
The Impact of Logic Locking on Confidentiality: An Automated Evaluation

Lennart M. Reimann, Evgenii Rezunov, Dominik Germek, Luca Collini, Christian Pilato, Ramesh Karri, Rainer Leupers

TL;DR

The paper investigates the runtime confidentiality risks of logic locking, a protection technique that ties circuit functionality to a secret key. It introduces an automated evaluation framework based on path sensitization and ATPG to assess leakage in five cryptographic benchmarks under three locking schemes (ASSURE, EPIC, D-MUX). The findings reveal substantial confidentiality vulnerabilities, including up to 100% of the encryption key leaked under certain ASSURE configurations, up to 73.83% under EPIC, and up to 25% under D-MUX when attackers can manipulate inputs or keys. These results highlight the need for security assessments that extend beyond key recovery to ensure confidentiality in deployed logic-locked hardware.

Abstract

Logic locking secures hardware designs in untrusted foundries by incorporating key-driven gates to obscure the original blueprint. While this method safeguards the integrated circuit from malicious alterations during fabrication, its influence on data confidentiality during runtime has been ignored. In this study, we employ path sensitization to formally examine the impact of logic locking on confidentiality. By applying three representative logic locking mechanisms on open-source cryptographic benchmarks, we utilize an automatic test pattern generation framework to evaluate the effect of locking on cryptographic encryption keys and sensitive data signals. Our analysis reveals that logic locking can inadvertently cause sensitive data leakage when incorrect logic locking keys are used. We show that a single malicious logic locking key can expose over 70% of an encryption key. If an adversary gains control over other inputs, the entire encryption key can be compromised. This research uncovers a significant security vulnerability in logic locking and emphasizes the need for comprehensive security assessments that extend beyond key-recovery attacks.

Paper Structure

This paper contains 23 sections, 8 figures, 4 tables.

Figures (8)

  • Figure 1: A logic-locked IC has the same functionality as its unlocked version (a) when the correct logic-locking key is applied (b). Identical functionality implies the absence of direct data leakage. Misusing the logic-locked hardware with a malign key can cause sensitive data leakage (c).
  • Figure 2: Use of logic locking to secure the supply chain.
  • Figure 3: The three logic locking algorithms introduce additional logic: EPIC (adds XOR and XNOR gates), D-MUX (adds multiplexers), and ASSURE (adds logic at the RTL level, such as additional ports, arithmetic operations and XOR gates).
  • Figure 4: Path sensitization is applied to retrieve the encryption key bits from the circuit. The analysis detects leakage of bit 1 (enc_key1) when the logic locking key "11" is applied. No combination of the known inputs and logic locking key bits can forward enc_key2 to an output. A logic locking key of "00" restores the original functionality. The leakage of enc_key1 occurs via paths introduced by logic locking.
  • Figure 5: The ATPG framework is used to identify leakage paths for each sensitive bit.
  • ...and 3 more figures
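As an added illustration (not code from the paper or its ATPG framework), the path-sensitization check described in the abstract and in the Figure 4 caption, run exhaustively over a constructed toy netlist whose behaviour mirrors that caption: with locking key 11 the bit enc_key1 is forwarded to the output, enc_key2 never is, and 00 restores the original function. The signal names din, k0, k1 and the gate structure are assumptions.

```python
from itertools import product

# Constructed toy netlist (not the paper's circuit): two sensitive encryption-key
# bits, one attacker-controllable data input `din`, and a 2-bit locking key.
SENSITIVE = ("enc_key1", "enc_key2")
CONTROLLABLE = ("din",)
N_LOCK_BITS = 2
CORRECT_LOCK_KEY = (0, 0)

def original_circuit(sig):
    """Unlocked design: out = din XOR (enc_key1 AND enc_key2)."""
    return sig["din"] ^ (sig["enc_key1"] & sig["enc_key2"])

def locked_circuit(sig, k):
    """Locked design: two XOR key gates on the output plus an OR gate inserted
    on the AND path. With k == (0, 0) it equals original_circuit(sig)."""
    k0, k1 = k
    t = sig["enc_key1"] & (sig["enc_key2"] | (k0 & k1))  # locking-introduced path
    return sig["din"] ^ t ^ k0 ^ k1

def is_sensitized(circuit, target):
    """Path-sensitization check done by enumeration (an ATPG engine would do it
    symbolically): is there an assignment of the controllable inputs for which
    toggling `target` toggles the output for EVERY value of the other sensitive
    bits (which the attacker does not know)? Returns that assignment or None."""
    others = [s for s in SENSITIVE if s != target]
    for ctrl in product((0, 1), repeat=len(CONTROLLABLE)):
        base = dict(zip(CONTROLLABLE, ctrl))
        robust = True
        for oth in product((0, 1), repeat=len(others)):
            sig = dict(base, **dict(zip(others, oth)))
            if circuit(dict(sig, **{target: 0})) == circuit(dict(sig, **{target: 1})):
                robust = False  # output does not depend on target here
                break
        if robust:
            return base
    return None

def leakage_report():
    """{(sensitive_bit, lock_key_or_None): sensitizing assignment or None}."""
    report = {}
    for target in SENSITIVE:
        report[(target, None)] = is_sensitized(original_circuit, target)
        for k in product((0, 1), repeat=N_LOCK_BITS):
            report[(target, k)] = is_sensitized(lambda s, k=k: locked_circuit(s, k), target)
    return report

def leaking_keys(report):
    """Incorrect locking keys under which at least one sensitive bit leaks."""
    return sorted({k for (_, k), a in report.items()
                   if k is not None and k != CORRECT_LOCK_KEY and a is not None})

if __name__ == "__main__":
    for (bit, k), a in leakage_report().items():
        print(bit, "unlocked" if k is None else f"lock key {k}", "LEAKS" if a else "safe", a or "")
```

The unlocked design and the correctly keyed design never forward either bit; only the malicious key 11 sensitizes enc_key1, which is the class of locking-introduced leakage path the paper's framework is built to find.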