 Hi everyone today. I'm going to be presenting my paper on gas lock a security card ability trade-off resilient logic locking scheme This work was done while I was a PhD student at the University of Florida in collaboration with Dr. Sheldon shoe at North Beach University and professors Mark turn for endowment 40 at the University of Florida So here is an outline for today's talk in the first part I will provide an introduction to logic locking as well as the motivations behind it I will also go over some of the recently proposed logic locking techniques and some of the trade-offs that have been found in them in Terms of resistance to various tax I will then provide details on our proposed approach, which is gas gas lock or cascaded locking that specifically mitigates these Attack resiliency trade-offs. I will also explain the various security properties around castlock Especially around its resistance to various attacks as well as overheads I will then go into the details of our extension to castlock termed mirrored castlock or and casc that has been Especially formulated to mitigate removal attacks of the gate level. I will then end the talk with our conclusion As we all know the semiconductor supply chain today follows a horizontal business model Whereby different steps in the integrated circuit production process are scattered throughout the globe This is especially evident in today's age of system on chips Whereby IPs are sourced from multiple third parties sometimes hundreds of third parties and fabrication as well as tests are also outsourced While this supply chain has vastly increased in complexity over the past decade It has also resulted in significant cost reduction and has also allowed each party or design house to focus on their core strengths At the same time a global supply chain has also given rise to a number of issues related to integrated circuit security In terms of foundry and outsourced fabrication threats such as IPIC piracy and theft Hard retrogens or malicious backdoors over production These threats could exist There are also risks associated with various third parties involved in the design process such as outsourced physical design or DFT service providers This could give rise to issues such as IP piracy as well as hard retrogens Finally once the chip is fab packaged and shipped to OEMs or customers and is out in the field There's the risk of reverse engineering which then leads to issues such as cloning IP piracy design exploitation or tampering To counter these IP supply chain threats logic locking has been proposed as a potential solution The basic idea behind logic locking is quite simple It makes the functional behavior of a chipper design dependent on a secret key Now this is done by adding keying logic for example XOR gates as shown in the figure here into the design So the basic idea is that the design fails to produce the correct input output behavior unless the correct key is provided to the key gates This locking can also be done at various abstractions, but it's most commonly done at the gate or net disc level Due to the locked behavior of the design It is assumed that threats such as IPIC piracy over production and other attacks are thwarted since If you don't have the key that means the design is not functionally valid Since logic locking was first introduced numerous attacks have been proposed against it The first few attacks included DFT or ATPG based techniques to propagate the secret key to observable points of the circuit and thus infer the correct key Countermeasures for such an attack included careful placement of locking gates in the design to cause interference among key gates Removal attacks were also proposed in order to identify the key gates or locking logic in the design via structural metrics An attacker would subsequently in a removal attack remove the locking gates in order to invalidate the obfuscation or locking To mitigate such attacks logic resynthesis was proposed as a solution So what resynthesis does is it can merge the locking logic with the original design via logic optimization and thus prevent isolating of the locking gates in the design net list However, the most effective and notable attack proposed on logic locking so far has been boolean satisfiability or sat-based attacks In this approach an unlocked chip is assumed to be available from the open market or from a malicious insider Scan access to the chip is also assumed to be available The attacker then uses this unlocked chip as an oracle to infer the correct key The actual attack proceeds as follows Then attacker first formulates a mitre circuit from two wrong key guesses on two copies of the locked circuit From this formulation a distinguishing input pattern or dip is obtained Which is then checked against the unlocked circuit Or chip to obtain a golden input output response pair Now this golden input output response pair is then added as a constraint to the initial circuit formulation iteratively Until no more dips are obtained or distinguishing input patterns are obtained at this point What can be concluded is that if no more dips are found all wrong keys have been ruled out And usually this happens in only a few iterations And at the end of the attack the sat solver is able to return the correct key So you're iteratively ruling out pretty much the entire incorrect key space You know few iterations and the sat solver is giving you the correct key and just a few iterations To counter sat-based attacks several specific sat resistance counter measures have also been recently proposed The common idea behind most of these approaches is to insert a sat resistant logic block into the circuit Now what this block basically forces the sat attack tool to do Is to basically apply brute force. That is the sat attack tool is forced to apply All possible input patterns to rule out all all the possible incorrect keys and conversion of the correct key Now without this block what would happen is the attack would only take a few iterations to basically prune out the entire Incorrect key space and zoom into the correct key However, this block basically limits the discriminating ability of sat attack via these distinguishing input patterns it limits this capability as a result the attack is able to Converge on the correct key only after applying brute force That is it has to apply all 2 to the n input patterns to be able to converge on the correct key One of the more notable sat resistance locking techniques that has been proposed is anti-sat Which was introduced in chest 16 It is also similar to other sat resistant locking techniques In the sense that a sat resistant locking block is stitched into the original design net list However, the block functional behavior is quite unique It uses a pair of complementary logic blocks g and g bar that are ended together With g getting the key ki one and g bar getting the key ki two Note that ki one and ki two don't actually need to be equal to each other They just need to be set in such a manner that g and g bar outputs are always going to be equal to each other Now this means that the output y if you provide the correct key is always going to be zero And as a result the circuit functionality will never be corrupted via the xor gate that is shown here in red Sat resistance of the block is a function of the actual logic that is chosen chosen to be g and g bar When the output one count of g the boolean function g is very low sat attack resistance is maximized This is because it limits the ability of the attack to rule out incorrect keys Conversely, this also means that the output corruptibility of the circuit is quite low This means that for most input patterns the circuit behaves as though it wasn't locked at all So there is this inherent trade-off in anti-sat in terms of sat attack resistance as was corruptibility So if you're doing better on one end example resisting sat attacks, you're necessarily doing worse on corruptibility In chess 17, uh, we also proposed a new bypass attack against anti-sat and its variance The central idea of bypass attacks is to inject some additional logic Which we call the bypass circuitry into the locked circuit with anti-sat Now this bypass circuit, uh, basically mitigates the output corruptibility from the anti-sat block In other words, it identifies incorrect input output pairs from the circuit Which are expected to be quite limited if sat attack resistance needs to be guaranteed The attack then uses the bypass circuit to correct these input output pairs Which have been identified to be incorrect and thus the circuit is unlocked without ever needing the correct key With this attack What we also found that there is an inherent trade-off with regards to sat versus bypass attack resistance So if high sat attack resiliency is to be maintained This automatically implies that there is going to be a weak bypass attack resistance for the anti-sat block circuit Conversely, if we want to ensure strong bypass attack resistance This necessarily implies that there is a weak sat resistance with anti-sat So we found this trade-off that was sort of inevitable with anti-sat So in this work, we propose cast lock as an extension to anti-sat for specifically combating the various attack resistance trade-offs that we just talked about So in the paper, we proved that number one Breaking cast lock with sat attack requires at the minimum brute force through the entire input space We also proved that Cast lock is resistant to bypass attack and renders this attack infeasible But most importantly, we proved that number one and two The resistance to sat attacks as well as bypass attacks are simultaneously achievable Something which was not possible with anti-sat As an extension to cast lock we also propose m gas Which is a mirrored cast lock We specifically propose this to extend the resistance of cast locks to attacks based on removal against white box adversaries Before going into the details of cast lock and mirrored gas We would like to first talk about what are the high-level objectives for a logic locking scheme And how cast lock and subsequently m gas can meet them So the first requirement obviously is that the locking scheme should be lightweight So that it should result in low area power and delay overheads on the design That is intended to be locked The second one obviously it should be resilient to attacks More specifically, it should be resistant to sat attacks, which specifically means The sat attack algorithm should be forced to perform brute force through the entire input space to resolve the correct key Secondly, it should also be resistant to bypass attacks, which means For the bypass attack algorithm, it should be infeasible to find these bypass patterns to correct Finally, it should also be resistant to removal attacks Which means the locking logic that has been embedded into the circuit to perform the logic obfuscation logging Should not be readily identifiable and removed from the circuit so that the locking is basically nullified So these are the high-level objectives for a logic locking scheme that we would strive to meet So now we'll dive into the actual construction of our proposed cast lock approach So cast lock itself is quite similar to anti-sat, but it differs in two aspects First it adopts a cascaded structure in its complementary Boolean functions g and g bar As opposed to the tree structure followed in anti-sat Later, we will show how the structural difference in construction Guarantees some of the security properties of cast lock The second aspect is the Boolean functions itself g and g bar In cast lock, we vary the output one count of the g and g bar logic by varying the proportion of and and or gates What remains the same as anti-sat, however Is the input itself to the g and g bar blocks In both anti-sat and cast lock the xor of the inputs with the key is fed into g and g bar Note here that mixing Are using a mix of xors and xnors Can and should be used And the circuits should be re-synthesized afterwards So that an attacker won't be able to simply decode the correct key by observing The xor or xor gates in the cast lock block This was a requirement for anti-sat and it is also a requirement that holds true for cast lock So now we will elaborate on some of the security properties of cast lock We'll start with lemma one Which specifically has to do with proving the sat resistance of cast lock Under any arbitrary Construction of the boolean functions g-cast and g-bar cast Now by arbitrary, I mean in the cascade Of gates that are present in the boolean function g-cast and g-bar cast you can vary the and and or In the cascade to vary the output craft ability But regardless of which construction of and and or as you choose You will be able to prove that cast lock maintains Maximum sat resistance regardless of the construction To put it in another way that means if sat attack was conducted on cast lock The attack would be forced to go through all possible input patterns that is all to the End of them to be able to rule out all incorrect keys. So basically sat attacks would be reduced to brute force attacks So now we will lay out a proof sketch for the sat attack resistance security property from lemma one For this proof sketch Let's assume that we have the truth table for the boolean function g-cast and g-bar cast as shown here in the figure below In this figure or truth table We have the input patterns arranged in ascending order Now let's assume that the output one count Which is the number of input patterns that lead to g-cast is equal to one Let's assume that the number of patterns is arbitrary In other words, you can think of it as the height of this column highlighted in yellow Of this column of ones you can think of that as being any arbitrary height In such an order truth table, we will always have the smallest input input pattern Let's call this element for which g-cast is equal to one Uh Now let's assume that a wrong key composed of w k one j and w k two j Which jointly result in the wrong key w k j This wrong key goes into cast lock now recall that cast lock again has two portions g-cast and g-bar cast you can think of as w k one j going into g-cast and w k two j going into g-bar cast and jointly these two keys form w k j Now let's assume that the hamming distance of such a wrong key is as shown here That is w k two j the key going into g-bar cast is only different by a lsp or least significant bit from the correct key now for such a wrong key What effectively ends up happening is that g-bar cast the output from g-bar cast effectively gets pairwise flipped as shown in the truth table Uh and now at the input pattern element And only element we observe that both g-cast and g-bar cast is equal to one You can see that highlighted in yellow here What this basically means is for this input pattern and only this input pattern which with a wrong key w k j We get the output is equal to one Which means cast lock is effectively flipping the output bit of the logic circuit and cropping the input pattern for only element and no other input pattern So for any sad attack the only way to eliminate the wrong key w k j is to apply the distinguishing input pattern element and no other pattern Note that no other input pattern is able to rule out this wrong key. It is only element that can do this Now further since there are two to the n such wrong keys Of this of the type of w k j We can now say that there are actually two to the n unique patterns that are required for the sad attack to prune out all the wrong keys and guarantee a correct key Now this effectively proves that the sad attack algorithm will be reduced to brute force regardless of the output one count of g-cast or g-bar cast since a key such as Blue k j is always guaranteed to exist and these unique input patterns in the form of elvin Are always guaranteed to exist regardless of the output corruptibility that we've composed in g-cast or g-bar cast um, so Through the proof sketch, uh, we showed how for any arbitrary construction of g-cast and g-bar cast We are able to achieve best case-sat resistance. That is the set attack will require at least to the n iterations We also made an attempt at validating this experimentally by generating some sample anti-sat as well as cast lock Gate level net lists and using the sat attack platform to test them out What you can see in this Chart over here is that for cast lock Regardless of the output corruptibility or p-value You can see that the number of sad iterations is always maximum now by maximum I mean n is equal to 8 that means The number of inputs going to the cast lock block for this particular example was n equals to 8 So the number of iterations is always through the bar 8 Which is what we have over here Whereas for anti-sat which follows the tree structure we can see that Depending on the p-value the sat attack iterations the number of iterations required can vary And we see that the number of sad iterations is maximized only when p is extremely low or extremely high Now recall that Even though the sat attack iterations is high this also means high vulnerability to bypass attacks at these quarters So there is this inherent trade-off that you see in anti-sat, but for cast lock you can see that Sad attack iterations are always maximized regardless of the p-value The second security property of cast lock is output corruptibility Which can be varied by tuning the output one count of the boolean functions g-cast and g-bar cast And this can be done without any loss in sat attack resistance as we just showed previously The third property relates to bypass attack resistance to ensure this What cast lock does is it prevents the bypass attack algorithm from finding distinguishing input patterns or dips to bypass The ability of the bypass attack to find these dip patterns Distinguishing input patterns via the mitre circuit shown here on the right So this ability is drastically decreased as the p-value or output corruptibility of the cast lock circuit is increased as shown by the expression here So from a defender's perspective, he or she may choose to increase the corruptibility of the design to thwart bypass attacks While at the same time Guaranteeing best-case-sat attack resistance, which was not previously possible with anti-sat We can also look at the security properties of cast lock under two models One is under black box attack model and the other one is through a white box Black box attacks include attacks such as sat and bypass, which was the focus of cast lock In such an attack an attacker only analyzes the locked circuit via input output patterns or its functional behavior This might be the case of a reverse engineer trying to break the design in the field On the other hand white box attacks include capabilities of the attacker to perform Full structure structural analysis of the design Including netlist analysis now this gives them the opportunity to analyze the netlist and look for specific locking implementations to remove Of course, as we said earlier in the talk Resynthesis does provide a degree of protection against such attacks And so does additional x or x nor based locking on top of cast lock However, we found that such hybrid attack locking techniques do not really hold up against a particular modified version of the sat attacks that are known as absat Absat attacks are an extension to the baseline sat attacks with a subtle difference So in each iteration of the attack instead of adding one golden input output pattern The attack adds n such io patterns obtained from the distinguishing input pattern and the unlock chip This in essence increases the circuit formulation size But also helps to rule out a larger portion of the incorrect key space There is also a parameter set such that the attack instead of trying to converge on the 100 correct key Terminates with an approximately correct key that guarantees low output corruptibility and in some cases even the correct key Now coming back to cast lock when we insert additional x or x nor gates To prevent removal attacks What ends up happening is an expanded key space is created with some of it having low output corruptibility and some of it Having high output corruptibility as shown in this truth table Where the red marked outputs represent incorrect outputs Now when absat adds multiple golden input output patterns as constraints in every single iteration These help to rule out not only keys in the high corruptibility space But also in the low corruptibility space As a result it is more likely but of course not guaranteed that trying to prevent removal attack Actually hurts your ability to resist absat attacks So what we've established is in order to prevent removal attacks under a white box attack model It is clear that additional xor or x nor insertion is not enough So what we've come up with instead is an extension to cast lock called a mirrored cast lock or m gas The idea behind this simple extension Is that we have two mirrored copies of cast locks stitched into the original circuit netlist Instead of just one with one having a hard-coded secret key case secret So it's hard-coded and the other one having the actual secret key driven from the outside, which is k gas Now after inserting these two blocks the circuit is Is resynthesized in order to embed k secret into the netlist itself What now happens is if an attack attempts to remove the cast lock block with the key k gas driven from that side The cast lock block with the Secret key k secret which is merged into the original design after the synthesis that still remains in the netlist So correct functionality of the circuit is only guaranteed when the key k gas is equal Or set equal to the secret key k secret which is embedded inside the netlist Without doing this the circuit functionality remains corrupted As a result of the cast lock block with k secret which is embedded into the original design So m gas is able to protect cast lock against white box attacks such as removal Now unfortunately this countermeasure is not without its drawbacks Most notably what happens with m gas is if you try to increase the corruptibility of the locking It results inevitably in reduced sat attack resistance Now this happens mainly because the original circuit's output is corrupted on a certain number of input patterns This is because of the embedded cast lock block with k secret If the sat attack algorithm by any chance finds any of these patterns Such as the ones highlighted in blue in this root table shown It is able to arrive at the correct key in a single iteration Now of course this is probabilistic from the perspective of the sat attack But unfortunately the probability of success of the sat attack increases as you keep bringing the output corruptibility of the circuit out Now this brings us back to the trade-off between sat attack and corruptibility which we talked about at the beginning But in the context of white box attacks So this table briefly summarizes the security properties of m gas sat attack resistance Now of course depends on the output corruptibility of the circuit Which at turn is determined by the output one count b as far as the choice of the secret key case secret embedded into the original net list These two factors also determine the output corruptibility of the circuit, of course Apsat attack resistance is ensured as the attack has no guarantees of terminating with a correct or almost correct key Removal attack resistance is ensured due to the gas lock block Embedded into the original circuit with key secret as we explained previously and finally bypass attack resistance is inherited from gas lock So we also evaluated m gas against another recently proposed removal attack resistance logic blocking Technique that is known as sfll or strip functionality logic locking So we did a series of results on a few benchmarks and we found that in terms of overhead area delay and power We do better than sfll and offer the same severe security guarantees But of course at the end of the day both techniques still have the trade-off of corruptibility versus sat resistance Under a white box attack model So the designer has to carefully analyze the trade-off and I'll have to implement the locking accordingly So the table briefly summarizes the various logic locking techniques that have been proposed recently and their resistance to various attacks We can see that gas lock defends against sat and bypass attacks But is vulnerable to removal under a white box attack model To counter this we have proposed m gas which prevents removal attack But at the same time trade-off sat attack resistance with output corruptibility This is the same case with sfll However, it has been found vulnerable to a recently proposed fall attack that specifically attacks its mode of implementation We've seen that this fall attack does not apply to m gas In conclusion Gas lock provides a low overhead logic locking solution, which is simultaneously resistant to sat and bypass attacks Unlike anti-sats It can maintain non-trivial after corruptibility and remain secure under a black box attack model To prevent removal attacks we've proposed mirrored gas lock or m gas Which remains secure under a white box attack model But at the cost of sat attack resistance Which is traded off with of course output corruptibility