University of Southern California
(original),
University of Southern California. Libraries
(digital)
Tag
computer-aided design,design space exploration,formal verification,hardware security,logic locking,OAI-PMH Harvest,supply chain security
Format
theses
(aat)
Language
English
Contributor
Electronically uploaded by the author
(provenance)
Advisor
Nuzzo, Pierluigi (
committee chair
), Beerel, Peter A. (
committee member
), Wang, Chao (
committee member
)
Creator Email
jeff.yhhu@gmail.com,yinghuah@usc.edu
Permanent Link (DOI)
https://doi.org/10.25549/usctheses-oUC112620919
Unique identifier
UC112620919
Identifier
etd-HuYinghua-11370.pdf (filename)
Legacy Identifier
etd-HuYinghua-11370
Document Type
Dissertation
Format
theses (aat)
Rights
Hu, Yinghua
Internet Media Type
application/pdf
Type
texts
Source
20221214-usctheses-batch-997
(batch),
University of Southern California
(contributing entity),
University of Southern California Dissertations and Theses
(collection)
Access Conditions
The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the author, as the original true and official version of the work, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright. The original signature page accompanying the original submission of the work to the USC Libraries is retained by the USC Libraries and a copy of it may be obtained by authorized requesters contacting the repository e-mail address given.
Repository Name
University of Southern California Digital Library
Repository Location
USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Repository Email
cisadmin@lib.usc.edu
Tags
computer-aided design
design space exploration
formal verification
hardware security
logic locking
supply chain security