USC Digital Library, University of Southern California Dissertations and Theses (USC Thesis)
ATTACKS AND DEFENSE ON PRIVACY OF HARDWARE
INTELLECTUAL PROPERTY AND MACHINE LEARNING
by
Dake Chen
A Dissertation Presented to the
FACULTY OF THE USC GRADUATE SCHOOL
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF PHILOSOPHY
(ELECTRICAL ENGINEERING)
May 2023
Copyright 2023 Dake Chen
Dedication
This dissertation is dedicated to my large and beloved house and family, my
father Qiwei Chen, my mother Liu Zeng, my grandfather Xianghu Zeng for
their continuous love, encouragement, and support.
Acknowledgements
First and foremost, I am deeply indebted to Professor Peter A. Beerel, my
doctoral advisor. He has been giving me endless support since my first day
in graduate school. I especially appreciate his enthusiastic dedication to
my research. Without his guidance and help, I would not have been able
to explore the research directions presented in this dissertation and could
not have become the person I am today.
Besides my advisor, I would also like to extend my sincere thanks to the
rest of my dissertation committee members, Professor Pierluigi Nuzzo and
Professor Aiichiro Nakano, for their time, interest, and invaluable comments.
I am also grateful to the other two members of my qualifying committee,
Professor Sandeep Gupta and Professor Akhilesh Jaiswal, for their time and
insightful questions. Their crucial remarks shaped my final dissertation.
I am extremely grateful to my seniors Yang Zhang and Ramy Tadros
who introduced me to our group and encouraged me to conduct research. In
addition, I would like to thank my seniors Huimei Cheng, Souvik Kundu,
Bo Zhang, Fangzhou Wang, and Jizhe Zhang. They have provided insightful
suggestions and invaluable support to my work. Moreover, I would like to
express my gratitude to my lab mates and co-authors, Yuke Zhang, Xuan
Zhou, Yinghua Hu, Kaixin Yang, Subhajit Dutta Chowdhury, and Chunxiao
Lin. I wish also to thank my lab mates, Mutian Zhu, Gourav Datta, Xi
Li, Matthew Conn, Robert Aviles, Moises Herrerabuitrago, and Yue Hu for
the inspiring discussions related to this dissertation and for making my life
at USC joyful and exciting. I would like to extend my gratitude to our IT
assistant Dylan Hand. He always unblocks me with the tool installation
and license extension. I also appreciate the help of the USC Ming Hsieh
Department of Electrical and Computer Engineering staff, Annie Yu and
Diane Demetras, for their support and help.
I am also grateful to my girlfriend, Jingyuan Li; thank you for your
company and love over the past years. I also would like to express my grati-
tude to Cheng Jiang, Danyang Zhu, Yongxing Jiang, Lin Jia, Shengzhe Xu,
Zhongheng Li, Qixin Huang, Wenhao Li, Yihe Zhang, Jingyi Sun, Dongsu
Luo and Liyu Gui, you are my best and lifelong friends, and thank you for
your support and company during my PhD journey.
Finally, I am deeply grateful to my parents (Qiwei Chen and Liu Zeng),
my grandfather Xianghu Zeng, and my family for their love, encouragement,
and support during my PhD journey.
Without any of the aforementioned people, this dissertation would not
be possible.
Dake Chen
Los Angeles, California
December 2022
Table of Contents
Dedication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Privacy and Security of Human and Hardware . . . . . . . . . 1
1.2 Side-channel Analysis . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Logic Locking . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Oracle-guided Attacks . . . . . . . . . . . . . . . . . . . . . . 6
1.4.1 SAT-based Attack . . . . . . . . . . . . . . . . . . . . 6
1.4.2 Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . 9
1.5 Oracle-less Attacks . . . . . . . . . . . . . . . . . . . . . . . . 12
1.5.1 Machine Learning Attacks . . . . . . . . . . . . . . . . 12
1.5.2 Functional Analysis Attack on Logic Locking . . . . . . 17
1.6 Contributions of Thesis . . . . . . . . . . . . . . . . . . . . . . 17
1.7 Thesis Organization . . . . . . . . . . . . . . . . . . . . . . . . 21
Chapter 2: Defenses and Attacks on Privacy of Human and Hardware . . . . 22
2.1 Human and Machine Learning Privacy . . . . . . . . . . . . . 22
2.1.1 Threats to Human Privacy in Split Learning . . . . . . 22
2.1.2 Maximum Likelihood Attack . . . . . . . . . . . . . . . 24
2.1.3 Inverse Network Attack. . . . . . . . . . . . . . . . . . 24
2.2 Hardware Privacy and Logic Locking . . . . . . . . . . . . . . 25
2.2.1 Logic Locking on Scan Chain . . . . . . . . . . . . . . 26
2.2.2 Combinational Logic Locking . . . . . . . . . . . . . . 29
2.2.3 Sequential Logic Locking . . . . . . . . . . . . . . . . . 38
2.3 Advanced SAT-based Attack . . . . . . . . . . . . . . . . . . . 41
Chapter 3: Distillation-based Inverse Network Attack . . . . . . . . . 44
3.1 Proposed Inverse Network Attack . . . . . . . . . . . . . . . . 45
3.2 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 47
3.2.1 Comparison of IDPAs . . . . . . . . . . . . . . . . . . 47
3.2.2 Choice of DINA’s Loss Coefficients . . . . . . . . . . . 49
Chapter 4: Island-based Random Dynamic Voltage Scaling as a Countermeasure for Power Side-Channel Attacks . . . . 51
4.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.1.1 Correlation-Based Power Analysis . . . . . . . . . . . . 52
4.1.2 Elastic Alignment . . . . . . . . . . . . . . . . . . . . . 54
4.1.3 Metrics for Countermeasure Effectiveness . . . . . . . . 56
4.2 Island-based Random DVS . . . . . . . . . . . . . . . . . . . . 57
4.3 SNR Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.4 Alignment Analysis . . . . . . . . . . . . . . . . . . . . . . . . 65
4.5 Clustering Attack . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.6 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 68
4.6.1 Trace Generation and Experiment Design . . . . . . . 68
4.6.2 Effectiveness of Elastic Alignment . . . . . . . . . . . . 70
4.6.3 Resistance to Clustering . . . . . . . . . . . . . . . . . 72
Chapter 5: GF-Flush: A GF(2) Algebraic Attack on Dynamically
Secured Scan Chains . . . . . . . . . . . . . . . . . . . . 74
5.1 Dynamically secured scan chain . . . . . . . . . . . . . . . . . 76
5.1.1 LFSR . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
5.1.2 Dynamically Obfuscated Scan Chains . . . . . . . . . . 77
5.1.3 Algebraic Analysis . . . . . . . . . . . . . . . . . . . . 78
5.2 GF-Flush: A GF(2) Algebraic Attack . . . . . . . . . . . . . . 79
5.2.1 Algebraic Foundations of the Attack . . . . . . . . . . 79
5.2.2 Analysis of the Attack . . . . . . . . . . . . . . . . . . 83
5.3 Multiple-Input Signature Register . . . . . . . . . . . . . . . . 83
5.4 Attack on a MISR . . . . . . . . . . . . . . . . . . . . . . . . 84
5.5 Experimental results . . . . . . . . . . . . . . . . . . . . . . . 86
5.5.1 Experiment Setup . . . . . . . . . . . . . . . . . . . . . 86
5.5.2 Analysis of Basic Obfuscated Scan Chains . . . . . . . 88
5.5.3 Analysis of Impact of MISRs . . . . . . . . . . . . . . . 89
5.5.4 Comparison to Other Attacks . . . . . . . . . . . . . . 90
Chapter 6: Unraveling Latch Locking Using Machine Learning, Boolean Analysis, and ILP . . . . 94
6.1 Latch Based Logic Locking . . . . . . . . . . . . . . . . . . . . 97
6.2 Machine Learning and Deep learning Models . . . . . . . . . . 98
6.2.1 Multi-layer Perceptrons. . . . . . . . . . . . . . . . . . 98
6.2.2 Random Forest . . . . . . . . . . . . . . . . . . . . . . 99
6.2.3 Attack model . . . . . . . . . . . . . . . . . . . . . . . 99
6.3 Proposed Two-Phase Attack . . . . . . . . . . . . . . . . . . . 99
6.3.1 Motivation and Overview of Our Approach . . . . . . . 100
6.3.2 Sequential Graph and Node Feature Set . . . . . . . . 102
6.3.3 Phase 1: Identify Logic Decoys . . . . . . . . . . . . . 105
6.3.4 Phase 2: Identify Remaining Latches . . . . . . . . . . 106
6.4 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 109
6.4.1 Experiment Setup . . . . . . . . . . . . . . . . . . . . . 109
6.4.2 Dataset Generation . . . . . . . . . . . . . . . . . . . . 110
6.4.3 Accuracy Results . . . . . . . . . . . . . . . . . . . . . 110
6.4.4 Functional Corruptibility Analysis . . . . . . . . . . . . 112
6.4.5 Feature Importance Analysis . . . . . . . . . . . . . . . 113
6.4.6 Baseline MLP and Ablation Studies . . . . . . . . . . . 114
Chapter 7: Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 116
7.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
7.2 Conclusions and Possible Next Steps . . . . . . . . . . . . . . 118
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
List of Tables
1.1 Tseytin transformation equations for commonly used logic gates 7
1.2 Gate encoding look-up table . . . . . . . . . . . . . . . . . . . 14
2.1 An example vulnerable to SAT-based attack . . . . . . . . . . 32
2.2 Truth table of a circuit locked by SARLock . . . . . . . . . . . 33
2.3 Truth table of a circuit locked by SFLL-HD^0 . . . . . . . . . . 37
4.1 Effectiveness of Elastic Alignment Plus CPA on Two-island
iRDVS Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.1 Comparison of SAT and proposed attacks I . . . . . . . . . . . 90
5.2 Comparison of SAT and proposed attacks II . . . . . . . . . . 91
5.3 Comparison of SAT and proposed attacks III . . . . . . . . . . 92
6.1 Truth table of the LBLL latch controllers . . . . . . . . . . . . 98
6.2 Attack accuracy results for 3-Level MLP. . . . . . . . . . . . . 111
6.3 Attack accuracy results for 2-Level MLP. . . . . . . . . . . . . 112
List of Figures
Figure 1.1 SAIL attack flow . . . . . . . . . . . . . . . . . . . . . 12
Figure 2.1 Process of split learning . . . . . . . . . . . . . . . . . 23
Figure 2.2 Static secured scan chain . . . . . . . . . . . . . . . . 28
Figure 2.3 Illustration of XOR-based logic locking . . . . . . . . 30
Figure 2.4 Implementation of SARLock . . . . . . . . . . . . . . 34
Figure 2.5 Architecture of Stripped Functionality Logic Locking. 35
Figure 2.6 Modified state transition graph of HARPOON . . . . 40
Figure 2.7 Unrolling process of the advanced SAT-based attack . 42
Figure 3.1 Model architecture of DINA . . . . . . . . . . . . . . 45
Figure 3.2 Comparison of IDPAs including MLA, EINA, and
DINA. . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Figure 3.3 Attack results of DINA-c1 and DINA-c2 on VGG16.
The improvements are the increased average SSIM
gained by DINA-c1. . . . . . . . . . . . . . . . . . . . 49
Figure 4.1 Elastic alignment applied to a trace misaligned with
dynamic frequency scaling . . . . . . . . . . . . . . . 55
Figure 4.2 Illustration of a typical iRDVS structure with n = 9
islands and m = 3 independent voltages. Each independent
voltage domain has a different color and each
cloud represents a group of logic; the shaded logic is
under attack. . . . . . . . . . . . . . . . . . . . . . . . 57
Figure 4.3 Correlation of iRDVS versus key byte hypothesis for
the different number of independent voltages assum-
ing no temporal misalignment unless otherwise spec-
ified. The correct value of the key byte is 197. . . . . 63
Figure 4.4 Example of elastic aligned trace after single-island DVS 70
Figure 4.5 MTD and PGE iRDVS under clustering attack. Empty
circles indicate unsuccessful attacks, whereas filled
circles indicate successful attacks. . . . . . . . . . . . 72
Figure 5.1 Generic architecture of linear feedback shift register . 77
Figure 5.2 Basic structure of dynamically obfuscated scan chains 78
Figure 5.3 Flow of the proposed attack . . . . . . . . . . . . . . 79
Figure 5.4 Structure of a secured scan chain with MISR . . . . . 84
Figure 5.5 Average attack run-times vs. number of key bits λ . . 88
Figure 5.6 Average attack run-times with different size MISRs . 89
Figure 6.1 The four steps of Latch-Based Logic Locking (LBLL) 97
Figure 6.2 Overview of the proposed two-phase attack on LBLL. 100
Figure 6.3 Introduction of false paths by logic decoys . . . . . . . 100
Figure 6.4 Illustration of the abstraction of combinational logic
and generation of a circuit’s sequential graph . . . . . 102
Figure 6.5 Triangle, trapezoid, loop, and self-loop features . . . . 103
Figure 6.6 Illustration of coloring constraints . . . . . . . . . . . 108
Figure 6.7 Feature importance for the two ML classifiers . . . . . 114
Abstract
As portable electronic systems and machine learning (ML) services become
ubiquitous, ensuring the privacy of human data and hardware intellectual
property has become more crucial. In particular, side-channel attacks, in-
cluding power side-channels, are significant threats to both machine learning
and hardware intellectual property and logic locking has been a promising
approach to provide hardware privacy and security in the face of a possibly-
insecure fabrication supply chain, including techniques to lock sequential
elements using Latch-Based Logic Locking (LBLL) and techniques to lock
the scan chains using pseudo-randomly generated dynamic keys.
This thesis aims to present a distillation-based inverse network attack on
ML inference data, an island-based random dynamic voltage scaling defense
on power side-channel attacks, an oracle-guided attack on dynamically se-
cured scan chains, and an oracle-less attack on the latch-locking approach.
The thesis makes the following contributions:
1. Development of a distillation-based inverse network attack that recov-
ers inference data. This attack demonstrates the threat to sensitive
data in machine learning services.
2. Development of an island-based random dynamic voltage scaling (iRDVS)
approach to thwart power side-channel attacks.
3. Propose a novel clustering-based attack and apply the attack to evalu-
ate the iRDVS defense and find the optimal number of islands.
4. Development of an oracle-guided attack on dynamically secured scan
chains. We pinpoint an algebraic vulnerability of these dynamic de-
fenses that involves creating and solving a system of linear equations
over the finite field GF(2).
5. Development of an attack that incorporates the Multiple-Input Signa-
ture Registers (MISRs) into the algebraic model.
6. Development of a framework that converts a gate-level circuit netlist to
graph representations with different levels of detail and the capability
for analyzing these graphs for subsequent analysis.
7. Development of an oracle-less and two-phase attack on latch-locked circuits
that uses a novel combination of deep learning, Boolean analysis,
and integer linear programming (ILP).
Chapter 1
Introduction
1.1 Privacy and Security of Human and
Hardware
As our world embraces the internet-of-things, autonomous vehicles, and ma-
chine learning as a service (MLaaS), ensuring the privacy of our human,
machine learning, and hardware Intellectual Property has become crucial.
As reported by the U.S. Government [1] and recent publications [2,3], the threats
to both hardware intellectual property (IP) and human privacy have become
ubiquitous.
Due to the increasing application scenarios for MLaaS which process sen-
sitive data, the threat to human privacy and machine learning (ML) IP has
become one of the major concerns of the services. On the one hand, the
processed data from clients may contain medical or other sensitive informa-
tion which should not be revealed to the service providers. On the other
hand, the service providers also wish to protect the privacy of their business
IP, including the weights and architecture of their ML models. Recently,
side-channel attacks have demonstrated their effectiveness in recovering the
secret information of the ML IP and should not be neglected [4–7].
For the privacy of hardware IP, modern integrated circuit (IC) design
and manufacturing heavily rely on a decentralized supply chain whose ini-
tial purpose was to increase the overall profit for all entities on the chain.
Trustworthiness of the hardware supply chain, however, has caused signifi-
cant concern related to threats that include intellectual property (IP) piracy
and IP over production [8], Trojan insertion [9], and reverse engineering as
follows:
• Hardware Trojans [9]: malicious logic can be inserted into the design that
stays dormant in the testing phase but is activated later, which
jeopardizes the normal operation of the IC.
• IP piracy and IP over production [9]: malicious foundries who are
contracted with the IP designers may build more ICs than required
and sell them without the consent of the designer.
• Reverse engineering: third parties who have access to the critical de-
signs along the supply chain can reverse engineer the design secret and
reproduce the designs for illegal profit.
Given the prevalence of these threats to the privacy of hardware IP, logic
locking (LL) is one of the most promising approaches to thwart them.
1.2 Side-channel Analysis
Side-channel analysis and attacks are one of the major threats to the privacy
of both ML and hardware IP. In general, this analysis exploits information
leakage associated with the physical characteristics of a chip or ML system to
reveal secret information, including timing, power, electromagnetic, memory,
and even acoustic side channels. The power side-channel attack has shown
success in recovering ML IP with high accuracy [6]. The timing side-channel
attack is presented to be effective for reverse engineering the secret of neural
networks [4,7]. Besides these channels, if we broaden the channel selection
to other information, such as feature maps in the neural network, human
privacy is also vulnerable.
For hardware privacy, the differential power attack (DPA) [10] is one
of the effective forms of power attacks, leveraging statistical formulations
to uncover the dependency between a secret key and the measured power
consumption of the design. Traditional DPA uses an absolute difference of
means (DoM) calculation to infer the sensitivity of the power consumption
of a single chosen signal with respect to the value of the secret key. It then
identifies the value that yields the largest difference as the likely secret key.
In contrast, the correlation power attack (CPA) [11] computes a correlation
coefficient leveraging multiple signals simultaneously, which renders it more
flexible and robust.
Previous work on power attacks for hardware IP focuses on DPA and
applications to random logic locking [8] and strong logic locking [12], which
are not resilient to SAT attacks. The investigation of power attacks on ran-
dom and strong logic locking [13] exposed a phenomenon called key aliasing,
in which an incorrect and correct key can have similar DoM or correlation
coefficient, limiting the attack effectiveness. Traditional DPA has also been
applied to the Stripped-functionality Logic Locking (SFLL) technique [14],
albeit unsuccessfully [15]. Its analysis, however, identified two additional
challenges. First, the key gates are typically spread out at different locations
in the circuit and likely processed at different time instances. Second, the
power consumption associated with each key bit is relatively small compared
to the large uncorrelated switching noise in the circuit. This scattered power
consumption gives rise to a relatively low signal-to-noise ratio (SNR) [16]
and makes traditional DPA impractical. A template attack [17] has also
been proposed, where templates are used to describe the distribution of the
power consumption for all key guesses. These templates are then matched
with measured power samples from a functional chip. While this attack is
shown to be successful against conventional logic locking techniques, it tends
to become ineffective for state-of-the-art SAT-resilient techniques: because
every key guess corresponds to a template, the required number of templates
grows exponentially with the number of key bits used in the design.
1.3 Logic Locking
Logic locking (LL) is a common approach to thwart the threats to hardware
IP [14,18–20]. In general, these approaches either incorporate additional
ports and associated logic to the circuit or use some primary input ports
as key ports to support the introduction of the secret keys. When the user
applies an incorrect key value or sequence of keys to the locked circuit, the
circuit output will be incorrect, thus locking the correct functionality.
Two categories of LL approaches have been proposed. The first class is
combinational logic locking which inserts combinational gates into the cir-
cuits. However, these approaches are vulnerable to a variety of attacks that
can uncover the secret key or the circuit function. Some of these attacks,
including SAT attacks [21], assume that the attacker has access to an ora-
cle, i.e., a working unlocked circuit that can provide the correct output for
any desired input. Other attacks use information about the circuit structure
(netlist), including, among others, sensitization attacks [12] and removal and
bypass attacks [19,22,23]. Among these attacks, SAT-based attacks draw
the most attention. To thwart this kind of attack, point-function based logic
locking methods [14,24–26] have been proposed. Unfortunately, the two
point-function based defences [24,25] are vulnerable to removal and bypass
attacks, and the more recent Stripped-Functionality Logic Locking (SFLL) [14] is
vulnerable to the Functional Analysis attacks [27]. The second category,
sequential logic locking, aims to modify the finite state machine by adding
new states into it [28–30]. The SAT-based attack cannot be directly applied
on the sequential logic locking without access to secure scan chains [31,32],
however, enhanced SAT attacks [33,34] have been proposed that unroll the sequential
circuit and thereby convert the original circuit into a large combinational
circuit on which the SAT-based attack is applicable.
1.4 Oracle-guided Attacks
For the analysis of logic locking approaches, many powerful attacks, such as
SAT-based attacks and algebraic attacks, leverage an oracle, i.e., an unlocked
circuit with correct functionality. The SAT-based attack uses the oracle to
rule out incorrect keys. Algebraic attacks collect outputs from the oracle. In
addition, side-channel attacks that require a channel reference from an oracle
can also be considered another form of oracle-guided attack.
1.4.1 SAT-based Attack
An efficient attack on logic locking techniques is the SAT-based attack, which has
proven very successful against many traditional combinational logic
locking methods [21]. The SAT-based attack iteratively adds conjunctive
normal form (CNF) constraints based on the outputs from the oracle so that
it eliminates incorrect keys and limits the search space to the correct key.
Since the inputs to SAT solvers are usually represented in conjunctive normal
form (CNF), the first step of a SAT-based attack is usually to convert
the combinational logic circuit into CNF so that the SAT solver can efficiently
check its satisfiability. For this conversion, a useful method is the Tseytin
transformation, which takes combinational logic as input and yields a Boolean
expression in CNF [35]. For every gate, the method introduces a new variable
to represent its output; Table 1.1 gives the CNFs of three
commonly used logic gates. These equations can be used to transform
any combinational logic into CNF.
Gate Type   Logic                  CNF
NOT         out = ¬in              (¬in ∨ ¬out) ∧ (in ∨ out)
NAND        out = ¬(in1 · in2)     (¬in1 ∨ ¬in2 ∨ ¬out) ∧ (in1 ∨ out) ∧ (in2 ∨ out)
NOR         out = ¬(in1 + in2)     (in1 ∨ in2 ∨ out) ∧ (¬in1 ∨ ¬out) ∧ (¬in2 ∨ ¬out)
Table 1.1: Tseytin transformation equations for commonly used logic gates
Once acquiring the CNF of the locked circuit, the attackers will feed it
into the SAT-based attack and recover the correct key. The detailed imple-
mentation of the SAT-based attack is in Algorithm 1.1.
Algorithm 1.1 SAT-based attack algorithm
Input: CNF of locked circuit C, oracle O
Output: correct key K
  E_0 = C(IN, K_1, OUT_1) ∧ C(IN, K_2, OUT_2)
  M_0 = E_0 ∧ (OUT_1 ≠ OUT_2)
  i = 0
  while sat(M_i) do
    DIP_i = sat_IN(M_i)
    OUT^g_i = oracle(DIP_i)
    E_{i+1} = E_i ∧ C(DIP_i, K_1, OUT^g_i) ∧ C(DIP_i, K_2, OUT^g_i)
    M_{i+1} = E_{i+1} ∧ (OUT_1 ≠ OUT_2)
    i = i + 1
  end while
  correct key K = sat_{K_1}(E_i)

In Algorithm 1.1, the inputs are the CNF C of the locked circuit and the
corresponding unlocked circuit (oracle) O. E_i represents the CNF constructed by
progressively adding constraints from the DIPs and the golden outputs OUT^g_i, and
M_i is an expression built from E_i that effectively is a miter circuit used
for identifying two keys with distinct outputs. In every iteration, the attack
first runs the SAT solver on M_i. If it is satisfiable, the solver produces a
DIP_i, which is then fed into the oracle to acquire the golden output. The
attacker then adds the constraints based on DIP_i and the golden output OUT^g_i
to the expression E and updates M as well. With the integration of these
constraints, in each iteration the attacker can eliminate at least one incorrect
key; if the attackers are fortunate, they may obtain the correct key in a few
iterations.
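Algorithm 1.1 and the Tseytin clauses of Table 1.1 carried out in working code, as an added example that is not the thesis's own implementation: a tiny DPLL routine stands in for the SAT solver, the netlist with two XOR key gates, its correct key and all wire names are constructed, and because M_i is unsatisfiable when the loop ends, the key is read from a satisfying assignment of the accumulated E_i.

```python
from itertools import product

def tseytin(gate, out, ins):
    """Clauses of Table 1.1 for NOT, NAND and NOR; XOR added for the key gates.
    A literal is (wire, polarity): polarity 1 is the wire, 0 its negation."""
    if gate == "NOT":
        (a,) = ins
        return [((a, 0), (out, 0)), ((a, 1), (out, 1))]
    a, b = ins
    if gate == "NAND":
        return [((a, 0), (b, 0), (out, 0)), ((a, 1), (out, 1)), ((b, 1), (out, 1))]
    if gate == "NOR":
        return [((a, 1), (b, 1), (out, 1)), ((a, 0), (out, 0)), ((b, 0), (out, 0))]
    if gate == "XOR":
        return [((a, 0), (b, 0), (out, 0)), ((a, 1), (b, 1), (out, 0)),
                ((a, 1), (b, 0), (out, 1)), ((a, 0), (b, 1), (out, 1))]
    raise ValueError(f"unsupported gate {gate}")

def solve(cnf, assign=None):
    """Minimal DPLL (unit propagation plus branching) standing in for the SAT
    solver. Returns a model as {variable: bit} or None if unsatisfiable."""
    assign = dict(assign or {})
    while True:                                    # unit propagation to a fixed point
        unit = None
        for clause in cnf:
            if any(assign.get(v) == p for v, p in clause):
                continue                           # clause already satisfied
            free = [lit for lit in clause if lit[0] not in assign]
            if not free:
                return None                        # clause falsified
            if len(free) == 1:
                unit = free[0]
                break
        if unit is None:
            break
        assign[unit[0]] = unit[1]
    unassigned = {v for clause in cnf for v, _ in clause if v not in assign}
    if not unassigned:
        return assign
    var = min(unassigned)
    for value in (1, 0):
        model = solve(cnf, {**assign, var: value})
        if model is not None:
            return model
    return None

def circuit_cnf(net, inputs, keys, key_tag, it=""):
    """One copy C(IN, K, OUT): keys are shared through key_tag (K_1 or K_2), primary
    inputs are shared when it == "" or private to one DIP constraint otherwise."""
    def ren(w):
        if w in inputs:
            return w + it
        if w in keys:
            return w + key_tag
        return w + key_tag + it                    # internal wires and output
    cnf = []
    for gate, out, ins in net:
        cnf += tseytin(gate, ren(out), [ren(i) for i in ins])
    return cnf

def simulate(net, values):
    """Evaluate a topologically ordered netlist; used to build the oracle."""
    v = dict(values)
    for gate, out, ins in net:
        a = [v[i] for i in ins]
        v[out] = {"NOT": lambda: 1 - a[0], "NAND": lambda: 1 - (a[0] & a[1]),
                  "NOR": lambda: 1 - (a[0] | a[1]), "XOR": lambda: a[0] ^ a[1]}[gate]()
    return v

def sat_attack(net, inputs, keys, out, oracle):
    """Algorithm 1.1: E holds E_i and E + miter is M_i. Returns (key, DIP list)."""
    E = circuit_cnf(net, inputs, keys, "_1") + circuit_cnf(net, inputs, keys, "_2")
    miter = tseytin("XOR", "diff", [out + "_1", out + "_2"]) + [(("diff", 1),)]
    dips = []
    while (model := solve(E + miter)) is not None:   # while sat(M_i)
        dip = {w: model[w] for w in inputs}          # DIP_i = sat_IN(M_i)
        golden = oracle(dip)                         # OUT^g_i = oracle(DIP_i)
        it = f"_i{len(dips)}"
        E += [((w + it, dip[w]),) for w in inputs]   # fix this copy's inputs to DIP_i
        for key_tag in ("_1", "_2"):                 # C(DIP_i, K_1, OUT^g_i), same for K_2
            E += circuit_cnf(net, inputs, keys, key_tag, it)
            E += [((out + key_tag + it, golden),)]
        dips.append(dip)
    model = solve(E)   # M_i is now unsatisfiable: every key satisfying E_i is correct
    return {k: model[k + "_1"] for k in keys}, dips

# Constructed toy locked circuit with two XOR key gates; the real key is k0=1, k1=0.
NET = [("NAND", "n1", ["a", "b"]), ("XOR", "x1", ["n1", "k0"]),
       ("NOR", "n2", ["x1", "c"]), ("XOR", "y", ["n2", "k1"])]
INPUTS, KEYS, OUT = ["a", "b", "c"], ["k0", "k1"], "y"
CORRECT_KEY = {"k0": 1, "k1": 0}

def oracle(dip):
    """Stands in for the functional unlocked chip."""
    return simulate(NET, {**dip, **CORRECT_KEY})[OUT]

def key_matches_oracle(key):
    """Exhaustively compare the circuit under `key` against the oracle."""
    return all(simulate(NET, {**dict(zip(INPUTS, bits)), **key})[OUT]
               == oracle(dict(zip(INPUTS, bits)))
               for bits in product((0, 1), repeat=len(INPUTS)))
```

Calling sat_attack(NET, INPUTS, KEYS, OUT, oracle) returns the key {"k0": 1, "k1": 0} together with the distinguishing input patterns it needed, at most three for this circuit because its four key values define four distinct functions.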
1.4.2 Algebraic Attacks
This thesis presents a Galois Field (GF) based attack which can be catego-
rized as an algebraic attack on scan chain logic locking technique which will
be elaborated in Chapter 2 and Chapter 5.
The algebraic cryptanalysis or algebraic attack [36–40] has been widely
used for attacking various ciphers and encryption algorithms. These attacks
aim at deriving sufficient nonlinear equations first, then recovering the key
bits by solving these equations. It is worth noting that the LFSR-based
security systems are easily susceptible to this attack because of the properties
in LFSR [36].
In algebraic attacks on ciphers, three types of equations are usually con-
sidered to model the targets [37]:
• Type 1: low degree multivariate expression of input-output relations.
• Type 2: input-output expressions with a small number of monomials
whose order can be low or high degree.
• Type 3: attacker introduces dummy variables so that low-degree or
near-linear equations are acquired.
An efficient algebraic attack is proposed in [37]; this attack models the
S-boxes and the whole DES with a system of multivariate equations and
proposes two different approaches to solve it. The first approach is an
elimination algorithm based on Gröbner bases algorithms called ElimLin. This
algorithm iteratively eliminates variables by substituting them with a linear
expression until linear equations are obtained; for the elimination order, it first
eliminates the variables that occur in the smallest number of equations and
then eliminates the most frequent variables. The second approach is to convert
Algebraic Normal Form (ANF) to Conjunctive Normal Form (CNF) by using
the conversion technique presented in [41]. To model XORs, it introduces
dummy variables for the conversion and solves the acquired CNF equations
using an efficient SAT solver.
In [42], the authors present an algebraic attack on LFSR-based systems,
stream ciphers that inject nonlinearity into the system. The stream ciphers
consist of multiple LFSRs with a non-linear Boolean function. As for the
security of these ciphers, the designers usually consider the likelihood that a
potential algebraic attack may achieve. This paper proposes an approach to
significantly lower the degree of the equations used in the algebraic attack. It
first multiplies the original equations with designed multivariate polynomials
to obtain low-degree equations that approximate the original equations with
high probability; secondly, it applies the XL algorithm to solve the system of
low-degree equations [43]. The key step in this attack is to find the multiplier
polynomial so that a low-degree product is acquired; this
polynomial usually stems from observations and factorization.
The XL algorithm [43] is a method that is able to efficiently solve large
systems of quadratic or higher multivariate polynomial equations, thus used
in many algebraic attacks. This algorithm is divided into four steps:
1. Generate all possible products of variables in the equations, then mul-
tiply original equations with these products respectively.
2. Consider each high-degree term as a new variable, and perform Gaus-
sian elimination. The terms containing a single variable are eliminated
last.
3. Assume step two yields at least one univariate equation, solve this
equation over its finite field.
4. Iterate this process to find the values of the other variables.
In essence, algebraic attacks have two core phases. The first is to
construct the system of linear or non-linear equations that model the targeted
system. The second phase usually aims at solving the acquired system of
equations with the assistance of an effective algorithm or SAT solver in a
manageable time.
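The two phases just described, as an added example that is not from the thesis: every output bit of an LFSR is a GF(2)-linear function of its initial state, so a window of observed keystream bits yields a linear system (phase 1) that Gaussian elimination over GF(2) solves for the seed (phase 2), which is why the LFSR-based schemes mentioned above are susceptible. The 8-stage Fibonacci LFSR, its taps (8, 6, 5, 4) and the seed are constructed for illustration, and the observed window starts well after reset so that the equations genuinely mix the feedback.

```python
N = 8                  # number of LFSR stages (constructed toy size)
TAPS = (8, 6, 5, 4)    # feedback taps, 1-indexed from the output end (constructed)

def lfsr_step(state, taps):
    """One clock of a Fibonacci LFSR: emit the last stage, shift right, feed the
    XOR of the tapped stages in at the front. Because only XOR is used, the same
    routine runs on plain bits and on bitmasks (see symbolic_rows)."""
    fb = 0
    for t in taps:
        fb ^= state[t - 1]
    return state[-1], [fb] + state[:-1]

def keystream(seed, taps, nbits):
    """Output bits produced from `seed`; this is what an observer can record."""
    state, out = list(seed), []
    for _ in range(nbits):
        bit, state = lfsr_step(state, taps)
        out.append(bit)
    return out

def symbolic_rows(n, taps, offset, nbits):
    """Phase 1: run the LFSR on masks instead of bits. Stage j starts as 1 << j, so
    after any number of clocks each output is a mask naming which initial-state
    bits it XORs. Returns the masks of outputs offset .. offset + nbits - 1."""
    state = [1 << j for j in range(n)]
    rows = []
    for i in range(offset + nbits):
        mask, state = lfsr_step(state, taps)
        if i >= offset:
            rows.append(mask)
    return rows

def solve_gf2(equations, n):
    """Phase 2: Gauss-Jordan elimination over GF(2). `equations` is a list of
    (coefficient_mask, rhs_bit). Returns the unique solution as a bit list, or
    None when the system is rank-deficient or inconsistent."""
    m = [list(eq) for eq in equations]
    pivot_cols = []
    for col in range(n):
        r = len(pivot_cols)
        p = next((i for i in range(r, len(m)) if m[i][0] >> col & 1), None)
        if p is None:
            return None                        # no pivot: this state bit is undetermined
        m[r], m[p] = m[p], m[r]
        for i in range(len(m)):
            if i != r and m[i][0] >> col & 1:  # clear the column in every other row
                m[i][0] ^= m[r][0]
                m[i][1] ^= m[r][1]
        pivot_cols.append(col)
    if any(mask == 0 and rhs == 1 for mask, rhs in m):
        return None                            # 0 = 1: the observations contradict
    sol = [0] * n
    for i, col in enumerate(pivot_cols):
        sol[col] = m[i][1]
    return sol

def recover_seed(observed, offset, taps, n):
    """Recover the initial state from keystream bits observed from clock `offset`."""
    rows = symbolic_rows(n, taps, offset, len(observed))
    return solve_gf2(list(zip(rows, observed)), n)

if __name__ == "__main__":
    seed = [1, 0, 1, 1, 0, 0, 1, 0]                 # constructed secret seed
    stream = keystream(seed, TAPS, 40)
    print("recovered", recover_seed(stream[20:28], 20, TAPS, N), "true", seed)
```

Eight consecutive bits from any position suffice here because the state-transition matrix of an LFSR whose feedback includes the last stage is invertible; fewer bits leave the system under-determined and recover_seed returns None.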
1.5 Oracle-less Attacks
Other than oracle-guided attacks, some successful attacks circumvent the
requirement for an oracle and instead target the structural leakage of logic
locking schemes. The FALL attack [27] pinpoints the structural signature of SFLL,
and most learning-based attacks perform structural analysis to disclose the
secret keys.
1.5.1 Machine Learning Attacks
Recently some machine learning (ML) or deep learning (DL) based attacks
have also been developed. Contrary to SAT-based attacks, most ML-based
attacks are oracle-less approaches that do not require an unlocked circuit and
aim to pinpoint structural patterns associated with key bit values [44].
Figure 1.1: SAIL attack flow
SAIL [45] targets XOR-insertion-based logic locking. The key motivation
of SAIL is the observation that transformations and optimization from the
synthesis tool are deterministic and local, so a local sub-graph of logic around
the key gate is sufficient for analysis. SAIL aims to recover the original cir-
cuit by using the ML techniques to learn the deterministic transformation
patterns and revert them, then analyze the key gate types which correspond
to different key values. The attack flow of SAIL is presented in Figure 1.1;
the two critical steps in the flow are training two models, the change
prediction model and the reconstruction model. The change prediction model
has binary outputs and performs inference to decide if the sub-graph around
key ports is post-synthesis or pre-synthesis. If a post-synthesis sub-graph is
detected, the second model, the reconstruction model that learned the trans-
formation patterns will recover the circuit before synthesis. Once getting the
original key gate, they can manifest the signature of the corresponding key
bit, thereby disclosing the correct key bits. The average recovery accuracy of
SAIL is over 80%. As for dataset generation, the authors observe that SAIL
performs best if the training and testing data come from the same circuit, so they
perform one more round of locking and re-synthesize the locked circuit to
generate training samples.
Snapshot [46] targets more general gate-insertion-based LL techniques
and uses ML models to infer the correct key from a locked netlist. The
authors explore different neural network models, including Multi-Layer
Perceptron (MLP) and Convolutional Neural Network (CNN), and then apply
Genetic Algorithms (GA) to automatically evolve the neural network so as to
find a suitable one; the results demonstrate that the evolution process is much
faster than grid search. Snapshot focuses on the local logic around key gates
as well: it identifies key gates from the key inputs and then analyzes the
sub-graphs around them. For feature engineering, Snapshot uses a locality
vector extraction algorithm, which first applies a look-up table to encode the
key gates in the sub-graph as shown in Table 1.2:
Gate type  NOT  AND  NAND  OR  XOR  NOR  XNOR  BUF  FF
Code         1    2     3   4    5    6     7    8   9
Table 1.2: Gate encoding look-up table
The characteristic vector of the sub-graph consists of three parts. The
first part is acquired by performing Breadth-First Search (BFS) from the
key gate towards the primary inputs, the second part is the encoding of the
key gate in the sub-graph from Table 1.2, and the third part is acquired by
performing another BFS towards the primary outputs. The concatenation of
the three parts forms the vector of the sub-graph around each key gate. The
search depths of the two BFS passes are two tunable parameters. Snapshot sets
both depths equal to five, so that vectors of length 400 are acquired; for
building the MLP, the vectors are one dimensional, while for the CNN, the
vectors are reshaped to two dimensions. As for dataset generation, two
scenarios are described in Snapshot, the Generalized Set Scenario (GSS) and
the Self-Referencing Scenario (SRS). For GSS, the dataset is generated from
other circuits which are randomly locked by the same technique. It is worth
noting that these training circuits do not include the targeted one in this
case. For SRS, similar to SAIL, Snapshot re-locks and re-synthesizes the
locked netlist, then acquires training samples from the second round of
locked netlists.
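The locality-vector extraction just described (two BFS passes around a key gate, joined by the gate's own code from Table 1.2) is easy to make concrete. The following is an added example written for this chapter, not code from the Snapshot authors: the netlist is a constructed toy (primary inputs a, b, c and key input k0, with one XOR key gate "kg"), and the fixed vector width and the zero padding of positions with no gate are assumptions, since the page only states that depth five yields vectors of length 400.

```python
from collections import deque

# Gate encoding look-up table from Table 1.2. Code 0 is assumed here as
# padding for positions with no gate (not stated on the page).
GATE_CODE = {"NOT": 1, "AND": 2, "NAND": 3, "OR": 4, "XOR": 5,
             "NOR": 6, "XNOR": 7, "BUF": 8, "FF": 9}

# Constructed toy locked netlist (not from the page): gate -> (type, fan-in).
# a, b, c are primary inputs and k0 is the key input; they are not gates.
NETLIST = {
    "g1": ("AND", ["a", "b"]),
    "g2": ("OR", ["g1", "c"]),
    "kg": ("XOR", ["g2", "k0"]),   # XOR key gate driven by key input k0
    "g3": ("NOT", ["kg"]),
    "g4": ("NAND", ["g3", "a"]),
}


def fanout_map(netlist):
    """Invert the fan-in lists so we can also walk towards the outputs."""
    fanout = {}
    for gate, (_, fanin) in netlist.items():
        for src in fanin:
            fanout.setdefault(src, []).append(gate)
    return fanout


def find_key_gates(netlist, key_inputs):
    """Snapshot locates key gates by following the key input ports."""
    return sorted(g for g, (_, fanin) in netlist.items()
                  if any(src in key_inputs for src in fanin))


def bfs_codes(netlist, start, depth, towards_inputs):
    """BFS from the key gate up to `depth` levels, returning the Table 1.2
    codes of the gates met, in BFS order. Primary/key inputs carry no code
    but are still visited so the search terminates at them."""
    fanout = fanout_map(netlist)
    codes, seen = [], {start}
    frontier = deque([(start, 0)])
    while frontier:
        node, d = frontier.popleft()
        if d == depth:
            continue
        if towards_inputs:
            nxt = netlist[node][1] if node in netlist else []
        else:
            nxt = fanout.get(node, [])
        for n in nxt:
            if n in seen:
                continue
            seen.add(n)
            if n in netlist:
                codes.append(GATE_CODE[netlist[n][0]])
            frontier.append((n, d + 1))
    return codes


def pad(codes, width):
    """Fixed-width feature slot: truncate or zero-pad (assumed convention)."""
    return (codes + [0] * width)[:width]


def locality_vector(netlist, key_gate, depth, width):
    """[BFS towards inputs] + [key gate code] + [BFS towards outputs]."""
    backward = pad(bfs_codes(netlist, key_gate, depth, True), width)
    forward = pad(bfs_codes(netlist, key_gate, depth, False), width)
    return backward + [GATE_CODE[netlist[key_gate][0]]] + forward


if __name__ == "__main__":
    for kg in find_key_gates(NETLIST, {"k0"}):
        print(kg, locality_vector(NETLIST, kg, depth=2, width=4))
```

With depth 2 and width 4 the key gate "kg" yields [4, 2, 0, 0, 5, 1, 3, 0, 0]: OR and AND behind it, XOR for the key gate itself, then NOT and NAND ahead of it. The same vector with a depth of five per side and a large width is the MLP input shape the paragraph refers to; reshaping it into a 2-D grid gives the CNN variant.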
GNNUnlock [47] targets SAT-resistant logic locking techniques [28–30]
using a Graph Neural Network (GNN) whose outputs guide a removal
attack. It trains a GNN to classify all gates in the circuit into three classes,
original, protection, and restore, then removes the gates in the second and
third classes to recover the original circuit. This attack is based on the
observation that the structures of protection logic are key-dependent and thus
have learnable characteristics, which the ML techniques can learn from the
feature vector of each gate. It first extracts a complete graph from the
netlist, in which each gate corresponds to a node and each wire corresponds
to an edge. The feature vector for each node is composed of its in-degree,
out-degree, binary connection features and encodings of gates in its
neighborhood based on a look-up table similar to Table 1.2. The GNN
architecture used in the attack is a two-layer GraphSAGE [48] in which the
aggregation functions are mean and concatenation. The GNNUnlock attack
is trained and evaluated on ISCAS-85 and ITC-99; the circuits used in the
evaluation process are excluded from the training set. Each benchmark is
randomly encrypted with different key sizes and key values so that the
training data is sufficient to obtain a powerful model.
Moreover, SWEEP [49] propagates constants 0 and 1 from the key ports so as
to collect features of the circuits from the synthesis tool, thereby disclosing
key bit values from the discrepancy of characteristics. The aforementioned ML-
based attacks are oracle-less, while some ML attacks require guidance from
an oracle. BOCANet [50], which uses recurrent neural networks, SURF [51],
which revamps SAIL, GenUnlock [52], which proposes a GA-based pipelined
approach, and the Particle Swarm Optimization (PSO) Guided attack [53]
require assistance from an oracle to develop better attacks. In addition,
NNgSAT [54] leverages a Message-Passing Neural Network (MPNN) to assist
the SAT solver in finding the satisfying assignments, thereby enhancing the
SAT-based attack on circuits that are locked with or contain SAT-hard
structures.
As defenses to these attacks, UNSAIL [55] injects adversarial samples
into the training set and D-MUX [56] improves MUX insertion-based logic
locking by remodeling the combinational logic around the MUX to increase
the resiliency.
1.5.2 Functional Analysis Attack on Logic Locking
Functional Analysis Attack (FALL) is an oracle-less and structural attack
that pinpoints the structural leakage of TTLock and SFLL-HD^h [27]. The
attack is based on the observation that the key information is hard-coded in
the circuit.
The first step of the FALL attack is to identify the inputs that support
the comparator in the circuit by structural analysis. Then for TTLock and
SFLL-HD^0, the attack analyzes the unateness for each input to disclose the
correct key. For SFLL-HD^h with other h, the FALL attack identifies two
distinct input patterns that are 2h Hamming distance apart; the common
bits in the input patterns are equal to the corresponding bits in the correct
key, and the remaining key bits are disclosed by querying the circuit. The
experimental results demonstrate that the FALL attack can successfully reveal
the correct key in more than 80% of circuits that are locked by SFLL-HD
without assistance from an oracle.
1.6 Contributions of Thesis
For the privacy of humans, this work provides a distillation-based attack that
pinpoints the vulnerability of human privacy during the inference of neural
networks and demonstrates a defense that applies an island-based random
dynamic voltage scaling approach to thwart power side-channel attacks.
For the privacy of hardware IP, we first propose an analysis of and attack on
the state-of-the-art defense of the scan chain, then provide a framework
that offers the conversion from netlist to graph representation and a two-
phase oracle-less attack that unravels the state-of-the-art logic locking
technique, Latch-Based Logic Locking (LBLL). In particular, the first attack
leverages algebraic and Galois field techniques and the second, two-phase
attack uses a novel combination of deep learning, Boolean analysis, and Integer
Linear Programming (ILP).
Our contributions are:
1. Distillation-based inverse-network attack (DINA) for evaluating the
privacy of the client's data:
• Propose a distillation-based inverse-network attack that improves
the privacy evaluation
• Motivate and facilitate a private inference framework that
partitions the neural network model to achieve lower overhead of
computation and communication
• Evaluate DINA on CIFAR-10 and CIFAR-100 and demonstrate that
DINA outperforms state-of-the-art inverse network attacks,
including the maximum likelihood attack (MLA) and enhanced inverse-
network attack (EINA) [57,58]
2. Island-based random dynamic voltage scaling (iRDVS) approach to
thwart power side-channel attacks
• Apply a signal-to-noise ratio based method to analyze the impact
of the number of independent voltage islands.
• Analyze the resistance of this approach to alignment.
• Propose a novel clustering-based attack that is able to align the
power traces and effectively attack systems with one, two, and
three independent voltages.
• Propose using several independent voltages in an island-based
random DVS (iRDVS) framework to thwart power side-channel
attacks
• Evaluate iRDVS by applying state-of-the-art alignment techniques
and demonstrate that iRDVS can be effective with a small number
of independent voltages
3. GF(2) algebraic attack on dynamically secured scan chains:
• Derive the algebraic representation over GF(2) for a dynamically
secured scan chain to symbolically model the system.
• Perform the flush attack on the Verilog circuits with the scan chain
and collect outputs for attacking.
• Evaluate the proposed attack on ISCAS-89 benchmarks and
record the run-times. We also reproduced the state-of-the-art at-
tack and compared its efficiency with the proposed attack.
• Further consider a more practical scenario that incorporates the
Multiple-Input Signature Registers (MISRs) into the algebraic
model and evaluate the run-time of the attack.
4. Two-phase attack unraveling latch-based logic locking:
• Build an attack framework that converts a circuit netlist to graph
representations. The graph can be a complete graph with one
node per gate, a sequential only graph with one node per sequen-
tial element, or a customized graph. The framework can also
extract generic and tailored structural features from the circuit
and annotate the graph representation accordingly.
• Apply machine learning and deep learning techniques to classify
the latches in the circuits locked by LBLL.
• Leverage the synthesis tool to perform Boolean analysis so as to
simplify the circuit.
• Build an ILP whose constraints limit the solution space to legal
primary-secondary configurations. The ILP is fed by the softmax
probabilities from the deep learning model.
• Evaluate the two-phase attack on ISCAS-89 and ITC-99 bench-
mark circuits that are locked with LBLL.
1.7 Thesis Organization
The remainder of the dissertation is organized as follows. Chapter 2 describes
the relevant background covering defenses and attacks on the privacy of
humans and hardware. Chapter 3 elaborates on the distillation-based inverse
network attack. Chapter 4 presents island-based random dynamic voltage
scaling as a defense against power side-channel attacks. Chapter 5 presents
our GF(2) algebraic attack on dynamically secured scan chains. Chapter 6
elaborates on our two-phase attack on LBLL including the proposed ML
techniques and ILP. Chapter 7 concludes the work and describes possible
future work.
Chapter 2
Defenses and Attacks on
Privacy of Human and
Hardware
This chapter first reviews the threats and attacks on the privacy of human
data. The chapter then discusses popular defenses and attacks on the privacy
of hardware intellectual property.
2.1 Human and Machine Learning Privacy
2.1.1 Threats to Human Privacy in Split Learning
Inference data privacy was first systematically studied in [57] for collaborative
inference in split learning (SL), where a network M is split into two parts: M_1
containing the first consecutive layers in M and M_2 containing the remaining
layers. As shown in Figure 2.1, two participants, edge and cloud or client
and server, hold M_1 and M_2 respectively. When performing the inference,
the edge feeds its input x into M_1 and sends the result M_1(x) to the cloud.
The cloud then processes M_2(M_1(x)) and shares the inference results with
the edge if necessary.
Figure 2.1: Process of split learning
In the edge-cloud scenario, the cloud is curious-but-honest, trying to
recover the edge's input x from M_1(x) through two kinds of inference data
privacy attacks (IDPAs), i.e., the maximum likelihood attack (MLA) and the
inverse-network attack (INA) [57]. In this case, the cloud server behaves as
the attacker and follows the semi-honest threat model, where both parties
strictly follow the cryptographic protocols, but try to reveal their
collaborator's private input by inspecting the information they received.
2.1.2 Maximum Likelihood Attack
Maximum Likelihood Attack (MLA) is one of the powerful IDPAs [57]. It
aims to find the inference data x from the intermediate feature map M_l(x),
where l is the partition layer of cloud and edge, and treats the inverse process
as an optimization problem. MLA starts with a hypothetical inference image
and applies Euclidean distance to measure the similarity of the hypothetical
feature map and the feature map received from the edge client as shown
below. This similarity serves as the objective function. Then it leverages
gradient descent to minimize the objective function

$$\hat{x} = \arg\min_{\hat{x}} \left\| M_l(\hat{x}) - M_l(x) \right\|_2^2$$

where $\hat{x}$ is the hypothetical inference image. Adam is proven to
accelerate the optimization and leads to a more stable process. After sufficient
iterations, the optimization converges and provides an estimation of
the inference image or data.
2.1.3 Inverse Network Attack
Inverse Network Attack (INA) is another effective attack that aims at
recovering the inference data from the intermediate feature map M_l(x). It
constructs an inversion model M^* with a single architecture, trains the model
by taking M_l(x') (x' ∈ TrainingSet) and x' as the input and output, and
recovers the input x by querying M^*.
Conceptually, this new model M^* approximates the inverse function of
the first l layers in M. An enhanced INA (EINA) is proposed in [58] where the
inversion model M^* consists of more powerful residual blocks [59]. Compared
to MLA, INA is more efficient since it only needs to perform inference on
the INA model once with the intermediate feature map while MLA requires
thousands of iterations to converge.
2.2 Hardware Privacy and Logic Locking
Logic locking, as a promising technique for thwarting reverse engineering and
protecting the hardware IP, has been analyzed from various perspectives;
among these analyses, the most predominant attack is the SAT-based
attack. The SAT-based attack leverages an oracle circuit which provides
correct functionality and a SAT solver to iteratively search for Distinguished
Input Patterns (DIPs), thereby progressively eliminating the incorrect keys.
To inhibit SAT-based attacks, three potential approaches which can be
applied cooperatively have been proposed. Given that SAT-based attacks rely
on access to the scan chain, the first approach aims to protect the scan chain
by introducing a new key that is required for accessing the scan chain;
related defenses will be presented in Section 2.2.1. The second approach,
which will be elaborated in Section 2.2.2, lowers the corruption rate for
incorrect keys so that the required number of Distinguished Input Patterns
(DIPs) is increased. Since the miter circuit used in a SAT-based attack can
only be combinational logic, the third approach introduces sequential logic
and alters a single key to a sequence of keys, thereby circumventing the
applicable scenario of the SAT-based attack; these sequential logic locking
defenses will be elaborated in Section 2.2.3.
2.2.1 Logic Locking on Scan Chain
Scan chains provide increased controllability and observability for testing
digital circuits. The increased testability, however, can also be a source of
information leakage for sensitive designs.
Scan chains are not only used in oracle-guided attacks on logic locking
techniques, but some adversaries also leverage the observability of scan
chains to attack hardware implementations of encryption algorithms. Since
the encryption algorithms are public, the attackers can scan out the
intermediate values from the circuit and couple them with the known plaintext
or ciphertext to derive the secret key. For symmetric key cryptography, the
hardware implementations of the Data Encryption Standard (DES) and the
Advanced Encryption Standard (AES) have been cracked in [60] and [61]
respectively with access to scan chains. As for asymmetric key cryptography,
attacks on Elliptic Curve Cryptography (ECC) [62] and Rivest–Shamir–Adleman
(RSA) [63] have been proposed.
Given the ubiquitous concern about scan chains, many countermeasures have
been proposed. The work [64] proposes a method that is able to detect
suspicious mode switching from normal to testing; once a malicious switch
is detected, it resets the values in the circuit to avoid leakage. Logic locking
is another powerful protection of the scan chain, introducing logic gates and
key ports into the scan chain; the defenses mainly take two directions, using
static and dynamic keys.
The static secured scan chain technique [65] introduces a shift register with N
OR gates to lock the scan chain so that the attackers are not able to correctly
switch the mode of the flip-flops if the input key is wrong. As shown in Figure
2.2, the shift register is composed of N regular flip-flops to store key bits.
The scan flip-flops in the circuit have two modes, function and test mode,
which are controlled by the control signal cs. In the circuit, N flip-flops are
selected for locking and each of their control signals is connected to an OR
gate; one input of the OR gates is the global control signal CS, and the other
input is the state value of the introduced shift register, either Q or Q'. KI
represents the key input and is used for loading the key.
When CS = 0, the selected flip-flops are controlled by the state value
of the shift register. To correctly switch to test mode, a counter is used to
monitor that the CS signal stays low for 2 cycles; then the clock signal of the
shift register is gated for N cycles and the N-bit key is loaded sequentially
from the KI port. If the input key bits match all Q or Q' connections (Q
corresponds to key bit 0 and Q' corresponds to key bit 1), all flip-flops
acquire values from the previous flip-flops and work in test mode. If any key
bit mismatches, the control signal cs of the corresponding flip-flops will be 1
and these flip-flops will obtain values from the original logic and thereby
corrupt the scan in and out. When CS = 1, the circuit is in function mode,
in which the outputs of all OR gates are forced to 1 so that all flip-flops
obtain values from the original logic and function normally. In the example
implementation of the static secured scan chain in Figure 2.2, N = 3 and the
correct key is 101.
Figure 2.2: Static secured scan chain
To thwart the attacks on static defenses [66], dynamic secured scan
chain techniques have been proposed; these defenses and our proposed attack
will be presented in detail in Chapter 5.
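The static secured scan chain of Figure 2.2 is small enough to model cycle by cycle, which makes the locking rule (an OR of the global CS with a Q or Q' tap of the key shift register) and the N = 3, key = 101 example checkable. The model below is an added example written for this section, not the circuit from [65]: the two-cycle wait counter and N-cycle key load follow the text, while the shift direction (the first bit clocked in ends up at stage 0) and the modelling of a mismatch simply as "function mode" for that flip-flop are assumptions.

```python
class StaticSecuredScanChain:
    """Cycle-level model of the static secured scan chain of Figure 2.2.

    polarity[i] == '0' means the OR gate of selected scan flip-flop i taps Q
    of shift-register stage i (key bit 0 unlocks it); '1' means it taps Q'
    (key bit 1 unlocks it). The correct key is therefore the polarity string,
    e.g. "101" for the example with N = 3.
    """

    WAIT_CYCLES = 2   # CS must stay low this long before the key is clocked in

    def __init__(self, polarity):
        self.polarity = polarity
        self.n = len(polarity)
        self.stages = [0] * self.n   # Q outputs of the key shift register
        self.low_cycles = 0          # counter monitoring how long CS has been 0

    def step(self, cs, ki):
        """One clock edge with global control CS and key input KI.
        Returns the mode of every selected scan flip-flop after the edge."""
        if cs == 1:
            self.low_cycles = 0      # function mode: counter restarts
        else:
            self.low_cycles += 1
            # The shift register only clocks for the N cycles after the wait,
            # so the key cannot be re-tried without raising CS again.
            if self.WAIT_CYCLES < self.low_cycles <= self.WAIT_CYCLES + self.n:
                self.stages = self.stages[1:] + [ki]   # assumed shift direction
        return [self._mode(cs, i) for i in range(self.n)]

    def _mode(self, cs, i):
        q = self.stages[i]
        tap = q if self.polarity[i] == "0" else 1 - q   # Q or Q' connection
        # cs_i = CS OR tap: only 0 (test mode) when CS is low and the key bit
        # matches the tap polarity of this stage.
        return "test" if (cs | tap) == 0 else "function"


def load_key(chain, key):
    """Drive CS low, wait two cycles, clock the key bits in from KI, and
    report the resulting mode of each selected flip-flop."""
    modes = chain.step(1, 0)                 # start out in function mode
    for _ in range(chain.WAIT_CYCLES):
        modes = chain.step(0, 0)
    for bit in key:
        modes = chain.step(0, int(bit))
    return modes


if __name__ == "__main__":
    print("correct key 101:", load_key(StaticSecuredScanChain("101"), "101"))
    print("wrong key   111:", load_key(StaticSecuredScanChain("101"), "111"))
```

With the correct key all three selected flip-flops report test mode; with 111 the middle stage (which taps Q and therefore expects a 0) stays in function mode, so that flip-flop keeps loading from the original logic and corrupts anything scanned through it, exactly the behaviour the text attributes to a key mismatch. Raising CS returns every flip-flop to function mode regardless of the register contents.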
2.2.2 Combinational Logic Locking
In addition to logic locking on scan chains, two categories of logic locking
approaches on the logic itself have been proposed in the past few years. The
first class is combinational logic locking, which inserts combinational gates
into the circuit. The simplest method of combinational logic locking is
randomly inserting locking gates along with key ports into the logic; this
method has been shown to be susceptible to SAT-based attacks [21]. To
increase the resilience to SAT-based attacks, point-function based methods,
such as SARLock [24] and Anti-SAT [25], appropriately insert point functions
alongside the original circuit, that is, functions that evaluate to output value
one only at a small number of points. More recently, SFLL [14] improves on
SARLock for counteracting removal attacks by first stripping the
functionality of a circuit portion and then using a point-function block to
restore it.
Random Logic Locking
The simplest way to insert combinational gates into the logic of a circuit is
to use XOR gates controlled by key input bits. The first XOR-based logic
locking method, Random Logic Locking (RLL) [8], inserts XOR or XNOR
gates, called key gates, at random nets in the circuit, as shown in Figure 2.3.
Figure 2.3: Illustration of XOR-based logic locking
As we can observe in Figure 2.3, one of the inputs of the XOR gate
is used as the key input bit. The behavior of the locking gate is shown
below: if the key input is zero, the XOR gate acts like a buffer that only
adds a small delay and does not change the logic function of the circuit,
i.e., W_original = W_modified. Otherwise, it flips the logic value of the wire,
i.e., W_original ≠ W_modified, and can propagate its effect to the primary
output.

$$W_{\text{modified}} = \begin{cases} W_{\text{original}}, & \text{key} = 0 \\ \neg W_{\text{original}}, & \text{key} = 1 \end{cases} \qquad (2.1)$$

If the inserted gate is an XNOR gate, the behavior would be exactly the
opposite. The XOR gate corresponds to key bit 0 and the XNOR gate
corresponds to key bit 1; after synthesis, this structural characteristic would
be concealed.
However, since the XOR gates are inserted at random locations, not all
key gates can propagate the altered effect to primary outputs. Fault-analysis-
based Logic Locking (FLL) [67], instead, inserts the key gates based on a fault
analysis algorithm to significantly increase their influence on the primary
output. RLL and FLL can both be attacked by the sensitization attack [12],
which aims to find test patterns that can propagate the effect of one single
key gate to the primary output. Based on the output value, the attacker
infers the correct key bit. Strong Logic Locking (SLL) [12] was proposed to
counteract the sensitization attack by entangling the effects of multiple key
gates so that it is difficult to find a test pattern that propagates the effect of
the target key gate without knowing the correct key bits for other key gates.
While SLL is resilient to the sensitization attack, it falls short of providing
the same output corruption level as previous techniques.
SAT Attack Resistant Logic Locking
The SAT-based attack is a generic attack that cracks all gate insertion-based
logic locking techniques and recovers the secret keys of locked circuits in a
manageable time.
As presented in Section 1.4.1, the SAT-based attack iteratively searches for
DIPs to eliminate incorrect keys. In the circuits locked by gate insertion
techniques, it is likely that a single DIP eliminates multiple incorrect keys;
in some cases, the attack can recover the correct key in a few iterations when
good DIPs are found. Thus the run-time of the SAT-based attack depends on
the number of DIPs required to narrow down the search space so that the
correct key is the only one left: the more incorrect hypotheses each DIP
eliminates, the fewer iterations and the less run-time the attack requires.
As presented in the work [21], 90% of locked circuits can be cracked with
250 or fewer DIPs. The required number of DIPs is relatively small, which
explains the effectiveness of the attack. The truth table in Table 2.1 presents
an example vulnerable to the SAT-based attack: as long as the output for a
key mismatches the golden output Out, that key is ruled out. As we can see
in the table, the SAT-based attack is able to recover the correct key in a
few iterations even if it randomly searches DIPs; with the SAT solver, the
searching process is more efficient.
                 Out for different key values
In   Out   k0  k1  k2  k3  k4  k5  k6  k7
000   0     0   1   1   0   0   1   1   0
001   1     0   0   0   1   0   0   0   0
010   1     1   0   0   1   0   1   0   0
011   0     1   0   1   0   1   1   0   0
100   1     1   0   0   1   1   1   1   0
101   0     0   1   0   0   0   1   0   0
110   0     1   0   0   0   1   0   1   1
111   1     1   1   0   1   0   0   0   1
Table 2.1: An example vulnerable to SAT-based attack
Inspired by the insights of the SAT-based attack, SAT Attack Resistant Logic
Locking (SARLock), which implements a SAT-resistant truth table, is
proposed [24]. The truth table of SARLock is shown in Table 2.2; the correct
key is 3, and every DIP can only eliminate one incorrect key. In this
case, the number of required DIPs is 8, which equals 2^(# input bits) − 1.
Therefore, the complexity of the SAT-based attack grows exponentially with
the number of key bits.
                 Out for different key values
In   Out   k0  k1  k2  k3  k4  k5  k6  k7
000   0     1   0   0   0   0   0   0   0
001   1     1   0   1   1   1   1   1   1
010   1     1   1   0   1   1   1   1   1
011   0     0   0   0   0   0   0   0   0
100   1     1   1   1   1   0   1   1   1
101   0     0   0   0   0   0   1   0   0
110   0     0   0   0   0   0   0   1   0
111   1     1   1   1   1   1   1   1   0
Table 2.2: Truth table of a circuit locked by SARLock
Figure 2.4 shows the implementation of the SAT-resistant truth table,
where PI, KI, PO represent primary input, key input, and primary output
respectively. SARLock adds a comparator to compare the primary input
with the key input; when the primary input equals the input key value, the
comparator outputs a flip signal 1 as an input to the inserted XOR gate so
that the XOR gate flips the output from the original logic to produce
a wrong final output. When the PI is not equal to KI, the flip signal would
be 0 and the correct outputs are produced. The mask is used to reset the
flip signal when the correct key is input. Since SARLock does not modify
the original logic, it can be applied in conjunction with gate insertion-based
logic locking techniques.
Figure 2.4: Implementation of SARLock
Stripped Functionality Logic Locking
Although the circuits locked by SARLock gain SAT resilience, SARLock also
leaks a structural signature which causes the locked circuits to be vulnerable
to the removal attack and the bypass attack [22]. The removal attack traces
from the key input ports to identify the comparator and mask, thereby
recovering the original logic by removing the added circuitry. The bypass
attack aims at identifying the DIP that yields incorrect output when the
wrong key is provided, then adds bypass circuitry to correct the output. In
addition, based on Table 2.2, for each incorrect key, most inputs will produce
correct outputs, and the low output corruption rate allows the approximation
of the circuit [68].
Given the various threats to SAT-resistant approaches, Stripped
Functionality Logic Locking (SFLL) is proposed to withstand these
vulnerabilities [14]; the architecture of SFLL is presented in Figure 2.5. To
resist removal attacks, SFLL intentionally strips part of the functionality of
the circuit, namely it injects internal errors into the circuit, then uses a
restore unit to recover the correct functionality. Several variants of SFLL are
proposed to fulfill different applications.
Figure 2.5: Architecture of Stripped Functionality Logic Locking
SFLL-HD^h is a generic approach that provides resistance to many attacks.
It selects the same number of input bits as the number of key bits, then flips
the output of the original circuit for the input patterns in which the selected
input bits are at Hamming distance h from the secret key; therefore, the total
number of input patterns being stripped is:

$$2^{m-n} \binom{n}{h} = 2^{m-n} \cdot \frac{n!}{h!\,(n-h)!} \qquad (2.2)$$

where m denotes the number of input bits and n denotes the number of key
bits. In the implementation of SFLL-HD^h, the restore unit is composed of n
XOR gates along with an adder to achieve the Hamming distance computation.
The variant of SFLL-HD^h that imposes exponential complexity on the
SAT-based attack is SFLL-HD^0. In this case, since zero Hamming distance
implies equality, the restore unit is effectively an n-bit comparator with an
XOR gate.
The truth table of a circuit locked by SFLL-HD^0 is presented in Table 2.3;
in this example, the correct key is 3. When the correct key is provided, the
restore signal is set to recover the stripped functionality for the correct key.
We can also observe from the columns of the truth table that, unlike
SARLock, in SFLL-HD^0 every incorrect key leads to two errors.
We analyze the SAT-resistance of SFLL-HD^0 from the rows of the truth
table, where each row corresponds to a DIP. In the example shown in Table
2.3, we find that a single DIP only eliminates one incorrect key except 011,
so in the worst case the SAT-based attack requires seven DIPs to obtain the
                 Out for different key values
In   Out   k0  k1  k2  k3  k4  k5  k6  k7
000   0     1   0   0   0   0   0   0   0
001   1     1   0   1   1   1   1   1   1
010   1     1   1   0   1   1   1   1   1
011   0     1   1   1   0   1   1   1   1
100   1     1   1   1   1   0   1   1   1
101   0     0   0   0   0   0   1   0   0
110   0     0   0   0   0   0   0   1   0
111   1     1   1   1   1   1   1   1   0
Table 2.3: Truth table of a circuit locked by SFLL-HD^0
correct key. Since only one DIP out of 2^(# key bits) DIPs assists in ruling
out all incorrect keys, the likelihood that attackers can find this DIP is
exponentially low; thus, similar to SARLock, the complexity of the SAT-based
attack on SFLL-HD^0 is still exponential in the number of key bits.
In addition to SAT-resistance, all variants of SFLL have strong resistance
to removal attacks. Since SFLL strips part of the functionality of the original
circuit, when the attackers trace from key ports and remove the restore unit,
they can only recover the circuitry that outputs errors injected by the strip
unit; thus the circuits locked by SFLL have good resilience to removal attacks.
In addition to SFLL-HD^h, another version of SFLL, SFLL-flex, uses a look-
up table (LUT) in the restore unit to allow the designer to tailor the input
patterns that they desire to protect. The architecture of SFLL-flex replaces
the HD checker in SFLL-HD^h with the customized LUT.
Recently, however, the FALL attack identified the structural signature
of SFLL and cracked over 80% of circuits locked by SFLL [27]. Furthermore,
with the advent of machine learning and deep learning techniques,
GNNUnlock uses a GNN whose outputs guide a removal attack, and this
ML-guided removal attack achieves high accuracy on SFLL. These attacks
pinpoint the structural vulnerabilities of SFLL, which motivate the
development of a more advanced logic locking technique that combines the
merits of combinational and sequential logic locking, Latch-Based Logic
Locking (LBLL), which will be elaborated in Chapter 6.
2.2.3 Sequential Logic Locking
Sequential logic locking is another class of logic locking; this method aims
to protect sequential circuits from reverse engineering [28–30]. Unlike
combinational logic locking approaches which insert logic gates, sequential
logic locking techniques insert new states into the finite state machine of the
original circuit, and the transitions of the original machine are also modified.
The approach introduces an authentication phase which is composed of the
inserted states so that the circuit can enter the states that provide the
correct functionality. In the first few clock cycles, the client inputs a
sequence of keys via the primary input ports to perform the authentication
phase; if the sequence of keys is correct, the circuit is admitted to the normal
functional states and provides correct outputs.
Since the original SAT-based attacks require key ports to conduct
iterative trials, sequential logic locking techniques that do not have any
extra key port have natural resilience to them. Advanced SAT-based attacks
that expose the vulnerability of these techniques are introduced in Section
2.3. Besides, removal attacks at the logic level also struggle with sequential
logic locking techniques because the boundary between locking and original
logic is not clear. However, the removal attack at the state level, which
analyzes the state transition graph, may pinpoint structural signatures from
it [33].
Hardware Protection through Obfuscation Of Netlist (HARPOON), which
is the first sequential logic locking approach [28], obfuscates a sequential
circuit such that the circuit can be admitted to the normal function mode
when it is provided a correct sequence of input patterns so as to pass the
authentication phase. The obfuscation of HARPOON is divided into two
steps. The first step is to modify the state transition function of the finite
state machine in the sequential circuit and the second step is selecting some
internal nodes in the circuit and modifying them. After the structural
modifications, the designer resynthesizes the netlist to further conceal the
structural signatures which may be taken advantage of by adversaries.
Figure 2.6: Modified state transition graph of HARPOON
Figure 2.6 presents the modified state transition graph of HARPOON.
After boot-up, the circuit starts in authentication mode; if the correct
input patterns are applied in the correct order, the circuit enters the normal
mode that provides the correct functionality. However, if any input pattern
or the order is incorrect, the circuit stays in the authentication mode and
produces incorrect outputs.
To realize the modified state transition graph, HARPOON first applies
a multi-pass ranking algorithm to select some nodes. This ranking algorithm
iteratively eliminates the influenced fan-out cones and selects the node with
the largest number of untouched fan-out cones so that the modification of
selected nodes has more impact on the primary outputs. Besides, HARPOON
introduces a Modification Kernel Function (MKF) to increase the fan-in size
of a node; the MKF has two sources: it can be an OR of all primary inputs,
or it can be randomly selected from the internal nodes without forming a
combinational loop. After node selection and MKF introduction, a new finite
state machine along with XOR gates is inserted, and the modified function of
the selected node becomes:

$$f_{\text{mod}} = f_{\text{ori}} \cdot \neg en + \neg f_{\text{ori}} \cdot f_{\text{mkf}} \cdot en \qquad (2.3)$$

where f_mod represents the output of the modified node, f_ori denotes the
selected node and f_mkf represents the output of the MKF. The en signal is
an output of the inserted finite state machine; if the client passes the
authentication phase, en is 0 and the circuit functions correctly; otherwise
en is 1 and the MKF and XOR gate corrupt the functionality. The
introduction of the MKF increases the corruption rate when the authentication
fails.
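Equation (2.3) and the two-mode state machine of Figure 2.6 together determine what an observer sees at a modified node before and after authentication. The following is an added example written for this section, not HARPOON's own implementation: the protected node is a constructed AND of two primary inputs, the MKF is the OR of all primary inputs (the first of the two MKF sources named above), and the authentication machine's reaction to a wrong pattern (returning to the first authentication state, so progress is lost) is an assumption, since the page only says the circuit stays in authentication mode.

```python
def modified_node(f_ori, f_mkf, en):
    """Equation (2.3): f_mod = f_ori * ~en + ~f_ori * f_mkf * en.
    With en = 0 the selected node is passed through unchanged; with en = 1
    the node is replaced by ~f_ori AND f_mkf, which corrupts it."""
    return (f_ori & (1 - en)) | ((1 - f_ori) & f_mkf & en)


class HarpoonFsm:
    """Inserted finite state machine: en = 1 in the authentication states,
    en = 0 once the single edge into normal mode has been taken.

    Assumption (not stated on the page): a wrong pattern sends the machine
    back to the first authentication state.
    """

    def __init__(self, key_sequence):
        self.key_sequence = list(key_sequence)   # expected input patterns, in order
        self.progress = 0                        # authentication states passed
        self.normal = False                      # True once in normal mode

    def step(self, pattern):
        """Return en for the current cycle, then advance the state."""
        en = 0 if self.normal else 1             # Moore output of current state
        if not self.normal:
            if pattern == self.key_sequence[self.progress]:
                self.progress += 1
                self.normal = self.progress == len(self.key_sequence)
            else:
                self.progress = 0                # assumed: restart authentication
        return en


def run_locked_circuit(input_patterns, key_sequence):
    """Cycle-by-cycle value of one modified node. Constructed toy design
    (not on the page): f_ori = a AND b, MKF = OR of all primary inputs."""
    fsm = HarpoonFsm(key_sequence)
    outputs = []
    for a, b in input_patterns:
        en = fsm.step((a, b))
        f_ori = a & b
        f_mkf = a | b
        outputs.append(modified_node(f_ori, f_mkf, en))
    return outputs


def run_original_circuit(input_patterns):
    """The unlocked node, for comparison."""
    return [a & b for a, b in input_patterns]


if __name__ == "__main__":
    key = [(0, 1), (1, 1)]                      # constructed two-pattern key sequence
    good = [(0, 1), (1, 1), (1, 1), (1, 0), (0, 0)]
    bad = [(1, 1), (1, 1), (1, 1), (1, 0), (0, 0)]
    print("original        :", run_original_circuit(good))
    print("correct sequence:", run_locked_circuit(good, key))
    print("wrong sequence  :", run_locked_circuit(bad, key))
```

With the correct two-pattern sequence the node is corrupted only during the two authentication cycles (en = 1) and then tracks the original function; with a wrong first pattern the machine never leaves authentication mode, so en stays 1 and every cycle is corrupted whenever the MKF evaluates to 1. The MKF matters for the corruption rate: with en = 1 and f_mkf = 0 the node is forced to 0 instead of being inverted, which is the behaviour (2.3) prescribes.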
Graph analysis approaches point out a potential vulnerability of HARPOON
[33]: as we can observe in Figure 2.6, only one edge links the two modes, so
with careful analysis of the state transition graph, the states in different
modes can be recognized. Moreover, an advanced SAT-based attack that can
be applied to sequential logic locking is introduced in the next section.
2.3 Advanced SAT-based Attack
Because sequential elements (flip-flops) cannot be converted directly to CNF, the original SAT-based attacks are applicable only to combinational logic. An advanced SAT-based attack, referred to as the unrolling SAT-based attack, targets sequential logic locking as well as scan chain locking techniques [66,69]; the reported results demonstrate that unrolling SAT-based attacks are effective against the dynamically secured scan chain.
The goal of the unrolling SAT-based attack is to convert the entire circuit into one large combinational circuit by removing the sequential elements and replicating the original combinational logic multiple times, which exposes the key sequence as key ports of the unrolled circuit.
Figure 2.7: Unrolling process of the advanced SAT-based attack
As shown in Figure 2.7, the top figure is the target locked circuit and the bottom figure is the large combinational circuit obtained after unrolling. The attacker first removes the sequential logic, which is the register in the figure, then replicates the combinational logic multiple times; the number of replicas depends on the length L of the key sequence. The resulting combinational circuit can then be attacked with the original SAT-based attack. Because the unrolling SAT-based attack can be efficient against sequential logic locking techniques and secured scan chains, it should be considered when designing a locking scheme.
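To make the unrolling step concrete, the following Python example (added here; it is not code from the dissertation or from [66,69]) models a toy HARPOON-style lock, builds its unrolled combinational form, and runs the oracle-guided pruning loop that the SAT attack performs. Everything about the toy is an assumption: a 3-bit primary input, a key sequence of two authentication patterns, a majority function as the selected node, the OR of all inputs as the MKF, a wrong pattern returning the FSM to the first authentication state, and exhaustive search over the 64 candidate key sequences in place of a SAT solver (feasible only at this size).

```python
"""Unrolling attack on a toy HARPOON-style sequential lock (added example)."""
from itertools import product

IN_BITS = 3            # width of the primary input x (assumed toy size)
KEY_LEN = 2            # L: number of authentication patterns in the key sequence
PATTERNS = range(1 << IN_BITS)


def f_ori(x):
    """Original function of the selected node: majority of the three input bits."""
    return int(sum((x >> i) & 1 for i in range(IN_BITS)) >= 2)


def f_mkf(x):
    """Modification Kernel Function: OR of all primary inputs."""
    return int(x != 0)


def comb_logic(state, x, key):
    """One copy of the combinational logic (everything but the state register).

    state: 0..KEY_LEN-1 are authentication states, KEY_LEN is normal mode.
    key:   tuple of KEY_LEN expected input patterns (unknown to the attacker).
    Output follows Eq. (2.3): f_mod = f_ori*not(en) + not(f_ori)*f_mkf*en.
    """
    en = 1 if state < KEY_LEN else 0
    out = (f_ori(x) & (1 - en)) | ((1 - f_ori(x)) & f_mkf(x) & en)
    if state < KEY_LEN:
        # assumption: a wrong pattern sends the FSM back to the first auth state
        next_state = state + 1 if x == key[state] else 0
    else:
        next_state = KEY_LEN
    return next_state, out


def unrolled(x_seq, key, reset_state=0):
    """Unrolled circuit: the register is removed and comb_logic is replicated
    len(x_seq) times, so the output sequence is a pure function of the input
    sequence and the key sequence, as in the bottom half of Figure 2.7."""
    state, outs = reset_state, []
    for x in x_seq:
        state, out = comb_logic(state, x, key)
        outs.append(out)
    return tuple(outs)


def unrolling_attack(oracle, depth):
    """Prune key-sequence candidates with distinguishing input sequences (DIPs).

    oracle(x_seq) returns the unlocked chip's output sequence. A DIP is an input
    sequence on which two surviving candidates disagree; the oracle's answer then
    eliminates every candidate that disagrees with it. The loop stops when no DIP
    exists, which is the SAT attack's termination condition (here found by
    exhaustive search instead of a solver).
    """
    candidates = set(product(PATTERNS, repeat=KEY_LEN))
    dips = []
    while True:
        dip = None
        for x_seq in product(PATTERNS, repeat=depth):
            if len({unrolled(x_seq, k) for k in candidates}) > 1:
                dip = x_seq
                break
        if dip is None:
            return candidates, dips
        truth = oracle(dip)
        dips.append(dip)
        candidates = {k for k in candidates if unrolled(dip, k) == truth}


if __name__ == "__main__":
    secret = (5, 2)  # constructed key sequence, an arbitrary choice
    keys, dips = unrolling_attack(lambda xs: unrolled(xs, secret), depth=KEY_LEN + 1)
    print("surviving key sequences:", keys, "after", len(dips), "DIPs")
```

Unrolling to depth L + 1 is enough here because the last cycle observes the output in normal mode only if every earlier pattern matched; any wrong candidate is still in an authentication state at that cycle and produces the corrupted output on an input where Eq. (2.3) differs from $f_{ori}$.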
Chapter 3
Distillation-based Inverse
Network Attack
In Chapter 2, we present the threats to human privacy in split learning with two attacks. Private inference (PI) has emerged to address the rising concern over data and model privacy in machine learning inference as a service and split learning [2,3]. However, existing PI frameworks suffer from high computational and communication costs due to the expensive multi-party computation (MPC) protocols. In this chapter, we propose a novel inference data privacy attack, named distillation-based inverse network attack (DINA). The findings of the attack are also leveraged to design a two-party PI framework that presents an efficient partitioning of the neural network model and requires only the initial few layers to be performed with MPC protocols. The proposed attack, DINA, outperforms existing state-of-the-art attacks [57,58] by achieving approximately 0.1 to 0.23 more structural similarity (SSIM) in image recovery tasks.
[Figure 3.1 diagram: the input $x$ passes through the target model, whose tentative clear layers are split into sub-blocks 1, 2 and 3; the DINA model $M^*$ is a chain of basic inverse blocks 1, 2 and 3 that maps the intermediate output back to the recovered $\hat{x}$.]
Figure 3.1: Model architecture of DINA
3.1 Proposed Inverse Network Attack
Although EINA [58] increases the complexity of the inversion model to enhance its inversion ability, it does not take full advantage of the fact that the server has access to the intermediate layer outputs of its own model, which can be used to guide the training of the inversion model. Therefore, we introduce distillation points in DINA to help the inversion model better approximate the target inverse function.
Figure 3.1 presents the model architecture of DINA, which is composed of a sequence of basic inverse blocks. Each basic inverse block consists of a ResNet basic block [59] and a dilated convolution layer. Since the ReLU layer significantly affects the attack, we partition the tentative attack layers before $l'$ into sub-blocks that each end with a ReLU layer, i.e., each sub-block contains exactly one ReLU layer. The proposed attack then uses one basic inverse block to recover the input of one sub-block: as shown in Figure 3.1, each basic inverse block approximates the inverse function of the sub-block above it.
To better train each basic inverse block, DINA selects middle points between sub-blocks as distillation points and applies a fine-grained distillation approach that optimizes the distance between the output of each basic inverse block and the feature map at the corresponding distillation point. The distances are incorporated into a new loss function:

$$\mathcal{L}_{DINA} = \sum_{j=1}^{N} \alpha_j \,\|D_j - I_j\|_2^2 + \alpha_0 \,\|x - \hat{x}\|_2^2 \quad (3.1)$$

where the first term is the weighted sum of the distance terms at the distillation points, $\alpha_j$ is the coefficient that controls the weight of the distance at distillation point $j$, $D_j$ denotes the feature map at distillation point $j$ in the target model, $I_j$ is the input of basic inverse block $j$ in the DINA model, and $N$ represents the total number of selected distillation points. The second term is the distance between the inference input $x$ and the output $\hat{x}$ of the DINA model.
To help each distillation point provide effective guidance to its nearest basic inverse block, the attack applies monotonically increasing coefficients $\alpha_j$ from the output to the input of the DINA model, $\alpha_0 < \alpha_1 < \alpha_2 < \dots < \alpha_N$. This ensures that each basic inverse block receives the most guidance from its nearest distillation point. In the example shown in Figure 3.1, there are two distillation points, colored red and orange, respectively. Although the losses at the output of the DINA model and at both distillation points contribute to optimizing the parameters of basic inverse block 2, the loss at the orange distillation point has the largest impact because of the monotonically increasing coefficients.
3.2 Experimental Results
3.2.1 Comparison of IDPAs
We apply MLA [57], EINA [58], and DINA to each layer of VGG16 to recover images from the CIFAR-10 and CIFAR-100 datasets. When targeting layer $l$, MLA solves

$$\hat{x} = \arg\min_{\hat{x}} \|M_l(\hat{x}) - M_l(x)\|_2^2$$

by gradient descent with 10000 iterations from a randomly initialized $\hat{x}$. In EINA, we construct an inversion network $M^*$ from residual basic blocks [59] and train it with the loss function $\mathcal{L}_{EINA} = \|x - M^*(M_l(x))\|_2^2$ and a stochastic gradient descent optimizer. In DINA, we introduce distillation points and train $M^*$ with the loss function in (3.1). The coefficients in our training are monotonically increasing, with $\alpha_0 = 1$, $\alpha_1 = 3$, and $\alpha_j = 2\alpha_{j-1}$ for $j \geq 2$. Both training processes use a learning rate of 0.001. After training the model $M^*$, we run inference over 1000 images from each dataset and evaluate the recovery ability.

[Figure 3.2 plots: average SSIM versus convolution layer id (1 to 13) of VGG16 on CIFAR-10 and on CIFAR-100, with curves for MLA, EINA, DINA and the threshold.]
Figure 3.2: Comparison of IDPAs including MLA, EINA, and DINA.

Attack results are presented in Figure 3.2, where DINA achieves 0.229 and 0.205 more average SSIM than MLA at layer 7 on CIFAR-10 and CIFAR-100, respectively. DINA also achieves 0.108 and 0.145 more SSIM than EINA at layer 7 on CIFAR-10 and CIFAR-100.
In the algorithm of the novel PI framework that partitions the encrypted layers and the clear layers, the framework searches for a potential boundary layer after which the IDPA begins to fail. MLA, EINA, and DINA return layers 7.5, 8.5, and 9 as the potential boundary layer for CIFAR-10, respectively, and layers 7.5, 9.5, and 10 for CIFAR-100. Therefore, DINA finds a more conservative boundary than MLA and EINA.
[Figure 3.3 plots: average SSIM versus convolution layer id (1 to 13) of VGG16 on CIFAR-10 and on CIFAR-100, with curves for DINA-c1 and DINA-c2, and a second axis showing the SSIM improvement of DINA-c1 over DINA-c2 per layer.]
Figure 3.3: Attack results of DINA-c1 and DINA-c2 on VGG16. The improvements are the increased average SSIM gained by DINA-c1.
3.2.2 Choice of DINA’s Loss Coefficients
In DINA, we use monotonically increasing coefficients $\alpha_j$ ($j \geq 0$) in the loss function to provide more effective guidance to the basic inverse blocks. In this section, we compare DINA with increasing coefficients $\alpha_0 = 1$, $\alpha_1 = 3$, $\alpha_j = 2\alpha_{j-1}$ ($j \geq 2$), denoted DINA-c1, against DINA with uniform coefficients $\alpha_j = 1$ ($j \geq 0$), denoted DINA-c2. Figure 3.3 presents the attack results, where DINA-c1 achieves a higher average SSIM. We use DINA-c1 in all of our experiments. From the results, we observe that DINA with increasing coefficients achieves better performance and demonstrates a more stable recovery capability. Moreover, DINA with increasing coefficients also provides a more conservative boundary for the PI framework.
Chapter 4
Island-based Random Dynamic
Voltage Scaling as a
Countermeasure for Power
Side-Channel Attacks
As presented in Chapter 1, side-channel attacks are one of the significant threats to the privacy of both ML and hardware IP. In particular, power side-channel attacks have become an increasing source of concern [70]. To thwart power side-channel attacks, we propose and analyze an island-based random dynamic voltage scaling (iRDVS) approach that uses multiple independent random voltages that are more difficult to estimate. We first analyze the signal-to-noise ratio (SNR) of iRDVS, then explore the resistance of this technique to alignment. We evaluate both as a function of the number of independent voltages. Together, we argue, these analyses suggest that a design with a small number of independent voltages achieves high security.
As part of our alignment analysis, we propose a novel application of a clustering algorithm to classify iRDVS traces and enable more effective power attacks. Clustering algorithms have been used to create profiles of given hardware using traces with known keys [71], as well as to identify regions of interest in encryption algorithms that use exponentiation [72]. Our approach, by contrast, uses clustering to classify power traces from different unknown iRDVS voltages into groups of similar voltages. Our experimental results show that this clustering-based attack is able to uncover keys in systems protected by one, two, and three dynamic voltage islands but has a limited benefit when applied to iRDVS schemes with four or more islands.
4.1 Preliminaries
This section summarizes correlation-based power analysis, provides details
on the elastic alignment technique used to test our approach and introduces
two common metrics for quantifying countermeasure effectiveness.
4.1.1 Correlation-Based Power Analysis
Power analysis attacks take advantage of the dependence of a circuit's power consumption on the data it processes. A common method of exposing this dependence employs a differential technique introduced by Kocher et al. [70] called differential power analysis (DPA), which recovers keys bit-by-bit. Another powerful technique, requiring less knowledge of the algorithm implementation, is correlation-based power analysis (CPA), introduced by Brier et al. [11]. Brier et al. demonstrated that all countermeasures against CPA provide similar defensive effectiveness against DPA. Moreover, CPA is capable of attacking several bits at a time instead of only a single bit. Because of this advantage, we applied CPA in our experiments.
CPA uses the correlation between the measured power consumption and a data-dependent power model to reveal secret information. The power model estimates power consumption from intermediate values in the algorithm under attack that depend on known data and hypothesized secret data (e.g., bytes of an AES key). One common and simple power model estimates that the power consumption at a specific point in time is proportional to the Hamming distance of the targeted intermediate signals, i.e., the number of signal bits that change their value at that time. If the starting value of the signals is unknown, the Hamming weight, i.e., the number of bits that evaluate to one at that time, can be used instead, but it is less accurate.
When performing an attack, power measurements are broken up into traces, where each trace contains the power consumption over the duration of one encryption. Two matrices are used, the hypothesis matrix H and the trace matrix T. H contains the hypothesized power consumption of a chosen operation for each encryption based on the power model, while T contains the region of interest of the power traces.
The correlation between the power estimate and the actual power measurement is calculated using the correlation coefficient (also called the correlation factor) ρ [11]. Importantly, a correlation is calculated between the hypothesized power and every sample of the measured power trace across all encryptions, after which the highest correlation coefficient among those samples is chosen. Because of this, CPA attacks are more successful if the operation corresponding to the intermediate value occurs at the same sample in every trace. If countermeasures have been employed to misalign operations, applying alignment algorithms before the power attack can greatly increase attack success.
4.1.2 Elastic Alignment
Woudenberg et al. [73] propose a powerful alignment algorithm, elastic alignment, to preprocess traces corrupted by random delay insertion or an unstable clock. The two-step procedure aligns recorded traces to a single reference. First, it leverages a traditional algorithm, dynamic time warping [74], to find a warp path that maps the time steps of each sample trace to those of a reference trace. To do this, the algorithm computes the Euclidean difference between each target trace t and a reference trace r, captured in a 2-D cost matrix of size P × Q, where P and Q are the lengths of traces t and r, respectively. It then applies dynamic programming to identify the minimum-cost path through the matrix between points (0,0) and (P,Q). This path defines the correspondence between traces r and t. Second, guided by this path, elastic alignment averages across samples when multiple samples of t map to one time step and duplicates samples of t when one sample of t maps to multiple time steps.
Figure 4.1: Elastic alignment applied to a trace misaligned with dynamic frequency scaling
Figure 4.1 illustrates the alignment process. The first trace shown in Figure
4.1 is a reference trace. The second trace is a frequency-scaled version of
the first, and the third trace is the result of applying the elastic alignment
algorithm to the second trace, illustrating a successful alignment.
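The two steps above, as an added Python example (not the dissertation's in-house tool and not the fastdtw package used in Section 4.6): a plain dynamic time warping on absolute sample differences, the minimum-cost warp path from the first cell to the last, and the averaging/duplication step that resamples the target onto the reference's time axis. The traces are short constructed lists, not measured data; the second one is the reference with every sample held twice as long, mimicking a clock slowed by a factor of two.

```python
"""Elastic alignment of a trace to a reference via dynamic time warping (added example)."""


def dtw_path(t, r):
    """Minimum-cost warp path as (i, j) pairs mapping t[i] onto r[j], plus its cost."""
    P, Q = len(t), len(r)
    INF = float("inf")
    acc = [[INF] * Q for _ in range(P)]          # accumulated cost matrix, P x Q
    acc[0][0] = abs(t[0] - r[0])
    for i in range(P):
        for j in range(Q):
            if i == 0 and j == 0:
                continue
            best = INF
            if i > 0 and j > 0:
                best = min(best, acc[i - 1][j - 1])
            if i > 0:
                best = min(best, acc[i - 1][j])
            if j > 0:
                best = min(best, acc[i][j - 1])
            acc[i][j] = abs(t[i] - r[j]) + best
    # backtrack from the last cell; on ties prefer the diagonal, then the vertical move
    i, j, path = P - 1, Q - 1, [(P - 1, Q - 1)]
    while i > 0 or j > 0:
        moves = []
        if i > 0 and j > 0:
            moves.append((acc[i - 1][j - 1], i - 1, j - 1))
        if i > 0:
            moves.append((acc[i - 1][j], i - 1, j))
        if j > 0:
            moves.append((acc[i][j - 1], i, j - 1))
        _, i, j = min(moves)
        path.append((i, j))
    path.reverse()
    return path, acc[P - 1][Q - 1]


def elastic_align(t, r):
    """Resample target t onto reference r's time axis along the warp path:
    several t samples mapped to one reference step are averaged, and one t
    sample mapped to several reference steps is duplicated into each of them."""
    path, _ = dtw_path(t, r)
    buckets = [[] for _ in r]
    for i, j in path:
        buckets[j].append(t[i])
    return [sum(b) / len(b) for b in buckets]


if __name__ == "__main__":
    reference = [0, 1, 3, 1, 0, 2, 0]                       # constructed reference trace
    slowed = [s for s in reference for _ in range(2)]       # constructed: clock halved
    print(elastic_align(slowed, reference))
```

Note that the path only ever moves forward in both traces, so a sample that belongs to a later operation in t cannot be pulled back to an earlier reference step; this is also why a reference whose shape the target no longer resembles (as with the voltage-scaled traces in Section 4.6) gives a poor alignment even when the warp cost is minimized.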
4.1.3 Metrics for Countermeasure Effectiveness
There are two common metrics for measuring side-channel countermeasure effectiveness. The first is Minimum Traces to Disclosure (MTD), the number of encryption/decryption traces required to disclose all of the secret information. A higher MTD indicates a more secure countermeasure. This metric requires that all bytes of the secret be guessed correctly. Partial Guessing Entropy (PGE) [75] can be a more practical evaluation metric than MTD because it does not require a correctly guessed secret. PGE is computed from the ranking of the possible values of a subkey byte in descending order of correlation, as estimated by the Pearson correlation coefficient. PGE is the rank of the correct subkey, where a PGE of 0 denotes that the subkey was correctly guessed. A large PGE indicates a low correlation of the correct subkey and consequently a system robust to attacks.
4.2 Island-based Random DVS
Traditional DVS countermeasures can be attacked if the random dynamic voltage is uncovered [76]. Attackers can scale measured power traces in time and amplitude to match a reference trace, which renders DVS designs vulnerable.

To circumvent the weaknesses of single-island DVS, this chapter proposes using several independent voltages in an island-based random DVS (iRDVS) framework, illustrated in Figure 4.2. iRDVS makes side-channel attacks more difficult because attackers must differentiate between multiple simultaneous random dynamic voltages.
Figure 4.2: Illustration of a typical iRDVS structure with n = 9 islands and
m = 3 independent voltages. Each independent voltage domain has a different
color and each cloud represents a group of logic; the shaded logic is under attack.
One practical means of implementing this iRDVS framework for a pipelined design is to partition each combinational stage into multiple islands with independent voltage control. The voltages can be randomly adjusted under the constraint that the delay of each pipeline stage remains roughly the same, thereby maximizing overlapping computation and minimizing the chance of introducing timing side channels. Multiple islands can share one voltage supply to support scaling this approach to large circuits with many islands. Moreover, the islands need not all be the same size but can be adjusted based on both logical and physical constraints. We assume each island will have an on-chip DC/DC converter whose control leverages the entropy from an off-the-shelf true random number generator (TRNG). This is similar to the random voltage generation proposed for random DVS [77–79]. As was implemented in [77], we assume the TRNGs will be on-die and thus not directly accessible to power attacks. Determining the optimal number and configuration of independent voltages that not only thwarts voltage prediction but also retains the statistical merits of DVS is one of the key research objectives we explore here.
4.3 SNR Analysis
The signal-to-noise ratio (SNR) is typically used to quantify how well the secret portion of the computation is hidden within the overall power consumption [16]. The SNR is defined as

$$\mathrm{SNR} = \frac{\mathrm{Var}(AP)}{\mathrm{Var}(N)}$$

where $AP$ denotes the power consumption associated with the intermediate value that carries secret information and $N$ consists of the power consumption of uncorrelated computations and electronic noise. In this section, we examine the SNR of various island configurations to analyze their effectiveness. To simplify our analysis, we assume the traces are perfectly aligned; we analyze the misalignment benefit associated with iRDVS in the next section.

The correlation between the hypothetical intermediate value and the power traces can be expressed in terms of the SNR:

$$\rho = \frac{\rho_{ap}}{\sqrt{1 + \frac{1}{\mathrm{SNR}}}}$$

where $\rho_{ap}$ denotes the correlation between the power consumption of the attacked part and the hypothetical intermediate value [16]. This equation shows that a lower SNR leads to a lower correlation, which indicates higher robustness.
Let $T_i$ be a power trace for island $i$ normalized by the voltage of that island, and let $v_i$ denote the independent random dynamic supply voltage for island $i$. Because the switching power is proportional to $v^\alpha$, where $\alpha \approx 2$, and most instantaneous power consumption is due to switching, the DVS power traces are proportional to $v^\alpha T$. Let $n$ denote the number of independent islands and $m$ the number of independent voltages used. We present three cases for comparison: first, the $m = n$ independent DVS case, in which a different random voltage is assigned to each island; then, the cases with two ($m = 2$) and one ($m = 1$) independent voltages.

Without loss of generality, assume the first island is attacked, so the power consumption of the other $n-1$ islands is switching noise. The SNR for $m = n$ iRDVS islands (with voltages $v_1, v_2, \dots, v_n$) can be written as follows, where $\sigma$ and $\mu$ denote the standard deviation and mean of their associated variables. Since $v_i$ and $T_i$ are independent of each other, we can expand the variance of both the numerator and the denominator.
$$\mathrm{SNR}_{m=n} = \frac{\mathrm{Var}(v_1^\alpha T_1)}{\mathrm{Var}\left(\sum_{i=2}^{n} v_i^\alpha T_i\right)} = \frac{\sigma^2_{v_1^\alpha}\sigma^2_{T_1} + \sigma^2_{v_1^\alpha}\mu^2_{T_1} + \mu^2_{v_1^\alpha}\sigma^2_{T_1}}{\sum_{i=2}^{n}\left(\sigma^2_{v_i^\alpha}\sigma^2_{T_i} + \sigma^2_{v_i^\alpha}\mu^2_{T_i} + \mu^2_{v_i^\alpha}\sigma^2_{T_i}\right)}$$

Considering the special case in which the variances and means of the island power consumptions and supply voltages are all the same, denoted $\sigma^2_T$, $\mu_T$, $\sigma^2_{v^\alpha}$ and $\mu_{v^\alpha}$, we obtain:

$$\mathrm{SNR}_{m=n} = \frac{\sigma^2_{v^\alpha}\sigma^2_T + \sigma^2_{v^\alpha}\mu^2_T + \mu^2_{v^\alpha}\sigma^2_T}{(n-1)\sigma^2_{v^\alpha}\mu^2_T + (n-1)\left(\mu^2_{v^\alpha}\sigma^2_T + \sigma^2_{v^\alpha}\sigma^2_T\right)}$$
Similarly, we can derive the SNR for the cases with two ($v_1$, $v_2$) and one ($v$) independent voltages, the latter modeling the conventional DVS approach. For $m = 2$, islands $1$ through $n/2$ share $v_1$ and islands $n/2+1$ through $n$ share $v_2$:

$$\mathrm{SNR}_{m=2} = \frac{\mathrm{Var}(v_1^\alpha T_1)}{\mathrm{Var}\left(v_1^\alpha \sum_{i=2}^{n/2} T_i + v_2^\alpha \sum_{i=n/2+1}^{n} T_i\right)} = \frac{\sigma^2_{v^\alpha}\sigma^2_T + \sigma^2_{v^\alpha}\mu^2_T + \mu^2_{v^\alpha}\sigma^2_T}{\left[\left(\frac{n}{2}-1\right)^2 + \left(\frac{n}{2}\right)^2\right]\sigma^2_{v^\alpha}\mu^2_T + (n-1)\left(\sigma^2_{v^\alpha}\sigma^2_T + \mu^2_{v^\alpha}\sigma^2_T\right)}$$
$$\mathrm{SNR}_{m=1} = \frac{\mathrm{Var}(v_1^\alpha T_1)}{\mathrm{Var}\left(v_1^\alpha \sum_{i=2}^{n} T_i\right)} = \frac{\sigma^2_{v^\alpha}\sigma^2_T + \sigma^2_{v^\alpha}\mu^2_T + \mu^2_{v^\alpha}\sigma^2_T}{(n-1)^2\sigma^2_{v^\alpha}\mu^2_T + (n-1)\left(\sigma^2_{v^\alpha}\sigma^2_T + \mu^2_{v^\alpha}\sigma^2_T\right)}$$
Because for $a \geq 1$ and $b \geq 1$ we have $(a+b)^2 \geq a^2 + b^2 \geq a + b$, taking $a = n/2 - 1$ and $b = n/2$ (so that $a + b = n - 1$) orders the three denominators above and shows that $\mathrm{SNR}_{m=n} \geq \mathrm{SNR}_{m=2} \geq \mathrm{SNR}_{m=1}$. This indicates that, somewhat counter-intuitively, when the misalignment and temporal advantages are not considered, a smaller number of independent supply voltages results in a lower SNR, and thereby lower correlation and higher robustness.
We can explain this trend more generally from the perspective of covariance. For two islands $i$ and $j$,

$$\mathrm{Var}(v_i^\alpha T_i + v_j^\alpha T_j) = \mathrm{Var}(v_i^\alpha T_i) + \mathrm{Var}(v_j^\alpha T_j) + 2\,\mathrm{Cov}(v_i^\alpha T_i,\, v_j^\alpha T_j)$$

is the general formula for the variance of the combined power of the two islands. If the two islands share the same supply voltage, i.e., $v_i = v_j$, the two quantities $v_i^\alpha T_i$ and $v_j^\alpha T_j$ are correlated through the common voltage, so the covariance term $\mathrm{Cov}(v_i^\alpha T_i, v_j^\alpha T_j)$ is greater than zero. When the two islands have independent random voltages (possibly with different means and variances), i.e., $v_i \neq v_j$, the two quantities $v_i^\alpha T_i$ and $v_j^\alpha T_j$ are independent and $\mathrm{Cov}(v_i^\alpha T_i, v_j^\alpha T_j) = 0$.
This reduction in variance caused by an increasing number of supply voltages generalizes to more islands. For the case of $m = 2$, the $n/2$ noise islands supplied by $v_2$ are correlated with one another, increasing the covariance terms in the denominator and decreasing the SNR. However, if we keep $n$ constant and increase the number of voltage supplies $m$, the correlation between islands is reduced (increasing the SNR) because fewer islands are correlated with each other. When $m = n$, each island is powered by an independent supply so there is no covariance among noise islands. Therefore, the variance of the noise is minimized and the SNR is maximized for this $n$.
Figure 4.3: Correlation of iRDVS versus key byte hypothesis for the different
number of independent voltages assuming no temporal misalignment unless oth-
erwise specified. The correct value of the key byte is 197.
We experimentally verified this trend by performing CPA on a simplified
model of AES that simulated the Sbox operations in the first round of AES.
This model, given a plaintext, computes the 16 Sbox output values for the
first round of AES and generates a power pulse with a peak amplitude cor-
responding to the sum of their Hamming weights and a fixed width. This
pulse was scaled in time according to the Sakurai-Newton delay model with
α = 2 and in amplitude according to the squared voltage of the island [80].
Figure 4.3 demonstrates the results of varying the number of independent
supplies m in the simplified model of iRDVS. The y-axis of each graph spec-
ifies the correlation values, where the peaks are located at the correct byte
hypotheses for the first byte of the AES key. A larger peak at the correct
byte hypothesis indicates the design is easier to attack. The peak correla-
tions of the single-island and two-island cases are close, and as the number
of independent voltages increases, the correlation also increases. However,
the correlation for a small number of independent voltages (between 2 and
8) remains well below that observed without dynamic voltage scaling.
4.4 Alignment Analysis
iRDVS and DVS introduce temporal advantages for attack resistance in addition to improving the SNR by amplitude scaling. According to the Sakurai-Newton delay model [80,81],

$$\tau = \frac{C_L\, V}{k\,(V - V_T)^\alpha},$$

the delay of the gates is closely related to the supply voltage. Assuming each independent voltage can change much faster than the duration of an attack, the power samples of the secret component will be shifted in time as the voltage changes. This means that the power samples associated with the secret operation, which were expected to be aligned, may be spread over a large range.
The work in [16] presents a relationship between misalignment and the correlation coefficient:

$$\rho(H, v^\alpha T) = \rho(H, v_s^\alpha T_s) \cdot p \cdot \sqrt{\frac{\mathrm{Var}(v_s^\alpha T_s)}{\mathrm{Var}(v^\alpha T)}},$$

where $H$ represents the Hamming weight or Hamming distance matrix of the hypothetical intermediate value, $v^\alpha T$ denotes the power consumption at a certain time, $v_s^\alpha T_s$ refers to the portion of the power consumption caused by the secret operation, and $p$ denotes the probability that the secret operation is consuming power at the attack time. Thus, $\rho(H, v_s^\alpha T_s)$ is the correlation for the case where the secret samples are perfectly aligned, whereas $\rho(H, v^\alpha T)$ is the correlation for the full design with misalignment. Having one or more dynamic voltages leads to a small $p$ by reducing the probability that the secret power samples are self-aligned. iRDVS and DVS thus reduce $p$ and decrease the correlation coefficient, making CPA attacks more difficult.
4.5 Clustering Attack
Many alignment techniques, including elastic alignment [73], are based on a notion of distance between traces. Power traces from similar operations can be aligned by minimizing the distance between them. Because voltage scaling increases the distance between operations, and multiple supplies add random noise, these techniques are ineffective when applied to our iRDVS approach, as we show in Section 4.6. We propose to strengthen alignment attacks using a novel clustering-based classification of the iRDVS traces into several groups that share similar voltage characteristics. After this classification, we perform a CPA attack on every cluster and rank the possible subkeys based on their derived correlation coefficients, then average the rank of each possible subkey across all clusters and reorder the subkeys based on the average rank. This new rank order combines the information obtained from all individual attacks on all clusters. We pick the subkey with the lowest average rank to determine MTD and determine PGE by the final rank of the correct subkey.
We propose using the computationally efficient K-means clustering algorithm [82] to group similar traces. This approach heuristically minimizes the distances among the power values of the traces in each cluster. A critical parameter for K-means clustering is the number of clusters, which is generally set before the clustering algorithm starts. We hypothesize that the number of clusters should match the number of different voltage combinations used in the trace set. In this way, each cluster will ideally contain traces from the same specific combination of voltages, ensuring that the individual power samples containing the secret key are aligned.
The number of ideal clusters $K$ grows quickly with both the number of independent voltage supplies $m$ and the number of distinct voltages $g$ each voltage supply can take, which means that clusters become smaller (and less likely to reveal the secret key) as the number of voltage supplies grows. If each island performs different computations, the number of ideal clusters is $g^m$. If, however, each island performs similar computations, as in the case of our experiments, some combinations of voltages lead to similar power consumption (the same set of voltages applied to similar computations is interchangeable across islands), and such combinations belong in the same cluster. Thus the ideal number of clusters $K$ reduces to the number of combinations of $m$ samples from a set of size $g$ with repetition allowed. This can be computed as [83]

$$K = \binom{m + g - 1}{m}.$$

For example, with three voltage supplies each having five distinct voltages, there are $5^3 = 125$ voltage settings but only $\binom{3+5-1}{3} = \frac{7!}{3!\,4!} = 35$ voltage combinations with repetition allowed. Note that having many clusters implies that the average number of traces in each cluster will be $K$ times smaller, reducing the effectiveness of the individual CPA analysis on each cluster. This motivates the experimental analysis, presented in the next section, of a range of $K$ values to find the optimal number of clusters.
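As an added example (not the in-house tool of Section 4.6), the following Python puts the simplified-model CPA of Section 4.3 and the clustering attack of this section together on constructed two-island traces. Island 1 leaks the Hamming weight of one first-round AES S-box output, island 2 is a noise island processing a random byte, each island's power is scaled by $v^2$ with $v$ drawn from $\{0.6, 0.7, 0.8, 0.9, 1.0\}$, and one extra sample of data-independent switching activity (scaled the same way) stands in for the voltage-dependent trace shape that K-means separates on in real traces; these modelling choices, the trace count, and the key byte (197, matching Figure 4.3) are assumptions, and alignment is taken as perfect. Because both islands run similar computations, the constructed traces are interchangeable under swapped voltages, so the ideal cluster count is $\binom{2+5-1}{2} = 15$ rather than $25$.

```python
"""Clustering-assisted CPA on constructed two-island iRDVS traces (added example)."""
import math
import random

VOLTAGES = [0.6, 0.7, 0.8, 0.9, 1.0]   # assumed island supply set
ALPHA = 2                               # power scales with v^alpha
CONST_ACTIVITY = 128                    # assumed data-independent switching per island


def _gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def aes_sbox():
    """AES S-box: multiplicative inverse (x^254, with 0 -> 0) then the affine map."""
    box = []
    for x in range(256):
        inv, base, e = 1, x, 254
        while e:
            if e & 1:
                inv = _gf_mul(inv, base)
            base = _gf_mul(base, base)
            e >>= 1
        inv = inv if x else 0
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = aes_sbox()
HW = [bin(i).count("1") for i in range(256)]


def make_traces(n_traces, key, seed=7):
    """Constructed traces: (shape sample, leakage sample) per encryption."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        v1 = rng.choice(VOLTAGES) ** ALPHA          # attacked island
        v2 = rng.choice(VOLTAGES) ** ALPHA          # noise island, independent supply
        leak = v1 * HW[SBOX[p ^ key]] + v2 * HW[rng.randrange(256)]
        plaintexts.append(p)
        traces.append(((v1 + v2) * CONST_ACTIVITY, leak))
    return plaintexts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx > 0 and vy > 0 else 0.0


def cpa(plaintexts, leaks):
    """Correlation between every key-byte guess (Hamming-weight model) and the leakage."""
    return [pearson([HW[SBOX[p ^ k]] for p in plaintexts], leaks) for k in range(256)]


def ranks(corrs):
    """rank[k] = position of guess k in decreasing-correlation order (0 = best)."""
    rank = [0] * 256
    for pos, k in enumerate(sorted(range(256), key=lambda k: -corrs[k])):
        rank[k] = pos
    return rank


def kmeans(points, k, iters=15, seed=3):
    """Plain Lloyd K-means on the 2-sample trace vectors; returns a label per trace."""
    rng = random.Random(seed)
    centers = [points[i] for i in rng.sample(range(len(points)), k)]
    labels = [0] * len(points)
    for _ in range(iters):
        for idx, (a, b) in enumerate(points):
            labels[idx] = min(range(k), key=lambda c: (a - centers[c][0]) ** 2 + (b - centers[c][1]) ** 2)
        for c in range(k):
            members = [points[i] for i in range(len(points)) if labels[i] == c]
            if members:
                centers[c] = (sum(m[0] for m in members) / len(members),
                              sum(m[1] for m in members) / len(members))
    return labels


def ideal_clusters(m, g):
    """Voltage combinations of m supplies over g levels, repetition allowed."""
    return math.comb(m + g - 1, m)


def global_attack(plaintexts, traces):
    corrs = cpa(plaintexts, [t[1] for t in traces])
    return max(range(256), key=lambda k: corrs[k]), corrs


def clustering_attack(plaintexts, traces, k, min_size=20):
    """Cluster, run CPA per cluster, average each guess's rank over the clusters,
    and return the guess with the lowest average rank (plus its mean in-cluster rho)."""
    labels = kmeans(traces, k)
    rank_sum, per_cluster = [0] * 256, []
    for c in range(k):
        idx = [i for i, l in enumerate(labels) if l == c]
        if len(idx) < min_size:        # tiny clusters give meaningless correlations
            continue
        corrs = cpa([plaintexts[i] for i in idx], [traces[i][1] for i in idx])
        for guess, r in enumerate(ranks(corrs)):
            rank_sum[guess] += r
        per_cluster.append(corrs)
    avg_rank = [s / len(per_cluster) for s in rank_sum]
    best = min(range(256), key=lambda g: avg_rank[g])
    return best, avg_rank, sum(c[best] for c in per_cluster) / len(per_cluster)


if __name__ == "__main__":
    KEY = 197                                   # same key byte as Figure 4.3
    pts, trs = make_traces(4000, KEY)
    g_best, g_corrs = global_attack(pts, trs)
    c_best, avg_rank, c_corr = clustering_attack(pts, trs, ideal_clusters(2, 5))
    pge = sorted(range(256), key=lambda g: avg_rank[g]).index(KEY)
    print(f"global CPA: guess {g_best}, rho {g_corrs[g_best]:.3f}")
    print(f"clustered CPA (K={ideal_clusters(2, 5)}): guess {c_best}, mean in-cluster rho {c_corr:.3f}, PGE {pge}")
```

Within a cluster the voltages are (nearly) fixed, so the $\sigma^2_{v^\alpha}\mu_T^2$ term of the Section 4.3 denominators largely disappears and the correlation at the correct guess rises relative to the global attack; the price, as the text notes, is that each cluster holds only about $1/K$ of the traces, which is why the attack is swept over a range of $K$ in Section 4.6.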
4.6 Experimental Results
This section describes how we evaluated the effectiveness of our iRDVS approach against alignment and CPA attacks.
4.6.1 Trace Generation and Experiment Design
We developed an in-house tool in Python to preprocess traces and perform CPA. Our tool converts power traces from various sources into a standard format, voltage-scales the traces, and combines the scaled traces to form synthetic iRDVS traces. It also performs CPA and clustering attacks on both the original and synthetic traces and generates metrics including the correlation coefficient, PGE, and MTD. The tool optionally uses an open-source warping algorithm [74] to preprocess the traces.
The original traces used for scaling and combining in these experiments are open-source traces from a combinational 128-bit AES implemented and measured on the Sasebo-GII board by Northeastern University [84]. We treat each trace as the power consumption of one voltage island. We use the Sakurai-Newton delay model [81] with $\alpha = 2$ to expand each sample in the original trace by interpolation, where $V_{dd}$ for each island is randomly picked from the set $\{0.6, 0.7, 0.8, 0.9, 1\}$. We then add the scaled traces together to form the synthetic traces of our iRDVS design. This sum approximates a pipelined implementation of AES in which all rounds operate simultaneously. To reduce the computation time and increase the probability of disclosure, we also extract the general region of interest from the synthetic traces before running CPA. Note that the original trace set contains 100k traces, so to generate two-island traces, half of the traces are used as signal islands while the other half are used as noise islands, combined into a total of 50k traces. If we need more than 50k traces, we repeat this process with different scaling and combining of both the signal and noise traces. This means that the 50k signal plaintexts are repeated, but scaled differently and combined with different noise islands. For other multi-island traces, we applied similar methods to generate synthetic traces.
4.6.2 Effectiveness of Elastic Alignment
As described in section 4.1, we tested preprocessing the traces using the
open-source Python package fastdtw [85] to find the warp path, after which
we applied elastic alignment based on Woudenberg et al.’s approach [73].
Figure 4.4: Example of elastic aligned trace after single-island DVS
However, even for the single-island DVS case, elastic alignment does not perform nearly as well as for the frequency scaling case shown in Section 4.1. As illustrated in Figure 4.4, the aligned trace does not match up with the reference trace: its frequency differs from that of the reference trace, and there are gaps of no activity where none exist in the reference. When we perform the same experiment with two independent voltages, the elastic technique is even less successful. The trace after alignment is almost the same as the original misaligned one, i.e., it yields negligible alignment that does not significantly help the attack.

To further demonstrate the ineffectiveness of the elastic technique against iRDVS, we simplified iRDVS to two islands, fixed the voltage of the island to be attacked, and randomized the voltage of the other island, providing only two candidates for this random voltage. We first applied the elastic technique to these traces and then performed CPA on the elastically aligned traces. The results, shown in Table 4.1, indicate that the MTD remains larger than 100k traces and that the PGE increases, suggesting that the elastic technique actually hurts the attack. Figure 4.4 shows how the elastic technique fails to align operations of interest even for $n = m = 1$, so for this $n = m = 2$ case we would expect these operations to be further misaligned from one another, decreasing the attack success, as observed in Table 4.1.
Table 4.1: Effectiveness of Elastic Alignment Plus CPA on Two-island iRDVS Traces

                                        MTD      Avg. PGE
Original iRDVS traces                   >100k    49
Traces aligned by elastic technique     >100k    148
Figure 4.5: MTD and PGE of iRDVS under the clustering attack. Empty circles indicate unsuccessful attacks, whereas filled circles indicate successful attacks.
4.6.3 Resistance to Clustering
To analyze the potential benefits of clustering as a preprocessing step, we
varied the number of clusters K and plotted MTD and PGE as functions of
K. Figure 4.5 presents the MTD and PGE for g = 5 with the number of
independent islands n ranging from one to four. 100k traces were used for
n = 1 and 2, and 200k traces were used for n = 3 and 4, to account for the
decreased cluster size described in section 4.5. We assume that m = n for
every experiment.
For the single-island DVS case, using clustering reduces the MTD from
over 100k (K = 1) down to 16k. This minimum is achieved when the number
of clusters is well chosen (K = 5). For the two-island case, when the number
of clusters is close to the ideal K = 15, the clustering attack can disclose
most subkeys with 100k traces. Note that as illustrated in Figure 4.5, if the
attackers are not able to correctly estimate K, the MTD exceeds 100k. For
three-island iRDVS, for all values tested, the MTD was between 100k and
200k. The PGE reaches 0 when the number of clusters reaches the ideal
K = 35, showing that the secret is disclosed when K is correctly specified.
For the four-island case, K was swept from 10 to 100, with the ideal being
70. The PGE at K = 70 is 123 and the MTD exceeds 200k, indicating that
the secret is far from being uncovered.
Chapter 5
GF-Flush: A GF(2) Algebraic
Attack on Dynamically Secured
Scan Chains
Chapter 2 introduces that the increased testability provided by scan chains
can be a source of information leakage for sensitive designs. The state-of-the-
art defenses to secure scan chains apply dynamic keys to pseudo-randomly
invert the scan vectors. In this chapter, we pinpoint an algebraic vulnerability
of these dynamic defenses that involves creating and solving a system of
linear equations over the finite field GF(2). In particular, we propose a novel
GF(2)-based flush attack that breaks even the most rigorous version of state-
of-the-art dynamic defenses. We then demonstrate how our attacks can be
extended to scan chains compressed with Multiple-Input Signature Registers
(MISRs).
In contrast to SAT attacks [66,69] which attack the scan chain coupled
with locked combinational logic, our attack isolates the scan chain, enabling
the use of more computationally scalable algebraic techniques used in
cryptanalysis [37], including attacks on LFSRs [42], and automatic test pattern
generation [86,87]. In particular, the attack involves solving a system of
linear equations over the finite field GF(2) whose size scales linearly with the
size of the key. We empirically validate that the complexity of our attack
is computationally tractable, recovering keys as long as 500 bits in less than
7 seconds. Our attack times are, on average, over 4300x faster than the
comparable state-of-the-art SAT attack.
We further consider the case when the only access to the scan chain
outputs is through test compression logic, such as Multiple-Input Signature
Registers (MISR). Since MISRs also consist of XOR gates and FFs they can
be modeled, analyzed, and thus considered in our attack. To the best of
our knowledge, this is the first attack on obfuscated scan chains that con-
siders MISRs. One prior attack [66] considered XOR gates for compression
but these are less complex than MISRs and offer lower compression rates.
Another prior attack on an AES cipher [88] analyzed its feasibility when
its outputs were accessible only after a MISR. For our attack, even with
MISRs, the attack times are manageable.
5.1 Dynamically secured scan chain
5.1.1 LFSR
A Linear Feedback Shift Register (LFSR) is often used as a pseudo-random
number generator in many cryptographic and secure systems because it is
lightweight, has low overhead, and offers high throughput [89,90].
The generic structure of an LFSR is shown in Figure 5.1, where λ denotes
its length and the binary values c_0 to c_{λ−1} determine its feedback structure.
The next state equation f_i^{t+1} can be represented as
$$
f_i^{t+1} = f_{i+1}^{t}, \quad \text{for } i \in [0, \lambda - 1) \qquad (5.1)
$$
$$
f_{\lambda-1}^{t+1} = \sum_{j=0}^{\lambda-1} c_j \, f_j^{t} \qquad (5.2)
$$
where t and t+1 represent the current and next state, respectively, f_i^t denotes
the value of stage i of the LFSR at time t, and all operations are in GF(2).
The sequence generated by an LFSR is periodic and the period depends
on the values of c_i and the initial state, or seed, of the LFSR. The maximum
period of an LFSR of length λ is 2^λ − 1 [91]. The sequences generated by
LFSRs with the maximum period are referred to as PN-sequences and these
are desired for security systems as they are more difficult to break than
LFSRs with small periods.
Figure 5.1: Generic architecture of linear feedback shift register
5.1.2 Dynamically Obfuscated Scan Chains
Due to the effectiveness of SAT attacks [66] on static scan chain obfusca-
tion techniques [92], state-of-the-art secure chains dynamically obscure scan
chains using XORs that are driven by an LFSR [31,93,94] and pseudo-
randomly invert the scan sequence.¹ The basic structure of these schemes is
shown in Figure 5.2, where λ represents the length of the LFSR and key, N
denotes the length of the scan chain, and b represents the spacing of locking
gates throughout the chain. Besides being inserted with fixed distance b,
the locking gates can also be randomly inserted between scan flip-flops. The
most secure version of these methods updates the LFSR every clock cycle,
applying new key bits to the scan locking gates every cycle.
1 MUXes can also be used to selectively invert the scan bit by muxing between the Q
and Q-bar outputs of the scan FFs [93].
Figure 5.2: Basic structure of dynamically obfuscated scan chains
5.1.3 Algebraic Analysis
LFSRs are commonly used in built-in-self-test structures and algebraic anal-
ysis [86,87] has been used to find seeds and characteristic polynomials that
lead to high test coverage. Moreover, algebraic cryptanalysis or algebraic
attack [37,42] has been widely used for attacking various ciphers. These at-
tacks first find low degree equations to approximate the function of feedback
shift registers (FSR) or algorithms based on their features, then leverage the
XL algorithm [43] to solve the system of multivariate polynomial equations,
thereby acquiring the key bits. These algebraic techniques, however, have
never been applied in scan-chain locking. Considering all operations in the
LFSR, scan-chain locking gates, and MISR are effectively XOR operations,
we hypothesize that an algebraic attack over GF(2) can be very efficient.
5.2 GF-Flush: A GF(2) Algebraic Attack
5.2.1 Algebraic Foundations of the Attack
Figure 5.3: Flow of the proposed attack
The basic flow of our proposed attack is illustrated in Figure 5.3. Similar
to previous attacks on the same defenses [69], we assume that the netlist is
reverse-engineered and thus the structural information about the LFSR c_i,
the length of the scan chain N, and the location of XOR gates b are known to
the attacker. We also assume the attacker has access to an oracle, which in
this case amounts to a working scan-chain with the correct seed programmed
in the LFSR.
To obtain enough algebraic expressions, our attack shifts in a sequence
of logic 0s into the oracle scan chain obfuscated by the LFSR and captures
the corresponding scan outputs o. This is known as flushing the scan chain
[66]. As we show below, choosing logic 0s to scan in instead of random bits
simplifies the algebraic expression of the scan output and corresponding final
system of equations.
In particular, we can derive an algebraic representation of the secure scan
chain. The matrix representation of the LFSR states reveals many properties
and can be derived from Equation 5.2 as follows
$$
\begin{bmatrix} f_0^{t+1} \\ \vdots \\ f_{\lambda-2}^{t+1} \\ f_{\lambda-1}^{t+1} \end{bmatrix}
=
\begin{bmatrix}
0 & 1 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 1 \\
c_0 & c_1 & \cdots & c_{\lambda-1}
\end{bmatrix}
\begin{bmatrix} f_0^{t} \\ \vdots \\ f_{\lambda-2}^{t} \\ f_{\lambda-1}^{t} \end{bmatrix}
\qquad (5.3)
$$
where t and t+1 represent the current and next cycle, respectively, and f_i^t
denotes the state value of F_i at time step t. We will refer to this transition
matrix as T. The state at any time step t′ can then be derived from the
LFSR seed and T as follows
$$
\begin{bmatrix} f_0^{t'} \\ \vdots \\ f_{\lambda-2}^{t'} \\ f_{\lambda-1}^{t'} \end{bmatrix}
=
\begin{bmatrix}
0 & 1 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 1 \\
c_0 & c_1 & \cdots & c_{\lambda-1}
\end{bmatrix}^{t'}
\begin{bmatrix} s_0 \\ \vdots \\ s_{\lambda-2} \\ s_{\lambda-1} \end{bmatrix}
\qquad (5.4)
$$
To simplify this representation, we use the matrix and vector forms as
follows
$$
f^{t+1} = T \ast f^{t} \qquad (5.5)
$$
$$
f^{t'} = T^{t'} \ast s \qquad (5.6)
$$
Using Equation 5.6, we can symbolically represent the key input of any lock-
ing gate driven by the ith stage of the LFSR at time step t′:
$$
f_i^{t'} = (T^{t'} \ast s)[i] \qquad (5.7)
$$
We observe that when logic 0s go through the scan chain, they are simply
XORed with keys f_i^{t′}. We can thus derive the symbolic expression for the
expected values of the scan out signal. Let o_m correspond to the scan output
associated with the mth scan input. We then have
$$
o_m = (T^{m} s)[0] + (T^{m+b} s)[1] + (T^{m+2b} s)[2]
+ \ldots + (T^{m+(\lambda-1)b} s)[\lambda - 1] \qquad (5.8)
$$
By introducing an identity matrix R with shape λ ∗ λ and factoring out s,
we can further simplify this expression as follows
$$
o_m = \left[ r_0 T^{m} + r_1 T^{m+b} + r_2 T^{m+2b} + \ldots + r_{\lambda-1} T^{m+(\lambda-1)b} \right] s \qquad (5.9)
$$
where r_i is the ith row of R. The size of the first term a = r_0 T^m + … +
r_{λ−1} T^{m+(λ−1)b} is 1 ∗ λ. Using the above o_m symbolic equation repeatedly for
λ clock cycles and extracting their first term a, we can compose a system of
linear equations in GF(2)
$$
A s = o \qquad (5.10)
$$
where A consists of λ a's and o is the corresponding captured scan outputs.
Our attack completes by solving this system of equations in GF(2).
5.2.2 Analysis of the Attack
Since the system of linear equations in Eq. 5.10 is based on the physical
structure of the circuit, it is guaranteed to be solvable. If A is full-rank,
the solution yields the unique secret seed vector s. Otherwise, the solution
yields a set of potential seed vectors characterized by a particular solution of
As = o along with the null space of A. More precisely, when the rank is k
less than λ, there are 2^k possible seeds. These seeds can be used in further
analysis, such as brute-force or SAT attacks, possibly in conjunction with
attacking the combinational logic.
State-of-the-art secure chains are protected by a shadow chain which pre-
vents the scan chain from being influenced by the LFSR for the first λ clock
cycles [94]. Since the scan chain is longer than the LFSR, the first o fully
affected by the LFSR will be scanned out at cycle N + 1. Interestingly,
our attack can circumvent this defense by simply skipping the first N scan
outputs and collecting the next λ scan outputs to compose the matrix A.
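The derivation above carried through on a toy instance, as an added example (this is not the dissertation's MATLAB code): an LFSR-keyed scan chain is flushed with logic 0s, A is composed from powers of T as in Eq. 5.9, and A s = o is solved over GF(2) with the null space kept so that the 2^k candidate seeds of Section 5.2.2 are enumerated when A is rank-deficient. The taps, lengths and seed are constructed toy values; the point for a defender evaluating such a scheme is that any key schedule that stays linear over GF(2) collapses to λ equations no matter how often the LFSR updates.

```python
"""Toy GF-Flush model (added example, not the dissertation's MATLAB code).
Constructed values: taps c for x^4 + x + 1, b = 1, N = lambda = 4, seed 1011."""
from itertools import product

def lfsr_transition_matrix(c):
    """T of Eq. 5.3: row i < lambda-1 selects stage i+1, the last row holds the taps c."""
    lam = len(c)
    T = [[int(j == i + 1) for j in range(lam)] for i in range(lam - 1)]
    T.append(list(c))
    return T

def mat_mul(A, B):
    """Matrix product over GF(2): AND the entries, XOR-accumulate (sum mod 2)."""
    cols = list(zip(*B))
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in cols] for row in A]

def mat_pow(T, e):
    """T^e over GF(2) by square-and-multiply; Section 5.5.3 notes these powers
    dominate the attack's run-time."""
    n = len(T)
    R = [[int(i == j) for j in range(n)] for i in range(n)]
    while e:
        if e & 1:
            R = mat_mul(R, T)
        T = mat_mul(T, T)
        e >>= 1
    return R

def simulate_flush(c, seed, N, b, n_out):
    """Cycle-accurate oracle of Figure 5.2: locking gate i sits in front of scan
    FF position i*b and XORs LFSR stage i into the bit passing through. Shifts
    in logic 0s and returns the scan outputs o_0 .. o_{n_out-1}."""
    lam = len(c)
    assert (lam - 1) * b <= N - 1, "all locking gates must sit inside the chain"
    f, chain, outs = list(seed), [0] * N, []
    for t in range(n_out + N - 1):
        nxt = [0] * N
        for p in range(N):
            bit = chain[p - 1] if p else 0           # scan-in is always logic 0
            if p % b == 0 and p // b < lam:
                bit ^= f[p // b]                      # key bit f_i^t at gate i
            nxt[p] = bit
        chain = nxt
        if t >= N - 1:                                # bit scanned in at cycle t-N+1 exits now
            outs.append(chain[N - 1])
        f = f[1:] + [sum(cj & fj for cj, fj in zip(c, f)) & 1]   # Eq. 5.1 / 5.2
    return outs

def compose_A(c, b, n_rows):
    """Row m of A is r_0 T^m + r_1 T^{m+b} + ... + r_{lambda-1} T^{m+(lambda-1)b} (Eq. 5.9)."""
    lam, T, A = len(c), lfsr_transition_matrix(c), []
    for m in range(n_rows):
        row = [0] * lam
        for i in range(lam):
            r_i = mat_pow(T, m + i * b)[i]           # i-th row of T^{m+ib}
            row = [x ^ y for x, y in zip(row, r_i)]
        A.append(row)
    return A

def solve_gf2(A, o):
    """Gauss-Jordan over GF(2) for A s = o (Eq. 5.10). Returns a particular
    solution and a null-space basis; raises if the outputs do not fit the model."""
    n = len(A[0])
    rows = [list(r) + [bit] for r, bit in zip(A, o)]
    pivots, r = [], 0
    for col in range(n):
        piv = next((k for k in range(r, len(rows)) if rows[k][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for k in range(len(rows)):
            if k != r and rows[k][col]:
                rows[k] = [x ^ y for x, y in zip(rows[k], rows[r])]
        pivots.append(col)
        r += 1
    if any(row[n] and not any(row[:n]) for row in rows):
        raise ValueError("captured outputs are inconsistent with the linear model")
    x = [0] * n
    for k, col in enumerate(pivots):
        x[col] = rows[k][n]
    null = []
    for free in (col for col in range(n) if col not in pivots):
        v = [0] * n
        v[free] = 1
        for k, col in enumerate(pivots):
            v[col] = rows[k][free]                   # -1 == 1 in GF(2)
        null.append(v)
    return x, null

def candidate_seeds(c, b, outs):
    """GF-Flush: captured outputs -> every seed consistent with them; with rank
    deficiency k this is the 2^k set described in Section 5.2.2."""
    x, null = solve_gf2(compose_A(c, b, len(outs)), outs)
    seeds = set()
    for coeffs in product((0, 1), repeat=len(null)):
        v = list(x)
        for coef, nv in zip(coeffs, null):
            if coef:
                v = [a ^ q for a, q in zip(v, nv)]
        seeds.add(tuple(v))
    return sorted(seeds)

TOY_C, TOY_SEED, TOY_N, TOY_B = [1, 1, 0, 0], [1, 0, 1, 1], 4, 1   # constructed instance

if __name__ == "__main__":
    o = simulate_flush(TOY_C, TOY_SEED, TOY_N, TOY_B, n_out=len(TOY_C))
    print("flush outputs o =", o)                                   # [1, 0, 0, 1]
    print("candidate seeds:", candidate_seeds(TOY_C, TOY_B, o))     # [(1, 0, 1, 1)]
```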
5.3 Multiple-Input Signature Register
As the size of chips and the number of scanned FFs increase, the latency
and memory requirements to shift out and process their stored values during
the test grows. For this reason test compression techniques, involving both a
decompressor and compressor, have become an essential part of the design.
The decompressor expands one scanned-in sequence into many parallel scan
chain segments and the compressor compresses the outputs of many parallel
scan segments into one. The most commonly used compressor is a Multiple-
Input Signature Register (MISR) [95], illustrated in Figure 5.4.
Since the MISR can prohibit direct access to the scan outputs, it has a
significant impact on all HW security attacks that rely on scan chain access,
including previous SAT attacks [66,69]. Interestingly, as the MISR uses XOR
gates that are commonly used to obfuscate combinational logic, one might
think the MISR effectively encrypts the scan outputs.
5.4 Attack on a MISR
Figure 5.4: Structure of a secured scan chain with MISR
Figure 5.4 shows the structure of a dynamically secured scan chain with
a MISR, where the length of every chain is N, the Boolean values d_i define
the structure of the MISR, and D_i represent the internal Boolean state of
the MISR that is available for reading after every round of tests. We can observe
that the MISR thwarts the direct access to scan outputs im_i. Importantly,
the h XOR gates in the MISR are locking gates that corrupt the scan outputs
im and make attacks that demand direct access to scan outputs ineffective.
Therefore, it is important to integrate the MISR into our algebraic model.
In our attack on scan chains with a MISR, we still shift in a sequence of
logic 0s into the scan chain. After 2N cycles, the MISR forms the signature
outputs D_i^{2N} which we read out. First, we derive the scan outputs im_i from
the LFSR keys f:
$$
im_i^{t} = \sum_{r=0}^{N-1} f_{r+iN}^{\,t-N+r} \qquad (5.11)
$$
where im_i^t denotes the scan output of the i-th chain at cycle t, the sum is addition
in GF(2), and all f's can be obtained using Equation 5.6. Then, we derive
D_i^t as follows
$$
D_0^{t} = im_0^{t-1} + d_0 \ast D_{h-1}^{t-1} \qquad (5.12)
$$
$$
D_i^{t} = im_i^{t-1} + D_{i-1}^{t-1} + d_i \ast D_{h-1}^{t-1} \quad \text{for } i > 0 \qquad (5.13)
$$
where D_i^t represents the internal value of MISR stage i at cycle t and
the initial D_i^0 are reset to 0. After 2N cycles, the signature outs are formed
and available for reading:
$$
\text{signature\_out}_i = D_i^{2N} \qquad (5.14)
$$
where every signature out is an equation in terms of seed bits. Thus we
obtain h such equations in each round of testing.
We do not reset the LFSR but, as is typical, we reset the MISR at the
beginning of every test sequence. Hence we require λ/h = h ∗ N/h = N tests,
each generating h equations, to obtain a sufficient number of equations to
recover the secret seed. Similar to the analysis in Section 5.2.2, a unique seed
vector s is acquired in the case that these equations are full-rank; otherwise,
we acquire a set of potential seed vectors.
5.5 Experimental results
5.5.1 Experiment Setup
Our experiments in Sections 5.5.2 and 5.5.4 compare our algebraic attack to
SAT attacks on scan chains and thus exclude a MISR.² Both experiments
demonstrate results for different key lengths. Since our attack isolates the
scan chain, LFSR, and MISR, there is no need to model the combinational
logic driven by the scan chain. For experiments in Sections 5.5.2 and 5.5.3,
we assume the key length λ equals the scan chain length (N without a MISR
and hN with a MISR), i.e., we set b = 1, and the update of the LFSR is
synchronized to the scan clock, which is also presumed to be the most secure
defense. In addition, we assumed the existence of a shadow chain of length
λ. We used MATLAB to generate the LFSR transition matrix T, the transition
matrix of the secure scan chain A, and the MISR signature out recursively. We
then utilized the MATLAB function gflineq() and, when necessary, gf2null()
to identify all the solutions over GF(2). For each key length, we randomly
chose 10 configuration vectors c, constrained to have c_0 = 1, made all d_i = 1,
and measured the average run-time including the generation of matrices A and
T and the solving of the system of linear equations.
2 In practice, there often exists a bypass signal to circumvent the MISR. This analysis
considers the case where the attacker has access to such a signal.
For experiments in Section 5.5.4, we incorporated the dynamically secured
scan chain into the ISCAS-89 benchmarks [96] in Verilog and performed the
proposed attack on them. We added scan chains to circuits and randomly
inserted key gates according to various tested key lengths, then extracted the
key positions and applied the proposed attack. All experiments were run on
an Intel i7-8700 CPU running at 3.20 GHz with 16 GB RAM.
5.5.2 Analysis of Basic Obfuscated Scan Chains
Figure 5.5: Average attack run-times vs. number of key bits λ
Figure 5.5 plots the average attack run-time on the defense without a MISR
as the number of key bits λ ranges from 3 to 500. Even with 500 key bits,
the attack on average took less than 7 seconds. The run-time trend suggests
the complexity of our attack scales as no more than a low-degree polynomial.
This is expected because solving a system of linear equations has a complexity
no worse than O(λ^3). To further show the scalability of our proposed attack,
we also tried λ = 1000 and the attack took 66 seconds.
Interestingly, 87% of the random configurations led to a unique seed;
however, the average number of seeds is influenced by a few extreme cases
and is 43.8. We further experimented with λ = 500 and explored 1000
different random configurations of c. The average number of seeds was 2.5,
with the vast majority of cases yielding a unique seed. We should emphasize,
however, that for configurations where we could verify that the characteristic
polynomial of the LFSR is primitive, a unique seed was always unveiled.
Figure 5.6: Average attack run-times with different size MISRs
5.5.3 Analysis of Impact of MISRs
Figure 5.6 demonstrates the average attack run-times on the dynamically
secured scan chain with different lengths of MISRs h as a function of varying
key length λ constrained by the relationship λ = h∗ N. The experiments
with λ > 300 timed out after 8 hours for smaller values of h. This is because
with a MISR, we obtain only h equations every test round (i.e., 2N cycles)
compared to the case without a MISR which produces roughly one equation
every cycle. For practical MISR lengths that are typically greater than 16
[97], the attack run-time remains under 8 hours for key lengths of under 250.
In all cases, the run-time is dominated by the computation of the various
powers of the system matrix T.
5.5.4 Comparison to Other Attacks
Table 5.1: Comparison of SAT and proposed attacks I
Benchmark  Key bits  SAT attack        Proposed attack   Improv.
                     run-times (secs)  run-times (secs)  ratio
s5378         10          12.98             0.04            325
              20          29.39             0.05            588
              30          66.84             0.03           2228
              40        1823.79             0.04          45595
s9234         10          15.48             0.01           1548
              20          37.87             0.05            757
              30          95.75             0.06           1596
              40        4071.83             0.04         101796
s15850        10          39.31             0.01           3931
              20          90.13             0.01           9013
              30         151.08             0.05           3022
              40        2352.71             0.04          58818
s13207        10          46.09             0.03           1536
              20         107.52             0.01          10752
              30         214.45             0.03           7148
              40        5680.52             0.02         284026
Average improvement                                       33292
Table 5.2: Comparison of SAT and proposed attacks II
Benchmark  Key bits  SAT attack             Proposed attack   Improv.
                     run-times [69] (secs)  run-times (secs)  ratio
s38584       144          925                   0.54           1713
             160          557                   0.65            857
             176         1175                   0.73           1610
             192          872                   1.00            872
             208         4897                   1.17           4185
             224         4792                   1.28           3744
             240         2880                   1.44           2000
             256         9219                   1.74           5298
             272         2831                   1.92           1474
             288        15025                   2.10           7155
             304         6465                   2.39           2705
             320        12745                   2.48           5139
             336        10678                   2.55           4187
             352        11502                   2.73           4213
             368        11173                   3.90           2865
s38417       144          862                   0.73           1181
             160          583                   0.92            634
             176         1711                   1.48           1156
             192          945                   1.12            844
             208         1947                   1.34           1453
             224         1999                   1.42           1408
             240         2252                   1.53           1472
             256        16220                   1.90           8537
State-of-the-art attacks on dynamically secured scan chains are based on
SAT attacks [66,69]. In particular, [69] observed that the LFSR logic can
be unrolled and combined with the associated combinational logic circuit
and then attacked by SAT. They tested their attack framework with various
ISCAS benchmarks and demonstrated that even with 368 key bits they could
successfully uncover the LFSR seed in less than 23 hours. However, their
attack assumed the combinational logic was not logic locked, in contrast to
what is advocated in [94]. This is an important limitation because several
combinational obfuscation techniques are known to be SAT resistant [14,98]
which would hamper the effectiveness of SAT attacks. Furthermore, the SAT
attacks rely on access to scan outputs and thus should consider the impact
of a MISR.
Table 5.3: Comparison of SAT and proposed attacks III
Benchmark  Key bits  SAT attack             Proposed attack   Improv.
                     run-times [69] (secs)  run-times (secs)  ratio
s38417       272        14603                   2.10           6954
             288        24546                   2.28          10766
             304        33591                   2.63          12772
             320        62135                   2.79          22271
             336        81504                   2.90          28105
             352        74140                   3.03          24469
             368        70591                   4.51          15652
s35932       144          281                   0.77            365
             160          634                   0.69            919
             176          372                   1.26            295
             192          618                   1.18            524
             208          597                   1.38            433
             224         1007                   2.06            489
             240          810                   2.24            362
             256          832                   2.71            307
             272         1364                   3.00            455
             288         2657                   3.41            779
             304         1881                   2.87            655
             320         2992                   3.02            991
             336         2008                   4.78            420
             352         2270                   5.14            442
             368         3231                   4.79            675
Average improvement                                            4307
In contrast, our proposed attack isolates the scan chain and in particular
does not involve modeling or attacking the combinational logic and thus
circumvents any effort to obfuscate the combinational logic. Moreover, since
it leverages the algebraic nature of the problem it can integrate the MISR
into the attack.
Tables 5.1, 5.2, and 5.3 compare the SAT and proposed attack run-times. We
reproduced the SAT attack and successfully applied it to four moderate-
sized ISCAS circuits with key sizes between 10 and 40 bits; the comparison
between the proposed attack and the SAT attack on the same machine is reported
in Table 5.1. On larger circuits, our implementation timed out after 2 days, and we
thus also compare to run-times reported in [69]; the results are presented
in Tables 5.2 and 5.3. The disparity in performance is likely because [69] used
a tailored rather than off-the-shelf SAT solver and a more powerful
computer. In both cases, however, the proposed attack recovers the set
of potential seeds over two orders of magnitude faster than the equivalent
SAT attack in every case and on average over 4300x faster. Again, this run-time
benefit would be even larger if the combinational circuits were also locked.
Chapter 6
Unraveling Latch Locking
Using Machine Learning,
Boolean Analysis, and ILP
As shown in Chapter 2, while many techniques have focused on locking
combinational logic, an alternative approach, Latch-Based Logic Locking
(LBLL) [99], referred to more simply as latch locking, is a less studied de-
fense that aims to combine the merits of combinational and sequential logic
locking. It first duplicates a subset of a design’s FFs, then retimes them,
and replaces them with latches. It then inserts two types of decoy latches,
delay decoy and logic decoy, to obfuscate the netlist. It then adds control
logic such that all latches must be correctly keyed for the circuit to function
correctly as a primary-secondary-based design. In particular, when correctly
keyed, the delay decoys are forced to be transparent and the logic decoys
are forced to emit a constant 0. Additional combinational logic is added to
ensure the 0 does not alter the correct operation of the circuit. The ap-
proach demonstrates resilience to standard SAT and model-checking-based
attacks [99] and, to the best of our knowledge, has yet to be broken.
In this chapter, we present a two-phase attack on latch-locked circuits
that uses a novel combination of deep learning, Boolean analysis, and in-
teger linear programming (ILP). This attack requires access to the reverse-
engineered netlist but, unlike SAT attacks, is oracle-less, not needing access
to the unlocked circuit or correct input/output pairs. Our attack is based on
the observation that the sequential graph associated with primary-secondary
latch-based designs has a regular structure that is broken by the random
insertion of decoy latches. This distinction yields structural signatures that
can be taken advantage of by machine learning. The first phase of our attack
identifies the logic decoys. The logic decoys are then removed and the circuit
is simplified via constant propagation. In the second phase, the simplified cir-
cuit is input to a second ML classifier that identifies delay decoy latches. The
softmax outputs of the classifier are fed as the objective function of an ILP
whose constraints encode the correct structure of a primary-secondary
latch-based design. The ILP finds a large pool of potential keys that are close
to the classified output but also adhere to latch constraints. We assume each
of the identified keys can be independently evaluated by the attacker.
Our attack was trained and evaluated using the ISCAS’89 and ITC’99
benchmarks and configured to find a pool of 10k potential keys for each
test circuit. The best key within the pool is on average 96.9% accurate, and we
measured the impact of incorrect keys by measuring their functional corrupt-
ibility [100]. We found that the best-identified key unlocks the correct
functionality in 8 of the tested 19 circuits and leads to low function corruptibility
(less than 4%) in 3 additional circuits. The attack run times demonstrate
the scalability of the approach, remaining less than 15 minutes in all circuits
tested.
There is a plethora of research that tries to combine machine learning and
constrained optimization in various ways, including using machine learning
to speed-up constrained optimization algorithms and end-to-end methods
that feed the results of machine learning into optimization algorithms [101].
In particular, this specific combination of classification with ILPs has been
applied in natural language processing to detect disfluencies in speech in
which the structure of the speech is also important [102]. To the best of our
knowledge, however, this is the first hardware security attack that combines
the benefits of a trained ML classifier with an ILP.
Figure 6.1: The four steps of Latch-Based Logic Locking (LBLL)
6.1 Latch Based Logic Locking
Figure 6.1 illustrates the four steps of latch locking. Step one uses a commu-
nity detection algorithm to select a subset of FFs. Each selected FF is then
duplicated (step 2) and re-timed before being replaced with latches (step 3).¹
At this point, notice that the latches must be two-colorable as alternating
primary and secondary latches. Lastly, delay and logic decoy latches are ran-
domly inserted into the netlist (step 4). Delay decoys, when keyed correctly,
are forced to be transparent and thus only influence the delay of the circuit.
Logic decoys, on the other hand, when keyed correctly, output a fixed 0 value.
Their insertion must be coupled with extra OR/XOR/MUX gates to ensure
the latch, when keyed correctly, does not corrupt the circuit’s functionality.
Control logic is added to each latch that accepts two-bit keys to configure
the four types of latches. Thus, if we correctly classify the latches into the
four categories, the correct keys are disclosed.
1 In principle, it is also possible to convert the FF’s to latches before retiming, but
commercial tools have better support for FF-based retiming.
key 0  key 1  latch clk  latch rst  latch type
  0      0       1        active    logic decoy
  0      1       1        inactive  delay decoy
  1      0      clk’      inactive  primary
  1      1      clk       inactive  secondary
Table 6.1: Truth table of the LBLL latch controllers
6.2 Machine Learning and Deep Learning Models
6.2.1 Multi-layer Perceptrons
A Multi-layer Perceptron (MLP) consists of an input, several hidden, and
an output layer of fully connected neurons. The universal approximation
theorem [103] has proven that MLPs are capable of learning any input-output
function, motivating their wide-spread use in classification tasks. The softmax
activation function is often used at the output layer to produce a probability
that the input is in each trained class. The class with the highest probability
is typically selected to be the classification result.
6.2.2 Random Forest
A random forest (RF) is another widely used classifier that consists of a
large number of decision trees that act as an ensemble. Each decision tree
recursively splits input samples based on features that lead to the smallest
conditional entropy and outputs a classification vote. The class with the
most votes from the ensemble of decision trees is selected as the final class
prediction.
6.2.3 Attack model
Similar to most oracle-less attacks [27,47,49], we assume the adversary has
access to the GDSII mask and has reverse-engineered the gate-level netlist.
The adversary also has information about the technology library and thus is
able to estimate the static delays in the circuit as well as detailed knowledge
of the LBLL algorithm. We do not assume that the adversary has access to
the unlocked circuit. That said, to evaluate the accuracy of our attack, we
use the ground truth latch classifications.
6.3 Proposed Two-Phase Attack
This section first provides motivation and an overview of our two-phase ap-
proach. It then formalizes our notion of a sequential graph, describes the
set of features used in our ML classifiers, and details each of the two attack
phases.
Figure 6.2: Overview of the proposed two-phase attack on LBLL
6.3.1 Motivation and Overview of Our Approach
Figure 6.3: Introduction of false paths by logic decoys
The sequential graph of a circuit abstracts away the combinational logic of
a circuit. Its nodes are primary inputs/outputs as well as sequential elements
(flip-flops and latches) and the edges represent the presence of combinational
logic between nodes. The sequential graph of primary-secondary designs
has a very regular structure; the graph is two-colorable. Our experiments
have shown that it is relatively easy to identify the insertion of delay decoys
that break this structure. However, the insertion of logic decoys is more
complex. In particular, as shown in Figure 6.3, logic decoys, when inserted
using MUXes, can create false paths between latches. In particular, the
LBLL flow randomly inserts a MUX whose selection port is the output of
a logic decoy. The ’0’ input to the MUX is attached to the near end of an
original net, and the output of the MUX is connected to the far end of the
same net. Therefore, when the logic decoy is keyed correctly, the circuit
operates as if no decoy is added. On the other hand, the ’1’ input to the
MUX is randomly connected to another pin in the community. Thus, a false
path between latches is created, which makes the sequential graph’s structure
more complex.
This observation motivates our two-phase approach, shown in Figure 6.2.
In our first phase, we use ML to detect the logic decoys and then use Boolean
analysis to remove the false paths created by these decoys. With the logic
decoys and associated false paths removed, our second phase classifies the
remaining latches using a combination of ML and ILP. In particular, we use
the softmax outputs of a second classifier to create the objective function of
an ILP whose constraints limit the solution space to legal primary-secondary
configurations with delay decoys. The ILP solver is configured to not only
find the closest legal key to that identified by the ML classifier but also iden-
tify many keys that are close to optimal, which the attacker can individually
test.
6.3.2 Sequential Graph and Node Feature Set
Figure 6.4: Illustration of the abstraction of combinational logic and generation
of a circuit’s sequential graph
An example of the abstraction of a sequential graph from a circuit is illus-
trated in Figure 6.4. A sequential graph is formally defined as G = (V,E,F)
where the set of nodes V consists of latches, FFs, and primary inputs and
outputs. An edge e ∈ E exists between nodes if there is a combinational
path between the node elements. F represents a vector of structural fea-
tures associated with each latch node used by our machine learning models
to classify each latch individually.
In the proposed approach, we extract fourteen features for each node
latch, some of which are illustrated in Figure 6.5:
Figure 6.5: Triangle, trapezoid, loop, and self-loop features
1. Triangle feature: the fraction of fan-ins v_1 of a node of interest (NOI)
v_2 that share a fan-out. As defined below, it may detect decoys because
this structure is not 2-colorable.
$$
\frac{\sum_{v_1 \in FI(v_2)} I[\,FO(v_2) \cap FO(v_1)\,]}{|FI(v_2)|} \qquad (6.1)
$$
where I denotes the indicator function and FI and FO return the
fan-ins and fan-outs of a node.
2-3. As an extension of the triangle feature, we define two trapezoidal fea-
tures to detect when two consecutive decoy latches are inserted between
primary and secondary latches. The first feature is
$$
\frac{\sum_{v_1 \in FI(v_2)} I[\,FO(FO(v_2)) \cap FO(v_1)\,]}{|FI(v_2)|} \qquad (6.2)
$$
where v_2 is the NOI. The second feature is similar but focuses on the
fan-ins of fan-ins of the NOI (labelled v_3 in Figure 6.5).
4-5. Max fan-out delay and max fan-in delay, normalized for each circuit.
6. Loop: a binary feature that detects whether the NOI resides in a loop of three nodes
as shown in Figure 6.5.
7. Single fan-in or fan-out: a binary feature that detects if the NOI has
only 1 fan-in or fan-out.
8-10. Three fan-in features: number of fan-in latches, FFs, and primary in-
puts.
11-13. Three fan-out features: number of fan-out latches, FFs, and primary
outputs.
14. False self-loop feature: used for detecting logic decoy latches that in-
troduce false self-loops in their fan-out latches, as shown in Figure 6.5,
and defined as
$$\max_{\substack{v_2 \in FO(v_1) \\ v_2 \in SL}} \frac{1}{|FI(v_2)|} \qquad (6.3)$$
where SL is the set of latches that have a self-loop and the max op-
eration effectively yields the highest likelihood that the NOI $v_1$ is the
cause of one of its fan-outs $v_2$ having a false self-loop.
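The structural features above, worked as an added example that is not part of the dissertation's code: a small constructed sequential graph (hypothetical node names P*, S*, D*, PI, PO) in which a single decoy, a pair of consecutive decoys, a three-node loop and a false self-loop have been planted, and the graph-only features of Eqs. (6.1)-(6.3) plus the loop, single-fan and fan-in/fan-out count features evaluated on it. The dissertation builds its graphs with NetworkX; plain dictionaries are used here so the example runs without that dependency. The two delay features and the second trapezoid variant need timing data or a fuller definition than the text gives, so they are omitted.

```python
from typing import Dict, Set

# A sequential graph as node -> fan-out set. Every node, including sinks,
# has an entry so that fan-in lookups see it.
Graph = Dict[str, Set[str]]

# Constructed example graph (hypothetical names): P* primary latches,
# S* secondary latches, D* inserted decoys, PI/PO a primary input/output.
SAMPLE_GRAPH: Graph = {
    "PI": {"P1"},
    "P1": {"D1", "S1"},   # two consecutive decoys D1, D2 sit between P1 and S1
    "D1": {"D2"},
    "D2": {"S1"},
    "S1": {"P2", "D4"},
    "D4": {"D5"},
    "D5": {"S1"},         # S1 -> D4 -> D5 -> S1 is a three-node loop
    "P2": {"D3", "S2"},   # a single decoy D3 between P2 and S2 (a triangle)
    "D3": {"S2"},
    "S2": {"S2", "PO"},   # S2 carries a false self-loop introduced via D3
    "PO": set(),
}


def fan_out(g: Graph, v: str) -> Set[str]:
    return g.get(v, set())


def fan_in(g: Graph, v: str) -> Set[str]:
    return {u for u, outs in g.items() if v in outs}


def triangle(g: Graph, v2: str) -> float:
    """Eq. (6.1): fraction of fan-ins v1 of the NOI v2 that share a fan-out with v2."""
    fi = fan_in(g, v2)
    if not fi:
        return 0.0
    shared = sum(1 for v1 in fi if fan_out(g, v2) & fan_out(g, v1))
    return shared / len(fi)


def trapezoid(g: Graph, v2: str) -> float:
    """Eq. (6.2): like the triangle, but one hop further out of the NOI (two decoys)."""
    fi = fan_in(g, v2)
    if not fi:
        return 0.0
    two_hops = set().union(*(fan_out(g, w) for w in fan_out(g, v2)))
    shared = sum(1 for v1 in fi if two_hops & fan_out(g, v1))
    return shared / len(fi)


def in_three_node_loop(g: Graph, v: str) -> int:
    """Feature 6: 1 if v -> a -> b -> v exists for distinct a, b, else 0."""
    for a in fan_out(g, v):
        if a == v:
            continue
        for b in fan_out(g, a):
            if b not in (v, a) and v in fan_out(g, b):
                return 1
    return 0


def single_fan(g: Graph, v: str) -> int:
    """Feature 7: 1 if the NOI has exactly one fan-in or exactly one fan-out."""
    return int(len(fan_in(g, v)) == 1 or len(fan_out(g, v)) == 1)


def false_self_loop(g: Graph, v1: str) -> float:
    """Eq. (6.3): max over self-looped fan-outs v2 of v1 of 1 / |FI(v2)|."""
    best = 0.0
    for v2 in fan_out(g, v1):
        if v2 in fan_out(g, v2):                 # v2 is in SL
            best = max(best, 1.0 / len(fan_in(g, v2)))
    return best


def kind(n: str) -> str:
    """Node kind under this example's naming scheme (no FF nodes: LBLL splits FFs)."""
    return "pi" if n.startswith("PI") else "po" if n.startswith("PO") else "latch"


def features(g: Graph, v: str) -> Dict[str, float]:
    """The graph-only part of the feature vector F for one latch node."""
    f = {
        "triangle": triangle(g, v),
        "trapezoid": trapezoid(g, v),
        "loop3": in_three_node_loop(g, v),
        "single_fan": single_fan(g, v),
        "false_self_loop": false_self_loop(g, v),
    }
    for name, nodes in (("fi", fan_in(g, v)), ("fo", fan_out(g, v))):
        for k in ("latch", "pi", "po"):
            f[f"{name}_{k}"] = sum(1 for n in nodes if kind(n) == k)
    return f


if __name__ == "__main__":
    for node in ("D1", "D3", "S1", "S2"):
        print(node, features(SAMPLE_GRAPH, node))
```

On this graph the single decoy D3 scores triangle = 1.0 while the first of the paired decoys, D1, scores triangle = 0 but trapezoid = 1.0, which is exactly why the text needs both features.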
6.3.3 Phase 1: Identify Logic Decoys
Once the sequential graphs and feature vectors are extracted, phase 1 aims to
identify the logic decoy latches. The identified logic decoys are then removed
and the circuit is simplified via constant propagation. For the classifier in this
phase, we found that a random forest outperforms other classifiers, including
a support vector machine (SVM), MLP, and convolutional neural network
(CNN), many of which suffer from overfitting on this problem.
Note that this phase has a similar goal as the SAAM attack in [56] in
that it, to some degree, is trying to identify randomly inserted MUXes. How-
ever, our approach is different because it focuses on the impact the insertion
has on the circuit’s sequential graph and does not directly rely on the prob-
abilities of the MUX input being connected. This means even if LL was
improved to incorporate the intelligent MUX insertion algorithm described
in D-MUX [56], our approach may still be effective. That said, guiding the
LBLL MUX insertion step such that it can fool ML is an interesting area of
future work.
6.3.4 Phase 2: Identify Remaining Latches
To train the second phase of our attack, we use ground-truth labels to remove
logic decoys from the locked circuit, generate simplified sequential graphs
and the associated feature vectors, then train a second classifier. For this
classifier, we explore options with two and three output classes. The first
distinguishes the delay decoys from primary/secondary latches, and the lat-
ter classifies all three types. In this phase, we use an MLP whose output
activation function is a softmax to yield probabilities for each class. These
probabilities are used as the coefficients in the ILP objective function and
guide the optimization process.
For the ILP, two sets of binary variables T and C are used. Each latch is
associated with three T variables, $T_M$, $T_S$, and $T_{DD}$, as logic decoys are pre-
sumably already identified and removed. Each latch also has one C variable
which specifies its “color”. The ILP objective function is to maximize
$$\sum_{i=1}^{N} \left[ Pr_M(i) \cdot T_M(i) + Pr_S(i) \cdot T_S(i) + Pr_{DD}(i) \cdot T_{DD}(i) \right]$$
where N is the number of latches and $Pr_M$, $Pr_S$ and $Pr_{DD}$ are the softmax
probabilities from the MLP classifier. Note that $Pr_M = Pr_S = Pr_{MS}$ when
a two-level classifier is used.
We generate three sets of constraints for the ILP. The first set includes
three basic constraints, the first of which is that each latch must be classified
into exactly one type of latch:
$$T_M(i) + T_S(i) + T_{DD}(i) = 1$$
The next two constraints correlate the latch’s T variable to its color C:
$$C(i) = 1 \text{ if } T_M(i) = 1, \qquad C(i) = 0 \text{ if } T_S(i) = 1$$
The C variable of every primary latch is therefore equal to 1 and that of every sec-
ondary latch is equal to 0. The color of a delay decoy is the subject of the later
constraints.
The second set of constraints is the latch boundary constraints, which
helps disambiguate the coloring options and avoids the assignment of primary
and secondary being switched. Since the community-based algorithm applied
in LBLL backtracks from the largest fan-in cone, the sub-graph near the POs
has less complexity than near the PIs. Thus, we select the primary output
constraint to direct the coloring.
1) If latch i is connected to a PO and $T_{DD}(i) = 0$, then $T_S(i) = 1$.
2) Conversely, if latch i is connected to a PO and $T_{DD}(i) = 1$, then $C(i) = 0$.
This is because every flip-flop is divided into a pair of primary and secondary
latches, thus there must be a secondary latch after every primary latch.
Therefore, if a latch is immediately connected to a PO and is not a delay
decoy, it must be a secondary latch. Conversely, if a latch that is immediately
connected to a PO is a delay decoy, then its C variable must be 0 to ensure
any primary/secondary latch that drives it is classified as a secondary. Lastly,
3) if latch i is connected to both a PI and a PO, it can neither be a primary
nor a secondary because they appear in pairs. Thus, such a latch must be a
delay decoy, as illustrated in Figure 6.6.
Figure 6.6: Illustration of coloring constraints
The third set of constraints is for coloring and is applied to every pair of
latches where latch i drives latch j. 1) If $T_M(i) = 1$, then $T_M(j) = 0$; and
2) if $T_S(i) = 1$, then $T_S(j) = 0$. These constraints ensure that a primary
latch cannot be followed by a primary latch and a secondary latch cannot be
followed by a secondary latch. Moreover, 3) if $T_{DD}(j) = 1$, then $C(j) = C(i)$,
and 4) if $T_{DD}(i) = 1$ and $T_M(j) + T_S(j) = 1$, then $C(j) \neq C(i)$. These two
constraints are the core for graph coloring and ensure that solutions close to
the ground truth are identified. To make sure that the primary and secondary
latches in all paths are alternately arranged, the color of delay decoy latches
should be the same as any driving latch in order to pass the color information
to any fan-out latch. Hence, the C variable of a delay decoy latch should
be the same as any fan-in latch and the color of a primary/secondary latch
should be different than that of any fan-in delay decoy. The result is that
the coloring constraint passes through chains of delay decoys, as illustrated
in Figure 6.6.
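The three constraint sets above and the objective of Section 6.3.4, worked as an added example that is not part of the dissertation's code: a constructed seven-latch graph (after logic-decoy removal) with constructed softmax probabilities, in which two latches are deliberately given a wrong argmax class, is searched exhaustively for the feasible (type, color) assignment that maximizes the softmax-weighted objective. The dissertation uses an ILP solver; on a graph this small an exhaustive search over the same constraints stands in for its top-1 result and shows how the boundary and coloring constraints reject the classifier's raw argmax. Node names, the graph and the probabilities are all constructed assumptions.

```python
import itertools
from typing import Dict, List, Optional, Set, Tuple

# Latch types from the dissertation: primary (M), secondary (S), delay decoy (DD).
M, S, DD = "M", "S", "DD"

# Constructed sequential graph after logic-decoy removal: node -> fan-out set.
# "PI"/"PO" are a primary input/output; everything else is a latch.
TOY_GRAPH: Dict[str, Set[str]] = {
    "PI": {"A", "E"},
    "A": {"B"}, "B": {"DD1"}, "DD1": {"DD2"}, "DD2": {"C"}, "C": {"D"}, "D": {"PO"},
    "E": {"PO"},            # driven by a PI and driving a PO: must be a delay decoy
    "PO": set(),
}
LATCHES: List[str] = ["A", "B", "DD1", "DD2", "C", "D", "E"]

# Constructed softmax outputs Pr_M, Pr_S, Pr_DD per latch, standing in for the MLP.
# DD2 and E deliberately have a wrong argmax class.
TOY_PROBS: Dict[str, Dict[str, float]] = {
    "A":   {M: 0.90, S: 0.05, DD: 0.05},
    "B":   {M: 0.10, S: 0.80, DD: 0.10},
    "DD1": {M: 0.20, S: 0.10, DD: 0.70},
    "DD2": {M: 0.10, S: 0.60, DD: 0.30},
    "C":   {M: 0.80, S: 0.15, DD: 0.05},
    "D":   {M: 0.10, S: 0.85, DD: 0.05},
    "E":   {M: 0.50, S: 0.30, DD: 0.20},
}

# (type, color) options per latch. Constraint set 1 is built in: exactly one
# type, C = 1 for a primary, C = 0 for a secondary, a delay decoy's color is free.
OPTIONS: Tuple[Tuple[str, int], ...] = ((M, 1), (S, 0), (DD, 0), (DD, 1))
Assignment = Dict[str, Tuple[str, int]]


def boundary_ok(g: Dict[str, Set[str]], latch: str, t: str, c: int) -> bool:
    """Constraint set 2 (latch boundary constraints)."""
    drives_po = "PO" in g[latch]
    driven_by_pi = latch in g["PI"]
    if drives_po and t not in (DD, S):          # 1) PO latch that is not a decoy is secondary
        return False
    if drives_po and t == DD and c != 0:        # 2) PO delay decoy carries color 0
        return False
    if drives_po and driven_by_pi and t != DD:  # 3) PI-to-PO latch must be a decoy
        return False
    return True


def coloring_ok(ti: str, ci: int, tj: str, cj: int) -> bool:
    """Constraint set 3 for an edge i -> j between two latches."""
    if ti == M and tj == M:                     # 1) no primary after primary
        return False
    if ti == S and tj == S:                     # 2) no secondary after secondary
        return False
    if tj == DD and cj != ci:                   # 3) a decoy copies its driver's color
        return False
    if ti == DD and tj in (M, S) and cj == ci:  # 4) a real latch after a decoy flips color
        return False
    return True


def feasible(g: Dict[str, Set[str]], a: Assignment) -> bool:
    latches = set(a)
    if not all(boundary_ok(g, l, *a[l]) for l in latches):
        return False
    return all(coloring_ok(*a[i], *a[j]) for i in latches for j in g[i] if j in latches)


def objective(a: Assignment, probs: Dict[str, Dict[str, float]]) -> float:
    """sum_i Pr_M(i) T_M(i) + Pr_S(i) T_S(i) + Pr_DD(i) T_DD(i)."""
    return sum(probs[l][t] for l, (t, _) in a.items())


def solve(g, latches, probs) -> Tuple[Optional[Dict[str, str]], float]:
    """Exhaustive stand-in for the top-1 ILP: best feasible assignment and its objective."""
    best, best_val = None, float("-inf")
    for choice in itertools.product(OPTIONS, repeat=len(latches)):
        a = dict(zip(latches, choice))
        if feasible(g, a):
            val = objective(a, probs)
            if val > best_val:
                best, best_val = {l: t for l, (t, _) in a.items()}, val
    return best, best_val


def argmax_is_feasible(g, latches, probs) -> bool:
    """Does the classifier's per-latch argmax admit any legal coloring at all?"""
    types = {l: max(probs[l], key=probs[l].get) for l in latches}
    free = [l for l in latches if types[l] == DD]
    for colors in itertools.product((0, 1), repeat=len(free)):
        dd_color = dict(zip(free, colors))
        a = {l: (t, dd_color[l] if t == DD else (1 if t == M else 0)) for l, t in types.items()}
        if feasible(g, a):
            return True
    return False


if __name__ == "__main__":
    print("argmax feasible:", argmax_is_feasible(TOY_GRAPH, LATCHES, TOY_PROBS))
    print("constrained optimum:", solve(TOY_GRAPH, LATCHES, TOY_PROBS))
```

The raw argmax labels E as a primary although it sits between a PI and a PO, and DD2 as a secondary directly behind a delay decoy that copies a secondary's color, so no coloring satisfies the constraints; the constrained search recovers the alternating chain A (M), B (S), DD1, DD2 (DD), C (M), D (S), E (DD), which is the ground truth the probabilities were constructed around.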
6.4 Experimental Results
6.4.1 Experiment Setup
The proposed two-phase attack was evaluated on ISCAS’89 and ITC’99
benchmark circuits. The netlist to graph and sequential graph extraction
was implemented in Python with the NetworkX library. The model training,
inference, and subsequent ML analysis were implemented using Pytorch and
scikit-learn. TheBooleananalysiswasperformedintheCadenceGenustool.
Allexperiments, otherthantheILPcomponents, wereperformedonanIntel
109
i7-8700 CPU running at 3.20 GHz with 16-GB RAM and NVIDIA GeForce
RTX 2080 GPU with 16-GB memory. The ILPs were conducted on an Intel
i7-10850H CPU running at 2.70 GHz with 32-GB RAM.
6.4.2 Dataset Generation
In total we have 19 circuits across the two benchmark suites. For each circuit,
we locked it with LBLL scripts and generated 11 locked variants with different
random seeds.² To attack each of the 19 benchmark circuits, we trained a
model using the 18 other circuits and their variants, splitting samples between
training and validation. The number of latch samples used for training the
models ranged from 75k to 77k. For the first classifier (phase 1), we trained
the models with the original locked circuits. For the second classifier (phase
2), we trained the models with simplified circuits, removing the ground-truth
logic decoys and associated false paths.
6.4.3 Accuracy Results
Columns 3-4 in Tables 6.2 and 6.3 detail the overall accuracy under four
different MLP and ILP configurations used in the second phase. In particular,
we tested both a 2-level and 3-level classifier and, in both cases, configured
the ILP to search for the top 1 (labeled “T-1”) and top 10k (labeled “T-10k”)
potential classifications of latches. We report the accuracy of the only/best-
identified classifications.
² We thank the authors of [99] for making their scripts available to us.
Circuit   # of keys   T-1 (%)   T-10k (%)   FC (%)
s298      100         85.0      88.0        8.6
s9234     188         87.2      94.1        0.02
s13207    116         98.3      100.0       0
s15850    252         89.7      96.0        0
s35932    592         90.5      91.6        3.2
s38417    1060        97.5      99.0        17.4
s38584    452         93.8      97.8        8.5
b03       124         83.1      93.5        19.8
b04       112         100.0     100.0       0
b07       412         90.8      95.1        15.1
b11       412         91.3      96.1        34.1
b12       424         94.6      97.9        0
b13       156         97.4      100.0       0
b14       984         97.5      98.3        3.3
b15       2736        94.6      95.0        6.6
b17       3858        92.0      92.5        7.9
b20       940         99.8      100.0       0
b21       840         99.0      100.0       0
b22       920         99.6      100.0       0
Ave.                  93.8      96.6        6.6
Table 6.2: Attack accuracy results for 3-Level MLP (T-1, T-10k and FC in %).
For both top-1 and top-10k results, the latch constraints with the 2-level
classifier yielded the highest average accuracy, fully disclosing the specified
secret key in 6 of 19 circuits and achieving keys that are, on average, 96.9%
accurate.
Circuit   # of keys   T-1 (%)   T-10k (%)   FC (%)
s298      100         84.0      88.0        8.6
s9234     188         87.2      94.1        0.03
s13207    116         98.3      100.0       0.0
s15850    252         91.7      97.2        0.0
s35932    592         90.7      92.7        1.5
s38417    1060        97.3      99.1        17.3
s38584    452         93.8      97.6        8.5
b03       124         89.5      93.5        19.8
b04       112         100.0     100.0       0.0
b07       412         91.7      95.6        10.6
b11       412         93.0      96.8        46.8
b12       424         96.5      99.3        0.0
b13       156         96.2      100.0       0.0
b14       984         96.8      98.1        3.3
b15       2736        95.4      95.9        6.6
b17       3858        92.9      93.5        8.2
b20       940         99.1      100.0       0.0
b21       840         99.3      100.0       0.0
b22       920         99.6      100.0       0.0
Ave.                  94.4      96.9        6.9
Table 6.3: Attack accuracy results for 2-Level MLP (T-1, T-10k and FC in %).
Note that even for the largest circuit tested, the MLP inference run-time is
less than 5 minutes and the ILP completes its search in less than 15 minutes.
6.4.4 Functional Corruptibility Analysis
We also measured the functional corruptibility of each circuit with the best-
identified key in the two configurations whose accuracy is shown in Tables 6.2
and 6.3. The functional corruptibility of a keyed combinational circuit is the
fraction of output bits that are incorrect [104,105]. For sequential circuits,
however, the inputs should be randomly selected and sequentially applied
over b clock cycles to enable errors in the next-state logic to propagate to the
primary outputs [100]. We chose b = 1000 with different random inputs 1,000
times and averaged the results to obtain a more comprehensive measure of
average functional corruptibility.
The results are shown in the FC columns in Tables 6.2 and 6.3. For several
cases, even a small number of incorrect key bits leads to a large fraction of
output errors, as may be expected for a sequential circuit. However, overall, 8
circuits achieve 100% correct functionality (FC = 0). An FC = 0 is expected for
keys that are 100% accurate. Interestingly, however, in some cases, FC = 0 for
keys that are less than 100% accurate. We manually investigated these cases
and found that at least some misclassified latches are actually functionally
redundant because all their fanouts are logic decoys. We believe this is a
consequence of the locking script sequentially adding decoys without verifying
that the decoy is not functionally redundant.
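The b-cycle measurement described above, as an added example that is not the dissertation's code: a constructed 4-bit keyed shift register is clocked from the same reset state with the correct key and with a candidate key, the same random input stream is applied for b cycles, and the fraction of differing output bits is averaged over several streams. The circuit, its key layout and the function names are constructed assumptions; one key bit is deliberately left unused so that a 75%-accurate key still yields FC = 0, the same effect the text observes for functionally redundant misclassified latches.

```python
import random
from typing import Callable, Tuple

KEY_BITS = 4      # constructed key width
OUT_BITS = 2      # the constructed circuit has two primary outputs

StepFn = Callable[[int, int, int], Tuple[int, int]]


def toy_step(state: int, x: int, key: int) -> Tuple[int, int]:
    """One clock cycle of a constructed 4-bit keyed shift register.
    Key bits 0-1 select which state bit is fed back, key bit 2 inverts output
    bit 0, and key bit 3 is deliberately unused: a functionally redundant key
    bit, so a key that is wrong only there cannot corrupt any output."""
    tap = (state >> (key & 0b11)) & 1
    nxt = ((state << 1) | (x ^ tap)) & 0xF
    out = (nxt & 0b11) ^ ((key >> 2) & 1)
    return nxt, out


def functional_corruptibility(step: StepFn, key_true: int, key_test: int,
                              b: int = 1000, trials: int = 50, seed: int = 1) -> float:
    """Sequential FC: reference and candidate start from the same reset state,
    see the same random primary-input stream for b cycles, and every output
    bit that differs counts as an error. The text averages 1,000 streams of
    b = 1000 cycles; the defaults here are smaller so the example runs quickly."""
    rng = random.Random(seed)
    wrong_bits = 0
    mask = (1 << OUT_BITS) - 1
    for _ in range(trials):
        s_ref = s_test = 0
        for _ in range(b):
            x = rng.getrandbits(1)
            s_ref, o_ref = step(s_ref, x, key_true)
            s_test, o_test = step(s_test, x, key_test)
            wrong_bits += bin((o_ref ^ o_test) & mask).count("1")
    return wrong_bits / (trials * b * OUT_BITS)


def key_accuracy(key_true: int, key_test: int, bits: int = KEY_BITS) -> float:
    """Fraction of key bits that match the true key."""
    mask = (1 << bits) - 1
    return 1.0 - bin((key_true ^ key_test) & mask).count("1") / bits


if __name__ == "__main__":
    true_key = 0b0101
    for cand in (0b0101, 0b1101, 0b0100):
        print(f"key {cand:04b}: accuracy {key_accuracy(true_key, cand):.2f}, "
              f"FC {functional_corruptibility(toy_step, true_key, cand):.3f}")
```

A combinational measurement with a single input vector would miss most of the corruption here, because a wrong feedback tap only produces a visibly different output once the two state registers have diverged, which is what the b-cycle unrolling exposes.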
6.4.5 Feature Importance Analysis
We performed feature importance analysis for the two classifiers used in our
attack as shown in Figure 6.7. For the RF classifier, which is used to detect
logic decoy latches, the max fan-out delay, triangle and number of fan-out
FFs are the most salient features. For the second MLP classifier, mainly
used for detecting delay decoys, the triangle and two trapezoid features are
the most important. This is in line with our expectations since these three
features are designed to detect insertions of individual and pairs of decoy
latches that create non-2-colorable sub-graphs.
Figure 6.7: Feature importance for the two ML classifiers
6.4.6 Baseline MLP and Ablation Studies
To further justify our approach, we first created a baseline, one-stage 4-class
MLP to classify all latches with the features described in Section 6.3.2 and
obtained an average accuracy of 82.99%. We then conducted two ablation
studies to quantify the value of different components of our attack, as de-
scribed below.
Value of ILP
To quantify the value of our ILP, we replaced it with a recursive search al-
gorithm that found the 10k closest keys to the MLP identified result, where
we used the MLP softmax probabilities to define the (weighted) distance be-
tween keys. The average accuracy for this algorithm is 87.4%. The resulting
drop in accuracy of around 9% illustrates the significant benefit of the ILP
limiting the search space to properly colorable classifications.
Number of Classifiers
To quantify the advantage of the two-phase approach over a single-phase
approach, we combined the baseline 4-level MLP with false path removal
and an ILP. After the classifier, we removed the identified logic decoys and
simplified the circuit. We then formulated a T-10k ILP with the simplified
circuit and the objective function coefficients from the MLP. The average
accuracy for this approach is 89.8%. The result shows an overall degradation
in average accuracy of around 7%.
Chapter 7
Conclusion
This chapter concludes this dissertation. We summarize our work and pro-
pose some interesting areas of future work.
7.1 Summary
Despite the increasing number of electronic devices and global supply chains
leading us to a more convenient and efficient world, in exchange for these
benefits, the privacy of our data and intellectual property is confronting a
larger challenge. News regarding the infringement or concerns of privacy is
reported almost every week.
This thesis first presents an attack on the client’s inference data and mo-
tivates a more efficient private inference framework to build privacy aware-
ness for the clients who frequently use machine learning services and provide
promising protection for their data. Moreover, this thesis proposes an island-
based random dynamic voltage scaling approach to hinder power side-channel
attacks and empirically shows an optimal number of independent voltage islands.
This defense is capable of protecting sensitive data and hardware IPs from
being attacked by power attacks. In addition, this thesis presents a scalable
GF(2) algebraic attack on scan chains that are obfuscated by dynamic keys
generated by an LFSR. The experimental results demonstrate that the de-
fenses with 500 key bits can be cracked in 7 seconds. The attack times are,
on average, over 4300x faster than state-of-the-art SAT-based attacks on the
same defenses and circumvent any obfuscation on the combinational logic
portions of the design. The power of the proposed attack stems from the
observation that all operations in the defensive circuitry can be modeled in
GF(2). The results highlight that while SAT attacks are powerful, algebraic
attacks should not be overlooked as they can be dramatically more efficient.
This thesis also presents an oracle-less and two-phase attack that combines
deep learning, Boolean analysis, and integer linear programming (ILP) on
latch-based logic locking (LBLL). The empirical results demonstrate that
the best-identified keys are, on average, 96.9% accurate and the correct func-
tionality is fully or mostly disclosed in the majority of the circuits tested.
The attack run times are all less than 15 minutes. Even though the secret
key often remains partially hidden, our results show that the structure of the
LBLL circuits can leak significant information to an attacker.
7.2 Conclusions and Possible Next Steps
This thesis presents an attack that combines machine learning and con-
strained optimization. We note that the two-phase attack illustrates the ben-
efits of combining data-driven and structural analyses and assert that the
proposed combination of MLP and ILP is a good template for many CAD
problems.
Interesting future work can focus on several potential directions. Firstly,
the two-phase attack on the latch-locking leverages a multilayer perceptron
to produce the estimation for each latch. The motivation to use an ILP as a
post-ML process stems from the regular graph structure of the latch-based
designs. This observation may also inspire an interesting one-phase attack
using a graph neural network model, which is capable of learning the neighbor-
hood representation of a node. The introduced decoy latches can be regarded
as anomaly nodes in the sequential graph. Owing to the neighborhood aggrega-
tion property, graph neural networks demonstrate a powerful capability in
anomaly detection [106]. One interesting future work can be to train a graph
neural network that provides better estimations and classification results.
Secondly, another observation that inspires a one-phase attack on latch-
locking is that the results of the first phase in the two-phase attack limit the
performance of the second phase. The purpose of phase one is to identify the
false paths introduced by the addition of logic decoys. To achieve this in a
one-phase setting, an interesting future work can be to add a set of variables
in the ILP with associated constraints. Based on the assignment of latches,
these variables are able to specify if a connection is fixed at zero or one. With
the awareness of fixed connections, the ILP could be better than the one in
the two-phase attack. In addition, to further improve the accuracy, another
interesting direction to explore is to incorporate some of the constraints with
unrolled sequential circuits into a SAT attack to narrow down its search space.
Besides the threats to hardware IP, some future work on human and
machine learning is also interesting. Multi-party computation (MPC)
has shown its capability for protecting the privacy of both the client’s data and
machine learning IP [3]; however, when it is applied to vision trans-
formers, which are the state-of-the-art model for many vision tasks [107], we
observe high overhead. The high overhead stems from the MPC-expensive
operations in the softmax layer that is used in the attention mechanism. In-
teresting future work to mitigate the overhead could be to explore a new
attention mechanism and new softmax activations that are tailored to
MPC. In particular, an attention mechanism that has a lower complexity
instead of quadratic could be less expensive in MPC communication. For
the softmax layer, which normalizes tensors to probabilities, the associated
exponential and reciprocal operations are expensive for MPC. Another inter-
esting direction is to explore a more efficient operation that substitutes the
exponential or use an activation function that achieves the same effect as the
softmax.
Bibliography
[1] U.S. Department of Commerce, “Defense industrial base assessment:
Counterfeit electronics,” 2010.
[2] B. Knott, S. Venkataraman, A. Hannun, S. Sengupta, M. Ibrahim,
and L. van der Maaten, “Crypten: Secure multi-party computation
meets machine learning,” Advances in Neural Information Processing
Systems, vol. 34, pp. 4961–4973, 2021.
[3] P. Mishra, R. Lehmkuhl, A. Srinivasan, W. Zheng, and R. A. Popa,
“Delphi: A cryptographic inference service for neural networks,” in
29th USENIX Security Symposium (USENIX Security 20), Aug. 2020.
[4] C. Gongye, Y. Fei, and T. Wahl, “Reverse-engineering deep neu-
ral networks using floating-point timing side-channels,” in 2020 57th
ACM/IEEE Design Automation Conference (DAC), 2020, pp. 1–6.
[5] S. Maji, U. Banerjee, and A. P. Chandrakasan, “Leaky nets: Recover-
ing embedded neural network models and inputs through simple power
and timing side-channels—attacks and defenses,” IEEE Internet of
Things Journal, vol. 8, no. 15, pp. 12079–12092, 2021.
[6] Y. Zhang, R. Yasaei, H. Chen, Z. Li, and M. A. Al Faruque, “Stealing
neural network structure through remote fpga side-channel analysis,”
IEEE Transactions on Information Forensics and Security, vol. 16, pp.
4377–4388, 2021.
[7] W. Hua, Z. Zhang, and G. E. Suh, “Reverse engineering convolutional
neural networks through side-channel information leaks,” in 2018 55th
ACM/ESDA/IEEE Design Automation Conference (DAC), 2018, pp.
1–6.
[8] J. A. Roy, F. Koushanfar, and I. L. Markov, “EPIC: Ending Piracy of
Integrated Circuits,” in 2008 Design, Automation and Test in Europe,
2008, pp. 1069–1074.
[9] M. Tehranipoor and F. Koushanfar, “A Survey of Hardware Trojan
Taxonomy and Detection,” IEEE Des. Test. Comput., vol. 27, no. 1,
pp. 10–25, 2010.
[10] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Annual
International Cryptology Conference, 1999, pp. 388–397.
[11] E. Brier, C. Clavier, and F. Olivier, “Correlation Power Analysis with
a Leakage Model,” in International Workshop on Cryptographic Hard-
ware and Embedded Systems. Springer, 2004, pp. 16–29.
[12] M. Yasin, J. J. Rajendran, O. Sinanoglu, and R. Karri, “On Improving
theSecurityofLogicLocking,” IEEE Transactions on Computer-Aided
DesignofIntegratedCircuitsandSystems,vol.35,no.9,pp.1411–1424,
2016.
[13] M. Yasin, B. Mazumdar, S. S. Ali, and O. Sinanoglu, “Security anal-
ysis of logic encryption against the most effective side-channel attack:
DPA,” in 2015 IEEE International Symposium on Defect and Fault
Tolerance in VLSI and Nanotechnology Systems (DFTS), 2015, pp.
97–102.
[14] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. Rajendran, and
O. Sinanoglu, “Provably-Secure Logic Locking: From Theory To Prac-
tice,” in Proceedings of the 2017 ACM SIGSAC Conference on Com-
puter and Communications Security, 2017, pp. 1601–1618.
[15] A. Sengupta, B. Mazumdar, M. Yasin, and O. Sinanoglu, “Logic
locking with provable security against power analysis attacks,” IEEE
Transactions on Computer-Aided Design of Integrated Circuits and
Systems, vol. 39, no. 4, pp. 766–778, 2020.
[16] S. Mangard, “Hardware countermeasures against DPA–a statistical
analysis of their effectiveness,” in Cryptographers’ Track at the RSA,
2004, pp. 222–235.
[17] A. Chakraborty, Y. Xie, and A. Srivastava, “Template attack based
deobfuscation of integrated circuits,” in 2017 IEEE International Con-
ference on Computer Design (ICCD), 2017, pp. 41–44.
[18] K. Shamsi, M. Li, K. Plaks, S. Fazzari, D. Z. Pan, and Y. Jin, “IP
Protection and Supply Chain Security through Logic Obfuscation: A
Systematic Overview,” ACM Transactions on Design Automation of
Electronic Systems (TODAES), vol. 24, no. 6, pp. 1–36, 2019.
[19] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “Circuit
obfuscation and oracle-guided attacks: Who can prevail?” in Pro-
ceedings of the on Great Lakes Symposium on VLSI 2017, 2017, pp.
357–362.
[20] S. Dupuis and M.-L. Flottes, “Logic Locking: A Survey of Pro-
posed Methods and Evaluation Metrics,” Journal of Electronic Testing,
vol. 35, no. 3, pp. 273–291, 2019.
[21] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of
logic encryption algorithms,” in 2015 IEEE International Symposium
on Hardware Oriented Security and Trust (HOST), 2015, pp. 137–143.
[22] X. Xu, B. Shakya, M. M. Tehranipoor, and D. Forte, “Novel Bypass
Attack and BDD-based Tradeoff Analysis Against all Known Logic
Locking Attacks,” in International Conference on Cryptographic Hard-
ware and Embedded Systems. Springer, 2017, pp. 189–210.
[23] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “Removal
Attacks on Logic Locking and Camouflaging Techniques,” IEEE Trans-
actions on Emerging Topics in Computing, vol. 8, no. 2, pp. 517–532,
2020.
[24] M. Yasin, B. Mazumdar, J. J. Rajendran, and O. Sinanoglu, “SAR-
Lock: SAT attack resistant logic locking,” in 2016 IEEE International
Symposium on Hardware Oriented Security and Trust (HOST). IEEE,
2016, pp. 236–241.
[25] Y. Xie and A. Srivastava, “Anti-SAT: Mitigating SAT attack on logic
locking,” IEEE Transactions on Computer-Aided Design of Integrated
Circuits and Systems, vol. 38, no. 2, pp. 199–207, 2018.
[26] M. Yasin, B. Mazumdar, J. J. V. Rajendran, and O. Sinanoglu, “TT-
Lock: Tenacious and traceless logic locking,” in 2017 IEEE Interna-
tional Symposium on Hardware Oriented Security and Trust (HOST),
2017, pp. 166–166.
[27] D. Sirone and P. Subramanyan, “Functional Analysis Attacks on Logic
Locking,” in 2019 Design, Automation Test in Europe Conference Ex-
hibition (DATE), 2019, pp. 936–939.
[28] R. S. Chakraborty and S. Bhunia, “HARPOON: An Obfuscation-Based
SoC Design Methodology for Hardware Protection,” IEEE Transac-
tions on Computer-Aided Design of Integrated Circuits and Systems,
vol. 28, no. 10, pp. 1493–1502, 2009.
[29] A. R. Desai, M. Hsiao, C. Wang, L. Nazhandali, and S. Hall, “Inter-
locking obfuscation for anti-tamper hardware,” in CSIIRW ’13, 2013.
[30] Y. Hu, K. Yang, S. Nazarian, and P. Nuzzo, “SANSCrypt: A Sporadic-
Authentication-Based Sequential Logic Encryption Scheme,” in 2020
IFIP/IEEE 28th International Conference on Very Large Scale Inte-
gration (VLSI-SOC), 2020, pp. 129–134.
[31] X. Wang, D. Zhang, M. He, D. Su, and M. Tehranipoor, “Secure Scan
and Test Using Obfuscation Throughout Supply Chain,” IEEE Trans-
actions on Computer-Aided Design of Integrated Circuits and Systems,
vol. 37, no. 9, pp. 1867–1880, 2018.
[32] D. Chen, C. Lin, and P. A. Beerel, “GF-Flush: A GF(2) Algebraic At-
tack on Secure Scan Chains,” in 2021 IEEE International Symposium
on Defect and Fault Tolerance in VLSI and Nanotechnology Systems
(DFT), 2021.
[33] T. Meade, Z. Zhao, S. Zhang, D. Pan, and Y. Jin, “Revisit sequential
logic obfuscation: Attacks and defenses,” in 2017 IEEE International
Symposium on Circuits and Systems (ISCAS), 2017, pp. 1–4.
[34] Y. Hu, Y. Zhang, K. Yang, D. Chen, P. A. Beerel, and P. Nuzzo, “Fun-
SAT: Functional corruptibility-guided SAT-based attack on sequential
logic encryption,” 2021.
[35] G. S. Tseitin, On the Complexity of Derivation in Propositional Calcu-
lus. Berlin, Heidelberg: Springer Berlin Heidelberg, 1983, pp. 466–483.
[36] M. R. Albrecht, C. Cid, L. Grassi, D. Khovratovich, R. Lüftenegger,
C. Rechberger, and M. Schofnegger, “Algebraic cryptanalysis of
STARK-friendly designs: application to MARVELlous and MiMC,” in
International Conference on the Theory and Application of Cryptology
and Information Security. Springer, 2019, pp. 371–397.
[37] N. T. Courtois and G. V. Bard, “Algebraic Cryptanalysis of the Data
Encryption Standard,” in IMA International Conference on Cryptog-
raphy and Coding. Springer, 2007, pp. 152–169.
[38] S. Simmons, “Algebraic Cryptanalysis of Simplified AES,” Cryptologia,
vol. 33, no. 4, pp. 305–314, 2009.
[39] J. Nakahara, P. Sepehrdad, B. Zhang, and M. Wang, “Linear (Hull)
and Algebraic Cryptanalysis of the Block Cipher PRESENT,” in Inter-
national Conference on Cryptology and Network Security. Springer,
2009, pp. 58–75.
[40] C. Cid and R.-P. Weinmann, “Block Ciphers: Algebraic Cryptanalysis
and Groebner Bases,” in Groebner Bases, Coding, and Cryptography.
Springer, 2009, pp. 307–327.
[41] G. V. Bard, N. T. Courtois, and C. Jefferson, “Efficient methods for
conversion and solution of sparse systems of low-degree multivariate
polynomials over GF (2) via SAT-solvers,” 2007.
[42] N. T. Courtois and W. Meier, “Algebraic Attacks on Stream Ciphers
with Linear Feedback,” in Advances in Cryptology — EUROCRYPT,
E. Biham, Ed. Springer, 2003, pp. 345–359.
[43] N. Courtois, A. Klimov, J. Patarin, and A. Shamir, “Efficient Algo-
rithms for Solving Overdefined Systems of Multivariate Polynomial
Equations,” in Advances in Cryptology — EUROCRYPT, B. Preneel,
Ed. Berlin, Heidelberg: Springer, 2000, pp. 392–407.
[44] D. Sisejkovic, L. M. Reimann, E. Moussavi, F. Merchant, and R. Leu-
pers, “Logic Locking at the Frontiers of Machine Learning: A Survey on
Developments and Opportunities,” arXiv preprint arXiv:2107.01915,
2021.
[45] P. Chakraborty, J. Cruz, and S. Bhunia, “SAIL: Machine Learn-
ing Guided Structural Analysis Attack on Hardware Obfuscation,” in
2018 Asian Hardware Oriented Security and Trust Symposium (Asian-
HOST), 2018, pp. 56–61.
[46] D. Sisejkovic, F. Merchant, L. M. Reimann, H. Srivastava, A. Hallawa,
and R. Leupers, “Challenging the Security of Logic Locking Schemes
in the Era of Deep Learning: A Neuroevolutionary Approach,” ACM
Journal on Emerging Technologies in Computing Systems (JETC),
vol. 17, no. 3, pp. 1–26, 2021.
[47] L. Alrahis, S. Patnaik, F. Khalid, M. A. Hanif, H. Saleh, M. Shafique,
and O. Sinanoglu, “GNNUnlock: Graph Neural Networks-based
Oracle-less Unlocking Scheme for Provably Secure Logic Locking,”
in 2021 Design, Automation Test in Europe Conference Exhibition
(DATE), 2021, pp. 780–785.
[48] W. L. Hamilton, R. Ying, and J. Leskovec, “Inductive Representation
Learning on Large Graphs,” 2018.
[49] A. Alaql, D. Forte, and S. Bhunia, “Sweep to the Secret: A Constant
Propagation Attack on Logic Locking,” in 2019 Asian Hardware Ori-
ented Security and Trust Symposium (AsianHOST), 2019, pp. 1–6.
[50] F. Tehranipoor, N. Karimian, M. Mozaffari Kermani, and H. Mah-
moodi, “Deep RNN-Oriented Paradigm Shift through BOCANet: Bro-
ken Obfuscated Circuit Attack,” in Proceedings of the 2019 on Great
Lakes Symposium on VLSI, 2019, pp. 335–338.
[51] P. Chakraborty, J. Cruz, and S. Bhunia, “SURF: Joint Structural Func-
tional Attack on Logic Locking,” in 2019 IEEE International Sympo-
sium on Hardware Oriented Security and Trust (HOST), 2019, pp.
181–190.
[52] H. Chen, C. Fu, J. Zhao, and F. Koushanfar, “GenUnlock: An Auto-
mated Genetic Algorithm Framework for Unlocking Logic Encryption,”
in 2019 IEEE/ACM International Conference on Computer-Aided De-
sign (ICCAD), 2019, pp. 1–8.
[53] R. Karmakar and S. Chattopadhyay, “A Particle Swarm Optimization
Guided Approximate Key Search Attack on Logic Locking in The Ab-
sence of Scan Access,” in 2020 Design, Automation Test in Europe
Conference Exhibition (DATE), 2020, pp. 448–453.
[54] K. Z. Azar, H. M. Kamali, H. Homayoun, and A. Sasan, “NNgSAT:
Neural Network guided SAT Attack on Logic Locked Complex Struc-
tures,” in 2020 IEEE/ACM International Conference On Computer
Aided Design (ICCAD). IEEE, 2020, pp. 1–9.
[55] L. Alrahis, S. Patnaik, J. Knechtel, H. Saleh, B. Mohammad, M. Al-
Qutayri, and O. Sinanoglu, “UNSAIL: Thwarting Oracle-Less Machine
Learning Attacks on Logic Locking,” IEEE Transactions on Informa-
tion Forensics and Security, vol. 16, pp. 2508–2523, 2021.
[56] D. Sisejkovic, F. Merchant, L. M. Reimann, and R. Leupers, “Decep-
tive Logic Locking for Hardware Integrity Protection against Machine
Learning Attacks,” IEEE Transactions on Computer-Aided Design of
Integrated Circuits and Systems, 2021.
[57] Z. He, T. Zhang, and R. B. Lee, “Model inversion
attacks against collaborative inference,” in Proceedings of the 35th An-
nual Computer Security Applications Conference, 2019, pp. 148–162.
[58] J. Li, A. S. Rakin, X. Chen, Z. He, D. Fan, and C. Chakrabarti,
“ResSFL: A Resistance Transfer Framework for Defending Model In-
version Attack in Split Federated Learning,” in Proceedings of the
IEEE/CVF Conference on Computer Vision and Pattern Recognition,
2022, pp. 10194–10202.
[59] K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image
recognition,” in Proceedings of the IEEE conference on computer vision
and pattern recognition, 2016, pp. 770–778.
[60] B. Yang, K. Wu, and R. Karri, “Scan based side channel attack on
dedicated hardware implementations of Data Encryption Standard,”
in 2004 International Conference on Test, 2004, pp. 339–344.
[61] B. Yang, K. Wu, and R. Karri, “Secure Scan: A Design-for-Test Archi-
tecture for Crypto Chips,” IEEE Trans. Comput.-Aided Design Integr.
Circuits Syst., vol. 25, no. 10, pp. 2287–2293, 2006.
[62] R. Nara, N. Togawa, M. Yanagisawa, and T. Ohtsuki, “Scan-based At-
tack against Elliptic Curve Cryptosystems,” in 15th ASP-DAC, 2010.
[63] R. Nara, K. Satoh, M. Yanagisawa, T. Ohtsuki, and N. Togawa, “Scan-
based side-channel attack against RSA cryptosystems using scan sig-
natures,” IEICE transactions on fundamentals of electronics, commu-
nications and computer sciences, vol. 93, no. 12, pp. 2481–2489, 2010.
[64] D. Hely, F. Bancel, M. Flottes, and B. Rouzeyre, “Test control for
secure scan designs,” in European Test Symposium (ETS’05), 2005,
pp. 190–195.
[65] A. Cui, Y. Luo, and C.-H. Chang, “Static and dynamic obfuscations of
scan data against scan-based side-channel attacks,” IEEE Transactions
on Information Forensics and Security, vol. 12, no. 2, pp. 363–376,
2017.
[66] L. Alrahis, M. Yasin, N. Limaye, H. Saleh, B. Mohammad,
M. Alqutayri, and O. Sinanoglu, “ScanSAT: Unlocking Static and Dy-
namic Scan Obfuscation,” IEEE Transactions on Emerging Topics in
Computing, pp. 1–1, 2019.
[67] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino, O. Sinanoglu,
and R. Karri, “Fault Analysis-Based Logic Encryption,” IEEE Trans-
actions on Computers, vol. 64, no. 2, pp. 410–424, 2015.
[68] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “App-
SAT: Approximately Deobfuscating Integrated Circuits,” in 2017 IEEE
International Symposium on Hardware Oriented Security and Trust
(HOST), 2017, pp. 95–100.
[69] N. Limaye and O. Sinanoglu, “DynUnlock: Unlocking Scan Chains
Obfuscated using Dynamic Keys,” in DATE, 2020, pp. 270–273.
[70] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” in An-
nual International Cryptology Conference, 1999, pp. 388–397.
[71] C. Whitnall and E. Oswald, “Robust Profiling for DPA-style At-
tacks,” in Proceedings Cryptographic Hardware and Embedded Systems
(CHES), 2015, pp. 3–21.
[72] J. Heyszl, A. Ibing, S. Mangard, F. De Santis, and G. Sigl, “Clus-
tering Algorithms for Non-profiled Single-execution Attacks on Expo-
nentiations,” in International Conference on Smart Card Research and
Advanced Applications, 2013, pp. 79–93.
[73] J. G. J. v. Woudenberg, M. F. Witteman, and B. Bakker, “Improv-
ing Differential Power Analysis by Elastic Alignment,” in Topics in
Cryptology - CT-RSA 2011, ser. LNCS, 2011, pp. 104–119.
[74] “Dynamic Time Warping (DTW) Algorithm,” https://pypi.org/
project/fastdtw/.
[75] C. O’Flynn and Z. David Chen, “Side channel power analysis of an
AES-256bootloader,”inIEEE28thCanadianConferenceonElectrical
and Computer Engineering (CCECE), 2015, pp. 750–755.
[76] K. Baddam and M. Zwolinski, “Evaluation of Dynamic Voltage and
Frequency Scaling as a Differential Power Analysis Countermeasure,”
in 20th International Conference on VLSI Design held jointly with 6th
International Conference on Embedded Systems (VLSID), 2007, pp.
854–862.
[77] P. Liu, H. Chang, and C. Lee, “A True Random-Based Differential
Power Analysis Countermeasure Circuit for an AES Engine,” IEEE
Transactions on Circuits and Systems II: Express Briefs, vol. 59, no. 2,
pp. 103–107, 2012.
[78] W. Yu and S. K¨ ose, “Exploiting voltage regulators to enhance vari-
ous power attack countermeasures,” IEEE Transactions on Emerging
Topics in Computing, vol. 6, no. 2, pp. 244–257, 2018.
[79] Shengqi Yang, W. Wolf, N. Vijaykrishnan, D. N. Serpanos, and Yuan
Xie, “Power Attack Resistant Cryptosystem Design: a Dynamic Volt-
age and Frequency Switching Approach,” in Design, Automation and
Test in Europe (DATE), 2005, pp. 64–69 Vol. 3.
[80] A. P. Chandrakasan, S. Sheng, and R. W. Brodersen, “Low-power
CMOS Digital Design,” IEEE Journal of Solid-State Circuits, vol. 27,
no. 4, pp. 473–484, 1992.
128
[81] T.SakuraiandA.R.Newton,“Alpha-powerLawMOSFETModeland
Its Applications to CMOS Inverter Delay and Other Formulas,” IEEE
Journal of Solid-State Circuits (JSSC), vol. 25, no. 2, pp. 584–594,
1990.
[82] J. MacQueen et al., “Some Methods for Classification and Analysis of
Multivariate Observations,” in Proc. of the Fifth Berkeley Symposium
on Mathematical Statistics and Probability, vol. 1, no. 14, 1967, pp.
281–297.
[83] K. H. Rosen and K. Krithivasan, Discrete mathematics and its ap-
plications: with combinatorics and graph theory. Tata McGraw-Hill
Education, 2012.
[84] P.Luo,Y.Fei,L.Zhang,andA.A.Ding,“Side-channelPowerAnalysis
ofDifferentProtectionSchemesagainstFaultAttacksonAES,”in 2014
International Conference on ReConFigurable Computing and FPGAs
(ReConFig14), 2014, pp. 1–6.
[85] S. Salvador and P. Chan, “Toward Accurate Dynamic Time Warping
in Linear Time and Space,” Intelligent Data Analysis, vol. 11, no. 5,
pp. 561–580, 2007.
[86] Li-Ren Huang, Jing-Yang Jou, and Sy-Yen Kuo, “Gauss-elimination-
based generation of multiple seed-polynomial pairs for LFSR,” IEEE
Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 16, no. 9, pp.
1015–1024, 1997.
[87] H. Wunderlich, “Self Test Using Unequiprobable Random Patterns,”
in Proc. IEEE 17th InternationalSymposium on Fault-Tolerant Com-
puting, FTCS-17, 1987.
[88] J. Da Rolt, G. Di Natale, M.-L. Flottes, and B. Rouzeyre, “Are Ad-
vanced DfT Structures Sufficient for Preventing Scan-Attacks?” in
2012 IEEE 30th VLSI Test Symposium (VTS), 2012, pp. 246–251.
[89] R.ShivaPrasad,A.Siripagada,S.Selvaraj,andN.Mohankumar, Ran-
dom Seeding LFSR-Based TRNG for Hardware Security Applications.
Springer, 2019, pp. 427–434.
[90] J. Meli` a-Segu´ ı, J. Garcia-Alfaro, and J. Herrera-Joancomart´ ı,
“Multiple-polynomial LFSR based pseudorandom number generator
for EPC Gen2 RFID tags,” in IECON 2011 - 37th Annual Conference
of the IEEE Industrial Electronics Society, 2011, pp. 3820–3825.
129
[91] W.Wardlaw,“AMatrixModelfortheLinearFeedbackShiftRegister,”
Naval Research Lab, Tech. Rep., July 1989.
[92] R. Karmakar, S. Chattopadhyay, and R. Kapur, “Encrypt Flip-Flop:
A Novel Logic Encryption Technique For Sequential Circuits,” ArXiv,
vol. abs/1801.04961, 2018.
[93] R. Karmakar, S. Chattopadhyay, and R. Kapur, “A Scan Obfuscation
Guided Design-for-Security Approach for Sequential Circuits,” IEEE
Trans. Circuits Syst. II, Exp. Briefs, vol. 67, no. 3, pp. 546–550, 2020.
[94] M. M. Rahman, A. Nahiyan, S. Amir, F. Rahman, F. Farahmandi,
D. Forte, and M. Tehranipoor, “Dynamically Obfuscated Scan Chain
To Resist Oracle-Guided Attacks On Logic Locked Design,” IACR
Cryptol. ePrint Arch., vol. 2019, p. 946, 2019.
[95] F. Elguibaly and M. W. El-Kharashi, “Multiple-input Signature Reg-
isters: An Improved Design,” in PACRIM., vol. 2, 1997, pp. 519–522
vol.2.
[96] F. Brglez, D. Bryan, and K. Kozminski, “Combinational profiles of
sequential benchmark circuits,” in IEEE International Symposium on
Circuits and Systems,, 1989, pp. 1929–1934 vol.3.
[97] K.N.DevikaandR.Bhakthavatchalu, “ProgrammableMISRModules
for logic BIST based VLSI testing,” in ICCICCT, 2016, pp. 699–703.
[98] K. Shamsi, T. Meade, M. Li, D. Z. Pan, and Y. Jin, “On the Approx-
imation Resiliency of Logic Locking and IC Camouflaging Schemes,”
IEEE Trans. Inf. Forensics Security, vol. 14, no. 2, pp. 347–359, 2019.
[99] J. Sweeney, V. Mohammed Zackriya, S. Pagliarini, and L. Pileggi,
“Latch-Based Logic Locking,” in 2020 IEEE International Symposium
on Hardware Oriented Security and Trust (HOST), 2020, pp. 132–141.
[100] Y. Hu, Y. Zhang, K. Yang, D. Chen, P. A. Beerel, and P. Nuzzo, “Fun-
SAT: Functional corruptibility-guided SAT-based attack on sequential
logicencryption,”in2021IEEEInternationalSymposiumonHardware
Oriented Security and Trust (HOST), 2021, pp. 281–291.
[101] J. Kotary, F. Fioretto, P. Van Hentenryck, and B. Wilder, “End-
to-end constrained optimization learning: A survey,” arXiv preprint
arXiv:2103.16378, 2021.
130
[102] K. Georgila, “Using Integer Linear Programming for Detecting Speech
Disfluencies,” in Proceedings of Human Language Technologies: The
2009 Annual Conference of the North American Chapter of the As-
sociation for Computational Linguistics, Companion Volume: Short
Papers, 2009, pp. 109–112.
[103] K. Hornik, “Approximation Capabilities of Muitilayer Feedforward
Networks ,” Neural networks, vol. 4, no. 2, pp. 251–257, 1991.
[104] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino, O. Sinanoglu,
and R. Karri, “Fault analysis-based logic encryption,” IEEE Transac-
tions on Computers, vol. 64, no. 2, pp. 410–424, 2015.
[105] M. Merten, M. E. Djeridane, S. Huhn, and R. Drechsler, “SAT-based
key determination attack for improving the quality assessment of logic
locking mechanisms.”
[106] J. Tang, J. Li, Z. Gao, and J. Li, “Rethinking graph neural networks
for anomaly detection,” arXiv preprint arXiv:2205.15508, 2022.
[107] A. Dosovitskiy, L. Beyer, A. Kolesnikov, D. Weissenborn, X. Zhai,
T. Unterthiner, M. Dehghani, M. Minderer, G. Heigold, S. Gelly,
J. Uszkoreit, and N. Houlsby, “An image is worth 16x16 words: Trans-
formers for image recognition at scale,” ICLR, 2021.
131
Abstract
As portable electronic systems and machine learning (ML) services become ubiquitous, ensuring the privacy of human data and hardware intellectual property has become more crucial. In particular, side-channel attacks, including power side-channels, are significant threats to both machine learning and hardware intellectual property. Logic locking has been a promising approach to providing hardware privacy and security in the face of a possibly insecure fabrication supply chain, including techniques that lock sequential elements using Latch-Based Logic Locking (LBLL) and techniques that lock the scan chains using pseudo-randomly generated dynamic keys. This thesis presents a distillation-based inverse network attack on ML inference data, an island-based random dynamic voltage scaling defense against power side-channel attacks, an oracle-guided attack on dynamically secured scan chains, and an oracle-less attack on the latch-locking approach.
Asset Metadata
Creator: Chen, Dake (author)
Core Title: Attacks and defense on privacy of hardware intellectual property and machine learning
School: Viterbi School of Engineering
Degree: Doctor of Philosophy
Degree Program: Computer Engineering
Degree Conferral Date: 2023-05
Publication Date: 01/23/2023
Defense Date: 01/05/2023
Publisher: University of Southern California (original); University of Southern California. Libraries (digital)
Tags: hardware security, logic locking, machine learning, OAI-PMH Harvest, privacy, Security
Format: theses (aat)
Language: English
Contributor: Electronically uploaded by the author (provenance)
Advisor: Beerel, Peter Anthony (committee chair); Nakano, Aiichiro (committee member); Nuzzo, Pierluigi (committee member)
Creator Email: dakechen@usc.edu
Permanent Link (DOI): https://doi.org/10.25549/usctheses-oUC112718702
Unique identifier: UC112718702
Identifier: etd-ChenDake-11431.pdf (filename)
Legacy Identifier: etd-ChenDake-11431
Document Type: Dissertation
Rights: Chen, Dake
Internet Media Type: application/pdf
Type: texts
Source: 20230126-usctheses-batch-1003 (batch); University of Southern California (contributing entity); University of Southern California Dissertations and Theses (collection)
Access Conditions: The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the author, as the original true and official version of the work, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright. The original signature page accompanying the original submission of the work to the USC Libraries is retained by the USC Libraries and a copy of it may be obtained by authorized requesters contacting the repository e-mail address given.
Repository Name: University of Southern California Digital Library
Repository Location: USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Repository Email: cisadmin@lib.usc.edu