Keywords

1 Introduction

Logic encryptionFootnote 1 hides the functionality and the implementation of a design by inserting additional gates into the original design [4,5,6]. In order for the design to exhibit its correct functionality (i.e., produce correct outputs), a valid key has to be applied to the encrypted design. The gates inserted for encryption are the key-gates. Upon applying a wrong key, the encrypted design will exhibit a wrong functionality (i.e., produce wrong outputs).

Example. Consider the circuit shown in Fig. 3.1 which is encrypted using key-gates K1 and K2. The inputs I1–I6 are the functional inputs, and K1 and K2 are the key-inputs connected to the key-gates. On applying the correct values of the keys (K1 \(=\) 0 and K2 \(=\) 1), the design will produce a correct output; otherwise, it will produce a wrong output.

Fig. 3.1
figure 1

a Original circuit. b A circuit encrypted using two key-gates K1 and K2 based on the technique proposed in [1]. By applying the input pattern 100000, an attacker can sensitize key-bits K1 and K2 to the outputs O1 and O2

Full size image
Fig. 3.2
figure 2

The top blue box represents the EPIC design flow [1]. The design is in the encrypted form in the untrusted design regime. In the untrusted regime, an attacker can obtain the encrypted netlist from (1) the IC design or by reverse engineering the (2) layout, (3) mask, or (4) a fabricated IC, and (5) the functional IC from the market. Using this attack, the attacker can get a deciphered netlist and make pirated copies

Full size image

EPIC [1] incorporates logic encryption into the IC design flow, as shown in Fig. 3.2. In the untrusted design regime, the IC is encrypted, and its functionality is not revealed. Post-fabrication, the IP vendor activates the encrypted design by applying the valid key. The key is stored in a tamper-evident memory inside the design to prevent access to an attacker.

Logic encryption prevents attacks such as piracy and hardware Trojans. Since the design is encrypted by the designer, the foundry cannot use any copies or overproduce ICs without the secret keys. Furthermore, it prevents an attacker from analyzing the structural behavior of the design, thereby hindering Trojan insertion.

Outline of the chapter. Section 3.2 explains the protocol on how logic encryption can be used in an IC supply chain, and Sect. 3.3 defines the threat model for logic encryption, listing out the capabilities of the attackers and their limitations. Section 3.4 lists the different security properties and metrics for logic encryption. Since its introduction in 2008, several attacks have been introduced against logic encryption. Section 3.5 details a set of attacks that enables an attacker to learn the correct outputs of the design, even when the design is subjected to logic encryption. In another set of attacks explained in Sect. 3.6, an attacker can learn the correct key used for logic encryption, by observing input–output pairs. Additionally, this section also explains the set of countermeasures against this class of attacks. Recently, new vulnerabilities due to an untrusted test facility have undermined the security of logic encryption. Unlike the previous attacks, this class of attacks relies only on the test patterns and responses. Section 3.7 details this class of attacks. Finally, there are several techniques that rely on the security offered by logic encryption, which are explained in Sect. 3.8. Section 3.9 concludes this chapter by comparing different attacks and their countermeasures.

2 Protocol

The protocol for logic encryption is as follows [1].

Step 1: The designer encrypts the design with a common key, CK. This is the key shown in Fig. 3.2. On applying CK, the encrypted design produces correct outputs. The target IC is then designed along with the encrypted design, a public key cryptographic algorithm (e.g., RSA) and an on-chip random number generator. The IC also has a master public key (Master-Pub). Master-Pub’s private pair is master private key (Master-Pri), which is not stored on-chip.

Step 2: The designer sends this design to the untrusted foundry, where the chip is manufactured. The manufactured chip is then sent to the designer.

Step 3: The designer activates the on-chip random number generator to generate a public–private key pair, RCK-Pub and RCK-Pri, respectively. RCK-Pub is known to everyone. The designer encrypts CK with MK-Pri and RCK-Pub. The resultant ciphertext is called input key (IK).

Step 4: IK is given to the user of this chip. The user applies IK to the chip to activate it. The public key cryptographic module within the chip decrypts IK with MK-Pub and RCK-Pri to obtain CK. The on-chip infrastructure applies CK to the encrypted design and makes the IC functional. This process is called activation. Since IK is encrypted with public–private key pairs, it does not reveal CK. Thus, the user may not be able to unlock (i.e., reverse engineer) the design, even if he is able to unlock his chip (i.e., make the IC functional).

Identifying MK-Pri and RCK-Pub will help an attacker to overproduce the ICs. An attacker does not need design to a new mask. He can reuse the existing mask and unlock them by determining their IKs using MK-Pri and RCK-Pub. Identifying CK will help an attacker to pirate the design and identify “safe” places in a design to insert TrojansFootnote 2. An attacker can extract the protected design (without the public key cryptographic algorithm and on-chip random number generator), unlock it using CK, create a new mask, and manufacture the pirated ICs. For the rest of this chapter, we will consider how an attacker can extract CK. We refer to CK as the “key.”

3 Threat Model

The attacker can be either in the foundry or be the end user. The objective of the attacker is to determine the secret keys used for logic encryption. By determining the keys, he/she can decipher the functional netlist, make pirated copies, and sell them illegally, thereby defeating the purpose of logic encryption. Furthermore, with the knowledge of the keys, he/she can analyze the structural behavior of the design, thereby inserting Trojans at “safe places.”

The attacker needs the encrypted netlist and a functional IC. He/she can obtain the encrypted netlist from (1) the IC design, or by reverse engineering the (2) layout, (3) mask, or (4) a manufactured IC as shown in Fig. 3.2. The functional IC, (5) in Fig. 3.2, is bought in the open market.

4 Security Properties and Metrics

In the rest of this chapter, we focus on security of logic encryption assuming that the common key (CK) is the most critical security asset. Indeed, if CK is compromised, the attacker learns the IC’s intended functionality, thus compromising the designer’s IP and opening the door to hardware Trojan insertion. Furthermore, we note that even though the EPIC protocol does protect against overbuilding even if CK is compromised (each chip is activated only after the designer supplies the chip-specific IK), a determined attacker can still overbuild ICs using a new mask in which CK is hardwired to its compromised value. Such an attack is easily within the range of capabilities of a foundry attacker.

To thwart these attacks, a logic encryption technique has to satisfy the following properties:

  1. 1.

    Correctness. A logic encryption technique should produce a correct output upon applying the correct key. If it produces an incorrect output upon applying the correct key, the encrypted IC/design will violate the design specification, and the design will be considered “defective.”

  2. 2.

    Resilient against output-guessing attacks . A logic encryption technique should prevent an attacker from guessing the correct outputs from previously observed input–output pairs. To thwart such attacks, the output entropy upon applying the wrong key should be maximized. In other words, the Hamming distance between the outputs of the design upon applying the incorrect key should be 50%, as this value maximizes the entropy [4].

  3. 3.

    Entanglement. One should not be able to remove the key-gates from the protected circuit. Otherwise, an attacker can remove the key-gates, analyze the unprotected components, and obtain the original design.

  4. 4.

    Resilient against key-guessing attacks . A logic encryption technique should prevent an attacker from guessing the correct key value from previously observed input–output pairs. To thwart such attacks, key-gates should be inserted such that the number of input–output pairs required to obtain the key value is exponential to the size of the key.

  5. 5.

    Overhead. The logic encryption technique should aim to minimize area, delay, and power overheads, but not at the expense of the security objectives listed above.

5 Thwarting Output-Guessing Attacks

In logic encryption, different combinational logic elements are inserted in a circuit to conceal the functionality of a design. These elements can be XOR/XNOR gates [1, 4, 5, 9], AND/OR gates [6], MUXes [3, 4], or a combination of these elements [10]. One of the inputs to these gates serves as a key-input, which is a newly added signal driven by a tamper-evident on-chip memory. Unless the correct key is loaded onto the on-chip memory, a design will not work correctly. The activation of a encrypted IC can be conducted either prior to or after the manufacturing test. Secure communication infrastructure is needed if the keys are to be loaded remotely onto the chip [9, 11].

EPIC [9] is a logic encryption framework which inserts XOR/XNOR gates, referred as key-gates, such that these gates have minimal impact on circuit delay. One can configure these gates as buffers or inverters using these key-inputs. The insertion of the gates is done after logic synthesis and before physical synthesis. The design can then be resynthesized. If the key-gates were left as such without any other modifications to the circuit, the key-bits could be extracted by inspecting if a key-gate is XOR or XNOR. To eradicate such a simple deduction analysis of the key-gate types and the key values, the netlist can be synthesized such that the XOR/XNOR key-gates are replaced with other gates like AND/OR/NAND, or the inverters in the design can be moved around to change the polarity of the key-gates.

Since EPIC inserts the key-gates based on only delay overhead as a constraint, there is no guarantee that an incorrect key produces incorrect output for all the input patterns. Rajendran et al. [4, 5] developed a method, based on the principles of VLSI testing, that inserts XOR/XNOR gates or MUXes to achieve controllable corruption of the output bits. This technique maximizes the Hamming distance between the correct output and the incorrect outputs on applying a random incorrect key.

Testing principle-based insertion of key-gates Key-gates should be inserted in such a way that any wrong key causes a wrong output. This is similar to the situation where a circuit produces a wrong output when it has a fault that has been excited and propagated to the outputs. The following observations relate logic encryption and fault analysis in IC testing. These observations are used to insert XOR/XNOR gates.

Fault excitation: Application of a wrong key can be associated with the activation of a fault. For a wrong key, either a stuck-at-0 (s-a-0) or a stuck-at-1 (s-a-1) fault will get excited when key-gates are used for encryption.

Consider the C17 circuit (from the ISCAS’85 benchmark set) encrypted with one XOR gate (E1) as shown in Fig. 3.3(b). Here, E1 is the key-gate. If a wrong key (K1 \(=\) 1) is applied to the circuit, the value of net B is the negated value of net A. This is the same as exciting an s-a-0 (when A \(=\) 1) or an s-a-1 (when A \(=\) 0) fault at the output of G7 as shown in Fig. 3.3(a). Please note that s-a-0 (s-a-1) fault activation can be attributed to the case where the net in question is supposed to yield a value of 1 (0) during the functional mode of operation.

Fig. 3.3
figure 3

Relation between logic encryption and IC testing: a fault excitation, b propagation, and c masking

Full size image

Fault propagation: Not all wrong keys can corrupt the output as the effects of a wrong key may be blocked for some of the input patterns. This is similar to the scenario where not all input patterns can propagate the effect of a fault to the output [12].

Consider the circuit shown in Fig. 3.3(b). Let a wrong key (K1 \(=\) 1) be applied to the circuit. For the input pattern 00000, an s-a-0 fault gets excited at the output of E1 and propagates to both outputs. The value at the output of E1 is 0 instead of 1, and the output is 11 instead of 00. For the input pattern 01110, even though the s-a-0 fault gets excited at the output of E1, the output is 11, which is the correct output, as the fault effects have been blocked.

To propagate the effect of an excited fault, in our case the wrong key, non-controlling values should be applied to the other inputs of the gates that are on the propagation path of the fault. Since not all input patterns guarantee the non-controlling values on the fault propagation path, a wrong key will not always corrupt the output.

Fault masking: Inserting a single key-gate and applying a wrong key are equivalent to exciting a single stuck-at fault. Likewise, inserting multiple key-gates and applying a wrong key are equivalent to simultaneously exciting multiple stuck-at faults. However, when multiple faults are excited, they might mask one another. Therefore, in logic encryption, when multiple key-gates are inserted, the effect of one key-gate might mask the effect of other key-gates.

Consider the encrypted circuit shown in Fig. 3.3(c). When the key-bits are 000, the correct functional output is 00 for the input pattern 00000. However, if the key-bits are 111 (wrong key), the effect introduced by the XOR gate, E1, is masked by the XOR gates E2 and E3. Consequently, the design produces the correct output, 00. Similar to fault masking in IC testing, the effect of one XOR gate is masked by the effect of the other two XOR gates.

Fault impact. To insert an XOR/XNOR as a key-gate, one needs to determine the location in the circuit where, if a fault occurs, it can affect most of the outputs for most of the input patterns. To determine this location, one uses fault impact defined by Eq. 3.1. From a set of test patterns, one can compute the number of patterns that detect the s-a-0 fault (\(NoP_0\)) at the output of a gate Gx and the total number of output bits that get affected by that s-a-0 fault (\(NoO_0\)). Similarly, \(NoP_1\) and \(NoO_1\) for s-a-1 faults are computed.

$$\begin{aligned} \text {Fault impact = } (NoP_0 \times NoO_0) + (NoP_1 \times NoO_1) \end{aligned}$$
(3.1)

By inserting an XOR/XNOR key-gate at the location with the highest fault impact, an invalid key will likely have the most impact on the outputs (i.e., the wrong out-puts appear), indirectly enabling the logic encryption technique to reach the 50% Hamming distance metric.

Improving fault analysis-based insertion. XOR/XNOR key-gates are combined with MUX key-gates to achieve a Hamming distance closer to 50% [10]. Dupuis et al. [6] propose a technique that inserts AND/OR key-gates to minimize the number of low controllability locations in a circuit, making it difficult to insert hardware Trojans in the circuit.

6 Key-Guessing Attacks

Multiple attacks have been presented against existing logic encryption techniques. The objective of an attacker is to figure out the key used for encryption of the circuit [3, 10, 13]. These attacks assume that the attacker has access to an encrypted netlist and a functional IC, on which one can apply inputs and observe outputs. There are two main types of attacks — key propagation and SAT attacks — that are described below:

6.1 Key Propagation Attacks [13]

The value of an key-bit can be determined if it can be sensitizedFootnote 3 without being masked/corrupted by the other key-bits and/or inputs. By observing the output, the value of sensitized key-bit can be determined, given that other key-bits (similar to unknown X-sourcesFootnote 4) do not interfere with the sensitized path.

Once an attacker determines an input pattern that sensitizes the key-bit to an output without any interference, it is applied to the functional IC, i.e., the IC with the correct keys. Now, this pattern will sensitize the correct value of the key-bit to an output. An attacker can observe this output and resolve the value of the key.

Example: Consider the key-input K1 in Fig. 3.1. It will be sensitized to output O1 if the value at the other input of gate G6 is 0 (non-controlling value for an OR gate). This can be achieved by setting I1 \(=\) 1, I2 \(=\) 0, and I3 \(=\) 0. As the attacker has access to the functional IC, he/she can apply this pattern and determine the value of K1 on O1. For example, if the value of O1 is 0 for that input pattern, then K1 \(=\) 0; otherwise, K1 \(=\) 1.

6.2 Boolean Satisfiability (SAT) Attacks [13, 14]

The SAT attack iteratively rules out incorrect key values using distinguishing input patterns (DIPs). A distinguishing input pattern \(X_d\) is an input value for which at least two different key values, k1 and k2, produce differing outputs, o1 and o2, respectively. Since o1 and o2 are different, at least one of the key values or both of them are incorrect. It is possible for a single DIP to rule out multiple incorrect key values.

Fig. 3.4
figure 4

Miter-like circuit to determine DIPs [13]

Full size image

The DIPs are found by constructing a miter-like circuit as illustrated in Fig. 3.4. The primary inputs are common to the two copies of the encrypted circuit, while the key-inputs are left independent. The corresponding outputs of the two circuits are XORed and then ORed to generate diff signal. The conjunctive normal form (CNF) of the resultant circuit is generated and passed to a SAT solver. The SAT solver finds a DIP \(X_d\) for which diff = 1, i.e., the outputs of the two circuits are different. \(X_d\) is applied to the functional IC, and correct output \(I_{d}\) is obtained. The input–output pair \((X_d,I_{d})\) is used to identify incorrect key values.

Fig. 3.5
figure 5

SAT attack on logic encryption [13]

Full size image
Fig. 3.6
figure 6

Logic encryption using XOR/XNOR gates [1]. The correct key value is 110. This technique is vulnerable to SAT attack [13]

Full size image
Fig. 3.7
figure 7

Analysis of the SAT attack against logic encryption [13]. Columns k0–k7 show the encrypted circuit’s output for different key values. Red entries in each row denote an incorrect output. The correct key is k6

Full size image

A single pattern may not rule out all incorrect keys. Hence, an iterative process is used in the SAT attack, as shown in Fig. 3.5. A new pair \((X_d,I_{d})\) is added to the SAT formula in each iteration, and the SAT formula is updated. The generated DIP is applied to the functional IC, and the set of keys that results in an incorrect output is eliminated. The attack is successful when no further DIP is found, which implies that all incorrect key values have been pruned. Example. Let us consider the application of the SAT attack on the encrypted example circuit in Fig. 3.6. Figure 3.7 presents the output of the original circuit in column Y and the output of the encrypted circuit for different key values in the following columns. For three key-inputs, there are eight possible key values, which are represented as k0, k1,..., k7. When the SAT attack is launched on the encrypted circuit, it takes four DIPs to identify the correct key [13]. In iteration 1, the DIP 011 is used. For this DIP, the key value k4 alone produces a wrong output as highlighted in red. Thus, only one incorrect key is ruled out in the first iteration. In the second and third iterations, key values k1 and k7 are ruled out, using the patterns 111 and 101, respectively. The pattern 100, used in the fourth iteration, eliminates all incorrect keys and the attack successfully identifies the correct key as k6.

The attack could have succeeded in the first iteration with a single DIP 100, if this input pattern was tried first. Thus, the execution time of the attack depends on the order in which the input patterns are applied for the SAT attack. The SAT attack, however, chooses the DIPs arbitrarily [13]. The larger the number of incorrect key values ruled out per DIP, the fewer the patterns needed for the attack, which implies a smaller execution time of the attack algorithm.

6.3 Countermeasures to Attacks

Countermeasures to Key Propagation Attacks

In order to thwart key propagation attacks, key-gates are inserted such that an attacker cannot propagate the output of a single key-gate [15]. This way, the observed output value is a function of multiple key-gates. Key-gates are inserted such that their sensitization path is blocked by each other. Such key-gates form a “clique.” As the size of the clique increases, the attacker’s effort increases.

Example. Consider the circuit shown in Fig. 3.8 which is the same functional circuit shown in Fig. 3.1, but the two key-gates K1 and K2 are at different locations. Here, if the attacker has to propagate the effect of either of the keys, then one has to force a “0” (non-controlling value of NOR gates) on the other input of G4. In order to force this value, one has to control the key-inputs, which are inaccessible. Thus, one cannot propagate the effect of a key to an output, failing to determine the values of the key.

Fig. 3.8
figure 8

A circuit encrypted using two key-gates K1 and K2 based on the technique proposed in [15]. This prevents key propagation attacks

Full size image

To break this scheme, the attack proposed in [10] targets the logic cones with the smallest number of key-inputs and recovers the secret key by employing brute force. The process is then repeated for the remaining logic cones in the circuit, sorted in an increasing order by the logic cone size. To increase the complexity, the number of MUX key-gates is increased to increase the size of the logic cone.

Countermeasure to SAT-Based Attacks [16]

To thwart this attack, clique-based insertion is used along with a cryptographic primitive called one-way random functions (ORFs) [17]. ORFs, such as AES with a fixed secret key, prevent an attacker from determining the inputs from the output [18]. First, the designer synthesizes an AES design with a fixed secret key (unknown to the attacker). The resultant design implements a random function. Then, he applies a randomly selected input to the AES with the fixed secret key, which serves as the key for logic encryption. The output of the AES (with fixed secret key) is connected to a subset of XOR/XNOR key-gates added for logic encryption. The designer knows the fixed secret key to the AES and the input applied to AES, and he can configure the key-gates as XOR/XNORs accordingly. This technique is illustrated in Fig. 3.9. The original netlist is encrypted with \(K = K1 + K2\) number of key-bits. K1 key-inputs of the encrypted netlist are connected to the output of the AES (with fixed secret key) circuit, and the remaining K2 key-inputs are connected to the on-chip memory.

This modified scheme will now withstand the SAT attack. A property of the AES is that it is computationally infeasible to determine the inputs of AES from its outputs when the key is unknown [18]. Thus, one cannot backtrace from the outputs of the design and determine the inputs to the AES. In other words, the input to the AES is the secret key for logic encryption.

The limitation of this scheme is it assumes the function-to-be-protected is an unknown logic. Thus, it cannot protect against known functions, because an attacker can “carve out” the logic implemented by the known function. It also assumes that the AES with a fixed key implements a random function. When this random function is cosynthesized with the target unknown function, an attacker cannot classify whether a given gate in the resultant design is part of the random function or the function-to-be-protected.

Fig. 3.9
figure 9

ORF-based countermeasure against SAT-based attacks. K1 out of K key-inputs in the encrypted netlist is connected to the ORF circuit

Full size image

7 Impact of Testing on Logic Encryption

7.1 Motivation

Each fabricated chip goes through a manufacturing test that screens out the defective chips. Design for testability (DfT) engineers target generating test patterns that maximize the fault coverage, minimize test pattern count, and reduce test power consumption [19]. The state-of-the-art logic encryption frameworks pursue two different activation models, pretest and post-test activations, that differ in the time of activation of an IC with respect to the manufacturing test. The two models are illustrated in Fig. 3.10 and highlighted in red and green colors, respectively.

Fig. 3.10
figure 10

Logic encryption and IC activation in the IC design flow. Pretest activation and post-test activation models

Full size image

Pretest activation. The ICs are activated prior to the manufacturing test, typically conducted in the foundry or outsourced to an OSAT. Since the IP owner does not want to reveal the secret key to the untrusted foundry, on-chip public key cryptographic infrastructure [1] is used to load the secret key securely on the chip. On passing the manufacturing test, the ICs are shipped for assembly/sales directly from the foundry, which is useful in meeting time-to-market constraints.

Post-test activation. The ICs are activated after performing the manufacturing test. Either remote activation [20] or in-house activation [21] can be employed. In-house activation requires shipping of the encrypted IC from the foundry to the trusted facility, eliminating the need for on-chip cryptography.

Evolving business and threat models. Fabless and fab-lite are the evolving business models for semiconductor companies [22]. Fabless companies, such as Apple Inc., outsource IC fabrication (to Samsung and TSMC [23]), testing, and assembly services. Fab-lite companies such as TI [22] may outsource IC fabrication (to SMIC [24]) and testing, but conduct packaging and assembly in-house. Given the above business models, Apple may activate the ICs remotely using pretest activation, and TI may activate the ICs in-house using post-test activation. However, the test and security implications of these scenarios have never been studied.

7.2 Pretest Activation

In pretest activation, the secret key is loaded onto the IC prior to the manufacturing test. The manufacturing test can be conducted in the foundry or a separate test facility (OSAT [25]). Since an IP owner wants to protect the secret key from being exposed to either the foundry or the OSAT, he can load the secret key securely on the chip using public key cryptography infrastructure. Such infrastructure can incur significant area overhead [1].

As the test is to be conducted with the key in place, the secret key values are applied as constraints on the key-inputs during the test generation phase, which can impact the test quality and costs, as well as the security of logic encryption.

7.2.1 Threat Model

The attacker is a person in the foundry or test facility with access to the following:

  1. 1.

    An encrypted netlist \(E_{K}\), which can be obtained by reverse engineering  [26] or IP piracy  [27].

  2. 2.

    Test stimuli T and responses \(\varGamma \).

Impact on Security

To highlight the security vulnerabilities of pretest activation, we develop a test data mining attack that can reveal the secret key used in pretest activation of logic encryption.

Attack methodology. During the test pattern generation phase, a DfT engineer will apply the correct key \(K_{corr}\) as a constraint and obtain a set of test patterns that maximize fault coverage.

An attacker can therefore apply the test stimuli as input constraints and the test responses as output constraints and search for the potentially correct key \(K_{P}\) that maximizes the fault coverage under the specified constraints. The attack is an optimization problem: The objective is to maximize the fault coverage FC under the test stimulus T and test response \(\varGamma \) constraints, as follows:

$$\begin{aligned} \begin{aligned}&{\text {maximize}} \quad FC\\&\text {subject to}&\underset{1 \le i \le N}{\forall } E_{K} (K_{P},T_{i}) = \varGamma _{i} \; \\&{\text {solve for}} \; \quad K_{P} \end{aligned} \end{aligned}$$
(3.2)

The rationale for the attack to return the correct key is that the test patterns have been generated with the objective of maximizing the fault coverage in the presence of the correct key as a constraint. When the same set of test patterns are used as constraints, the key that maximizes the fault coverage will be the one that is used to generate the patterns.

Equation 3.2 formulates a system of Boolean equations which can be solved using techniques such as Boolean satisfiability (SAT) or integer linear programming (ILP) [28]. Test generation (ATPG) algorithms are capable of solving a system of Boolean equations while maximizing the fault coverage at the same time; ATPG is, therefore, a natural candidate for solving the optimization problem in Eq. 3.2. The complexity of the attack is NP-hard [29].

Let us consider the netlist shown in Fig. 3.8. When the correct key value \(K_{corr} = 00\) is used as a constraint, eight test patterns are generated by the ATPG tool as listed in Table 3.1. An attacker will launch the attack described in Eq. 3.2 by applying the test stimuli and responses as constraints and search for the potential key \(K_{P}\) that maximizes the fault coverage. The only key \(K_{P}\) that maximizes the fault coverage and satisfies these test pattern constraints is 00, and the corresponding fault coverage is \(82.43\%\). None of the other key values satisfies the test pattern constraints.

Table 3.1 Test patterns (pretest activation) for the netlist in Fig. 3.8. The correct key \(K_{corr}\) is used as a constraint during ATPG
Full size table

7.3 Post-test Activation

In post-test activation, the manufacturing test is conducted on an encrypted IC with the rationale that manufacturing test is a “structural” test and that the chip need not be functional during the test. The IC can be activated post-test in one of the following ways:

  1. 1.

    After manufacturing test, defect-free ICs are shipped to a trusted facility, activated by the IP owner, and shipped out for sale.

  2. 2.

    Tested ICs can also be activated remotely, similar to the case of pretest activation, via public key cryptography infrastructure [30].

Impact on security. In post-test activation, both test pattern generation and manufacturing test are conducted in the absence of the secret logic encryption key. Any analysis performed by the attacker will only reveal these arbitrary key values and not the secret key value. Therefore, post-test activation has no detrimental impact on the security of logic encryption.

7.4 Hill Climbing Attack

The hill climbing search-based attack [21] uses test data information to guess the secret key for pretest activated ICs. The attack tries to achieve zero Hamming distance \(HD_{O}\) between the test response and the encrypted circuit, for multiple random key guesses. The individual bits in the initial key guess are flipped if the flip minimizes the Hamming distance \(HD_{O}\).

Example. Consider the circuit shown in Fig. 3.8 and the test patterns shown in Table 3.1. In iteration 1, the hill climbing attack starts with a random key value, say 00. With this key value, the test patterns are applied and the responses are collected. The cumulative Hamming distance between the collected responses and the responses from the test set is calculated. In this case, it is 12. Now, one of the key-bits will be flipped, say the new key is 01. The cumulative Hamming distance between the collected responses and the responses from the test set is now reduced to 6. Since there is a reduction in the cumulative Hamming distance, the second bit is retained as 1. Now, the remaining bit is flipped (key \(=\) 00) and the cumulative Hamming distance is 0. Thus, the attacker identifies that 00 is the correct key.

8 Other Techniques Based on Logic Encryption

Logic encryption is used not only in the context of IP protection, but also in other applications as well. Two of them are described below:

8.1 Secure Split Test (SST) [20, 30]

An untrusted test facility can mark a defective IC, which failed the test, as a good quality one. Consequently, a designer unknowingly sells low-quality ICs, spoiling his reputation. Further, a test facility can also label “good” ICs as “faulty” ICs and sell them in the black market. Such an attack is possible only when the attacker (malicious tester) can identify whether an IC is defective or not. In order to prevent this attack, a designer should hide the test responses. For this purpose, the test infrastructure should be protected. Logic encryption aids in protecting the test infrastructure, thereby hiding the correct responses.

8.2 Securing Processor Architectures [31]

Modern processors are equipped with several security modules to aid detection and prevention of attacks. These modules usually inform the processor pipeline about the attack through a signal, which is carried by a wire. Unfortunately, such wires are susceptible to Trojan attacks, enabling an attacker to modify the target signal value at will. Detecting a Trojan that modifies a single wire is difficult. Consequently, he can launch traditional software attacks and still go undetected.

To prevent such attacks, logic encryption encrypts a processor module and stores the key within a security module. The security module, instead of sending the signal, sends the correct key to unlock a processor pipeline, when it does not detect an attack. When it detects an attack, it sends a wrong key, resulting in an incorrect computation. Since the size of Trojan required to mask/modify a multibit key is bigger than the one required to modify a single wire, such Trojans can be easily detected.

Table 3.2 A comparison of the attacks against logic encryption
Full size table

9 Conclusion

Logic encryption is an emerging technique to thwart IP piracy , reverse engineering , and hardware Trojans. Initially, most of the techniques proposed in the literature are based on VLSI testing principles. However, recent attacks have broken these techniques, even though the complexity of those techniques is NP-hard. Researchers are now trying to adopt concepts from cryptography and apply them to logic encryption.

Table 3.2 summarizes the different attacks and their countermeasures on logic encryption. Clique-based insertion of key-gates can prevent sensitization attacks but is susceptible to SAT attacks. Strong logic encryption can prevent both SAT and sensitization attacks, but it is applicable only for random unknown logic. Test data mining attack is applicable only when the attacker has access to test patterns and responses, which are generated for the correct key; they can be prevented by post-test activation.