Understanding Logic Locking

Preface
Contents
1 Basics of VLSI Design
	1.1 Introduction to VLSI Design
		1.1.1 Steps of VLSI ASIC Design Flow: Specification to Packaged IC
		1.1.2 EDAs, Equipment, and Entities in VLSI ASIC Design Flow
	1.2 Advances in VLSI Design: Horizontal Model
	1.3 Future of VLSI Design: What to Expect
	References
2 Basics of VLSI Testing and Debug
	2.1 Overview of VLSI Testing: Cost, Yield, and Quality
	2.2 Fundamentals of VLSI Testing: Fault Simulation to ATPGs
		2.2.1 Logic and Fault Simulation
		2.2.2 Testability Measures
		2.2.3 Combinational and Sequential ATPG
	2.3 Design for Testability: From Scan Chain to BIST
		2.3.1 Built-in-Self-Test (BIST)
	2.4 Design Testability and Security: Double-Edged Sword
	References
3 IP Protection: A Historical View
	3.1 The First (National to Global) Action for IP Protection
		3.1.1 The First Protection: Semiconductor Chip Protection Act (SCPA)
		3.1.2 From the US SCPA to International Acts
	3.2 Notable Cases Discussing the Violation of IP Protection
		3.2.1 A Simple Profit-Oriented Case: Smartphone Patent Wars
	3.3 The Importance of IP Protection Against Malicious Intentions
	References
4 Making a Case for Logic Locking
	4.1 Horizontal IC Supply Chain: Threats
		4.1.1 Technology Stealing: Reverse Engineering
		4.1.2 Illegal Reuse: Piracy and Overproduction
		4.1.3 Malicious Modification and Tampering: Hardware Trojan
		4.1.4 Information Leakage: Side-Channel Attack
	4.2 Physical Action: DfTr Countermeasure Solutions
		4.2.1 IP Encryption
		4.2.2 IP Watermarking and Fingerprinting
		4.2.3 IC Metering
		4.2.4 Split Manufacturing
		4.2.5 IC Camouflaging
	4.3 Why Logic Locking? What to Expect?
	References
5 Fundamentals of Logic Locking
	5.1 What Logic Locking Means in a Logic Circuit?
		5.1.1 Forming and Activating Logic Locking
	5.2 Characteristics of Logic Locking
		5.2.1 Abstraction Level(s) of Logic Locking
		5.2.2 Logic Locking Types
		5.2.3 Logic Locking (Key) Secret Size and Uniqueness
		5.2.4 Output Corruptibility in Logic Locking
		5.2.5 Logic Locking Overhead
	5.3 Security Evaluation of Logic Locking: Modeling the Threat
		5.3.1 Invasivity in De-obfuscation
		5.3.2 Obtaining Reference in De-obfuscation: Oracle
		5.3.3 Extra Access in De-obfuscation: DFT
		5.3.4 Priming the Design for De-obfuscation: Malicious Insertion
	References
6 Infrastructure Supporting Logic Locking
	6.1 Traditional View of Trust Enabled by Logic Locking
	6.2 A Big Assumption: Testing Before or After Activation?
	6.3 Forward Trust Required for Logic Locking
	6.4 Composition of Trusted Communication and Logic Locking
	6.5 Dummy Key-Based Testing for Logic Locking
		6.5.1 Improving the Quality of Dummy Keys for Testing
	References
7 Impact of Satisfiability Solvers on Logic Locking
	7.1 Fundamentals of SAT Solvers: From SAT to SMT to BMC
		7.1.1 Building SAT Problems and Solving Procedure
		7.1.2 Extension of SAT for Wider Set of Applications
		7.1.3 The Usage of SAT for Representing Logic Circuits
	7.2 SAT Solver for VLSI Design Testing
	7.3 Solvers Against Logic Locking: Building Algorithmic Attacks
		7.3.1 Assumptions in SAT/BMC Attack on Logic Locking
		7.3.2 Flow of SAT/BMC Attack on Logic Locking
	7.4 Challenges of SAT-/BMC-Based Attack on Logic Locking
	References
8 Post-satisfiability Era: Countermeasures and Threats
	8.1 A High-Level View on Defenses and Attacks: Pre- vs. Post-SAT
	8.2 Pre- vs. Post-SAT Logic Locking Countermeasures
		8.2.1 Primitive Logic Locking
		8.2.2 Point Function Logic Locking
			8.2.2.1 Compound Logic Locking
		8.2.3 Cyclic-Based Logic Locking
		8.2.4 LUT/MUX-Based Logic/Routing Locking
		8.2.5 FSM/Sequential Logic Locking
		8.2.6 Behavioral (Timing-Based) Locking
		8.2.7 High-Level Abstraction Logic Locking
		8.2.8 eFPGA-Based Logic Locking
	8.3 Pre- vs. Post-SAT Attacks on Logic Locking
		8.3.1 Oracle-Guided (OG) on Combinational Circuits
			8.3.1.1 OG Combinational ATPG-Based Attacks
			8.3.1.2 OG Combinational Algorithmic (SAT)-Based Attacks
			8.3.1.3 OG Combinational Structural/Functional Attacks
			8.3.1.4 Summary of OG Combinational Attacks
		8.3.2 Oracle-Guided (OG) on Sequential Circuits
			8.3.2.1 OG/OL Sequential on FSM Locking
		8.3.3 Oracle-Less (OL) Attacks on Logic Locking
			8.3.3.1 OL Structural Synthesis-Based Attacks
			8.3.3.2 OL Structural ATPG-Based Attacks
			8.3.3.3 OL Structural ML-Based Attacks
			8.3.3.4 OL Tampering Attacks
			8.3.3.5 OL Probing Attacks
			8.3.3.6 Summary of Oracle-Less (OL) Attacks
	References
9 Design-for-Testability and Its Impact on Logic Locking
	9.1 Why DFT Structure Must Be Protected?
		9.1.1 Post-SAT Logic Locking Countermeasures
	9.2 IC Testability Using DFT-Based Techniques
	9.3 Primitive Secure Scan Chain Architectures for Crypto
		9.3.1 Threat Models and Assumptions
		9.3.2 Flipping the Scan Chain Using Static InverterNetworks
		9.3.3 Feedback XOR in Scan Chain
		9.3.4 State-Dependent Scan Flip-Flop
		9.3.5 Scrambled Secure Scan
		9.3.6 Decoupling Sensitive Data Using Mirror Key Register
		9.3.7 Division of Scan Chain to Sub-chains withRandomness
		9.3.8 Partial Secure Scan Chain Architecture
	9.4 Advanced Secure Scan Chain Architectures for Logic Locking
		9.4.1 Threat Models and Assumptions
		9.4.2 Scan Chain Blockage vs. Scan Chain Locking
	9.5 Locking the Scan Chain in the Presence of Logic Locking
		9.5.1 Encrypt Flip-Flop
		9.5.2 Dynamically Logic Locking of the Scan Chain
		9.5.3 Attacks on Logic Locked Circuits with Restricted Scan
			9.5.3.1 Primitive Sequential SAT Attack
			9.5.3.2 KC2
			9.5.3.3 RANE
			9.5.3.4 ScanSAT on Both Static and Dynamic Scan Chain Logic Locking
		9.5.4 Dynamicity in Encrypt Flip-Flop Technique
		9.5.5 DynUnlock Attack: Breaking Dynamic Encrypt Flip-Flop
		9.5.6 Crypto Macros in Scan-Based Logic Locking
	9.6 Blocking the Scan Chain in the Presence of Logic Locking
		9.6.1 R-DFS: Robust Design for Security in Logic Locking
		9.6.2 Shift-and-Leak Attack on R-DFS
		9.6.3 mR-DFS: Modified Robust Design for Security
		9.6.4 mR-DFS Architectural Drawbacks
		9.6.5 kt-DFS: Key-Trapped Design for Security
		9.6.6 DisORC: Oracle Dishonesty with Scan Blockage: Key-Trapped Design for Security
		9.6.7 Comparison of Scan Blockage Techniques
	9.7 Comparison Between Scan Chain Locking/BlockingTechniques
	References
10 Emergence of Cutting-Edge Technologies on Logic Locking
	10.1 Probing Techniques and Its Impact on the Threats Models
		10.1.1 Tamper- and Read-Proof Memory
		10.1.2 Potential Adversaries in Probing-Based Attacks
	10.2 Overview of Probing Approaches at Circuit Level
		10.2.1 Contactless Probing
		10.2.2 Contact-Based Probing
	10.3 Misuse of Probing: Circuit Security Threats
		10.3.1 Probing-Based Attacks on FPGAs
		10.3.2 Probing-Based Attacks on ASICs
		10.3.3 Probing-Based Attacks on Memories
	10.4 A Case Study: Probing Attack on Logic Locking
		10.4.1 Main Steps of the Optical Probing Attack
		10.4.2 Experimental View: How Probing Breaks Logic Locking
			10.4.2.1 Probing Targeted Device: Microsemi PolarFire
			10.4.2.2 Key Extraction from the Targeted Device
	10.5 Challenges in Probing-Based Attacks
	10.6 Advanced Misuse of Probing: Observing to Modification
	References
11 Multilayer Approach to Logic Locking
	11.1 Abstraction Layers and Core Components of Logic Locking
		11.1.1 Key Storage Element
		11.1.2 Interconnects
		11.1.3 Key Delivery Unit
		11.1.4 Design-for-Test (DFT)
		11.1.5 Logic-Locked Hardware
	11.2 Defense in Depth: Multilayer Logic Locking
	11.3 Security Analysis of Core Components
		11.3.1 Vulnerabilities of the Key Storage Element
		11.3.2 Vulnerabilities of the Interconnects
		11.3.3 Vulnerabilities of the Key Delivery Unit
		11.3.4 Vulnerabilities of the DFT
		11.3.5 Vulnerabilities of the Logic Locking Technique
		11.3.6 Security Breach Through Hardware Trojan Insertion
		11.3.7 Summary of Vulnerabilities of the Core Components
	11.4 Detailed IC Supply Chain Threat Model Analysis
		11.4.1 Vulnerability Analysis in IC Supply Chain
		11.4.2 Potential Adversaries in IC Supply Chain
	11.5 Architecture for a Multilayer Defense-in-Depth Solution
	11.6 Security Measures of a Defense-in-Depth Architecture
	11.7 What Is Next in Logic Locking: Future Trend
	References
12 Logic Locking in Future IC Supply Chain Environments
	12.1 Vulnerabilities and Shortcomings of Logic Locking
		12.1.1 Lack of Formal Model
		12.1.2 Dynamic/Expanding Nature of Threat Modeling
		12.1.3 Cutting-Edge Technologies/Devices Against Logic Locking
		12.1.4 (Mis)use of Machine Learning over Logic Locking
	12.2 Possible Futuristic Directions in Logic Locking
		12.2.1 Security Evaluation of Logic Locking Using Formal Models
			12.2.1.1 Metric for Algorithmic Attacks
			12.2.1.2 Metric for Physical Attacks
			12.2.1.3 Metric for Structural Attacks
			12.2.1.4 From Metric to Method for Building Logic Locking
		12.2.2 Multilayer Logic Locking
		12.2.3 Logic Locking in Zero-Knowledge Environment
			12.2.3.1 Indiscernibility for Logic Locking
			12.2.3.2 Early-Stage Logic Locking
			12.2.3.3 Granularity of Adding Ambiguity via Logic Locking
	References
13 Locking Your IP: A Step-by-Step Guide
	13.1 A Top View on Logic Locking
	13.2 Implementing Logic Locking at Gate Level
		13.2.1 Building Gate-Level Representation: Logic Synthesis
		13.2.2 Required Conversion: The Usage of BENCH Format
		13.2.3 Gate-Level Logic Locking by SLE
		13.2.4 Gate-Level Logic Locking by NEOS
	13.3 Implementing Logic Locking at Register Transfer Level
		13.3.1 RT Level Logic Locking by ReTrustFSM
		13.3.2 RT Level Logic Locking by EvoLUTe
	13.4 Post Locking Verification: Equivalency Check
	13.5 Logic Locking Efficiency: Collecting PPA Overhead
	13.6 Pre-activation Test
	References
14 Security Evaluation of a Locked IP: A Step-by-Step Guide
	14.1 A Top View on De-obfuscation Attacks on Logic Locking
	14.2 Combinational De-obfuscation Attack on Logic Locking
		14.2.1 Input Format for Attack Vector
		14.2.2 Oracle-Guided Combinational Attack by SLD
		14.2.3 Oracle-Guided Combinational Attack by NEOS
	14.3 Sequential De-obfuscation Attack on Logic Locking
		14.3.1 Oracle-Guided Sequential Attack by RANE
			14.3.1.1 Assigning Solver for De-obfuscation
			14.3.1.2 The Support of Hierarchical Design for De-obfuscation
			14.3.1.3 Running Sequential De-obfuscation Equipped with JasperGold Formal Method
	14.4 Evaluation Metrics for De-obfuscation Attacks
	References
Index