
Disguising Topology and Side-Channel Information through Covert Gate- and ML-Enabled IP Camouflaging

Junling Fan, David Koblah, Domenic Forte

Abstract

Semiconductor intellectual property (IP) theft incurs hundreds of billions in annual losses, driven by advanced reverse engineering (RE) techniques. Traditional "cryptic" IC camouflaging methods typically focus on hiding localized gate functionality but remain vulnerable to system-level structural analysis. This paper explores "mimetic deception," where a functional IP (F) is designed to structurally and visually masquerade as a completely different appearance IP (A). We provide a comprehensive evaluation of three deceptive methodologies: IP Camouflage, Graph Matching, and DNAS-NAND Gate Array, analyzing their resilience against GNN-based node classification and Differential Power Analysis (DPA). Crucially, we demonstrate that mimetic deception achieves a novel anti-side-channel defense: by forcing the misclassification of cryptographic primitives, the adversary is led to apply an incorrect power model, causing the DPA attack to fail. Our results validate that this multi-layered approach effectively thwarts the entire RE toolchain by poisoning the structural and logical data used for netlist understanding.


Paper Structure

This paper contains 18 sections, 5 equations, 3 figures, 2 tables.

Figures (3)

  • Figure 1: Overview of a Differential Power Analysis (DPA) attack workflow targeting a cryptographic S-Box, with a peak for the correct key guess.
  • Figure 2: Overview of the three proposed deceptive design methodologies: (a) Graph Matching using standard gates, (b) IP Camouflage using AIG-VAE interpolation, and (c) DNAS-Based NAND Array optimization.
  • Figure 3: Evaluation of DPA Resilience under Mimetic Deception. The plot compares the Guessing Entropy (GE) of a target S-Box against an attacker using the correct power model (Blue/Baseline) versus an incorrect model induced by deception (Green/Deceptive). While the baseline attack rapidly converges to the correct key (low entropy) within 2,000 traces, the deceptive design maintains high entropy even after 32,000 traces, preventing successful key recovery. The red arrow indicates the DPA Resilience Score, quantifying the sustained protective gap achieved by forcing a statistical model mismatch.
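
The model-mismatch effect described in the abstract and in the Figure 3 caption can be reproduced on constructed data. The following is an added example, not code from the paper: it scores key guesses by correlation and reports the rank of the true key (the quantity that guessing entropy averages) under the correct and under a mismatched power model. The two 4-bit S-boxes, the Hamming-weight leakage, the single-sample traces and all function names are assumptions chosen for illustration.

```python
import random

# Assumption: the PRESENT cipher's 4-bit S-box stands in for the functional IP (F).
SBOX_F = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Assumption: a different 4-bit permutation stands in for the appearance IP (A).
SBOX_A = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]

def hw(v):
    """Hamming weight of a small integer."""
    return bin(v).count("1")

def simulate(key, n, sigma, seed):
    """Constructed traces: one sample each, HW of F's S-box output plus Gaussian noise."""
    rng = random.Random(seed)
    pts = [rng.randrange(16) for _ in range(n)]
    leak = [hw(SBOX_F[p ^ key]) + rng.gauss(0, sigma) for p in pts]
    return pts, leak

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 if either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def key_rank(pts, leak, model_sbox, key):
    """Rank of the true key (0 = top guess) when guesses are scored with model_sbox."""
    score = [abs(pearson([hw(model_sbox[p ^ g]) for p in pts], leak)) for g in range(16)]
    return sum(1 for g in range(16) if score[g] > score[key])

def compare(key=0x9, n=2000, sigma=0.5, seed=1):
    """Return (rank with the correct model F, rank with the mismatched model A)."""
    pts, leak = simulate(key, n, sigma, seed)
    return key_rank(pts, leak, SBOX_F, key), key_rank(pts, leak, SBOX_A, key)

if __name__ == "__main__":
    correct, mismatched = compare()
    print("true-key rank, correct model (F):   ", correct)
    print("true-key rank, mismatched model (A):", mismatched)
```

The traces are identical in both runs; only the S-box the analyst believes is present changes, which is the lever the deceptive design pulls.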