AbstractLogic locking is a protection technique for outsourced integrated circuit (IC) designs that thwarts IC piracy and ICcounterfeiting by untrusted foundries. In this technique, the IC design house locks the correct functionality of the circuitusing a key that is known only to the trusted entities in the design house. As the correct key values are provided by the designhouse after production, a malicious adversary in the foundry house will not be able to unlock overproduced or counterfeitICs. In this paper, we mount linear approximation attacks and differential attacks on random logic locking (RLL), fault-analysis based logic locking (FLL), and strong logic locking (SLL) techniques. We present a formal approach to mount thelinear approximation attack on multiple circuit partitions and thereafter combining the approximations to form the attack ona locked logic cone of the circuit. We present our results on ISCAS’85 benchmark circuits. In linear approximation attack,the combinatorial blocks are partitioned and expressed as linear expressions to derive a relation between the primary inputsand the primary outputs of the circuit. The attack aims to determine the linear approximation that has the highest probabilityof occurrence for the correct key input. In differential attacks, we could recover the embedded secret key in device withattack effort lesser than exhaustive search attack.
As the complexity1 of constructing and/or maintaininga fabrication facility with advanced capabilities increasesexponentially, numerous semiconductor companies aregoing fabless. The fabless companies design integratedcircuits (ICs) that are manufactured by an off-shore fabri-cation industry. This outsourcing of IC fabrication enablesthe design companies to access advanced semiconductortechnology at a lower cost. However, outsourcing leads to
1An initial version of this paper has been published with title,“Linear Approximation and Differential Attacks on Logic LockingTechniques”, in 32nd International Conference on VLSI Design,VLSID 2019, Delhi, India, January 5-9, 2019. In this paper, we presenta formal method to determine the probability of occurrences of thelinear approximations across multiple partitions that will guide ancryptanalyst to choose suitable approximations to recover the secretkey.
Extended author information available on the last page of the article.
security threats as the offshore foundry may not be trust-worthy [12]. Such untrusted elements in the foundry leadto multiple security threats in the IC manufacturing sup-ply chain that comprise overproduction, Trojan insertion,reverse engineering, intellectual property (IP) theft, andcounterfeiting [4]. As such threats lead to annual losses inmillions of dollars to the semiconductor industry, hardwaresecurity has become imperative in present day scenario [20].
To thwart adversaries from mounting such attacks, anumber of hardware design-for-trust (DfTr) techniquessuch as IC metering [7], IC camouflaging [6, 18], ICwatermarking [1], split manufacturing [3], and logic lockinghave been proposed. Of all these protection techniques,logic locking gained significant interest owing to itsversatility of protection from an attacker at any pointof IC supply chain. It comprises obfuscation methods tohide and/or lock the functionality of a netlist. Figure 1demonstrates different phases of the IC design flow; thefabrication industry, the testing package assembly, and theIC activation entity are the untrusted elements of the ICdesign flow. Logic locking is an IC protection techniquethat hides the functionality and implementation of a circuitdesign by adding additional gates into the design, therebythwarting reverse engineering and overproduction threats.The gates inserted in the design are called key gates. A
Fig. 1 Logic locking in IC design flow. The dark gray regions indicate untrusted phases in the design whereas the light gray regions denote trustedentities. [22]
key gate can be an XOR/XNOR gate [9, 11, 12, 20], amultiplexer [2], or a look-up table (LUT) [16]. One inputof the key gate is an intermediate output of the originaldesign while the other input is the key input. The key inputsare driven from an on-chip memory. To exhibit correctfunctionality of the design, a valid key needs to be setin the on-chip memory. A tamper-proof chip protection isimplemented to prevent untrusted foundries from probingon the internal wires of the design. The locking hardwarewith key gates renders the IC unusable if correct key is notapplied into the key inputs.
The earliest attempt of logic locking called EPIC (EndingPiracy of ICs) provided a complete logic locking frame-work [12]. However, it suffered from a small Hammingdistance between the correct outputs and incorrect out-puts corresponding to the same set of inputs. Other logiclocking techniques focused on determining the best loca-tions for inserting key gates, such as random [12], fault-analysis based [11], and strong interference based logiclocking [10]. Such proposed techniques were subsequentlyfollowed by key recovery attacks that exploited vulnerabili-ties of logic locking techniques, such as satisfiability-based(SAT) attack [15], sensitization [10], AppSAT [14], and sig-nal probability skew (SPS) attacks [19]. The recent works inthis area, such as, Anti-SAT [16], TTLock [17], and strippedfunctionality based logic locking (SFLL) [21], are primarilyfocused on thwarting SAT and removal attacks.
2Motivation and Contribution
In this paper, we present two variants of classicalcryptanalysis attacks, namely linear approximation attackand differential attack on RLL, FLL, and SLL circuits.Classical cryptanalysis is termed as the art of obtainingthe key that exploits the nature of locking or encryptionalgorithm with the aid of prior knowledge of patterns ofprimary input and the corresponding primary output pairs.To the best of our knowledge, we are the first to point out theapplication of classical cryptanalysis techniques to recoverthe secret key embedded in logic locking techniques. Themotivation of this proposed work stems from the fact thatall existing non-invasive attacks on different logic lockingtechniques employ specific properties of the respective logiclocking technique, such as identifying input values to thecircuit that can prune out incorrect key values that lead
to incorrect output of a logic cone. The efficacy of suchattack techniques depend on the number of inputs to bequeried which can prune out a large number of incorrectkey values in a single query. However, in this work, we onlyconsider the circuit topology comprising the logic gates inthe original circuit and the additional key gates to performcircuit partitioning and then mount the linear approximationand differential attack.
In linear approximation attack, we first compute thelinear approximation of the known logic block that resultsin minimal corruption of output bits. For the entire circuit,this results in multiple linear approximation expressionsthat comprise the inputs and outputs of the circuit partition.We compute the probability of occurrence of linearapproximations for each partition. For each partition, weconsider the linear approximation which has the highestlinear bias value. In case of cascaded partitions, such achoice of linear approximations leads to a large bias valueof the overall linear approximation for entire logic coneof the circuit. This forms a distinguisher for the attackerto determine the corect key input to the correspondinglogic cone. Further, we mounted differential attack on thethree logic locking techniques in which we propagate aconstrained differential from the inputs and monitor itspropagation through a set of key gates in its path. Weidentified propagation of multiple differentials within thelogic locked circuits that were constrained with circuitpartitioning algorithms.
The paper is organized as follows. Section 3 illustratesthe background on present logic locking algorithms, attacks,and their respective defenses in the existing literature.Section 4 presents an insight into the proposed linearapproximation attack on logic locked circuits. Section 5focuses on the differential attack on the logic lockedcircuits. Section 6 discusses the experiments and thecorresponding results on the logic locked version ofbenchmark circuits. Section 7 concludes the paper.
3 Background
The original circuit netlist is a vectored Boolean functionF : {0, 1}n �→ {0, 1}m comprising n inputs and m outputs,referred to as sets I = {0, 1}n and O = {0, 1}m. Foreach output Oi , 0 ≤ i ≤ (m − 1), a logic cone definesthe circuit that yields Oi . The logic cone is defined as,
J Electron Test (2019) 35:641–654642
LCi : {0, 1}n1 �→ {0, 1}, which comprises of n1 inputs. Thelocked netlist of F is denoted as, FL : {0, 1} × {0, 1}k �→{0, 1}n, that comprises k key gates referred to as K ={0, 1}k in addition to the n inputs and m outputs. If FL
is activated with the correct key, kc, then ∀i ∈ {0, 1}n,FL(i, kc) = F(i). For other key inputs, kinc, ∃i ∈ I , suchthat FL(i, kinc) �= F(i). Similarly, a locked logic cone isdefined as, LCi
L : {0, 1}n1 ×{0, 1}k1 �→ {0, 1}, i.e., the logiccone LC comprises of k1 key gates in its locked netlist.
The traditional logic locking techniques that exist inliterature are as follows:
1. Random logic locking (RLL): This technique insertskey gates at random locations in a netlist. In RLLcircuit, the interference between the key gates areminimal, thus leading to attack vulnerabilities. RLLhas been shown to be vulnerable to attacks such asSAT attack that exploit the algorithmic weakness of thislogic locking technique.
2. Fault-analysis based logic locking (FLL): Thistechnique prevents black box usage of an IC whilemounting an attack, thus the attacker needs to determinethe circuit implementation while mounting an attack.The technique maximizes Iinc where Iinc = {i ∈I : LF (i, kinc) �= F(i)}. The key gates areinserted at those nodes of the circuit, which maximize|Iinc| when incorrect key values are applied. ForFLL implementation, some algorithms employ VLSItest based algorithms to maximize output corruption,whereas other logic locking methods use graphcentrality indicators with smaller computational effort.
3. Strong logic locking (SLL): In sensitization attack onFLL, the attacker aims to sensitize each individual keygate to the logic cone output. In SLL, the designersclaim that the circuit topology involving key gatescannot sensitize any key to the output due to the mutualinterference of at least two key gates a logic coneoutput. Due to the mutual interference between thekeys, an attacker is forced to resolve multiple keyssimultaneously, rather than a single key.
In this paper, we refer to combinational logic lock-ing which involves combinational logic elements suchas XOR/XNOR gates [10–12], AND/OR gates [2],MUXes [8], or a composition of these elements [5]. Sincethe proposition of these techniques, multiple metrics suchas, output corruptibility, clique size, number of distinguish-ing input patterns (DIPs), percentage of key bits recov-ered, and execution time have been proposed. Despite suchefforts, many key recovery attacks have been mounted onlogic locking techniques that comprise the class of side-channel attacks as well [13].
3.1 Attacker’s Threat Model
In the proposed attack as well as all existing attacks on theselogic locked circuits, the threat model involves the followingaspects:
(i) the circuit designer and the design tools are trusted,(ii) the foundry, the test-facility, and the end user of an IC
are untrusted,(iii) a linear approximation (LA) attacker and differential
analysis (DA) attacker has access to both the lockednetlist and the functionally activated IC. The attackeralso has the knowledge of the logic locking algorithmused and the location of the key gates in lockedcircuit. The unknown parameter is the key value,which is a binary vector.
4 Proposed Linear Approximation Attackon LL Circuits
In this Section, we first define some terms related to linearapproximation attack and then present the methodology ofcombining the linear approximations of circuit partitions togenerate the approximation for an entire logic cone of thecircuit.
(i) Linear Approximation: This attack takes advantageof high probability occurrence of linear expressionsinvolving the circuit partition inputs and the circuitpartition outputs. In this attack, the idea is toapproximate the operation of a circuit partition (underKγ1 , . . . , Kγn3
as the key inputs) with a linearexpression where the linearity is defined as themodulo-2 bit-wise operation, the expression is of theform,
(a1 · Xα1) ⊕ (a2 · Xα2) ⊕ . . . ⊕ (an1 · Xαn1) ⊕
(b1 · Yβ1) ⊕ . . . ⊕ (bn2 · Yβn2) = 0 (1)
where ai, bj ∈ {0, 1}, 1 ≤ i ≤ n1, 1 ≤ j ≤ n2,and Xαi
, 1 ≤ i ≤ n1, denotes the inputs to a circuitpartition LBL, and Yβi
, 1 ≤ i ≤ n2, denotes theoutputs of LBL. The approach in linear approximationattack is to determine expressions of the above formfor each circuit partition that have a large or smallprobability of occurrence for the correct key input tothe partition. If LBL does not leak any informationabout Kγi
, 1 ≤ i ≤ γn3 , then the probability that alinear expression in Eq. 1 holds is exactly 1
2 . If a logic-locked circuit partition exhibits a probability to hold
J Electron Test (2019) 35:641–654 643
Eq. 1 with large deviation from 12 , this is an evidence of
logic-locked partition’s poor randomization ability ofthe correct output of the partition when correct value ofkey input Kγt , 1 ≤ t ≤ n3, to that partition is asserted.
(ii) Linear bias: Suppose we randomly select valuesfor n1, n2 bits of inputs and outputs of LBL byselecting zero or one values of ai and bj and putthem in the equation above. We define the linearbias as the deviation from the probability of 1
2 for alinear expression to hold that is exploited in linearapproximation attack. In other words, if the expressionin Eq. 1 holds with probability p� for randomlychosen values of ai and bj , then the linear bias isε� = |p� − 1
2 |. The higher the value of ε�, the betterthe applicability of linear approximation attack withsmaller number of queries for Xi and Yj .
After having defined linear expression of a circuit partition,the next question is how can we apply the linearexpressions of the partitions of the logic-locked circuit to getinformation of the secret key values. For all circuit partitionsthat form cascaded logic blocks from the primary inputs toprimary outputs, the linear expressions can be concatenatedso that a large number of intermediate signals between thepartitions are eliminated. Thus the concatenation results ina linear expression that has a large bias value, ε�, and theexpression involves only the primary inputs and primaryoutputs of the logic locked circuit.
Consider two circuit partitions or logic blocks, LB1L
and LB2L, such that the outputs of LB2
L drive the inputsof LB1
L. Consider that linear approximations for LBiL and
LBi+1L partitions are denoted by random variables X1 and
X2, respectively. If we combine these two partitions, wenote the following relationships of the corresponding linearexpressions:
(a) X1 ⊕X2 = 0 is a linear expression denoting X1 = X2.(b) X1⊕X2 = 1 is an affine expression denotingX1 �= X2.
Suppose, the probability distributions for the randomvariables X1 and X2 are given as Pr[X1 = 0] =p1, P r[X1 = 1] = 1 − p1, Pr[X2 = 0] = p2, andPr[X2 = 1] = 1 − p2. If the two linear approximations(random variables) for these partitions are independent, thenthe joint probability distributions are demonstrated in thefollowing table.
Pr[X1 = 0, X2 = 0] p1p2
Pr[X1 = 0, X2 = 1] p1(1 − p2)
P r[X1 = 1, X2 = 0] (1 − p1)p2
Pr[X1 = 1, X2 = 1] (1 − p1)(1 − p2)
For the combined partitions of LB1L and LB2
L, it can beshown that the combined linear approximations satisfy thefollowing probability distributions,
Pr[X1 ⊕ X2 = 0] = Pr[X1 = X2]= Pr[X1 = 0, X2 = 0]
+Pr[X1 = 1, X2 = 1]= p1p2 + (1 − p1)(1 − p2) (2)
Further, if the linear bias of p1 and p2 are εl1 and εl2 ,respectively, where − 1
2 ≤ εl1 , εl2 ≤ 12 , it follows that
p1 = 12 + εl1 and p2 = 1
2 + εl2 . Substituting p1 and p2 inEq. 2, we obtain,
Pr[X1 ⊕ X2] = 1
2+ 2εl1εl2 (3)
and the linear bias of combining the linear approximations,X1 ⊕ X2, corresponding to random variables X1 and X2 isεl1,2 = 2εl1εl2 . This can be further generalized to n randomvariables (i.e., linear approximations for n circuit partitions,LB1
(b) if there exists only one pi = 12 , then Pr[X1 ⊕ . . . ⊕
Xn = 0] = 12 .
The expression X1 ⊕ . . . ⊕ Xn corresponds to combininglinear approximations for all circuit partitions, and henceis analogous to the linear approximation of the entire logiccone. Further, if the linear bias of linear approximation, εli ,for each circuit partition LBi
L is high for all i, 1 ≤ i ≤ n,then combining linear approximations must also yield a highlinear bias of the entire logic cone.
In linear approximation attack, the logic locked circuitFL is first partitioned into locked logic cones LCi
L thatcomprises key gates by employing the breadth first search(BFS) algorithm on the entire circuit, where i is the number
J Electron Test (2019) 35:641–654644
of output bits in the circuit. The boundary of the partitionis determined as soon as a key gate or a primary inputgate is encountered. Hence, the running time of the circuitpartitioning algorithm is O(|K|(|V | + |E|)), where |K| isthe size of search key space, and |V | and |E| are the numberof logic gates and interconnections within those gates,respectively. Each LCi
L contains all inputs that determinethe output of the logic cone; the LCi
L is then partitionedinto small logic blocks as shown in Algorithm 1. Thepartitioning of the circuit is based on the location of keygates in the logic cone. The partitioning of the circuitis followed by linear approximation of each of the logicblocks. Subsequently, the linear approximation expressionsare combined to yield an approximation involving theprimary inputs, primary outputs, key inputs and someintermediate signals of the logic blocks. Henceforth, wedenote I � Y if signal I drives or sensitizes signal Y , andI �� Y if signal I fails to sensitize ssignal Y (Fig. 2).
4.1 Algorithm for Circuit Partitioning
In circuit partitioning shown in Algorithm 1, the entirecircuit is first partitioned into logic conesLCi
L, (1 ≤ i ≤ n);each logic cone comprises a combinational output Oi , theset of inputs that drive Oi , and the combinational blockthat computes Oi . Each LCi
L is then further partitioned into
logic blocks LBjL such that each logic block comprises at
least one key gate from the set KG. The partitioning startsfrom the output of the logic cone and proceeds towards theprimary inputs. The partitioning can be performed in thefollowing two ways:
(i) Considering LCiL as an acyclic graph, the partition
starts from the output gate that computes Oi as theroot, and proceeds through each child node of this rootand then the subsequent children of each considered.The partition stops when a child node at a certain stepis detected as a key gate, K ∈ KG. In this case, allgates at the boundary of the partition shall have thesame level as that of the key gate K .
(ii) Considering LCiL as an acyclic graph, the partition
starts from the output gate that computes Oi as theroot, and proceeds through each child node of this rootand then the subsequent children of each considered.The traversal across each branch of a parent node stopswhen either a key gate or a primary input gate isencountered.
In Fig. 3, LB1L is created, which is followed by
construction of LB2L and LB3
L, respectively. Each logic
block LBjL comprises a set of gates or vertices (PS
jV ),
key gates (KGjV ), and set of wires between gates or edges
G10
G25
G26
G24
G19
G28G16
G27
G31G29 G30
2
2
2
3
3
3
4
4
5
5
6
6
7 8
K1
I1
I7
I3
K2
K6
K4
I6
I2
K3
K5G11
Y1
Y2
G22
G23
Fig. 2 Linear Approximation attack on logic cones of a circuit.Integers on key gates in blue color indicate the height of the gate fromthe input; the height of a primary input or a key input is 1. The redcolor and green color parts of the circuit correspond to two separatepartitions of the circuit, while the black part belongs to both partitionsof the circuit
J Electron Test (2019) 35:641–654 645
G10
G25
G26
G24
G28G16
G27
G29 G30
2
2
2
3
3
3
4 5
67 8
K1
I1
I3
K2
K6
I6
I2K3
K5
G11
LBL1
Y1G22
LBL2LBL
3
Fig. 3 Each partition of a circuit is separated by dashed boundary. Thepartitions are labelled in green circles. The height of each logic gate ismentioned in a blue color
PSjE . As partitioning algorithm constructs a logic block, it
constructs three sets, PSjV , KG
jV , and PS
jE ; the process
continues until all gates have been considered for partition.The partitioning algorithm terminates when a key gate hasbeen considered in the partition. Hence a partition startswith either a logic gate driving a primary output, or a logicgate driving a key gate. For instance, in Fig. 3, the logicblock LB2
L comprises gate G16 when the construction ofthe partition starts; construction of LB2
L finishes when thekey gate G28 is encountered by the algorithm. For the linearapproximation attack to be effective,
(i) the probability of the input set of LBL to match withany linear combination of inputs should be as close to1 as possible.
(ii) the number of cascaded logic blocks LBL from aprimary output to the primary input should be minimalwhich would otherwise pull the bias value of theoverall combinational circuit close to 1
2 , thus renderingthe attack ineffective.
4.2 Algorithm for Computing Linear Approximationfor the Partitioned Circuit Blocks
In this attack, the individual partitions from Partall aretaken as input from Algorithm 1. For each partition LBL,a set of outputs of logic gates that sensitizes the key gatesin LBL, is constructed. Subsequently, the set of primaryinputs PIi that sensitizes such outputs of logic gates iscomputed. These two sets undergone a linear combinationof corresponding elements to yield the vector approx. Forexample, consider the partitioned logic block LB1
L; the setOLBL
for LB1L comprises the output of {G16, G10} gates
that sensitize (�) the input gates of LB1L. Further, the set
ILBLin step 4 for this logic block comprises the union of:
(i) set of primary inputs {I2, I3, I6} which sensitize gateG16 and,
(ii) set of primary inputs {I1, I3} that sensitize gate G10.
Both G16 and G10 drive the input gates G29 and G24of LB1
L, respectively. For this logic block, the linearapproximation involves these primary inputs and the outputsignals of the set OLBL
.
5 Proposed Differential Attack on LL Circuits
In this attack, we mount a differential attack along with asensitization attack on a logic locked circuit. For describingsensitizing the key to the output, consider the circuit inFig. 4a. In this circuit, asserting I3 = 0 sets the output ofthe NAND gate to logic 1. We define differential �I as theXOR of two different input vector values to the same set ofprimary inputs. From Table 1, consider the propagation ofdifferential �I to the output �Y under the effect of key K .As the table demonstrates, the key K affects the polarity ofthe differential as it propagates from the input of XOR keygate to its output. In Fig. 4a, constraining I3 propagates the
J Electron Test (2019) 35:641–654646
Table 1 Polarity inversion (restore) of an output differential w.r.t aninput differential at a key gate occurs if the actual key value is 1(0)
K �I �Y
0 0 → 1 0 → 1
0 1 → 0 1 → 0
1 0 → 1 1 → 0
1 1 → 0 0 → 1
polarity of the differential in I1 ∧ I2 to the output Y , therebyleaking information of key K to the output Y .
In general, an attacker computes the conjunctive normalform (CNF) representation of the logic locked circuit. Forinstance, the conjunctive normal form (CNF) representationof the circuit in Fig. 4a is,
(¬I1 ∨¬I2 ∨¬K)∧ (I1 ∨K)∧ (I2 ∨K)∧ (¬I3 ∨¬N) (5)
The attacker first constrains the inputs to the logic values,I3 = 0, I1 = 1, I2 = 1, that sensitizes the key to the outputas Y = ¬K . In the CNF representation of the partition,the attacker first identifies the clauses that do not have keyinput as a literal. Subsequently, he identifies those inputs inthe clauses, whose frequency of occurrence is high. Suchinputs are considered dominant inputs as they ensure thatminimal number of inputs are required to be assigned valuesto sensitize the key to the output. The dominant inputs areset to high so as to sensitize the key input of other clausesto the circuit partition output. In Eq. 5, we assign the inputset, I1 = I2 = I3 = 0, to sensitize key K to the circuitoutput Y . For circuits, wherein the key cannot be sensitizedto the output by assignments to the circuit partition inputs,we apply differential attack.
In differential attack on logic locking techniques, wecreate differentials at the input of the logic circuit thatpropagate to the output to recover the key. In this attack, weconstrain certain inputs to constant values while other inputsare subjected to input differentials �I whose propagationto a logic cone output is monitored. An input differential,�I of input I is defined as �I = I1 ⊕ I2, i.e., the XORof two consecutive input values that I is subjected to. Thedifferential attack is based on the property of a XOR key
gate that the value of the secret key affects the propagationof differential polarity from the input to the output. Thisphenomenon is exhibited by the following property of aXOR key gate whose inputs are I and K while output is Y .
We consider the logic locked circuit shown in Fig. 5.In differential attack, we choose the smallest logic conein the circuit, i.e., the logic cone that comprises minimumnumber of key gates. The entire circuit is partitioned untilall gates of the circuit have been identified. For any logic-locked circuit under attack, we partition the circuit intobranches and subbranches. In Fig. 5, the five branches ofthe circuit have been shown. We constrain the maximumnumber of branches to logic 0 or logic 1 depending on thecircuit topology. Subsequently, we apply three attack modesdepending upon whether an attack mode recovers the keyin the partition. We present all the three attack modes indifferential attack with respect to circuit in Fig. 5.
5.1 Attack Mode 1
We apply constant inputs and attempt to determine the keyinput values from the input values, output values, and theCNF expression of the partitioned circuit. For instance, incircuit shown in Fig. 5, we constrain Branch2, Branch3,Branch4, and Branch5 to logic 1 by subjecting the inputs,I3 = I5 = I8 = I11 = 0, respectively. Further, we applythe inputs I1 = I2 = 1. This reduces the CNF expression to¬K1 = 0, i.e., we obtain K1 = 1.
5.2 Attack Mode 2
We create an input differential �I to a partitioned circuitand observe the polarity of the output differential �Y toobtain the key values. We compute a subset of primaryinputs (I ′ ⊂ I ), such that a non-zero differential �I ′creates a non-zero output differential �Y in the partitionedcircuit. The propagation of �Y is traced to the output ofthe logic cone. In Fig. 5, we constrain Branch1, Branch3,Branch4, and Branch5 to logic 1 through input pattern,I1 = I5 = I8 = I11 = 0, respectively. We target Branch2and set I3 = 1. In this case, if I2 == K3, then I4 � Y ,else I4 �� Y . If I2 = K3, the node B in Branch2 is setto logic 1, else it is set to logic 0. So the pair of signals
Fig. 4 a Logic locked circuitwith a key gate and some inputsclose to the output. b Anotherexample of logic locked circuit K
I3
Combologic
I4
In
Y
N
I1
I2
K31
K28
K29
I29
I30
Y
J Electron Test (2019) 35:641–654 647
I1I2
K1I4
K2
I2
K3I5
K4K2
I4I6
K5
K6
I7
I8K7K8
I6
I7
I3
I9
K10
I10
K11
I11
K9
Y
Branch 1
Branch 2
Branch 3
Branch 5
Branch 4
B
A
C
D
E
F
G
HI
J
I3
Fig. 5 A circuit example for differential attack. The key gates areshown in red color and the node labels are encircled
(I2, I4) determine the value of K3 in this case. If gate drivenby nodes A and B occur to be logic gate X, then the logicvalue at node B can be determined as,
B = �I � �Y ?P : Q, (X gate must be in the activebranch).
If X = NAND or AND, then P = 1, Q = 0. IfX = OR, then P = 0, Q = 1. The logic value at nodeB yields the relation between I2 and K3. Subsequently, weget the value of K2 from Attack Mode 1 by applying inputconstraints on Branch2.
Table 2 Linear bias for occurrence of key values for partition LB1L
K1 K6 Pr[
Count2n
]Bias = Pr
[Count2n
] − 12
0 0 1832
116
0 1 1432 − 1
16
1 0 1432 − 1
16
1 1 1832
116
Table 3 Linear bias for occurrence of key values for partition LB2L
K5 Pr[
Count2n
]Bias = Pr
[Count2n
] − 12
0 1432 − 1
16
1 1832
116
5.3 Attack Mode 3
In case both Attack Mode 1 and Attack Mode 2 fail,we vary all the inputs to an active sub-branch to yieldrelations between the key inputs and intermediate wirevalues. Subsequently, we again apply Attack Mode 1 andAttack Mode 2 on each of the active sub-branches that yieldsthe relations in the previous step. The results of the mounteddifferential attack in presented in the next section.
5.4 Limitations of Attack Modes
(i) Limitations of attack mode 1: In Fig. 5, if an input,Ii ∈ {I3, I5, I8, I11} depends on a key input Ki , theresulting CNF expression will involve Ki and K1.Hence, instead of determining the exact value of K1,the attacker obtains an expression involving Ki andK1.
(ii) Limitations of attack mode 2: In this attack mode, wefocus on determining values to a subset of primaryinputs, I ′, such that I ′ ⊂ I , which propagates an inputdifferential �I to the output differential �Y of theassociated circuit partition. The differential �Y mustbe observable to the output of the logic cone. Thisattack mode fails in any one or both these followingcases:
(a) the set I ′ = φ, i.e., we cannot assign a truthvalue to any subset of primary inputs I such that�I propagates to �Y of the circuit partition.
(b) the output differential �Y of the circuit partitioncannot be traced to the output of the logic cone.For instance, if �Y appears on input of an ANDgate in its path to the logic cone output, andwhile the other input of the AND gate is alwaysset to zero, then �Y will not be observable at thelogic cone output.
Table 4 Linear bias for occurrence of key values for partition LB3L
K2 K3 Pr[
Count2n
]Bias = Pr
[Count2n
] − 12
0 0 1632 0
0 1 1632 0
1 0 1632 0
1 1 1632 0
J Electron Test (2019) 35:641–654648
Fig. 6 Linear approximation results of Partition-1 and Partition-2 of c1355 benchmark circuit
Fig. 7 Linear approximation results of sub-partitions 1 and 2 of Partition-3 in c1355 benchmark circuit
J Electron Test (2019) 35:641–654 649
(iii) Limitations of attack mode 3: In this mode, as wevary all inputs to an active sub-branch to yieldrelations between the key inputs to the partition andthe circuit partition inputs, this case is equivalent toexhaustive search approach to yield information of thekey inputs. Hence, this attack mode does not exhibitfailure cases.
6 Experiments and Results
6.1 Experimental Results of Linear ApproximationAttack
For the two partitions, LB1L, and LB2
L shown in Fig. 3,we obtain the following linear approximation equations thatyields minimum Hamming distance with the correspondingfunctions of the respective blocks,
G10 ⊕ G16 ⊕ I1 ⊕ I3 ⊕ I6 ⊕ I2 ⊕ K5 ⊕ K2 ⊕ K3 = 0
G11 ⊕ I3 ⊕ I6 ⊕ K2 = 0
In these equations, G10, G16, and G11 represent the outputof the respective gates in the circuit. The partition LB1
L
comprises two keys K1 and K6, which have four possiblevalues. For this circuit there are 32 possible values of theinput. The linear bias for the joint probability of occurrenceof possible key values for (K1, K6) are shown in Table 2.From the table, the linear bias profiles of the two key inputsreduce the key search space by half.
The partition LB2L comprises the key K5, which has two
possible values 0 and 1, respectively. The linear bias forthe for the probability of occurrence of K5 is as shown inTable 3. The linear bias profile shows that the two key valuesare not equiprobable. This sets the criteria that the key gatelocations should be determined in such a way that linear biasprofiles should be equiprobable for all possible values of thekey.
The linear approximation expression for the partitionLB3
L does not comprise any key input. Hence, from Table 4,we find that the linear bias profiles for the key inputsK2 andK3 in the last partition LB3
L are equiprobable. Hence, thekey gate locations in this partition is resilient against linearapproximation attack.
We demonstrate the probability Pr[match] of matchingof linear approximation of a logic block LBi
L with anylinear combination of the the involved inputs to the logicblock. The value of Pr[match] ids computed as the fractionof the least Hamming distance of the truth table of theoutput of LBi
L with any of the 2n linear combination ofthe n inputs to LBi
L with respect to all the 2n possibleinput values. The closer the value of Pr[match] to 0 or 1,the better the linear approximation can be used to mountthis attack to derive linear expressions involving the key
gates. Infact, if the attacker resolves linear approximationof cascaded partitions with high accuracy, he can mergethe approximations to compute the expression of largerblocks. We hereby state that the probability of success ofmounting the linear approximation attack depends on thebias of Pr[match] of the linear approximation. We definethe bias ε as,
ε = Pr[match] − 1
2
In this expression, higher the bias of a linear approximation,the more stronger it will be to resolve the approximationsinvolving key gates. Consider the linear approximationexpressions of two cascaded logic blocks LBi
L and LBi+1L
as Xi and Xi+1 with corresponding bias values εi andεi+1. The linear approximations involve the key gate inputsembedded in the corresponding LBL as well. The linearapproximations can be merged to form eitherXi⊕Xi+1 = 0or Xi ⊕ Xi+1 = 1 (with a certain fractional error value)depending on whether Pr[match == Xi ⊕ Xi+1] ≈ 1or Pr[match == Xi ⊕ Xi+1] ≈ 0, respectively. ForLBi
L and LBi+1L with Pr[match == Xi] = 1
2 + εi andPr[match == Xi+1] = 1
2 + εi+1, respectively, the biasvalues satisfy the range − 1
2 ≤ εi, εi+1 ≤ 12 . Subsequent to
merging LBiL and LBi+1
L , the corresponding probability ofmatching with Xi and Xi+1 depends on,
Xi+1 = 0] = 12 + 2εiεi+1. Hence, the bias of the overall
merged linear approximation equations, Xi ⊕ Xi+1 = 0is computed as εi,i+1 = 2εiεi+1. With n subsequentlogic blocks LBL from the output of logic cone LCL
to the corresponding primary inputs, the bias of overallmerged linear approximation equations, ε1,...,n=2ε1 . . . εn.As − 1
2 ≤ εi ≤ εi+1, more the number of the logic blocks,ε1,...,n=2ε1 . . . εn → 0. In this case, as the match on overallmerging Pr[X1⊕ . . .⊕Xn] → 1
2 , it will be harder to mountthe linear approximation attack.
We considered the c1355 circuit in the ISCAS’85benchmark, and demonstrate the Pr[match] of all thepartitions. In Figs. 6, 7, 8, and 9, we demonstrate thePr[match] of the identified partitions of the circuit withthat of the linear combination of inputs to the partition.We mention the corresponding linear combination of theinput values as well to which the partition has the leastHamming distance with respect to the truth table values.For some partitions, as the input size is large, and hence thecorresponding input space rendered exponentially harder,we split a partition (referred to as part) into furthersub-partitions (referred to as subpart in the plots) asdemonstrated in the figures. The results demonstrate that
J Electron Test (2019) 35:641–654650
Fig. 8 Linear approximation results of sub-partitions 3 and 4 of Partition-3 in c1355 benchmark circuit
Fig. 9 Linear approximation results of sub-partitions 1, 2, and 3 of Partition-4 in c1355 benchmark circuit
J Electron Test (2019) 35:641–654 651
the Pr[match] of truth table a certain partition output withany closest linear approximation of the logic block is lowerbounded by 1
2 . A judicious partitioning scheme rendershigher probability. For a considered partition, an exactvalue of Pr[match] =1 imply that the considered partitioninvolves only linear gates, i.e., XOR gates. The higher thevalue of the Pr[match], the higher will be the ease to mountthe linear approximation attack. TheOutput# demonstratesthe number of outputs of partition under attack.
6.2 Experimental Results of Differential Attack
In the circuit shown in Fig. 5, we set Branch1, Branch2,Branch4, and Branch5 to logic 1 by putting I1 = I2 =I8 = I11 = 0, respectively. We set I5 = 1; if Y = 0, thenlogic value at nodes C = D = E = 1. This implies thatthe value of Branch3 is zero. If C = 1, it implies that bothinputs of the corresponding XOR gate have opposite outputpolarities (K2 ⊕ K4 = 1), i.e., either K2 = 0, K4 = 1or K2 = 1, K4 = 0. Similarly, if for certain input valuesof I9, I10, and I11, Branch 4 = 0, then it implies I11 = 1and K9 ⊕ H = 1. Hence, if K9 = 1, then K10 = I9 andK11 = I10. Otherwise, if K9 = 0, then (I = 0, J = 0), or(I = 1, J = 0), or (I = 0, J = 1), i.e., either (K10 = I9,K11 = I10), or (K10 = I9, K11 = I10), or (K10 = I9,K11 = I10).
We mounted this attack on logic locked versions of c432ISCAS’85 benchmark circuit that employs a 32-bit keyinput. The attack results demonstrated in Fig. 10 indicatesthat the differential attack:
(i) on RLL technique recovers lesser numbers of keyvalues in each iteration as shown in Fig. 10a. Also, thenumber of inputs that need to be set in order to mounta successful key recovery attack is higher than 15 forcorrect key input value K = 22.
(ii) on FLL technique recovers larger number of keysper iteration. From Fig. 10b, the red circled plotdemonstrates that each attack mode iteration yieldsthree key input values.
(iii) on SLL technique recovers relations between the keyinputs. As shown in Fig. 10c, this attack requiresincreased number of iterations to recover a key value.Also mounting differential attack requires setting alarge number of primary inputs to a constant value.
7 Conclusion
In this paper, we demonstrate that the key gate locationsin a logic locked circuit may render a certain partition ofthe circuit vulnerable to linear approximation attack. Thelinear bias in the probability of occurrence of certain key
Fig. 10 Differential attack results on a random logic locked (RLL),b fault-analysis based logic locked (FLL), and c strong logic locked(SLL) versions on c432 ISCAS’85 benchmark circuit. The resultsindicate the number of inputs that need to be kept constant and requiredto vary or produce a differential to yield each key values. Further, itdepicts the number of previously recovered key values that were usedto extract a key
values leaks information to the attacker that all key valuesare not equiprobable, hence informs the attacker of the hot-spots in a logic locked circuit. We formally demonstratethat in case of cascaded partitions, linear approximationswith large bias values can be combined to yield a linearapproximation of entire locked logic cone of the circuit witha significant bias value. This bias value, however small,forms a distinguisher to an attacker in pruning out incorrect
J Electron Test (2019) 35:641–654652
key values corresponding to the logic cone of the circuit, andhence yields the correct key. The larger the bias value, thesmaller number of input queries required to mount the attackon the locked logic cone of the circuit. In differential attack,we demonstrate how the propagation of input differentialacross a XOR key gate is affected by the value of keyinput. If the propagation of this differential from the primaryinputs to the output of a logic cone is observable to anattacker, then the key information gets leaked to him.
References
1. Abdel-Hamid AT, Tahar S, Aboulhamid EM (2004) A survey onIP watermarking techniques. Design Automation for EmbeddedSystems 9(3):211
2. Dupuis S, Ba PS, Di Natale G, Flottes ML, Rouzeyre B (2014)A novel hardware logic encryption technique for thwartingillegal overproduction and hardware trojans. In: 2014 IEEE20th international on-line testing symposium (IOLTS). IEEE,pp 49–54
4. Guin U, Forte D, Tehranipoor M (2013) Anticounterfeit tech-niques: from design to resign. In: 14th international workshopon microprocessor test and verification, MTV 2013, Austin, TX,USA, December 11-13, 2013, pp 89–94
5. Lee YW, Touba NA (2015) Improving logic obfuscation via logiccone analysis. In: 2015 16th Latin-American test symposium(LATS). IEEE, pp 1–6
6. Li M, Shamsi K, Meade T, Zhao Z, Yu B, Jin Y, Pan DZ (2017)Provably secure camouflaging strategy for ic protection. IEEEtransactions on computer-aided design of integrated circuits andsystems
7. Maes R, Schellekens D, Tuyls P, Verbauwhede I (2009) Analysisand design of active IC metering schemes. In: 2009 IEEEinternational workshop on hardware-oriented security and trust.IEEE, pp 74–81
8. Plaza SM, Markov IL (2015) Solving the third-shift problemin ic piracy with test-aware logic locking. IEEE Transactionson Computer-Aided Design of Integrated Circuits and Systems34(6):961
9. Rajendran J, Pino Y, Sinanoglu O, Karri R (2012) A faultanalysis perspective. In: 2012 design, automation & test in Europeconference & exhibition, DATE 2012, Dresden, Germany, March12-16, 2012, pp 953–958
10. Rajendran J, Pino Y, Sinanoglu O, Karri R (2012) Security anal-ysis of logic obfuscation. DAC Design Automation Conference2012:83–89
11. Rajendran J, Zhang H, Zhang C, Rose GS, Pino Y, SinanogluO, Karri R (2015) Fault analysis-based logic encryption, vol 64.https://doi.org/10.1109/TC.2013.193
12. Roy JA, Koushanfar F, Markov IL (2008) Ending piracy ofintegrated circuit. In: Proceedings of the conference on Design,automation and test in Europe ACM, pp 1069–1074
13. Sengupta A, Mazumdar B, Yasin M, Sinanoglu O (2019) Logiclocking with provable security against power analysis attacks.IEEE Transactions on Computer-Aided Design of IntegratedCircuits and Systems
14. Shamsi K, Li M,Meade T, Zhao Z, Pan DZ, Jin Y (2017) AppSAT:Approximately deobfuscating integrated circuits. In: 2017 IEEE
international symposium on hardware oriented security and trust(HOST). IEEE, pp 95–100
15. Subramanyan P, Ray S, Malik S (2015) Evaluating the securityof logic encryption algorithms. In: 2015 IEEE internationalsymposium on hardware oriented security and trust (HOST).IEEE, pp 137–143
16. Xie Y, Srivastava A (2016) Mitigating SAT attack on logiclocking. In: International conference on cryptographic hardwareand embedded systems. Springer, pp. 127–146
17. Yasin M, Mazumdar B, Rajendran J, Sinanoglu O (2017) TTLock:Tenacious and traceless logic locking. In: 2017 IEEE internationalsymposium on hardware oriented security and trust (HOST).IEEE, pp 166–166
18. Yasin M, Mazumdar B, Sinanoglu O, Rajendran J (2016)Camoperturb: Secure IC camouflaging for minterm protection.In: 2016 IEEE/ACM international conference on computer-aideddesign (ICCAD). IEEE, pp 1–8
19. Yasin M, Mazumdar B, Sinanoglu O, Rajendran J (2017) Securityanalysis of Anti-SAT. In: 2017 22nd Asia and South pacific designautomation conference (ASP-DAC). IEEE, pp 342–347
20. YasinM, Rajendran JJ, Sinanoglu O, Karri R (2016) On improvingthe security of logic locking. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 35(9):1411
21. Yasin M, Sengupta A, Nabeel MT, Ashraf M, Rajendran JJ,Sinanoglu O (2017) Provably-secure logic locking: From theoryto practice. In: Proceedings of the 2017 ACM SIGSAC conferenceon computer and communications security. ACM, pp 1601–1618
22. Yasin M, Sinanoglu O (2017) Evolution of logic locking. In: 2017IFIP/IEEE international conference on very large scale integration(VLSI-SoC). IEEE, pp 1–6
Publisher’s Note Springer Nature remains neutral with regard tojurisdictional claims in published maps and institutional affiliations.
Bodhisatwa Mazumdar is an Assistant Professor in the Disciplineof Computer Science and Engineering at IIT Indore. Prior to thisposition, he was a Post Doctoral Researcher in Design for ExcellenceLaboratory at New York University Abu Dhabi. He earned his PhDandMS degrees from IIT Kharagpur. He has been a Technical ProgramCommittee Member of conferences such as VLSID, SPACE, andVDAT conferences. His research interests include optimised hardwareimplementations of cryptographic primitives, side channel attacks andcountermeasures, and design countermeasures against IP piracy andtheft.
Soma Saha is an Assistant Professor in the Department of ComputerEngineering at Shri Govindram Seksaria Institute of Technology andScience, Indore. She was Assistant Professor at National Instituteof Technology, Rourkela. She has earned her doctoral degree fromIndian Institute of Technology Kharagpur. Her research interests are inHardware IP security and Soft Computing.
Ghanshyam Bairwa is a final year undergraduate student in theDiscipline of Computer Science and Engineering at Indian Instituteof Technology Indore. His research work is based in logic lockingtechniques and other domains of IP Security. My interested fields areNetwork Security, Computer Architecture and Operating System.
Souvik Mandal is a senior undergraduate student in the in theDiscipline of Computer Science and Engineering at Indian Instituteof Technology Indore. His research interests are in cryptanalysis,specially cryptanalysis using machine learning. He is currently aproduct development intern at Appointy.
Tatavarthy Venkat Nikhil is a senior undergraduate student in thein the Discipline of Computer Science and Engineering at IndianInstitute of Technology Indore. He is presently an intern at Mathworks,Hyderabad. His research interests lie in Cryptanalysis and MachineLearning.
![Sarcasm & Thwarting in Sentiment Analysis [IIT-Bombay]](https://static.documents.pub/doc/80x56/5559a7f6d8b42a5b2a8b4d58/sarcasm-thwarting-in-sentiment-analysis-iit-bombay.jpg)
