Integrated circuits (ICs) often represent the ultimate root of trust of modern computing systems. However, the decentralization of the IC design and manufacturing process over the years, involving multiple players in the supply chain, has increasingly raised the risk of hardware security threats from untrusted third parties.
Logic encryption aims to counteract some of these threats by appropriately modifying the logic of a circuit, that is, by adding extra components and a set of key inputs such that the functionality of the circuit cannot be revealed until the correct value of the key is applied. Several logic encryption methods have been proposed over the the last decade to protect the designs from threats such as intellectual property (IP) piracy, reverse engineering, and hardware Trojan insertion (see, e.g., (Roy et al., 2010; Rajendran et al., 2015; Yasin et al., 2016; Shamsi et al., 2019a; Tehranipoor and Koushanfar, 2010)). However, existing techniques are often tailored to specific attacker models and security concerns, and rely on different metrics to evaluate their effectiveness. It is then difficult to quantify the security of different methods, rigorously evaluate the inherent trade-offs between different security concerns, and systematically contrast their strength with traditional area, delay, and power metrics.
This paper introduces a formal modeling framework for the evaluation of logic encryption schemes and the exploration of the associated design space. We rely on a general functional model for logic encryption that can encompass all the existing methods. Based on this general model, we make the following contributions:
We define a set of metrics that can formally capture multiple, possibly conflicting, security concerns that are key to the design of logic encryption schemes, such as functional corruptibility and resilience to different attacks, thus providing a common ground to compare different methods.
We develop compact models to efficiently quantify the quality and resilience of four methods, including state-of-the-art logic encryption techniques, and enable trade-off evaluation between different security concerns.
Simulation results on a set of ISCAS benchmark circuits show the effectiveness of our modeling framework for fast and accurate evaluation of the design trade-offs. Our models produce conservative estimates of resilience, which are closer to the measurements than previous approaches. Finally, our approach can provide quantitative support to inform system-level decisions across multiple logic encryption strategies as well as the implementation of compound strategies, which can be necessary for providing high levels of protection against different threats with limited overhead.
2. Background and Related Work
Logic encryption techniques have originally focused mostly on a subset of security concerns, and lacked methods to systematically quantify the level of protection against different (and potentially unknown) hardware attacks. A class of methods, such as fault analysis-based logic locking (FLL) (Rajendran et al., 2015), mostly focuses on providing high output error rates
when applying a wrong key, for example, by appropriately inserting key-controlled XOR and XNOR gates in the circuit netlist. Another class of techniques, based on one-point functions, such asSARLock (Yasin et al., 2016), aims, instead, to provide resilience to SAT-based attacks, a category of attacks using satisfiability (SAT) solving to efficiently prune the space of possible keys (Subramanyan et al., 2015). These methods require an exponential number of SAT-attack iterations in the size of the key to unlock the circuit, but tend to expose a close approximation of the correct circuit function. Efforts toward a comprehensive encryption framework have only started to appear.
Stripped functionality logic locking (SFLL) (Yasin et al., 2017b) has been recently proposed as a scheme for provably secure encryption with respect to a broad set of quantifiable security concerns, including error rate and resilience to SAT attacks as well as removal attacks, meaning to remove the encryption logic from the circuit. However, while the average number of SAT-attack iterations grow exponentially with the key size, the worst-case SAT-attack duration can become unacceptably low, which calls for mechanisms to explore the combination of concepts from SFLL with other schemes. Zhou (Zhou, 2017) provides a theoretical analysis of the contention between error rate and SAT-attack resilience in logic encryption, drawing from concepts in learning theory (Valiant, 1984). Along the same direction, Shamsi et al. (Shamsi et al., 2019a) develop diversified tree logic (DTL) as a scheme capable of increasing the error rate of SAT-resilient protection schemes in a tunable manner. A recent effort (Shamsi et al., 2019b) adopts a game-theoretic approach to formalize notions of secrecy and resilience that account for the impact of learnability of the encrypted function and information leakage from the circuit structure. While it builds on previous analyses (Zhou, 2017; Shamsi et al., 2019a), our approach is complementary and focuses on models and metrics to enable fast and accurate evaluation across multiple encryption techniques and security concerns, eventually raising the level of abstraction at which security-related design decisions can be made.
Finally, we distinguish between logic encryption, which augments the circuit function via additional components and key bits, and obfuscation (Barak et al., 2001; Goldwasser and Rothblum, 2007), which is concerned with hiding the function of a circuit or program (without altering it) to make it unintelligible from its structure. In this paper, we focus on the functional aspects of logic encryption, and leave the modeling of its interactions with obfuscation as a direction for future work.
3. Logic Encryption: Models and Metrics
We denote by the cardinality of a set . We represent a combinational logic circuit with primary input (PI) ports and primary output (PO) ports by its Boolean function , where and , and its netlist, modeled as a labelled directed graph . Both and may be parameterized by a set of configuration parameters , with values in , related to both the circuit function and implementation. Given a function , logic encryption creates a new function , where and is the set of key input ports added to the netlist. There exists such that . We call the correct key. We wish to express as a function of and the encryption logic.
3.1. A General Functional Model
We build on the recent literature (Zhou, 2017; Yasin et al., 2017a, b) to define a general model, capable of representing the behavior of all the existing logic encryption schemes, as shown in Fig. 1. The function maps an input and key value to a flip signal, which is combined with the output of via a XOR gate to produce the encrypted PO. The value of the PO is inverted when the flip signal is one. We assume that is parameterized by a set of configuration parameters, with values in related to a specific encryption technique.
3.2. Security-Driven Metrics
We can describe how the circuit output is affected by logic encryption via an error table, such as the ones shown in Tab. 1. Based on the general functional model above and the associated error tables, we define a set of security-driven metrics that capture the quality and resilience of encryption.
Functional Corruptibility. Functional corruptibility quantifies the amount of output error induced by logic encryption to protect the circuit function. Consistently with the literature (Shamsi et al., 2019a), we define the functional corruptibility as the ratio between the number of corrupted output values and the total number of primary input and key configurations (the entries in the error table), i.e.,
where is the indicator function, evaluating to if and only if event occurs.
SAT Attack Resilience (). A SAT attack (Subramanyan et al., 2015) assumes that the attacker has access to the encrypted netlist and an operational (deobfuscated) circuit, used as an oracle, to query for correct input/output pairs. The goal is to reconstruct the exact circuit function by retrieving a correct key. At each iteration, the attack solves a SAT problem to search for a distinguishing input pattern (DIP), that is, an input pattern that provides different output values for different keys, i.e., such that . The attack then queries the oracle to find the correct output and incorporate this information in the original SAT formula to constrain the search space for the following iteration. Therefore, all the keys leading to an incorrect output value for the current DIP will be pruned out of the search. Once the SAT solver cannot find a new DIP, the SAT attack terminates marking the remaining keys as correct.
, we quantify the hardness of this attack using the number of SAT queries, hence the number of DIPs, required to obtain the circuit function. Computing this number in closed form is challenging, since it relates to solving a combinatorial search problem, in which the search space generally depends on the circuit properties and the search heuristics on the specific solver or algorithm adopted. Current approaches(Yasin et al., 2017b)
adopt probabilistic models, where the expected number of DIPs is computed under the assumption that the input patterns are searched according to a uniform distribution. We adopt, instead, a worst-case conservative model and use the minimum number of DIPs to quantify the guarantees of of an encryption technique in terms of SAT-attack resilience. The duration of the attack also depends on the circuit size and structure, since they affect the runtime of each SAT query. In this paper, we regard the runtime of each SAT query as a constant and leave a more accurate modeling of the duration of the attack for future work.
Approximate SAT-Attack Resilience (). Approximate SAT attacks, such as AppSAT (Shamsi et al., 2017) and Double-DIP (Shen and Zhou, 2017), perform a variant of a SAT attack but terminate earlier, when the error rate at the PO is “low enough”, providing a sufficient approximation of the circuit function. In this paper, we take a worst-case approach by assuming that an approximate SAT attack terminates in negligible time, and define the approximate SAT- attack resilience () as the minimum residual error rate that can be obtained with an incorrect key (different than ), i.e.,
where is the number of incorrect output values for key input .
Removal Attack Resilience (). A removal attack consists in directly removing all added encryption logic to unlock a circuit, e.g., by bypassing the flip signal (Yasin et al., 2017b) or the key-controlled XOR/XNOR gates (Chakraborty et al., 2018). We make the worst-case assumption that all the key-related components can be removed from the encrypted netlist in negligible time. We then define the resilience metric as the ratio of input patterns that are still protected after removal, i.e.,
where is the Boolean function obtained after removing all the key-related components.
4. Encryption Methods
We instantiate the general model and metrics in Sec. 3 for four logic encryption techniques, namely, SARLock, SFLL, DTL, and FLL, showing that it encompasses existing methods, including state-of-the-art techniques. Tab. 2 lists the security models for them regarding the four security metrics described in Sec. 3. Detailed model formulations and proofs are discussed in this section.
SARLock. SARLock combines the output of the original circuit with a one-point function . SARLock can then be mapped to the general functional model, where , as shown in Fig. 2a. consists of the key size . Consistently with previous work (Yasin et al., 2016), we derive the closed form expressions in Tab. 2. The use of a one-point function results in very low functional corruptibility but exponential SAT-attack resilience. The number of DIPs is constant and bounded above by , thus there is no improvement in SAT resilience for key sizes larger than . Finally, because the circuit will show zero corruptibility after the attacker bypasses the flip signal.
Diversified Tree Logic (DTL). The one-point functions used in SARLock or Anti-SAT (Xie and Srivastava, 2018) are based on AND-tree structures. DTL appropriately replaces some of the AND gates in these structures with another type of gate, i.e., XOR, OR, or NAND, to obtain a multi-point function, as shown in Fig. 2b. The parameter set includes: (1) the key size ; (2) the type of point-function , e.g., ; (3) the replacement tuple , where is a gate type for the replacement, and and denote the layer and number of gates selected for replacement, respectively, with . Tab. 2 shows the expressions obtained when SARLock, and XOR. Expressions of and can be directly computed based on the analysis in the literature (Shamsi et al., 2019a). In DTL, the error table has the same number of errors in each column, except for the correct key column, which makes equal to . , , and can be tuned to increase and while decreases.
SFLL. Fig. 2c shows the schematic of SFLL, where the value of the primary output is given by . Both the stripping circuit and the restore circuit are point functions. The stripping block corrupts part of the original function, while the restore unit then restores the correct value upon applying the correct key. SFLL can be mapped to the general functional model with . We focus on SFLL-HD where is a Hamming distance comparator. The parameter set includes and , representing the key size and the HD parameter for the HD comparator, respectively. The comparator output will evaluate to one if and only if the HD between its inputs is . The key size must be at most equal to the number of PI ports in the fan-in cone of the protected PO port, i.e., , while is at most equal to .
SFLL is the only technique in Tab. 2 that is resilient to removal attacks. In fact, at the implementation level, is merged with to form a monolithic block via re-synthesis and, therefore, it is hard to remove. On the other hand, unlike SARLock, it does not guarantee exponential SAT-attack resilience. For example, as shown in Tab. 1b for , selecting one input pattern, such as , is enough to prune out all the incorrect keys and unlock the circuit after one SAT-attack iteration. Previous work (Yasin et al., 2017b) proposes a probabilistic model in terms of expected number of DIPs. Based on this model, the SAT resilience of SFLL increases exponentially with . However, this model is based on the assumptions that: (i) finding one protected input pattern is enough to prune out all the incorrect keys and terminate a SAT attack; (ii) SAT solvers select input patterns with a uniform distribution. Such a probabilistic model tends to become inaccurate when is different than or , since one protected input pattern is no longer enough to terminate a SAT attack. Moreover, these models tend to ignore the heuristics adopted by state-of-the-art SAT solver to accelerate the search. A conservative metric is, instead, the minimum number of DIPs, adopted in this paper.
Theorem 4.1 ().
Finding the minimum number of DIPs from the error table can be reduced to a min set cover problem, which is NP-hard (Korte et al., 2012).
Theorem 4.1 shows the hardness of finding the minimum number of DIPs, we can, however, use greedy algorithms, prioritizing the input patterns that can eliminate the largest number of incorrect keys, in order to emulate worst-case SAT attacks and provide approximate but conservative estimates for their duration. Fig. 3 shows the largest number of DIPs, over all possible values for , returned by the greedy algorithm with different key sizes from 1 to 17. By definition, should be less than or equal to the results in Fig. 3 which exhibits a sub-exponential behavior.
Both and , shown in Tab. 2, are derived with the following proofs.
Theorem 4.2 ().
For SFLL-HD, if the key size is , is .
As reported in (Yasin et al., 2017b), the total number of stripped input patterns and unstripped input patterns are and , respectively. For each stripped input pattern and each unstripped input pattern, the number of key patterns which render a corrupted output is and , respectively. By summing those terms up, we have the following expression for FC:
FLL. FLL aims at creating high with low overhead by appropriately adding key-gates in the circuit, as shown in Fig. 2d. While the key-gates are not directly inserted at the primary output, their combined effect can still be represented by an appropriate function producing the same error pattern. While depends on the specific circuit and cannot be computed in closed form, FLL can achieve higher values than the other three methods, based on empirical results. However, it cannot guarantee exponential with the key size. Moreover, the XOR/XNOR-based key-gates may be easy to identify, leading to negligible resilience to removal attacks.
5. Results and Discussion
We evaluated models and metrics on a -GHz Core-i9 processor with -GB memory. We first investigated the effectiveness of our models for fast trade-off evaluation on a set of ISCAS benchmark circuits. The blue areas in Fig. 4a-c pictorially represent, as a continuum, the feasible encryption space for different methods and user requirements. For example, Fig. 4a shows that a funtional corruptibility () as high as can still be achieved with SARLock; however, it can only be implemented for very low, and therefore impractical, key sizes. Fig. 4b highlights the trade-off between SAT attack resilience () and approximate SAT attack resilience () in DTL. As expected, DTL is able to increase and with the cost of decreasing . The highest possible achieved by DTL is higher than that of SARLock in Fig. 4a. Finally, Fig. 4c exposes a trade-off between and in SFLL. It shows that increasing adversely impacts , possibly due to the fact that, as increases, the error distribution is not uniform; while the peak error rate increases, the error can become significantly low for some of the incorrect keys.
We further implemented all the encryption configurations explored in Fig. 4a-c on four ISCAS benchmark circuits, generating netlists in minutes, to compare the model predictions with the measurements. We used open-source libraries to simulate SAT attacks (Subramanyan et al., 2015) and report the actual value of . We empirically estimated by averaging the functional corruptibility over logic simulations on the encrypted netlists. By using a similar procedure, an empirical estimate for was obtained by taking the average over logic simulations for each key pattern, and then the minimum corruptibility value over incorrect key patterns. Fig. 6 reports the results for four ISCAS benchmark circuits, showing that the empirical resilience would always exceed the one predicted by our model (blue bar) for both and . For of the design (red bar) the empirical proved to be smaller than the predicted one by a negligible margin (), which is within the error affecting our simulation-based empirical estimates.
To compare our SAT resilience model for SFLL with the measured number of DIPs, we simulate SAT attacks on the encrypted netlists of four ISCAS circuits using SFLL-HD. For each combination of key size and value of , we generate netlists, by randomly permuting the order of the gates, and compute the average number of DIPs over SAT attacks. As shown in Fig. 5, the average number of DIPs is accurately predicted by our greedy algorithms for all key sizes and values, while it diverges significantly from the estimates based on the probabilistic model in the literature (Yasin et al., 2017b), especially when is close to zero.
The analysis above suggests that combining multiple techniques can help alleviate the design trade-offs and achieve high security levels across multiple metrics. To test this hypothesis, we encrypted the ISCAS circuit C880 with both SARLock and DTL, by using a logic OR gate to combine their output (flip) signals. We then combined the output of the OR gate with the output of the original circuit via a XOR gate. Fig. 4d shows that the compound strategy significantly alleviates the trade-offs posed by SARLock alone, making it possible to achieve both high functional corruptibility and SAT-attack resilience. For example, the topmost configuration in Fig. 4d achieves and , which cannot be obtained with SARLock or DTL alone. The compound scheme, where the SARLock block has key size 13 and the DTL block has key size 4, with two AND gates being replaced by one XOR gate in the first layer, is able to provide both high and . Measurement results are, again, in total agreement with our model predictions, showing that our models can indeed be used to capture the performance of compound encryption schemes.
Simulation results show the effectiveness of the proposed models and metrics for fast and accurate evaluation of the design trade-offs as well as the exploration of compound logic encryption strategies, which may be required for protecting against different threats with small overhead. Future extension of this work include the incorporation of overhead models as well as support for structural and learning-based attacks. We plan to also investigate the extension of our framework to sequential logic encryption methods. Finally, we plan to further develop an automated design and verification environment (Venugopalan et al., 2019) leveraging our models and methods to perform design space exploration and inform system-level design decisions across multiple encryption schemes.
This work was partially sponsored by the Air Force Research Laboratory (AFRL) and the Defense Advanced Research Projects Agency (DARPA) under agreement number FA8560-18-1-7817.
-  (2001) On the (im) possibility of obfuscating programs. In Annual International Cryptology Conference, pp. 1–18. Cited by: §2.
SAIL: machine learning guided structural analysis attack on hardware obfuscation. In 2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 56–61. Cited by: §3.2.
-  (2007) On best-possible obfuscation. In Theory of Cryptography Conference, pp. 194–213. Cited by: §2.
-  (2019) Security-driven metrics and models for efficient evaluation of logic encryption schemes. In 2019 17th ACM/IEEE International Conference on Formal Methods and Models for System Design (MEMOCODE), Cited by: footnote 1.
-  (2012) Combinatorial optimization. Vol. 2, Springer. Cited by: Theorem 4.1.
-  (2015) Fault Analysis-Based Logic Encryption. IEEE Transactions on Computers 64 (2), pp. 410–424. External Links: Cited by: §1, §2.
-  (2010) Ending Piracy of Integrated Circuits. Computer 43 (10), pp. 30–38. Cited by: §1.
-  (2017) AppSAT: approximately deobfuscating integrated circuits. In Hardware Oriented Security and Trust (HOST), 2017 IEEE International Symposium on, pp. 95–100. Cited by: §3.2.
-  (2019) On the approximation resiliency of logic locking and ic camouflaging schemes. IEEE Transactions on Information Forensics and Security 14 (2), pp. 347–359. Cited by: §1, §2, §3.2, §4.
-  (2019) On the impossibility of approximation-resilient circuit locking. In Hardware Oriented Security and Trust (HOST), 2019 IEEE International Symposium on, pp. 161–170. Cited by: §2.
-  (2017) Double dip: re-evaluating security of logic encryption algorithms. In Proceedings of the on Great Lakes Symposium on VLSI 2017, pp. 179–184. Cited by: §3.2.
-  (2015) Evaluating the security of logic encryption algorithms. In 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 137–143. External Links: Cited by: §2, §3.2, §5.
-  (2010) A survey of hardware trojan taxonomy and detection. IEEE design & test of computers 27 (1), pp. 10–25. Cited by: §1.
A theory of the learnable.
Proceedings of the sixteenth annual ACM symposium on Theory of computing, pp. 436–445. Cited by: §2.
-  (2019) System-level framework for logic obfuscation with quantified metrics for evaluation. In 2019 IEEE Secure Development Conference (SecDev), Cited by: §6.
-  (2018) Anti-SAT: Mitigating SAT Attack on Logic Locking. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, pp. 1–1. External Links: Cited by: §4.
-  (2016-05) SARLock: SAT attack resistant logic locking. In Hardware Oriented Security and Trust (HOST), 2016 IEEE International Symposium on, pp. 236–241. External Links: Cited by: §1, §2, §3.2, §4.
-  (2017) TTLock: tenacious and traceless logic locking. In 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 166–166. Cited by: §3.1.
-  (2017) Provably-Secure Logic Locking. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security - CCS ’17. External Links: Cited by: §2, §3.1, §3.2, §3.2, §4, §4, §5.
-  (2017) A humble theory and application for logic encryption.. IACR Cryptology ePrint Archive 2017, pp. 696. Cited by: §2, §3.1.