Logic Encryption Using Dynamic Keys
A thesis submitted to the
Graduate School
of the University of Cincinnati
in Partial fulfillment of the
requirements for the degree of
MASTER OF SCIENCE in the Dept. of Electrical Engineering and Computing Systems
of the College of Engineering and Applied Sciences
October 2020
By
Vaishali Muralidharan
Bachelor of Technology in Electronics and Communication
SASTRA University, Thanjavur, Tamil Nadu, India
May 2015
Thesis Advisor and Committee Chair: Ranga Vemuri,Ph.D. ABSTRACT
Many Logic Encryption methods have been proposed for thwarting supply chain threats. Logic locking techniques can hide the design functionality from miscreants along the VLSI supply chain and hence thwart IC reverse engineering as well as other attacks. Traditional logic encryption strategies lock the original design with a key inputs (known only to the designer) which prevents the circuit from functioning as required unless a correct key value is applied. Applying incorrect key values lead to functional corruption of the circuit outputs. These encryption strategies were susceptible to a Boolean satisfiability based attack (abbreviated as SAT attack) which could itera- tively eliminate incorrect classes of keys to quickly discover the correct key values. Subsequently, encryption schemes based on point functions and cyclic methods were introduced to defeat the SAT attack. Recently, logic encryption for sequential circuits has been proposed utilizing the dynamic nature of sequential circuits to increase se- curity. However, they may be susceptible to sequential satisifiability or incremental bounded model checking based attacks. In this thesis, a novel sequential logic locking technique which necessitates the applications of dynamically changing key values to allow the correct operation of the locked design is proposed. This technique works in contrary to the previous methods which use fixed key values to corrupt the payload. Applying a logic value from the correct dynamic key sequence as a static key would still corrupt the signal in the circuit. This would force the attacker to spend more time to find the complete dynamic sequence for larger circuits. A technique to generate dynamic keys from traditional static memory using con- cepts based on pseudo random generators [Linear Feedback-Shift Registers and Cel- lular Automata] is presented in this thesis. Various sequential circuits are obfuscated to evaluate the effectiveness of this scheme against oracle-based attacks.
i
The only time success comes before work is in the dictionary.
Harvey Specter To the Almighty and my dearest family... Acknowledgments
I would say that the most sought after page in any thesis would be the Acknowl- edgement section. Its probably the only page which could be understood without prior knowledge or expertise. Any Master’s thesis can definitely not be a sole contribution made just by the author, in this case, made by me. A lot of people have helped me get past this journey. I would like to thank all of them who made this possible, and I will keep the list short. First and foremost, I would like to thank my parents for giving me the best life I could ever ask for, for being the source of infinite moral support. This would not have been possible without their unconditional love, sacrifices. Thank you for putting up with me and being there for me anytime and everytime. A special thanks to my little brother Siddharth and the entire family for constantly keeping my back. To my thesis advisor - Dr. Ranga Vemuri, Thank you for your invaluable guidance throughout out my research work. I have always been impressed by your expertise and contributions to the filed of VLSI. The whole journey with you has been a great learning experience. I would express my deepest appreciation and gratitude to Dr. Wen Ben Jone and Dr. Carla Purdy for being a part of my thesis committee. Section 3.1 of this thesis work includes collaborative work with Yasaswy Kasarabada, PhD candidate in the Digital Design Environment Laboratory. I would like to thank him for being a great mentor and also for his contributions. I am also grateful to him for taking time to review my thesis draft. I would like to thank other DDEL members for making the lab a fun and wonderful place to work. Speaking of full-time, I would like to thank Ricky Lewellilng, my manager at Cadence, for giving me an opportunity in his team. I was able to gain industrial ex- perience while being enrolled as a student. Many thanks to my teammates for being patient and taking the pressure off of me as I am winding up my thesis.
v Last but not least, I would like to thank all my friends being supportive through all my endeavors. A special mention to the 3305 family, I would not have got past the year 2020 without you guys. Once again, I would like to thank anyone and everyone who has helped me and guided me to this achievement.
vi Table of Contents
Abstract ...... v
Acknowledgments ...... v
List of Tables ...... x
List of Figures ...... xi
Chapter 1: Introduction ...... 1
1.1 IC Design Flow ...... 2
1.2 Threats/Attacks to Integrated Circuits ...... 3
1.3 State-of-the-art Defense Techniques ...... 4
1.3.1 IC Camouflaging ...... 4
1.3.2 IC Split-Manufacturing ...... 5
1.3.3 Logic Encryption ...... 6
1.4 Thesis Statement ...... 7
1.5 Thesis Organization ...... 9
1.6 Summary ...... 10
Chapter 2: Prior Work and Motivation ...... 11
2.1 Logic Encryption – Combinational Circuits ...... 11
2.1.1 EPIC – Combinational Logic locking ...... 11
vii 2.1.2 Fault Analysis & Weighted Logic locking ...... 12
2.2 Combination Circuits – Attack Methods ...... 15
2.2.1 Boolean Satisfiability based attack – SAT attack [11] ...... 15
2.3 SAT – Resilient Techniques ...... 19
2.3.1 SARLock Encryption - Description ...... 20
2.3.2 Anti-SAT Encryption - Description ...... 21
2.3.3 Cyclic Obfuscation - Description ...... 22
2.4 SAT-Resilient Technique and Attacks ...... 23
2.4.1 Removal Attack & TTLock Encryption – Description ...... 23
2.5 Logic Encryption – Sequential Circuits ...... 25
2.5.1 Hardware Protection based on Netlist Obfuscation ...... 25
2.5.2 Sequential Encryption using State deflection [33] ...... 26
2.6 Sequential Circuits – Attack Methods ...... 28
2.6.1 Sequential SAT attack [12] ...... 28
2.6.2 KC2 – Key Condition Crunching [13] ...... 29
2.7 Summary ...... 31
Chapter 3: Dynamic Key Generation ...... 33
3.1 SLED Architecture – An Overview ...... 35
3.1.1 Encryption System – Construction ...... 36
3.2 Dynamic Key Generator (DKG) ...... 39
3.2.1 Basics of Finite State Machine ...... 39
3.2.2 DKGL ...... 39
3.3 DKGC ...... 46
3.4 Experimental Setup ...... 49
viii 3.4.1 Benchmark Details ...... 49
3.4.2 Attack Strategy for Benchmarks ...... 50
3.5 Results ...... 53
3.6 Summary ...... 62
Chapter 4: Methods to Limit Correct Key ...... 63
4.1 Limiting Kc – Random Selection Method ...... 64
4.2 Limiting Kc – Comparator Method ...... 66
4.3 Comparison and Results ...... 68
4.3.1 Results ...... 68
4.3.2 Area and Power Overhead Comparison ...... 77
4.4 Summary ...... 79
Chapter 5: Conclusion and Future Work ...... 80
5.1 Conclusion ...... 80
5.2 Future Work ...... 81
5.3 Summary ...... 82
References ...... 86
ix List of Tables
Table 3.1 Dynamic Key Generator LFSR - Combinations ...... 45
Table 3.2 Dynamic Key Generator Cellular Automata - Combinations . . . 50
Table 3.3 ITC’99 Benchmark Circuit Description ...... 51
Table 3.4 DI width for each benchmark for 64-bit key size ...... 54
Table 3.5 SLED method Encryption Results – KeySize 64 bits ...... 55
Table 3.6 SLED method Encryption Results – KeySize 128 and 256 bits . . 56
Table 4.1 Limiting Kc – Method 1 Encryption Results - KeySize 64 bits . . 69
Table 4.2 Limiting Kc – Method 2 Encryption Results - KeySize 64 bits . . 73
x List of Figures
Figure 1.1 IC Design Flow – An Outline [3] ...... 3
Figure 1.2 Indifference in cell contancts - IC Camouflaging [9] ...... 5
Figure 1.3 Logic Encryption [11] ...... 7
Figure 2.1 Combinational Logic locking as given in [16] ...... 12
Figure 2.2 A circuit encrypted using XOR-gate (E1). Logic ’1’ is the valid key for E1...... 13
Figure 2.3 Mux (E1) based encryption from [26] ...... 14
Figure 2.4 Miter circuit to determine DIPs [11] ...... 17
Figure 2.5 SARLock Circuit [18] ...... 20
Figure 2.6 Truth table depicting the discriminating ability of input patterns in SARLock which resists the SAT attack [18] ...... 21
Figure 2.7 Anti-SAT encryption method [19] ...... 22
Figure 2.8 Cyclic Obfuscation method – Adding dummy wire and connec- tions to introduce combinational loop in the circuit [21] ...... 23
Figure 2.9 Proposed TTLock architecture. Restore logic is used to fix the inversion for a correct key value corresponding to a particular input combination. K6 is the secret key in the figure. [31] ...... 24
Figure 2.10 HARPOON Encryption Scheme – An Outline [32] ...... 26
Figure 2.11 Novel DSD Method a) State Transition Graph b) Circuit exam- ple of the method c) Proposed State Transition Path [33] ...... 27
Figure 3.1 SLED Architecture - An Outline ...... 35
xi Figure 3.2 Generic LFSR Structure [14] ...... 41
Figure 3.3 State transition diagram for LFSR shown in Fig 3.2 ...... 42
Figure 3.4 Two 3-bit External LFSR, DKGL Structure [6x4] ...... 43
Figure 3.5 Even parity State transition [DS] for Seed S0 = “011001” [6e4 design] ...... 44
Figure 3.6 Odd parity State transition [DS] for Seed S0 = “011001” [6o4 design] ...... 44
Figure 3.7 Switching parity State transition [DS] for Seed S0 = “011001” [6s4 design] ...... 45
Figure 3.8 Two 3-bit CA based DKGC Structure [6e3, 6o3] ...... 47
Figure 3.9 Even parity Dynamic State transition (DS) for Seed S0 = “101000” [6e3] ...... 48
Figure 3.10 Odd parity Dynamic State transition (DS) for Seed S0 = “101000” [6o3] ...... 49
Figure 3.11 Encryption time of benchmarks ...... 58
Figure 3.12 Area Overhead – (Synthesis) ...... 58
Figure 3.13 Area Overhead – (Gate Count) ...... 59
Figure 3.14 Power Overhead – (ICC results) ...... 59
Figure 3.15 Max Unroll Count for SAT attack ...... 60
Figure 3.16 Max Iterations for KC2 attack ...... 60
Figure 3.17 KC2 Attack – Decryption Time ...... 61
Figure 3.18 SAT Attack – Decryption Time ...... 61
Figure 4.1 Two 3-bit External LFSR, DKGL Structure using Method 1 . . 65
Figure 4.2 Two 3-bit External LFSR, DKGL Structure using Method 2 . . 67
Figure 4.3 Encryption time of benchmarks ...... 69
Figure 4.4 Area Overhead – (Synthesis) ...... 70
xii Figure 4.5 Area Overhead – (Gate Count) ...... 70
Figure 4.6 Max Unroll Count for SAT attack ...... 71
Figure 4.7 Max Iterations for KC2 attack ...... 71
Figure 4.8 KC2 Attack – Decryption Time ...... 72
Figure 4.9 SAT Attack – Decryption Time ...... 72
Figure 4.10 Encryption time of benchmarks ...... 74
Figure 4.11 Area Overhead – (Synthesis) ...... 74
Figure 4.12 Area Overhead – (Gate Count) ...... 75
Figure 4.13 Max Unroll Count for SAT Attack ...... 75
Figure 4.14 Max Iteration Count for KC2 Attack ...... 76
Figure 4.15 KC2 Attack - Decryption Time ...... 76
Figure 4.16 SAT Attack – Decryption Time ...... 77
Figure 4.17 Area Overhead Comparison(Gate Count) –SLED vs SLED-M1 VS SLED-M2 ...... 77
Figure 4.18 Power Overhead Comparison –SLED vs SLED-M1 VS SLED-M2 78
xiii Chapter 1
Introduction
Advancements in Integrated Circuit technology have revolutionized the world of com- munication, transportation, aviation and health care systems among others. Inte- grated circuits have found applications in automobile, computing, space, military and communication industries. A great deal of sensitive information is being processed in these applications that cannot tolerate any kind of data leaks or exploitation attacks.
With the furtherance in CMOS technology, the IC industries have been able to fabricate chips wherein the number of transistors on the die has doubled every two years, tracking with the Moore’s law [1]. This has increased the cost of fabrication of ICs, up to 15% for each new transistor node [2]. The semiconductor fabrication houses spend nearly 15−20 billion [2] in developing and maintaining their fab lines. Due to this, most design companies, in order to cut down the cost incurred by fabrication, have gone fab-lite, thus sending their design to third-party foundries for fabrication. Though this provides a cost effective global supply chain, IC designs have become vulnerable to unwarranted threats along the chain.
Miscreants along the global IC supply chain tend to exploit the design by reverse engineering, overproducing or inserting trojans into the design. Counterfeit IC’s are becoming a serious concern to the safety and security of processing and storage sys-
1 tems. Many State-of-the-art defense techniques such as IC Camouflaging, IC Split Manufacturing and Logic Encryption have been devised to protect IC’s from these malicious agents.
This chapter provides an overview of the IC design flow, potential attacks on ICs along the supply chain and various approaches designed to thwart these attack. The thesis statement and its overview are discussed in the last two sections of this chapter.
1.1 IC Design Flow
The steps involved within the IC design flow are listed below [3]:
• System Specification - The first step in the design flow is to write the system’s functional specifications, physical dimensions and the PPA (Performance, Power & Area) constraints.
• Architectural and Logic Design Specification - In this phase, the design is modeled in a HDL (Hardware Description Language) and then transformed by synthesis into a logic level implementation. A standard cell library which is a collection of well defined characterized logic gates that is used to implement a digital design. The digital implementation is later turned into a mask layout using a physical synthesis tool in the next phase.
• Physical Design - In this phase, the entire syntehsized netlist is placed and routed. In this phase, the entire synthesized netlist is placed and routed. This is done based on the system constraints to optimize the PPA parameters. The final layout of the design is produced in the GDSII format.
2 Figure 1.1: IC Design Flow – An Outline [3]
• Physical Verification and Signoff - This is the last phase of the IC design process. Following the physical design synthesis, the chip is verified and then signed-off for fabrication, packaging and further testing.
The entire IC design flow is shown in Figure 1.1. With the current trend of the IC industry going completely fabless, the physical layout design is being outsourced for fabrication. Outsourcing carries with it a high risk of the design being compromised by various attacks some of which are discussed in the next section.
1.2 Threats/Attacks to Integrated Circuits
As discussed earlier, the role of external fabrication units have become pivotal in the IC design flow. Design companies choose to outsource the fabrication of their designs to a third party vendor. A design sent to an untrusted foundry is vulnerable to the addition of malicious circuits which cause its functionality to fail [4] and make it prone to diverse security threats [5]. Some of these threats are discussed below.
3 • Hardware Trojan - Hardware Trojan is a malicious circuit inserted into the IC by an attacker either in the foundry or at the design house. The malicious circuit is activated upon rare events, disrupting the functionality of the IC and hence causing it to malfunction. The malicious circuit can also be used to leak secret information.
• Reverse Engineering - An attacker can reverse engineer the functionality of the design to his/her desired abstraction level using either destructive or non- destructive methods [6].
• Counterfeiting - An attacker can illegally forge or imitate the original design/- circuit [7]. Repackaging and selling the old and/or malfunctioning test parts has been a serious cause for concern.
• Side Channel Attack/Analysis - Secret information from an IC can be ob- tained by exploiting side channel modalities like operating speed, power con- sumption and electromagnetic emission of the target applications [8].
• IP Piracy - An attacker or a rogue foundry can pirate the design unlawfully without the designer’s consent. These ICs can be sold in the black market for a competitive price, in possible infringement of patents.
1.3 State-of-the-art Defense Techniques
1.3.1 IC Camouflaging
A fabricated IC can be reverse engineered through de-packaging, delayering and ana- lyzing the Scanned Electron Microscopy (SEM) images of the layout. IC Camouflaging is a technique developed with the aim to thwart reverse engineering attacks through the introduction of look-alike cells [9].
4 Figure 1.2: Indifference in cell contancts - IC Camouflaging [9]
As the SEM images of a camouflaged cell look identical, the attack cannot discrim- inate between different types of gates and cannot therefore decipher its functionality by scanning their images. The camouflaging technique proposed in [9] is illustrated in Figure 1.2.
The dummy contacts introduced in Figure 1.2 manipulate the design making it difficult to trace the connection from the dummy contacts. It can be inferred from the figure that the cell introduced can act as an inverter or a buffer. When the physical connection with contact 1 is real and contact 2 is a dummy, the cell acts as an inverter. Similarly, when a physical connection established with contact 2 is real and contact 1 is a dummy, the cell acts as a buffer. Although the two cells look identical, the functionality differs depending on the physical contacts made. This makes it difficult for the attacker to reverse engineer the circuit being camouflaged.
1.3.2 IC Split-Manufacturing
Another technique introduced to prevent reverse engineering of the circuit is Split Manufacturing. The design layout is divided into two partitions. The first partition called FEOL or Front End of Line constitutes the transistors and the lower metal layers. The second partition called BEOL or Back End of Line constitutes the higher metal layers. FEOL is sent to an un-trusted foundry while the BEOL is outsourced to
5 a trusted foundry for fabrication [10]. This makes it almost infeasible for the attacker at the untrusted facility to recover the missing connections to complete the design.
1.3.3 Logic Encryption
Logic Encryption, also called logic locking or logic obfuscation, is a method used to prevent counterfeiting and IC over production. New gates are introduced into the circuit, called key gates, to compromise it functionality. The key gates can either be connected to primary inputs called key inputs or to an internal signal. Thus, an encrypted circuit would have primary inputs, key inputs and primary outputs. The circuit produces the desired results when correct key values are applied. Application of incorrect key values produces incorrect outputs for one or more input vectors.
Figure 1.3 illustrates an example of Logic Encryption proposed in [11]. The key chosen to lock the design is the designer’s secret. Two key gates (XOR gates) Key Gate 1 and Key Gate 2 are inserted into the design. K1 and K2 are the key inputs to the circuit. G1, G2, G3, G6, G7 are the primary inputs and G22, G23 are the primary outputs. One input to each of the key gate is an internal signal while the other is the key input mentioned above. Only when a correct key value is applied to these key inputs K1 = 0 and K2 = 0, the correct outputs are produced.
Logic encryption thwarts any attack on over production and counterfeiting because the attacker cannot guarantee proper functionality in the absence of the correct key value. Also, trojan insertion into the design would be hard for the attacker without the knowledge of the design functionality. Numerous encryption methods for logic obfuscation have been proposed. Multiple de-obfuscation methods capable of discov- ering the correct key values have also been devised. These will be discussed in detail in Chapter 2.
6 Figure 1.3: Logic Encryption [11]
1.4 Thesis Statement
In this work, a technique has been proposed to encrypt sequential circuits using dy- namically changing key values. This is a deviation from the methods used in previous research which predominantly advocate the use of static (fixed) key values. There have been successful attacks against encryption schemes for sequential circuits such as the SeqSAT attack [12] and the KC2 attack [13]. These attacks were able to decrypt small to medium circuits within a span of 10-12 hours. The new technique proposed in this thesis is capable of withstanding these newer attack strategies against encrypted sequential circuits.
The technique proposed in this thesis offers two variations to generate dynamic keys. Concepts based on Pseudo Random Number Generators (PRNGs) and Cellular Automaton (CA) structures are used to generate these dynamic keys from a traditional static memory value. These concepts exploit the state space of a finite state machine to generate these dynamic keys. The operation of a locked logic circuit depends on the key inputs. The proposed encryption method mandates that the key values must change after the design has undergone a chosen event. Hence, these key inputs are referred to as Dynamic key Inputs (DIs).
A unit called the Dynamic Key Generator (DKG) is responsible for generating
7 Dynamic keys Sequences (DS). The DS generated by the DKG depends on the value stored in the memory blocks of this module. The DKG block is safely embedded into a secure memory module, making it inaccessible to the attacker. The output of the DKG block is DI.
The DKG monitors the state space of the FSM to generate the next key value in the DS and puts it on the DIs. This happens upon the occurrence of a chosen event called the trigger. Apart from the DKG, other blocks are added to the design to facilitate the encryption strategy. These include a block that detects the occurrence of the trigger value and a block which authenticates the key from the DKG block.
The trigger signal is used to indicate to the DKG as to when the values of the DI should change. As already mentioned, on the assertion of the trigger signal, the DKG generates the next value in the DS and places it on the DIs. This logic value of the DI is constantly monitored by a key detection unit which corrupts the payload on the application of wrong key.
As mentioned above, two different techniques are used to generate dynamic keys. The first technique is based on Pseudo Random Number Generators (PRNG). The PRNGs used in this work are Linear Feedback Shift Register (LFSR) [14]. The initial input to the LFSR is fed from a static memory. Each subsequent state is a linear function of its previous state. Exclusive-or is used as the linear function of bits in its design. The sequence generated by the LFSR is used to produce the DS.
The second technique is based on Cellular Automata (CA) [15], a discrete model in automata theory. CA is a collection of cells, where each cell represents a finite set of states. These states evolve through discrete time steps according to a set of rules based on the states of the neighboring cells. Similar to the LFSR technique, the sequence generated by the CA structure is used to produce the DS.
8 The major drawback of the above mentioned approach is the large static input key space fed to the DKG module. The large key space is due to the nature of the FSM in itself where any state in the correct FSM cycle fed as the input to the DKG, could produce the correct FSM cycle, thus the correct DS and hence the correct DIs . Two different methods to limit the correct key space are proposed in this thesis. A sub-set of the states from the entire correct key-space is selected using two different techniques. In the first technique, one state from the entire key space is randomly chosen and ANDed against the trigger signal. In the second technique, one state is selected from the entire key space using a comparator based approach and ANDed against the trigger signal. The DKG produces the correct DS and hence the correct DIs only on the application of a correct static value. This has helped reduce the input key space to a large extent.
The randomness involved in producing the dynamic keys make it difficult for the attacker to decipher the state space of the FSM thereby thwarting sequential attacks against it.
1.5 Thesis Organization
In Chapter 2, we discuss the existing encryption methods for logic obfuscation. Mul- tiple decryption techniques will also be explained. This serves as the technical back- ground for the thesis.
In Chapter 3, we describe a sequential logic locking method that uses dynamic key values obtained from the secure memory to determine corruption on the payload signals. A novel technique to generate these dynamic keys from a traditional static memory is also presented. Various sequential circuits were used to evaluate the ef- fectiveness of this scheme against oracle-based attacks. Results obtained on verifying
9 the robustness of the proposed technique against the Seq-SAT and KC2 attacks are presented in this chapter.
In Chapter 4, we introduce an approach to limit the state space of the correct key values for both LFSR and CA based encryption strategies. A more robust technique to select the correct key from the entire correct key space has also been discussed in this chapter. The Seq-SAT and KC2 resiliency of the proposed technique is verified by the results in the final section of this chapter.
In Chapter 5, a summary of all the proposed methodology is presented. The closing remarks establish the pros and cons of each method mentioned. The possible future research directions are listed in the final section of this chapter.
1.6 Summary
The basic design flow of an IC was introduced in this chapter. Vulnerabilities to the IC design such as counterfeiting, reverse engineering and IC piracy were discussed followed by an overview of various techniques devised to counter these supply chain vulnerabilities. We will discuss in detail the existing logic encryption techniques for combinational and sequential circuits with our focus being on sequential circuits.
10 Chapter 2
Prior Work and Motivation
In this chapter, we discuss the existing encryption [16]-[17] and decryption techniques in logic encryption. A detailed discussion on the decryption strategy based on Boolean satisfiability (SAT) [11] is presented. This attack was able to decrypt small to medium circuits within a span of upto 12 hours forcing researchers to develop defense method- ologies [18] [19] [20] [21] [22] that are SAT resilient. Encryption methods for sequential circuits [23] [24] [25] and attack strategies proposed [12] [13] against sequential circuit encryption methods are also discussed in this chapter.
2.1 Logic Encryption – Combinational Circuits
This section discusses logic encryption techniques designed for combinational circuits.
2.1.1 EPIC – Combinational Logic locking
One of the very first techniques developed to end IC Piracy was proposed in [16]. This technique makes use of a random number to lock the chip. Random numbers are produced for every IC before it is sent for testing. These random numbers are dispatched to the owner, who in turn send the activation code. Activation code plays a key role in making the chip function correctly. Thus, this code helps the IP holder keep track of how ICs are manufactured and distributed.
11 Figure 2.1: Combinational Logic locking as given in [16]
EPIC [16] performs combinational locking by inserting XOR andor XNOR gates at random signals in the circuit to introduce corruption. These gates are controlled by a set of signals which can be primary inputs also known as key inputs or any internal signal in the circuit. The encrypted circuit will behave correctly only on the application of a correct key value.
For example, consider the combination logic locking method describe in [16], shown in Figure 2.1. From Figure 2.1, we infer that an XOR gate is added to a half adder. Only when K=1 is applied, the locked adder will function correctly. Otherwise, the output signal of the inserted XOR gate gets inverted corrupting the primary output.
2.1.2 Fault Analysis & Weighted Logic locking
The method described in the previous section has a shortcoming, where the output may not be necessarily affected when a wrong key is applied. This may be due to the insertion of gates at random locations in the design. The method proposed in [26] [27] was to replace the random insertion of key gates with insertion based on Fault Impact factor or by actuating the probability of gates.
12 Figure 2.2: A circuit encrypted using XOR-gate (E1). Logic ’1’ is the valid key for E1.
Let’s consider an example as shown in [16]. The key gates used to lock the circuit are inserted at random locations, shown in Figure 4.2. We observe from Figure 4.2, that the gate E1 is inserted at a random location. One of the inputs to E1 is the key input K1 and the other input is the output of the NOT gate G2. In this example, the correct key value for K1 is 0, the circuit should exhibit its original functionality only when K1 is set to a value 0.
When K1 is set to 1, the value at the input bits I1, I2, I3, I4 and I5 are set to “01000”, the output observed would be “00” in place of “10”, which is the correct output. However, if the input bits are set to a value “11100” and the value of K1 is 1, the encrypted circuit produces the correct value. From what’s stated in [26], we can conclude that the circuit produces the correct output for about 75% of the input patterns leading to an inference that the encryption technique is weak and the error rate is 25%.
In order to overcome this limitation, Rajendran et. al. [26], proposed a technique based on fault analysis of the circuit. In this technique, the key gates are inserted based on fault analysis of the circuit and a wrong key produces a wrong output. This technique is associated with fault propagation and fault analysis of the circuit which
13 has proven to be the traditional method. Fault Impact is a metric that has been devised to determine the crux of the proposition. It denotes the number of patterns based on stuck-at (s-s-a) faults that excite a single stuck at fault and the corresponding outputs impacted by the fault.
Figure 2.3: Mux (E1) based encryption from [26]
F aultImpact = (NoP0.NoO0 + NoP1.NoO1)
Here NoP0 is the factor that determines the total number of patterns required to detect stuck-at-0 faults and NoO0 tells us the total output bits affected by that fault.
Similarly, stuck-at-1 faults are computed by the factors NoP1 and NoO1. Key gates are inserted at locations which have a very high fault-impact factor. The key gates usually inserted are XOR/XNOR gates.
Another technique involving multiplexers to achieve encryption was also proposed by Rajendran et. al. in [26]. The select line of the MUX is connected to the key input. One input of the mux is connected to the wire that serves as the falseinput and the other input of the mux is connected to the trueinput value. Based on the key
14 value, the mux would choose the correct or wrong input values. The wire connected to the correct input value is called trueinput and the wire connect to the wrong input value is called falseinput value. Similar to the fault analysis method proposed with the XOR/XNOR gates, fault propagation methods are associated with MUXes to encrypt the circuit. This has been represented in Figure 2.3.
Methods discussed in the above section are vulnerable to Boolean satisfiability based attack called SAT attack. SAT attack is explained in detail in the next section.
2.2 Combination Circuits – Attack Methods
2.2.1 Boolean Satisfiability based attack – SAT attack [11]
Definitions
SAT Attack [11] is an iterative algorithm which employed state-of-the-art SAT solvers such as Lingeling [28] and MiniSAT [29] in its implementation. The attack is composed under the assumption that the attacker has a black box access to the unlocked circuit. That is, he/she has a copy of the unlocked IC from the open market. This was discussed in brief under the logic encryption section in Chapter 1.
The aim of the algorithm is to find the correct key used to encrypt the circuit, by diligently selecting primary inputs patterns. It reduces the key space by eliminat- ing the incorrect keys after every iteration. A single input pattern (also known as the Distinguishing Input Patterns [DIP]) can eliminate multiple incorrect key values. Hence, it is only for the correct key/keys for which the output of the encrypted circuit is equivalent to the output of the unencrypted circuit. Therefore, the attack is said to be successful when after each iteration the algorithm tries to determine a Distin- guishing Input Pattern (DIP) for which many incorrect key values are uniquely eliminated.
15 The final key iterated out is guaranteed to be the correct key. The main goal of SAT is to eliminate all wrong keys by finding all the DIPS, thus, converging all the correct key values.
Assumption Made
SAT attack makes the following assumptions:
1. The encrypted circuit is purely combinational. In case of sequential circuits, the design needs to be unrolled and attacked.
2. Also for sequential designs, the sequential elements are assumed to be accessible through scan chains and other DFT – Design for Testability techniques.
3. Black box access or a copy of the unlocked circuit from the open market is available to the attacker.
Formal Model
A combinational encrypted circuit having M primary inputs, L key inputs and N primary outputs is taken into consideration for this attack model. The CNF or Con- junctive Normal Form of the circuit can be denoted as:
C(X~ , K~ , Y~ ) ⊂ B(M+L+N) , B = 0, 1 (2.1)
where, X~ ⊂ BL, K~ ⊂ BL and Y~ ⊂ BN (2.2)
16 ~ ~ ~ From the equation 2.1, when K is the correct key scheme i.e., K = Kc , it corre- sponds to the input and output relation of the unencrypted or original circuit. The CNF of unlocked circuit is given by,
~ ~ C0(X, Y ) ⊂ B(M + N) (2.3) ~ ~ when, X ⊂ Xc. Therefore, the main aim of the algorithm is to find the correct ~ key Kc .
Algorithm Description
~ ~ ~ ~ ~ Let X1, X2, X3, ..... XN be the input patterns applied to the locked circuit. Let Y1, ~ ~ ~ X2, X3, ....XN be the corresponding outputs for those input patterns. The miter setup show in Figure 2.4, consist of two copies of encrypted circuit to which the same input ~ ~ patterns are applied. Let k in Kc be the correct key value that would be consistent for n such iterations undergone by the SAT solver. The fact that key value found upon termination of the attack is the only correct key value or it belongs to the correct key set, needs to be ensured without brute force verification.
Figure 2.4: Miter circuit to determine DIPs [11]
17 ~ ~ Let K1 and K2 be the key inputs applied to the two encrypted copies of the miter, ~ ~ respectively. When K1 and K2 become equivalent on application of the same inputs patterns to both the copies, they produce the same output Y~ . The corresponding mathematical representation is given by
~ ~ ∀ ~ ~ ~ ~ ~ ~ K1 ≡ K2 ←→ Xi : C(Xi , K1, Yi) ∧ C(Xi , K2, Yi) (2.4)
From Figure 2.4, we can infer that when the diff signal become logic ‘1’, the outputs produced by the two copies are not equivalent, concluding that either both or one of the keys are incorrect. Distinguishing input patterns are used to iteratively eliminate ~ ~ the wrong classes of keys through difference in their outputs Y1 and Y2.
According to the algorithm, the incorrect keys identified in one iteration are not supposed to be repeated in the subsequent iterations, in order for the attack to ter- minate quickly.
The mathematical requisites have been covered in the previous sections. According to the definition, it can be understood that the CNF equivalent of the circuit is loaded as input to the SAT solver. A single input pattern may not be sufficient to eliminate all the incorrect keys. Hence, the process is carried out in an iterative manner such that no more DIPs can be deciphered by the SAT solver. It also eliminates the wrong keys during every iteration. The algorithm comes to a halt when no more DIPs are found.
The algorithm is given below. The total time taken by the SAT solver depends on total number of iterations taken, before it terminates and the total number of iterations taken to find the correct keys. The tool was available at [30]
18 2.3 SAT – Resilient Techniques
The technique proposed in [11] uses the divide and conquer method to examine the circuit for which SAT attack was unable to find the correct key. This was because the circuits contained AND-tree structures. Also, these AND-tree structures made the circuit a hard instance for the SAT to decrypt. Hence, the SAT attack was able to recover only about 30% of the keys.
For any circuit which contains AND-Trees with N-input, it would take at least 2N iterations to decrypt the circuit with the correct key. This makes it an exponential problem leading to the evolution of many SAT-Resilient techniques. Many encryption techniques based on point-functions have been proposed in [31] which have proven to be SAT resilient. Point function – A unique output value produced for only one input vector by a Boolean function.
These SAT resilient methods devised based on point functions are explained in the next section.
19 2.3.1 SARLock Encryption - Description
Subramanyan et al. [11] proposed a powerful attack using Boolean satisfiability that could quickly converge all the correct keys by ruling out equivalence classes of incorrect keys in each iteration. The time taken for the SAT attack is directly propositional to number of equivalence class of keys in the given problem. Yasin et. Al [18] proposed a technique that exploits the above property to make the Boolean satisfiability attack inefficient and the executing time comparable to that of brute force attack.
SARLock takes advantage of the ability to efficiently discriminate the unique input patterns of the SAT solver to make a circuit SAT resilient. SAT attack becomes extremely inefficient when it is able to eliminate only one key for every DIP. Consider the table shown in Figure 2.6, a, b, c are the primary inputs to the circuit and Y is the corresponding primary output of the circuit. From the truth table, it is observed that k6 is the correct key value. Also, we can observe that the output differs from the correct output for every unique input pattern.
This shows that the SAT solver would require at least (2|K| -1) distinguishable input patterns to find the correct key value for a circuit having K keys bits [18]. The circuit implementation of SARLock is shown in Figure 2.5. To represent the truth table in the circuit, a comparator module is used. The algorithm states that, when
Figure 2.5: SARLock Circuit [18]
the signal IN is equivalent to the signal K, a flip signal is asserted and the com-
20 parator output is flipped.. A mask bit is used to control the assertion of the flip signal when a correct key is applied. Thus, it helps corrupt outputs.
Figure 2.6: Truth table depicting the discriminating ability of input patterns in SARLock which resists the SAT attack [18]
2.3.2 Anti-SAT Encryption - Description
The SAT attack time to recover the correct key could be made exponential by including a lightweight circuit block or the Anti-SAT block as proposed in [19]. Figure 2.7 is used to illustrate the Anti-SAT design. The Anti-SAT logic blocks consisting of two complementary functions
Both logic blocks are connected to the same set of primary inputs X but they exhibit a complementary function for locking. Two different keys (Kl1) and (Kl2) are locked at different points (l1) and (l2) and Y is the primary output of the logic blocks as shown in Figure 2.7.
Figure 2.7 presents the two configurations of the Anti-SAT block. The first config- uration is demonstrated in Figure 2.7(a) and the second configuration is demonstrated in Figure 2.7(b). They both defer by the final flip gate used.
21 Figure 2.7: Anti-SAT encryption method [19]
These are referred to as Type-0 and Type-1 Anti-SAT. When the key input to the Anti-SAT block holds the correct value, the outputs of the Anti-SAT block are constant. It can be either logic 0 or logic 1 depending on what type of implementation it is, as in Figure 2.7(a) or 2.7(b).
Let us consider Figure 2.7(c), if the correct key value is applied, logic 0 will be the output of the Anti-SAT block, making the XOR gate behave as a buffer. This helps the circuit exhibit its original functionality. If a wrong key value is applied, the output of the AntiSAT block becomes logic 1. This makes the XOR gate behave like an inverter thus introducing corruption to the original circuit.
2.3.3 Cyclic Obfuscation - Description
It was proposed in [21] by Shamsi et. al. that a given netlist can be obfuscated with many combinational loops, such that it becomes difficult for the solver to be launched. It is known that SAT attack can be launched if and only if the encrypted circuit netlist is represented as a Directed Acyclic Graph or DAG. By forming cycles or combinational loops in the circuit for incorrect key values, we can easily thwart the SAT attack. An example of this is shown in Figure 2.8. From the method proposed in [21], it is observed that combinational loops were formed by the addition of more dummy wires and gates.
22 Figure 2.8: Cyclic Obfuscation method – Adding dummy wire and connections to introduce combinational loop in the circuit [21]
2.4 SAT-Resilient Technique and Attacks
The SAT resilient methods namely, SARlock and Anti-SAT were vulnerable to the signal probability skew attack proposed in [23].
2.4.1 Removal Attack & TTLock Encryption – Description
Yasin et al. [31] proposed a locking technique which can overcome the SPS attack. The removal attack makes use of the signal probability skew analysis and tries to find the point function. The signal probability skew (SPS) is identified by,
sx = Pr [x=1] – 0.5 (2.5)
where, Pr[ x = 1] denotes the probability of signal x which is logic 1. The range of SPS is [-0.5,0.5]. This is because, the probability of the signal lies between 0 ≤ Pr [x =1] ≥ 1 .
In the technique proposed to thwart the SPS attack, the output of the logic cone of the signal is modified only for a particular input pattern called the protected input pattern (PIP). A unit known as the restore unit is added to the circuit which restores the output inverted on application of the correct key value.
23 Figure 2.9: Proposed TTLock architecture. Restore logic is used to fix the inversion for a correct key value corresponding to a particular input combination. K6 is the secret key in the figure. [31]
Figure 2.9 is used to explain the TTLock implementation [31]. The TTLock im- plementation is based on the point functions, explained using Fig 2.9. The output Ymod of the original logic cone is inverted only for the Protected Input Pattern, which according to the table in Figure 2.9, is the 6th input pattern. The restore units out- puts is asserted to logic - 1 when the key value is the same as the PIP pattern, thus restoring the value of the output Ymod to Y. Since the technique proposed is based on point functions, SAT would eliminate only one key per DIP. Also, it would take 2k -1 iteration to find the correct key in the worst scenario.
The author who proposed this technique assumes that the Protected Input Pattern (PIP) is the designers secret. For every PIP, the output value is inverted. The flip signal in the design is highly skewed and set to ‘0’ and thus will not be detected by the removal attack. A modified logic cone would be revealed after the removal attack and not the original circuit design.
24 2.5 Logic Encryption – Sequential Circuits
Some of the existing sequential circuit based logic encryption techniques using FSM obfuscation are discussed in this section.
2.5.1 Hardware Protection based on Netlist Obfuscation
R. S. Chakraborty et. al [32] proposed sequential obfuscation and authentication technique to protect hardware IPs. This technique proposes to modify the internal structure of the circuit based on its state transition properties. The authors of [32] proposed a netlist based obfuscation that exploits the state transition properties. The circuit in this encryption would operate in the normal mode only when a pre- determined locking state sequence is applied.
The authors of [32] have also employed PUFs (Physically Un-Clonable Function) for authentication in order to further increase security. Figure 2.10 shows the struc- tural and functional obfuscation methods. A figure 2.10, it is seen that the state machine is reset to an initial state. The initial state decides whether the circuit is in the normal or obfuscated mode. This forces the circuit to be in the normal mode.
This state machine then goes through a cycle or a set of sequences. Only when N specific input patterns are applied in a particular sequence does the circuit operate in the normal mode. Thereby, modifying the FSM of the circuit, after synthesis offers maximum security and high level of encryption.
25 Figure 2.10: HARPOON Encryption Scheme – An Outline [32]
2.5.2 Sequential Encryption using State deflection [33]
The author of [33] proposed a technique to obfuscate sequential circuits and hardware IPs by dynamically deflecting the FSM in the circuits. The basic methodology of this technique is shown in Figure 2.11. The technique as opposed to the traditional hardware obfuscation techniques, does not modify the original FSM of the circuit. The original method adds additional state transitions by utilizing the key sequence to lock the state transition to a functional reset state [33]. This adds a heavy overhead cost to the circuit.
The authors of [33] proposed the idea of a low-cost obfuscation method based on state deflection. Instead of adding a new FSM, this method uses the dynamicity of state deflection from original to black hole clusters when a wrong key value is applied. It uses a simple rotation function and selective bit flipping function to control state transitions paths as shown in Figure 2.11.
26 Figure 2.11: Novel DSD Method a) State Transition Graph b) Circuit example of the method c) Proposed State Transition Path [33]
The flip-function and the rotate function depend on the Key Sequence (KS). Thus, every attempt of a brute-force attack will mislead the attacker to draw a new con- clusion, thereby increasing the attacker’s time on reverse engineering the attack. A detailed idea about the state transitions and transition paths are as shown above in Figure 2.11.
27 2.6 Sequential Circuits – Attack Methods
2.6.1 Sequential SAT attack [12]
With respect to the attack strategy from [11] we can infer that, if the circuit has been unrolled to a combinational model, it can be attacked directly by the SAT tool. It is considered that a sequential circuit consisting of scan architectures are equivalents to combinational circuits. As all flip-flops assumed in the scan chain can be set to any value for each input vector applied making it a combinational circuit.
The threat model in [11] assumes that there is a black box access to the attacker of activated IC. The sequential SAT attack algorithm is shown as Algorithm 2. The algorithm considers a sequential circuit SK(V, E, K~ ) where V is the node set, E is the edge set and the key vector K~ ⊂ {0, 1}K such that |V |¡2l and |E| < 2l+m. Here, m is the number of primary inputs in the circuit and l is total flip-flops in the design. From [12], it is assumed that the attacker has access to the set-reset logic of the encrypted design. This gives access to the attacker to set the values of the flip-flop to an initial value or state V0.
In this algorithm, the possible combinational loops are identified and controlled using the method from [21]. After the cyclic constraints are taken care off, the en- crypted circuit is unrolled for an unroll count unr (> 2) to get the combinational
unr equivalent netlist of the sequential design SK .
The flip-flops are replaced with buffers in each copy and buffer wires are connected to the corresponding flip-flop in the previous and the next copy. The buffer wire of the first copy alone are connected to the set-reset logic. The combinational netlist
unr ~ SK obtained is attacked by the SAT tool to obtain the correct key assignment Kc.
28 Large number of input vectors is applied to the sequential circuit and the eval. Results obtained from the primary output of both the circuits are compared and the ~ incorrect set of keys are eliminated. If Kc value disagrees with the primary outputs of the sequential and the eval for a particular value of unr, the unr value is incremented ~ and the attack is continued. The attack is terminated when the value of Kc is a match for SK and eval.
For a successful attack, the authors of [12] propose a lower bound on the unroll count, depending on the number of flip-flops in the largest chain in a design. Lmax is minimum the number of clock frames, from where they can start the unroll count for a successful attack.
2.6.2 KC2 – Key Condition Crunching [13]
The SAT attack was extended to circuits with no scan chain access, by the authors of [13]. Yasin et. al. proposed that they required access only to the primary inputs/out- puts of an activated chip. By iterative model checking and simplifying key conditions (key conditioned crunching) [13], they were able to decrypt the circuit.
29 The attack procedure is similar to the SAT attack [11] as it prunes the keys or the search space in an iterative manner. However, instead of finding the Discriminating Input patterns (DIPs) in each iteration, it searches for a sequence of inputs denoted by XDIS. This is because of the restricted access to the internal registers. Thus, it can produce two different outputs for the same input sequence for a set of two different key values.
The KC2 attack instantiates the bounded model checker to find the sequence of inputs denoted by XDIS. Let C(X, K, Y ) represent the obfuscate circuit. Let Y be the output sequence, X be the input sequence and K be the key vector. Consider
CBlackBox(X) refer to the activated sequences output. As mentioned above, once the value of XDIS has been found in that particular iteration, the model is updated with a new condition to discover the next onset of keys in the next iteration. This process is repeated until no further XDIS is found within the same bound. [13]
According to the attack algorithm, three conditions are checked on reaching the bound. These are checked it order to figure out the conditions for termination, listed below as follow: [34]
• Unique Completion :- If there is only one key which satisfies all the distin- guishing inputs sequence set, then the attack is terminated. In short, it checks for the uniqueness of the key.
• Combinational Equivalence :- If one or more keys satisfy the previously found set of distinguishing input sequence, combinational equivalence is checked by the attack algorithm. Here, the input/output of sequential elements are considered as pseudo input/output signals, making the circuit a combinational one. This later subjected to SAT attack.
• Unbounded Model Check :- If the first two conditions fail, the distinguishing input sequences are checked for its existence for all the remaining key values
30 using unbounded model checker [34]. If not, more DIPs are discovered after the exhaustive search, then the already existing set of distinguishing input sequences is considered to be the complete set and the attack terminates.
This concept was exploited by Shamsi et al. with several other tweaks to success- fully propose a method against sequential encryption. [Antitamper]
2.7 Summary
The preliminary techniques for the obfuscation of combinational circuit were discussed in the beginning of the chapter. All these techniques were vulnerable to the SAT at- tack. A detailed description of the Boolean Satisfiability(SAT) attack was provided. An insight into the attacks algorithm, different properties of the circuit and it com- plexity that could defeat the SAT attacks were also discussed. SAT resilient techniques such as SARLock and Anti-SAT were discussed.
Removal attack proposed to counter SAT resilient techniques was discussed in this chapter. TTLock was discussed in the subsequent section which could thwart removal attacks.
Sequential encryption techniques such as HARPOON and Novel DSD were dis- cussed. A Sequential SAT attack method and KC2- Key condition crunching tech- nique for attacks against sequential circuits were discussed in the subsequent sections of the chapter. The above discussed SAT resilient techniques, SARLock and Anti- SAT could be used for the encryption of sequential circuits but they are proven to be vulnerable to removal and bypass based attacks. The method TTLock presented above seems to thwart the removal attack by modifying the logic cone of the design to realize the encryption strategy.
31 This makes it difficult to encrypt sequential circuits using these techniques. Tech- niques like HARPOON and Novel DSD, which exploit the state transition properties of the circuit to obfuscate and increase security, have also been discussed. These attacks exploit the behaviour of fixed key values. But, unfortunately these methods suffer from drawbacks such as vulnerability against Sequential-SAT attack and KC2 attack.
These drawbacks have urged researchers to develop new techniques that can with- stand sequential decryption attacks. In this thesis, a novel technique which uses the application of dynamically changing key values to allow the correct operation of the locked design is proposed. This works in contrary to the previous research meth- ods which use fixed key values, thus withstanding the newer attack strategies. The technique will be discussed in detail in the next chapter.
32 Chapter 3
Dynamic Key Generation
As discussed in the previous chapter, security of many logic encryption schemes has proven to be vulnerable to various attacks, importantly the Boolean satisfiability based attacks [11] [12][ 13]. Despite a lot of research in this field, there has been race between defense and attack methods.
SeqSAT based method developed to attack encrypted sequential circuits is carried out by unrolling the circuit, as proposed in [12]. The minimum number of unrolls required to determine the correct key depends on the longest flip-flop chain in the circuit. Also, it has been observed that the minimum number of unrolls does not necessarily assure that the satisfiability attack would returns the correct key. Based on theory from [34], the highest number of unrolls depend on the shortest path that the FSM would take to reach the chosen state from the starting state. This is derived based on the consideration that the sequential encryption uses event occurrence of a chosen state within the circuit for obfuscation.
It has also been inferred that the sequential circuits obfuscated need to be unrolled for a number of clock frames equal to the depth of the chosen state. For example, when a n-bit FSM such as a counter is considered. The total number of possible states that can occur are 2n. This FSM goes through 2n−1 states starting from the 0th state.
33 If the state occurring at 2n−1 is used for encrypting the circuit, then, unless the circuit has been unrolled for that many clock frames, SAT will not be able to decrypt the correct key value.
The encryption technique proposed in this thesis makes use of the above mentioned idea to produce a trigger signal on the occurrence of a chosen state within the circuit. Dynamically changing keys are produced on the occurrence of the trigger signal which is based on the chosen state. Designs based on PRNGS and CA are used to generate dynamic keys, which are testable FSM Obfuscation strategies. These methods are a deviation from the previous works where static keys were used to obfuscate state- transitions of the FSM. It is ensured that by applying a single logic value from the correct dynamic key sequence as a static key would still cause corruption inside the circuit. Therefore, the attacker needs to spend time and effort to find the complete dynamic key sequence which is constructed by exploiting the state space of a FSM. We have developed a method to generate the required dynamic keys from a static memory value such that the application of only the correct static value/values, also known as the seed or the initial value, ensure the generation of correct keys.
The technique proposed was able to thwart the current attack methods that use static key threat model [34] based on the concept proposed in [13].
An overview of the overall Sequential Logic Encryption using Dynamic keys (SLED) structure has been discussed in the Section 3.1. Section 3.2 explains the concepts of DKG, a principal block in the SLED architecture that facilitates the gen- eration of dynamically changing key values which.
34 3.1 SLED Architecture – An Overview
An overview of the SLED architecture has been explained in this section. This section involves collaborative work with Yasaswy Kasarabada.
Figure 3.1: SLED Architecture - An Outline
A generic architecture of the overall encryption scheme is shown in Figure. 3.1. The encryption architecture consists of the Original Design/Circuit which has M pri- mary inputs, N primary outputs and F state registers. As already discussed at the beginning of this chapter, this technique necessitates the application of dynamically changing key values to allow the corruption of the original design.
These key sequences are generated by the Dynamic Key Generator (DKG) which is the main focus of this thesis. We also have the Key Detection Unit and the Trigger Generation Unit contributing to the encryption, discussed in the next sections of this chapter.
35 3.1.1 Encryption System – Construction
In this encryption method, the original design is encrypted using dynamic keys as op- posed to static key sequences. In order to introduce randomness in producing dynamic keys, concepts based on PRNGs and Cellular Automata is used. A module called the Dynamic Key Generator (DKG) is used to produce the dynamic key sequence needed for encryption of the original design.
The DKG is safely embedded into a secure memory module. This makes it com- pletely inaccessible to the attacker. An input called the trigger generated on the occurrence of a chose state from the design, acts an input to the DKG block. Only on the assertion of the trigger, does the DKG generate the next sequence in the dynamic key logic sequence. The block that detects the chosen protected state to generate the trigger is called the Trigger Generator block or Trigger Unit (TU).
There is a block in the sequential circuit that constantly monitors the value from the DKG block. It checks the correctness of the key sequences and corrupts the payload when the key conditions are not satisfied.
All the above mentioned logic blocks are derived from the design or added in order to generate dynamic keys to corrupt the design. This logic is simulated for a definite number of clock cycles to deduce whether to corrupt the payload or not.
A brief description of the various blocks used in the encryption architecture is given below.
• Trigger Generator - It is constructed such that, a deep state is obtained from the gate-level netlist of the circuit by probing the design using circuit simulation. The circuit is simulated over a large number of time steps (10000). The designs states are probed to monitor its logic values. The observed state register values
36 and derived state transitions are used to calculate the depth of each state of the FSM.
A function g of the rare state is designed and applied to the logic values of the function g defined. This block is constructed such that its output is logic ‘1’ only when the output of this function applied to the logic values of the state register equals the output of the function applied against the rare state. This value is also called the trigger signal. Otherwise, the output of this block remains at logic ‘0’. The output of this block is fed as the input to the DKG and KDU blocks.
There is one drawback in the trigger generation process. The deep state chosen can either occur very frequently or never occur at all. This drawback has been countered by introducing a time out logic explained below.
According to the design, deep state is reached by a certain sequence. This sequence is not guaranteed to occur for each operation of the design after reset. Hence, the concept of deterministic trigger generation utilizing a time out logic has been introduced. The output signal from the deep state detector block is ORed with output signal from the timeout logic block to produce the final output of the trigger generator. The output of the OR gate is the final output of the Trigger Generation unit.
Since, an OR gate is used, the output logic becomes ’1’ either on the detection of a deep state or when the time out logic goes high when the design fails to detect a chosen deep state.
• Dynamic Key Generator - This block helps generate the dynamic key se- quences from a static memory module, thereby reducing the overhead cost to the circuit. This module generates finite cyclic order of logic values on the DI bits. Considering the dynamic sequences (DS), generated in the cyclic order, an intuitive method to generate DS is to select unique pseudo-random dynamic
37 key transitions such that no discernible relationship exists between the current and previous state. To mitigate the concern of area-overhead, a more deterministic DKG imple- mentation based on odd and even parity generator is utilized for the design. Two implementations of the DKG have been developed – LFSR-based DKG (DKGL) and Cellular Automata-based DKG (DKGC) as discussed in the above section. During our analysis, we observed that the ability to predictably control the states of the FSMs generated by LFSRs/CAs decreases significantly with increase in output width and the seed size. Hence smaller DKGs have been used for the design as mentioned in detail in the next section.
• Key Detection Unit - The trigger assertion by the TG unit is used by the KDU to monitor the DI bits for logic value changes. For correct operation of the design, the KDU checks the DI values for two conditions, namely correctness and dynamicity.
– Correctness – The parity relationship between each DI transition must be ascertained and checked against the expected parity relationship. This is designed as a function f in the design. Based on the value of this function f, corruption is induced into the original circuit.
– Dynamicity – In addition to correctness, the KDU must ensure that the logic values on the DI bits changed on each trigger activation. Hence, this criterion along with correctness is checked to induce corruption into the original circuit.
This block induces corruption in the original circuit by inverting the logic values of the chosen signal in the design. Since some of these nets are connected to the state register bits, this inversion can cause state corruption of the design, leading to incorrect operation.
38 3.2 Dynamic Key Generator (DKG)
The DKG block is the primary contribution of this thesis. Methods to design the DKG unit were discussed in the following sections.
3.2.1 Basics of Finite State Machine
An FSM is defined using a set of factors namely a finite set of states in the cyclic order denoted by S, initial state or the seed value denoted by S0, total set of state transitions represented by δ all possible input combinations denoted by I and the primary output combinations denoted by P0 .
The FSM can switch from one state to another state depending on the value of the primary inputs and the current state value. The FSM can only be in one of the many finite states at any given time.
An FSM outputs a different value based on the inputs. This unique characteristic of the FSM is exploited to design the DKG unit. This is used to control the operation of other sub-circuits in the design, thus locking the original circuit. Two different to build the DKG are explained next section.
3.2.2 DKGL
There are two kinds of random number generators based on the concept of FSM:
1. True random number generator (TRNG)
2. Pseudo random number generator (PRNG)
True random number generator: They are based on physical phenomena such as electric noise, noise from the fan of a computer etc. to generate a random number. TRNGs take a long time to produce a particular value, thus making it inefficient.
39 But, upside to it is that it produces aperiodic sequences. Pseudo random number generator: PRNGs use a set of mathematical formulas to produce a sequence of state transitions also called pseudo random numbers. The upside of using PRNGs as opposed to TRNGs is that it takes lesser time to produce a pseudo random number, but it produces periodic sequences. That is, the sequence repeats after a definite interval. But, it takes less time to produce the pseudo random number compared to TRNGs. Due to this reason, the algorithm was implemented using PRNGs. The dynamic key sequences DS, a set of logical values were produced using Linear Feedback Shift Register (LFSR), a type of PRNG.
LFSR is used to construct the Dynamic Key Generator (DKG) Module. The DKG generates dynamic key sequences (DS), a finite cyclic order of logic values on the DI bits. DI bits are the output of the DKG module.
~ ~ ~ ~ Considering DS = DI1 , DI2 , ..., DIs , DI1 , .., where S is the number of ele- ments/states in the cyclic order, an intuitive method to generate a secure DS is to select unique pseudo-random dynamic key transitions such that no discernible rela- ~ ~ tionship exists between DIt and DIt−1 . This would ensure the production of ‘random’ ~ DS which would increase its security since the attacker cannot predict the DIt by ~ ~ observing DI1 , ..., DIt−1 .
However, this approach has a few disadvantages. The area overhead incurred by the digital logic required to generate such a DS can be large leading to increased cost. Furthermore, as discussed in the previous section, the KDU for such a sequence would also have to be complex and can further contribute to the cost concerns. Finally, a complex DS may require the detection unit to explicitly store information regarding the correct DI transitions, which can be potentially extracted by an intelligent attacker to partially or completely infer the DS.
40 To alleviate these concerns, our DKG implementation generates a more deter- ~ ~ ministic DS which guarantees that f (DIt−1 , DIt ) is identical for all values of t. A parity-checker is chosen as f for our implementation allowing the DKG overhead to remain low while generating a deterministic DS that can be checked by the KDU without leaking information about the DI transitions.
Two implementations of the DKG have been developed – LFSR-based DKG (DKGL) and Cellular Automata-based DKG (DKGC). During our analysis, we observed that the ability to predictably control the states of the FSMs generated by LFSRs/CA de- creases significantly with increase in output width and seed size. Therefore, we opted to develop smaller DKGs which are switched together to generate large DKGs with controllable states.
LFSR - Construction
LFSR used in the construction of DKGL is a serial-in parallel-out shift register whose state is a linear function of its previous state. It can be internal or external with XOR being the most commonly used linear function.
Figure 3.2: Generic LFSR Structure [14]
Typical LFSRs are expressed in finite field arithmetic using representative feedback polynomials. As already mentioned, exclusive-or is the most commonly used linear function of single bits in its design. The initial state S0 of the LFSR, known as the
41 seed, determines the stream of logic values produced by the register. Hence, a series of cyclic logic values and the sequence repeats when all the numbers are generated in the cycle. Polynomials which generate all the 2n − 1 possible combination are called primitive polynomials. Implementation of one such LFSR is given in Figure 3.2.
The example state transitions for the LFSR depicted in Figure 3.2 is illustrated in Figure 3.3. The FSM cycle covers all 16 states (4 bit state register) depending on the polynomial which is used in the construction of the LFSR.
It should be noted that for an n bit LFSR, not all linear functions or polynomials generate 2n − 1 possible logic values. Thus, we can say that LFSRs can generate unique set of sequences that can be used as the required DS. By applying a chosen seed value S0 and carefully selecting the register bits that are used as DIs, a stream of values with the required parity can be generated. That is, it is used to generate unique set of sequences that can be used as the required DS. According to the design, the sequences generated are contains either even, odd or switching parity sequences.
Figure 3.3: State transition diagram for LFSR shown in Fig 3.2
LFSR has certain disadvantages when using with a large polynomial, namely, the key detection unit (KDU) for such huge LFSRs need to be very complex which in turn would lead to huge area overhead. Hence, use the design of small LFSRs concatenated to form large LFSRs.
Figure 3.4 shows two 3-bit external LFSRs, that were used to create a 6-bit LFSR. The polynomial of the 3-bit LFSRs used here are
42 x3 + x2 + x + 1 (Non- primitive polynomial)
The powers of the variable x indicate which flip-flop outputs are used for Exclusive- OR linear function.
The LFSR depicted in Figure 3.4 can generate 4-bit sequences with even parity, odd parity and switching parity using the same 6-bit seed. This is done by carefully selecting the DI bits as outputs from the DKG block. Discussing the design illustrated in Figure 3.4 with an example:- Considering “011001” as the seed S0 value to the LFSR in the DKG, the logic sequence generated on the outputs bits of the LFSR (d0, d2, d3, d5) always hold even parity values whereas output bits (d0, d1, d3, d4) always hold odd parity values. Figure 3.5 is used to illustrate a DS for an even parity transition cycle for the seed “011001”. Output bits pulled out of taps (d0, d2, d3, d5) are always even and hence produce an even parity FSM. Similarly, figure 3.6 is used to illustrate a DS for an odd parity transition cycle for the same seed.
Figure 3.4: Two 3-bit External LFSR, DKGL Structure [6x4]
43 Figure 3.5: Even parity State transition [DS] for Seed S0 = “011001” [6e4 design]
Figure 3.6: Odd parity State transition [DS] for Seed S0 = “011001” [6o4 design]
44 Table 3.1: Dynamic Key Generator LFSR - Combinations
DKG Type DKGL Polynomial LFSR Type 4e3 (xˆ4 + xˆ3 + x + 1) Fibonacci 4o3 (xˆ4 + xˆ3 + x + 1) Fibonacci 4s3 (xˆ4 + xˆ3 + x + 1) Fibonacci 4e4 (xˆ4 + xˆ2 + x + 1) Galois 4o4 (xˆ4 + xˆ2 + x + 1) Galois 4s4 (xˆ4 + xˆ2 + x + 1) Fibonacci 6e3 (xˆ3 + xˆ2 + x + 1) X2 Fibonacci 6o3 (xˆ3 + xˆ2 + x + 1) X2 Fibonacci 6s3 (xˆ3 + xˆ2 + x + 1) X2 Fibonacci 6e4 (xˆ3 + xˆ2 + x + 1) X2 Fibonacci 6o4 (xˆ3 + xˆ2 + x + 1) X2 Fibonacci 6s4 (xˆ3 + xˆ2 + x + 1) X2 Fibonacci 8e3 (xˆ4 + xˆ4 + x + 1) X2 Galois 8o3 (xˆ4 + xˆ4 + x + 1) X2 Galois 8s3 (xˆ4 + xˆ4 + x + 1) X2 Galois 8e3 (xˆ4 + xˆ4 + x + 1) X2 Fibonacci 8o4 (xˆ4 + xˆ4 + x + 1) X2 Fibonacci 8s4 (xˆ4 + xˆ4 + x + 1) X2 Fibonacci
Figure 3.7: Switching parity State transition [DS] for Seed S0 = “011001” [6s4 design]
45 3.3 DKGC
A Cellular Automaton (CA) [15] is a collection of cells where each cell is in one of a finite number of states. The neighborhood of a cell indicates the cells that are placed adjacently next to the specified cell. The next state of a cell is determined by the current state of the cell and the states of the cells in its neighborhood based on a fixed rule. Starting from an initial state, the state of the CA is determined by the states of the individual cells which are in-turn governed by their rule.
As mentioned above, the cells evolve at each time step according some rule to obtain the next logic state value. For a time step 2, D flip-flops help realize the storage elements of the next state logic. In our case, we are using a group additive CA.
Group Additive CA: If next state logic generation employs only XOR/XNOR gates and it produces cyclic states, then it is called group additive CA.
Non-Group Additive CA: It may produce acyclic states by employing other logic gates apart from XOR/XNOR gates. This is called non-group additive CA.
We have employed group-additive CA structures for encryption. This facilitates easy and fully testable FSM synthesis due to its unique state transition properties [15]. The next state logic of each cell in the CA design is a function of XOR of the present and the neighboring states [35]. Two such rule configurations are defined below and are generically defined as:
t+1 t t t ai = f(ai−1, ai, ai+1)
t th where ai corresponds to the state of the i at time t and fi is the next state transition function. The rule configuration used in the construction of DKGC is given
46 by combinations of <50,61, 61, 61. . . > . The two rule configuration mainly use are defined as given below:
t t Rule 50: ai+1 = ai
t+1 t t Rule 61: ai = ai (xor) ai−1
Thus, Our CA-based DKG implementation uses cells configured with one of these rules to generate the DS. Figure 3.8 shows two 3-bit CA structures combined to form a 6-bit [6e3/6o3] CA structure. The rules used for the CA structure in Figure 3.8 is <50 61 50 61 61 61 >.
This particular design can generate 3-bit sequences with even parity, odd parity using the same structure and different 6-bit seed by carefully selecting the DI bits. Here, cells with the outputs d0 and d2 are configured with Rule 50 while the remaining cells are configured using Rule 61.
Figure 3.8: Two 3-bit CA based DKGC Structure [6e3, 6o3]
Discussing the design illustrated in Figure 3.8 with an example:- Considering
“101000” as the seed S0 value to the CA Structure in the DKG, if the outputs
47 of these cells namely (d0, d1, d3) are used as DI bits, then the resulting DS has a DI transition of opposite polarity, i.e. the CA is configured as a 6s3 DKG. Alternatively, if the output bits (d0, d1, d2, d3) are selected as DI bits, the resultant DKG created is of 6e4 type.
If the XOR gates feeding the cells (d0, d1, d4) are changed to XNOR gates, then the key value that produces the required rules is “011010”. The Dynamic State transitions (DS) are illustrated in Figure 3.9 and 3.10.
Similar to the DKGL construction, the cellular automata based state transitions can be used for 6e3, 6o3 and 6s4 DKG structures.
Figure 3.9: Even parity Dynamic State transition (DS) for Seed S0 = “101000” [6e3]
48 Figure 3.10: Odd parity Dynamic State transition (DS) for Seed S0 = “101000” [6o3]
Similar to DKGL, a total 18 DKGCs were developed – 4x3, 4x4, 6x3, 6x4, 8x3 and 8x4. For designs requiring larger seed sizes or DI bits, these DKGCs are used in various combinations to generate a complete DKG by stitching the smaller designs. The different combinations of Cellular Automata used are as mentioned below in Table 3.2
3.4 Experimental Setup
The strength of the proposed encryption methods were tested using a series of exper- iments listed below.
3.4.1 Benchmark Details
The robustness of the proposed encryption technique was tested using the benchmarks from ITC’99 benchmark suite given in Table 3.3. The benchmark suite has been divided into two groups. Group 1 majorly consists of designs having less than 50 sequential elements and less than 1000 total gates and Group 2 consists of designs with a total gate count of 1000 gates and sequential elements greater than 100.
49 Table 3.2: Dynamic Key Generator Cellular Automata - Combinations
DKG Type DKGC Rules 4e3 50 61 50 61 4o3 50 61 50 61 4s3 50 61 50 61 4e4 50 61 50 61 4o4 50 61 50 61 4s4 50 61 50 61 6e3 50 61 50 61 61 61 6o3 50 61 50 61 61 61 6s3 50 61 50 61 61 61 6e4 50 61 61 50 61 61 6o4 50 61 50 61 61 61 6s4 50 61 50 61 61 61 8e3 50 61 50 61 50 61 8o3 50 61 50 61 50 61 8s3 50 61 50 61 50 61 8e4 50 61 61 61 50 61 61 61 8o4 50 61 50 61 50 61 50 61 8s4 50 61 50 61 50 61 50 61
Also, the benchmark designs were simulated for a set of 10,000 input patterns to select the trigger. The state register bits in the design were monitored to check the occurrence of the chosen protected state also known as the trigger. The benchmarks listed in Table 3.3 were encrypted according to the methodology explained in Section- 3.1 and the results were observed and are presented in Section 3.4.
3.4.2 Attack Strategy for Benchmarks
SAT Attack [11] – Unroll Method [12]
Since, the circuit has sequential elements, it has to be unrolled to be attacked using the SAT tool [30] developed by [11]. In this case, the obfuscated circuit is unrolled, where the flip flops are replaced with buffers in the unrolled version to apply the Boolean satisfiability attack. The unroll count usually denotes the number of clock cycles for which the design needs to unrolled.
50 Table 3.3: ITC’99 Benchmark Circuit Description
Group 1 Bench Design Inputs Outputs DFF Logics Total Gates b01 4 2 5 45 86 b02 3 1 4 25 45 b03 6 4 30 150 385 b04 13 8 66 480 881 b05 3 36 34 608 1021 b06 4 6 9 66 86 b07 3 8 51 382 738 b08 11 4 21 168 227 b09 3 1 28 131 260 b10 13 6 17 172 311 b11 9 6 30 366 805 Group 2 b12 7 6 121 1000 2017 b13 12 10 53 309 402 b14 34 54 247 3461 8679 b15 37 70 447 6931 12458 b16 19 1 64 508 756 b17 38 97 1407 21191 37117 b18 37 30 3308 49293 91666 b19 47 40 6618 98726 174157 b20 34 22 494 7741 19107 b21 34 22 494 7931 18718 b22 34 22 709 12128 28128
51 Let unroll count represent the number of clock frames for which the design is being unrolled. These designs have been encrypted for key sizes 32, 64 and 128. The initial value of the unroll count starts with the value 2. Instead of increasing the value of the unroll count by 1, it is increased by powers of 2. The number of keys asked to return by the SAT tool [30] depends on the possibility of correct key space explored during encryption. For the smaller key size tested, that is 32 bits, the SAT tool was asked to return around 128 keys, also considering the correct key space. For bigger key size, the SAT tool was asked to return around 512 keys.
Also, the circuit was unrolled for cycles in the range 2 to 1024, depending on the key size. The attack time allotted for the decryption of the whole design was about a day or 24 hours. If the SAT tool failed to output the correct key value for a particular unroll count, then the value of unroll for the next iteration were doubled and the attack process was repeated. When the SAT attack outputs fewer keys than what was asked, we can infer from [11] that the attack is a successful one and hence the attack can be terminated. The correctness of the key returned by the tool can be verified by creating a miter circuit and feeding the key to functionally verify design using the Jasper Gold tool.
In the case where the SAT tool gave keys values which more than the number of keys requested, the unroll count is incremented and the attack process is repeated.
KC2 Attack Strategy [13]
The sequential circuit were fed to the NEOS tool [36] developed based on the concept proposed by the authors of [13]. The iteration count was varied according to the size of the benchmark and the number of sequential elements in each benchmark. The obfuscated circuit with sequential elements around 100 were tested for 150 iteration and the benchmark with higher sequential elements were tested for 250 iteration. The results obtained were noted and are presented in the next section.
52 3.5 Results
The encryption was carried out for key size of 64, 128 and 256 bits. The results for key size 64 bits have been shown in Table 3.4. The benchmarks were encrypted using the DKGL and DKGC encryption methods.
The encryption technique for a 64 bit keysize, locked the sequential circuits using static memory size of 56. Hybrid DKG insertion technique was followed where both DKGLs and DKGCs were used to construct the completed DKG. A total 18 DKGCs and DKGLs developed – 4x3, 4x4, 6x3, 6x4, 8x3, were combined according to the key size to form a complete DKG structure . For example, in 4x3, 6x3 and 8x3, 4, 6, 8 denote the static memory/seed sizes of the individual DKGLs and DKGCs whereas the DI width was selected to be 3. These individual DKGL and DKGC blocks selected, were stitched together to form the complete DKG structure according to the key size. The complete SLED architectures were formed to encrypt the circuits of ITC’99 benchmarks.
The parity of each logic value on the DI bits can be even, odd or switching. The DI widths ranged from 23 to 44, depending on the DKG structures selected. The DI widths obtained for each benchmark has been depicted in Table 3.4. It can be inferred from Table 3.4 that for the encryption of b01 benchmark, seven 3-bit sized DKG structures were selected and three 4-bit sized DKG structures were selected accounting to a total of 43-bit sized DI bits for encryption of the benchmark. Additionally, the DKG was designed to output 8-bit static keys (used in the KDU). A full comparator is chosen as the g function used in the TG unit.
These encrypted circuits were later attacked using the Sequential SAT attack [11] [12] and the KC2 attack for sequential circuits [13] and the results are shown in Table 3.5.
53 Table 3.4: DI width for each benchmark for 64-bit key size
Benchmark Gate Size b01 (3-7, 4-3) b02 (3-5, 4-4) b03 (3-3, 4-6) b04 (3-4, 4-6) b05 (3-6, 4-4) b06 (3-4, 4-5) b07 (3-3, 4-7) b08 (3-5, 4-2) b09 (3-7, 4-2) b10 (3-6, 4-5) b11 (3-7, 4-3) b12 (3-5, 4-3) b13 (3-5, 4-4) b14 (3-6, 4-4) b15 (3-5, 4-4) b20 (3-5, 4-5) b21 (3-8, 4-3) b22 (3-4, 4-5)
In Table 3.5, the column EncT highlights the encryption time taken for encrypt- ing each circuit in the benchmark suite. Column #Unr reports the unroll count that the SAT attacks took on the successful decryption of a benchmark circuit and #Itr reports the number of iterations that KC2 took on successful decryption of a benchmark circuit. Iterations for unsuccessful decryption of a benchmark were not reported. Attk highlights the amount of time taken by SAT and KC2 for the above discussed attack model. AOGC denotes the area overhead obtained on the basis of gate count difference between the original and encrypted file. AOS denotes the total cell area overhead obtained by synthesizing the original and encrypted Verilog designs using Synopsys Design Compiler with saed90nm technology library. POS de- notes the overall power overhead obtained by synthesizing the original and encrypted Verilog designs using ICC with saed90nm technology library. FV denotes the results obtained after functional verification of the circuit using Cadence JasperGold tool. A miter circuit had been created using the original and encrypted verilog designs, fed with the correct key values to verify if both the designs are equal on the application
54 Table 3.5: SLED method Encryption Results – KeySize 64 bits
of the correct key value.
The SAT attack algorithm was found to be unsuccessful in decrypting the bench- marks which belong to Group A within 24 hours. A few medium sized benchmarks were decrypted by the Seq-SAT and KC2 attacks within a very small number of iter- ations. Benchmark b04 was successfully decrypted by Seq-SAT and benchmarks b04 and b13 were successfully decrypted by the KC2 attack. SAT failed to the find the correct key for benchmarks b01, b03, b09 and KC2 failed to find the correct key for benchmarks b01, b02, b03, b05, b09, b13 even though the attack was able to complete within 24 hours. Benchmarks that were relatively medium and large sized are SAT and KC2 resilient with respect to details from the Table.
The result is in Table 3.5. Also it can be seen from Table 3.5 that the area overhead ranged from 80% for smaller benchmarks to 0% for larger designs. Also, both SeqSAT and KC2 attacks failed to find the correct key against 90% of the benchmarks.
SeqSAT attack - Additionally, increasing the unroll count for large benchmarks
55 Table 3.6: SLED method Encryption Results – KeySize 128 and 256 bits
56 for a larger number of clock cycles, makes the SAT solver to form a large CNF which faces memory allocation error leading the SAT to quit.
KC2- Similarly, by increasing the iteration count for large benchmarks for a larger number’ of clock frames, leads the NEOS tool [36] to construct a large CNF resulting in memory allocation error, thereby forcing KC2 to quit. This condition is highlighted in red in the plot corresponding to Table 3.5.
The bars highlighted in red indicate that the benchmark is sequential attack re- silient. The result is as shown in the plots. The information was gathered for 64-bit key size as listed in Table 3.5. Encryption time, area overhead calculated using gate count and decryption results by SAT and KC2 attacks for key size 128 and 256 bits are presented in Table 3.6.
Encryption time, Attack time plots have been depicted in lograthimic scale. The figures for Encryption time, Area Overhead due to Synthesis and Gate Counts, Attack time for SAT and KC2 have also been plotted below. The max iteration counts has also been plotted below.
57 Figure 3.11: Encryption time of benchmarks
Figure 3.12: Area Overhead – (Synthesis)
58 Figure 3.13: Area Overhead – (Gate Count)
Figure 3.14: Power Overhead – (ICC results)
59 Figure 3.15: Max Unroll Count for SAT attack
Figure 3.16: Max Iterations for KC2 attack
60 Figure 3.17: KC2 Attack – Decryption Time
Figure 3.18: SAT Attack – Decryption Time
The total encryption time observed for all the benchmarks tested was less than 6-7 minutes. These details have been plotted separately for each benchmark and shown
61 in Figure 3.11.
3.6 Summary
In this chapter, the construction of the DKG block has been discussed. The integration of the DKG module into the SLED architecture and an overview of the architecture was explained.
From the results obtained it is evident that the proposed encryption techniques offer SAT resiliency to 90% of the benchmark circuits except for a few smaller designs like (b04, b13 etc.). The circuits that were successfully decrypted took less than four hour by both SeqSAT and KC2.
The major drawback to the above proposed design is the high number of correct static key values. Due to the inherent nature of the LFSR/CA, there might be a large FSM state space. Each state from this state space can act as an initial value or static key value to the DKG which produces the correct DS and hence the correct DIs. The downside to this design is that, for smaller key size, there might be a lot of correct keys, almost about 70% of the whole key state space. This might result in easier decryption of the circuit. Methods to limit the correct initial seed to the DKG will be proposed in Chapter 4 and the results have been noted. Using these techniques, the correct key value has been reduced from 75% to about less than 5%.
62 Chapter 4
Methods to Limit Correct Key
It is evident from the results of the previous section that the SLED method is resilient to SeqSAT and KC2 attacks, but it has a drawback. It has a large number of correct key static values which act as the seed to the DKG, thus producing the correct DS and hence the correct DIs for every state from this state space. This could easily help the attacker identify the keys using brute force method. Another drawback which could be a consequence of this is the large area overhead incurred due to the introduction of a whole new module in the design to generate dynamic keys.
In this chapter we introduce two techniques to limit Kc. The first technique involves pruning of the correct keys state space to find unique key patterns. This key is selected by a random method and the selected key bits are ANDed with the trigger signal (which is the input to the DKG). Thus, the DKG produces dynamic key sequences only on the assertion of the conditional trigger signal. This technique is discussed in detail in Section 4.1.
The second technique involves the usage of a comparator to scrutinize the key space to obtain minimal correct keys. Similar to the previous technique, the obtained key is ANDed with the trigger signal (which is the input to the DKG). The DKG produces dynamic key sequences only when the key scrutinized is applied making the
63 conditional trigger signal high. This is discussed in detail in section 4.2.
4.1 Limiting Kc – Random Selection Method
Considering the design mentioned in Figure 3.8, this particular design can generate 4-bit sequences with even parity, odd parity and switching parity using the same 6-bit seed by carefully selecting the DI bits. Among the 18 possible combinations, we have considered the 6x4 design to illustrate the enhancement in the method. The model mentioned in Figure 3.8 is modified to accommodate the drawback of explosion in correct initial seed to the DKG.
This is done by ANDing the key bits of the key value with the trigger signal generated from the Trigger Generation Unit to enable appropriate working of the DKG. That is the TG, asserts a trigger on the occurrence of protected state within the original circuit. The output obtained by ANDing the trigger and the key bits of the random key value selected is called conditional trigger.
The criteria used to scrutinize the correct key value and to assert the conditional trigger is as mentioned. One particular key value from the entire key space that satisfies the condition of the FSM is randomly chosen from the list and tied to the trigger signal from the trigger generation unit. Only when that particular key value is set in the static memory, does the conditional trigger signal will go high. Thus, only when both these conditions are satisfied does the DKG produce the correct DS and hence the correct DI values. Otherwise, it either stays at the reset state or goes through a wrong DS, until the correct key value is given. Figure 4.1 illustrates the design.
64 Figure 4.1: Two 3-bit External LFSR, DKGL Structure using Method 1
Discussing the design illustrated in Figure 4.1 with an example :- Considering the state space of the correct key values be 011001, 010101, 110110, 11111. All these states could produce the correct dynamic sequence when given as the initial value/seed to the DKG module. This makes all four states the correct key values, leading to an explosion in the correct key state space with increase in key size. But we want one of these key values to be the correct key. That is, only when that particular key value is set in the static memory, will the conditional trigger go high. Thus, the key input selected by random means is ANDed with the trigger signal from the Trigger Generation Unit to produce a conditional trigger which determine appropriate working of the module depicted in Figure 4.1.
The DKG can generate 4-bit sequences with even parity, odd parity and switching parity using the same 6-bit seed only when the conditional trigger signal goes high. The parity based sequences are obtained by carefully selecting the DI bits.
For example, considering “011001” as the key input selected as the seed S0 to the LFSR in the DKG. That is the static memory value is set to “011001”. Only on the applying this particular key value and the occurrence of the chosen state (trigger
65 being high) will the conditional trigger hold a logic value of ‘1’, will the next correct value in the dynamic sequence be generated on the output bits of the LFSR, thus facilitating the correct functioning of the DKG.
As mentioned in the previous section, the output bits of the DKG module (d0, d2, d3, d5) always hold even parity values whereas the output bits (d0, d1, d3, d4) always hold odd parity values for this particular key. Similarly, for switching parity values, from the above we can infer that (DIt-1 and DIt are of opposite parity at t), hence, (d1, d3, d4, d5) generate switching parity values. This method effectively helped limit Kc to a great extent, making less than 5
4.2 Limiting Kc – Comparator Method
The second technique proposed to limit Kc involves the usage of a comparator to scrutinize the key space to obtain minimal correct keys. Similar to the previous technique, the obtained key is ANDed with the trigger signal (which is the input to the DKG). Thus, the conditional trigger goes high and the DKG produces dynamic key sequences only on when the key is applied. Figure 4.2 illustrate the design based on the comparator method.
Considering the state space of the correct key values be 011001, 010101, 110110, 11111. All these states could produce the correct dynamic sequence when given as the initial value/seed to the DKG module. This makes all four states the correct key values, leading to an explosion in the correct key state space with increase in key size. We want one of these key values to be the correct key in order for the conditional trigger to go high. In this method, a comparator is used to select the key input bits which is then ANDed with the trigger signal from the Trigger Generation Unit.
66 Figure 4.2: Two 3-bit External LFSR, DKGL Structure using Method 2
For example, considering this set 011001, 010101, 110110, 11111 of keys as men- tioned above. Here, the first three bits are grouped/termed as A and the next three bits are termed as B. Comparator logic is used to check the condition if A¿ B. Based on the comparison, one key “011001” satisfies this condition. This key is chosen as correct key static value. Using this method, the number of correct static key values has reduced from 4 to 1.
Since, “011001” selected is the only correct static key input for the seed S0 to the LFSR in the DKG, applying this key value alone will set the conditional trigger to logic ‘1’. This is then ANDed with the trigger signal for TG. Only when both the logic signals are asserted high will the correct logic sequence be generated on the outputs bits of the LFSR.
This method effectively helped limit Kc to a great extent, reducing the ratio of correct keys to almost one fourth per DKG structure as mentioned above. The exper- imental results for both these methods are discussed in the next section.
67 4.3 Comparison and Results
Table 4.1 and 4.2 shows the results obtained by encrypting the designs using the enhancement methods for the SLED architecture. Similar to the results obtained in Chapter 3, the encryption time, area overhead obtained using synthesis and area over head calculated using gate count, the power overhead and the attack time results for both SeqSAT and KC2 attack methods are tabulated. The circuits have also been functionally verified using the Cadence Jasper Gold tool.
Table 4.1 shows the results obtained for 64 bit key size using Method 1 (random selection of keys designed) to limit KC. The plots for this are given subsequently.
It can be noted from Table 4.1 that both SAT and KC2 attacks are unable to decipher the correct key for many smaller benchmarks in addition to medium and larger benchmarks within a span of 24 hours.
The encryption time observed for all the benchmarks seemed to vary between few milliseconds and was found to be less than 7-8 minutes. The details have been plotted separately as shown in Figure 4.3 for enhancement method M1. The area overhead due to synthesis and gate count seemed to increase from smaller benchmarks but has negligibly increased for medium sized and larger benchmarks. The results have been plotted for reference from Figure 4.4 to 4.9. The miter circuit was created using the original and encrypted benchmarks for functional verification using Cadence Jasper Gold tool.
4.3.1 Results
Table 4.1 describes the results obtained on encrypting the circuit using method 1 for 64bit key size.
68 Table 4.1: Limiting Kc – Method 1 Encryption Results - KeySize 64 bits
Figure 4.3: Encryption time of benchmarks
69 Figure 4.4: Area Overhead – (Synthesis)
Figure 4.5: Area Overhead – (Gate Count)
70 Figure 4.6: Max Unroll Count for SAT attack
Figure 4.7: Max Iterations for KC2 attack
71 Figure 4.8: KC2 Attack – Decryption Time
Figure 4.9: SAT Attack – Decryption Time
72 Table 4.2: Limiting Kc – Method 2 Encryption Results - KeySize 64 bits
Similarly Table 4.2 depicts the encryption details collected for the comparator method of limiting Kc.
Table 4.2 shows the results obtained for 64 bit key size using Method 2 (comparator based selection of keys) to limit KC. Similar to the enhancement Method 1, there has been a increase in area overhead for smaller benchmarks, but the overhead increase was found to negligible for medium sized and large circuits. Results shown in Table 4.2 confirm that the proposed method exhibits SAT resiliency for all the benchmarks tested. Results have been plotted below for reference.
73 Figure 4.10: Encryption time of benchmarks
Figure 4.11: Area Overhead – (Synthesis)
74 Figure 4.12: Area Overhead – (Gate Count)
Figure 4.13: Max Unroll Count for SAT Attack
75 Figure 4.14: Max Iteration Count for KC2 Attack
Figure 4.15: KC2 Attack - Decryption Time
76 Figure 4.16: SAT Attack – Decryption Time
4.3.2 Area and Power Overhead Comparison
Figure 4.17: Area Overhead Comparison(Gate Count) –SLED vs SLED-M1 VS SLED-M2
77 Figure 4.17 show the area overhead comparison obtained due to gate count for the normal SLED method and the two variations of DKG used to limit Kc. The the power overhead comparison is shown in Figure 4.18.
Figure 4.18: Power Overhead Comparison –SLED vs SLED-M1 VS SLED-M2
From the above plots, we can conclude that the area overhead ranges from 80% for larger benchmark to 0% for smaller benchmarks for the traditional method. It varies from 100% to 0% for the two variation introduced to limit Kc. Similarly, the power was under 30% for most circuits. From the above results, we can infer that there seems to be a trade off between the PPA constraints. Although LKc – M1 and M2 seems to increase area overhead for smaller and medium sized benchmarks compared to the traditional method proposed, these benchmarks seem to be SAT resilient in comparison to the benchmarks encrypted using the traditional method.
78 4.4 Summary
Two enhancements to the already existing SLED method was proposed to Limit Kc values. Both these methods helped reduce Kc to an enormous extent. Results obtained from attacking the encrypted circuit using the SAT attack confirms that the proposed method offers SAT resilience to smaller benchmarks as well to initially proposed SLED methods.
The encryption techniques were also compared for area overhead. The area over- head for the two enhancement methods introduce to limit Kc was observed to be slightly higher for smaller and medium sized benchmarks but there was observed to be a negligible increase in area for larger sized benchmarks in comparison to the area overhead incurred due the traditional method. We can infer that this seems to be a trade-off in the PPA constraint. More security is obtained at the expense of increase area.
79 Chapter 5
Conclusion and Future Work
5.1 Conclusion
In this thesis a novel technique to encrypt the sequential circuits was proposed. The encryption strategy generates a dynamic key sequence on the occurrence of a rare event or rare state selected from within the circuit. Two different methods for the design of the Dynamic Key Generator (DKG) were described. The DKG was designed using PRNGs using LFSR and Cellular Automaton concepts. The main aim of the concept proposed in this thesis is to generate Dynamic key Sequence (DS) as Dynamic Inputs (DIs) which is the output of the DKG module.
The DKG module is placed within a secure memory making it difficult for the attacker to access it. On encrypting the circuit with the basic SLED encryption technique, it was inferred that the technique is quite resilient to SAT and KC2 attacks. One major drawback was the large number of correct static keys (KC). This is due to the inherent nature of the FSM design structures used, where any key from the correct key state space if fed as seed to the DKG module could produce the correct dynamic sequence. Since these DKGs are concatenated according to the key size, the possibility and range of Kc increases exponentially. To overcome this limitation two methods which could limit Kc were proposed. These two methods were tested
80 against SAT and KC2 attacks. The results showed only two out of the 22 benchmarks were decrypted while the rest remained unattackable, proving that SLED is a robust sequential logic encryption technique.
The current implementation of this technique incurs a large area overhead for smaller benchmarks while the area and power overhead seem to be negligible. The area overhead of the Dynamic Key Generation unit constituting the primary component in the SLED architecture ranged from 80% for smaller benchmarks to 0% (no overhead) for larger circuits. The power overhead for most of the circuits stayed under 20%. It can be asserted that the SLED locking technique exhibits good attack resiliency with minimal cost overhead.
The vulnerability of SLED was reduced by the two variations introduced to Limit Kc using the random selection method and the comparator block added. This de- creases the ability of the attacker to reverse engineer the encrypted circuit by brute force, SAT or KC2 attacks, making the encryption efficient and robust.
5.2 Future Work
This section mentions some of the techniques that can be used to reduce the area over-head incurred and also provides better methods to produce Kc.
1. Better Approach to Limiting Kc - The downside to the current enhancement is the area over-head, although the design it is SAT- Resilient. The DKG design can be constructed more efficiently to select a particular static key input for the correct key value. This can help reduce the overhead caused by the comparator block used to limit Kc .
2. Designing an FSM with inherent Limited Kc - Designing an FSM using LFSR or CA with more unique properties which would help realize the state transitions with just one or two correct static key values from the entire state
81 space of correct keys. These keys acts as the correct keys without the conditional trigger logic used to limit Kc in the current method.
3. Constructing the DKG through signals within the circuit – It is well known that the RTL of the designs provide more information about the state space on comparison to a synthesized netlist. Finding an approach to construct the DKG block by exploiting the state space within the circuit(instead of cre- ating a new DKG module) to generate dynamic keys might yield better results and reduce area overhead.
5.3 Summary
In this chapter, we summarized the effectiveness and shortcomings of the encryption technique proposed, and we also summarize at potential future research scope.
82 References
[1] G. Moore, “Cramming more components onto integrated circuits, reprinted from electronics, volume 38, number 8, april 19, 1965, pp.114 ff.,” IEEE Solid-State Circuits Newsletter, vol. 20, pp. 33–35, 2006.
[2] “Nicolas mokhoff. semi industry fab costs limit industry growth. 2012..” [Online]. Available: http://www.eetimes.com/document.asp?doc_id=1264577..
[3] “Wikimedia commons. integrated circuit design. 2012..” [Online]. Available: https://commons.wikimedia.org/w/index.php?curid=18276753..
[4] S. Bhunia, M. S. Hsiao, M. Banga, and S. Narasimhan, “Hardware trojan at- tacks: Threat analysis and countermeasures,” Proceedings of the IEEE, vol. 102, no. 8, pp. 1229–1247, 2014.
[5] M. Rostami, F. Koushanfar, and R. Karri, “A primer on hardware security: Mod- els, methods, and metrics,” Proceedings of the IEEE, vol. 102, no. 8, pp. 1283– 1295, 2014.
[6] R. Quijada, A. RaventAs,˜ F. TarrA˜ c s, R. DurA,˜ and S. Hidalgo, “The use of digital image processing for ic reverse engineering,” in 2014 IEEE 11th Inter- national Multi-Conference on Systems, Signals Devices (SSD14), 2014, pp. 1– 4.
[7] F. Koushanfar, S. Fazzari, C. McCants, W. Bryson, P. Song, M. Sale, and M. Potkonjak, “Can eda combat the rise of electronic counterfeiting?” In DAC Design Automation Conference 2012, 2012, pp. 133–138.
[8] L. Mazur and M. Novotn´y,“Differential power analysis on fpga board: Bound- aries of success,” in 2017 6th Mediterranean Conference on Embedded Computing (MECO), 2017, pp. 1–4.
[9] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis of inte- grated circuit camouflaging,” in Proceedings of the 2013 ACM SIGSAC confer- ence on Computer & communications security, ACM, 2013, pp. 709–720.
[10] R. Jarvis and M. McIntyre., “Split manufacturing method for advanced semi- conductor circuits.,” 2007.
83 [11] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic encryp- tion algorithms,” in 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2015, pp. 137–143.
[12] Y. Kasarabada, S. Chen, and R. Vemuri, “On sat-based attacks on encrypted sequential logic circuits,” in 20th International Symposium on Quality Electronic Design (ISQED), 2019, pp. 204–211.
[13] K. Shamsi, M. Li, D. Z. Pan, and Y. Jin, “Kc2: Key-condition crunching for fast sequential circuit deobfuscation,” in 2019 Design, Automation Test in Europe Conference Exhibition (DATE), 2019, pp. 534–539.
[14] S. W. Golomb, “Shift register sequences – a retrospective account,” in Sequences and Their Applications – SETA 2006, 2006, pp. 1–4.
[15] B. Voorhees, “Additive cellular automata,” in Encyclopedia of Complexity and Systems Science, R. A. Meyers, Ed. New York, NY: Springer New York, 2009, pp. 63–80, isbn: 978-0-387-30440-3. doi: 10.1007/978- 0- 387- 30440- 3_4. [Online]. Available: https://doi.org/10.1007/978-0-387-30440-3_4.
[16] J. A. Roy, F. Koushanfar, and I. L. Markov, “Epic: Ending piracy of integrated circuits,” in 2008 Design, Automation and Test in Europe, 2008, pp. 1069–1074.
[17] M. Yasin, J. J. Rajendran, O. Sinanoglu, and R. Karri, “On improving the security of logic locking,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 35, no. 9, pp. 1411–1424, 2016.
[18] M. Yasin, B. Mazumdar, J. J. V. Rajendran, and O. Sinanoglu, “Sarlock: Sat attack resistant logic locking,” in 2016 IEEE International Symposium on Hard- ware Oriented Security and Trust (HOST), 2016, pp. 236–241.
[19] Y. Xie and A. Srivastava, “Anti-sat: Mitigating sat attack on logic locking,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Sys- tems, vol. 38, no. 2, pp. 199–207, 2019.
[20] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. J. Rajendran, and O. Sinanoglu, “Provably-secure logic locking: From theory to practice,” in Proceed- ings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, Texas, USA, 2017, pp. 1601–1618.
[21] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “Cyclic obfuscation for creating SAT-unresolvable circuits,” in Proceedings of the on Great Lakes Symposium on VLSI 2017, ACM, 2017, pp. 173–178.
[22] S. Roshanisefat, H. M. Kamali, and A. Sasan, “SRCLock: Sat-resistant cyclic logic locking for protecting the hardware,” in Proceedings of the 2018 on Great Lakes Symposium, ACM, 2018, pp. 153–158.
84 [23] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “Removal attacks on logic locking and camouflaging techniques,” IEEE Transactions on Emerging Topics in Computing, pp. 1–1, 2017.
[24] D. Sirone and P. Subramanyan, “Functional analysis attacks on logic locking,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2514– 2527, 2020.
[25] Y. Kasarabada, S. R. Thulasi Raman, and R. Vemuri, “Deep state encryption for sequential logic circuits,” in 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), 2019, pp. 338–343.
[26] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino, O. Sinanoglu, and R. Karri, “Fault analysis-based logic encryption,” IEEE Transactions on Comput- ers, vol. 64, no. 2, pp. 410–424, 2015.
[27] N. Karousos, K. Pexaras, I. G. Karybali, and E. Kalligeros, “Weighted logic locking: A new approach for ic piracy protection,” in 2017 IEEE 23rd Inter- national Symposium on On-Line Testing and Robust System Design (IOLTS), 2017, pp. 221–226.
[28] A. Biere, “Lingeling, plingeling and treengeling entering the sat competition 2013.”
[29] N. S¨orenssonand N. Een, “Minisat v1.13 - a sat solver with conflict-clause minimization. 2005. sat-2005 poster. 1 perhaps under a generous notion of “part- time”, but still concurrently taking a statistics course and leading a normal life,” Tech. Rep., 2002.
[30] “P. subramanyan, decryption tool binaries and benchmark circuits. 2015..” [Online]. Available: https : / / bitbucket . org / spramod / host15 - logic - encryption.
[31] M. Yasin, A. Sengupta, B. C. Schafer, Y. Makris, O. Sinanoglu, and J. J. Rajen- dran, “What to lock? functional and parametric locking,” in Proceedings of the on Great Lakes Symposium on VLSI 2017, New York, NY, USA: Association for Computing Machinery, 2017, 351–356, isbn: 9781450349727.
[32] R. S. Chakraborty and S. Bhunia, “Harpoon: An obfuscation-based soc design methodology for hardware protection,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 28, no. 10, pp. 1493–1502, 2009.
[33] J. Dofe and Q. Yu, “Novel dynamic state-deflection method for gate-level de- sign obfuscation,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 37, no. 2, pp. 273–285, 2018.
[34] S. Roshanisefat, H. M. Kamali, K. Zamiri Azar, S. M. Pudukotai Dinakarrao, N. Karimi, H. Homayoun, and A. Sasan, “Dfssd: Deep faults and shallow state
85 duality, a provably strong obfuscation solution for circuits with restricted access to scan chain,” in 2020 IEEE 38th VLSI Test Symposium (VTS), 2020, pp. 1–6. doi: 10.1109/VTS48691.2020.9107629.
[35] R. Karmakar, S. S. Jana, and S. Chattopadhyay, “A cellular automata guided ob- fuscation strategy for finite-state-machine synthesis,” in 2019 56th ACM/IEEE Design Automation Conference (DAC), 2019, pp. 1–6.
[36] “K. shamsi. neos decryption tool binarie. 2019..” [Online]. Available: https: //bitbucket.org/kavehshm/neos/..
86