“The Key is Left under the Mat: On the Inappropriate Security Assumption of Logic Locking Schemes” (2020)

AUTHORS:

T. Rahman, S. M. Rahman, S. Tajik, M. Tehranipoor, and N. Asadi

Logic locking has been proposed as an obfuscation technique to protect outsourced IC designs from IP piracy by untrusted entities in the design and fabrication process. In this scheme, the netlist is locked by adding extra key-gates, and it is unlocked only if the correct key is applied to those key-gates. The key is assumed to be written into a non-volatile memory by the IP owner after fabrication. In the past several years, the focus of the research community has been mostly on oracle-guided attacks, such as SAT attacks, on logic locking and on proposing proper countermeasures against such attacks. However, none of the reported research in the literature has ever challenged a more fundamental assumption of logic locking, which is the security of the key itself. In other words, if an adversary can read out the correct key after insertion, the security of the entire scheme is broken. In this work, we first review possible adversaries for the locked circuits and their capabilities. Afterward, we demonstrate that even with the assumption of a tamper- and read-proof memory for the key storage, which is not vulnerable to any physical attacks, the key transfer between the memory and the key-gates through registers and buffers makes key extraction by an adversary possible. To support our claim, we implemented a proof-of-concept locked circuit as well as one of the standard logic locking benchmarks on an FPGA manufactured with a 28 nm technology and extracted the obfuscation keys using optical probing. Finally, we discuss the feasibility of the proposed attack in different scenarios and propose potential countermeasures.
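A toy simulation of the key-gate mechanism the abstract describes, added here as an illustration and not taken from the paper: XOR/XNOR key-gates are inserted on a constructed three-input netlist, only the correct key restores the original function, and the key bits reach the key-gates as plain signals on ordinary wires. The netlist, wire names and key values are all constructed for this example.

```python
from itertools import product

# Two-input gate primitives; XNOR is "XOR then inverter".
GATES = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
         "XOR": lambda a, b: a ^ b, "XNOR": lambda a, b: 1 - (a ^ b)}

# Constructed toy netlist, topologically ordered: (output wire, gate, inputs).
INPUTS = ("a", "b", "c")
OUTPUTS = ("out",)
ORIGINAL = [("n1", "AND", ("a", "b")),
            ("n2", "XOR", ("b", "c")),
            ("out", "OR", ("n1", "n2"))]

def evaluate(netlist, assignment):
    """Simulate the netlist for one input/key assignment; return output bits."""
    wires = dict(assignment)
    for out, gate, ins in netlist:
        wires[out] = GATES[gate](*(wires[w] for w in ins))
    return tuple(wires[o] for o in OUTPUTS)

def lock(netlist, key, targets):
    """Insert a key-gate on each target wire, fed by key wire k{i}.
    key[i] == 0 -> XOR, key[i] == 1 -> XNOR, so only the correct key bit
    passes the wire through unchanged; any other bit inverts it."""
    locked = []
    for out, gate, ins in netlist:
        if out in targets:
            i = targets.index(out)
            locked.append((out + "_raw", gate, ins))
            locked.append((out, "XNOR" if key[i] else "XOR", (out + "_raw", f"k{i}")))
        else:
            locked.append((out, gate, ins))
    return locked

def mismatches(original, locked, key):
    """Count input patterns where the locked design disagrees with the original
    when `key` is driven onto the key wires as plain signals."""
    n = 0
    for bits in product((0, 1), repeat=len(INPUTS)):
        assign = dict(zip(INPUTS, bits), **{f"k{i}": kb for i, kb in enumerate(key)})
        n += evaluate(original, assign) != evaluate(locked, assign)
    return n

CORRECT_KEY = (1, 0)  # constructed key; the key-gates are chosen to match it
LOCKED = lock(ORIGINAL, CORRECT_KEY, ["n1", "n2"])

if __name__ == "__main__":
    for k in product((0, 1), repeat=len(CORRECT_KEY)):
        print(k, "correct" if k == CORRECT_KEY else "wrong", mismatches(ORIGINAL, LOCKED, k))
```

With the correct key the locked netlist matches the original on all eight input patterns; every wrong key corrupts between four and six of them, which is the functional effect the key-gates are meant to enforce.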