TGA: An Oracle-less and Topology-Guided Attack on Logic Locking

Due to the outsourcing of semiconductor design and manufacturing, a number of threats have emerged in recent years, and they are overproduction of integrated circuits (ICs), illegal sale of defective ICs, and piracy of intellectual properties (IPs). Logic locking is one method to enable trust in this complex IC design and manufacturing processes, where a design is obfuscated by inserting a lock to modify the underlying functionality so that an adversary cannot make a chip to function properly. A locked chip will only work properly once it is activated by programming with a secret key into its tamper-proof memory. Over the years, researchers have proposed different locking mechanisms primarily to prevent Boolean satisfiability (SAT)-based attacks, and successfully preserve the security of a locked design. However, an untrusted foundry, the adversary, can use many other effective means to find out the secret key. In this paper, we present a novel oracle-less and topology-guided attack denoted as TGA. The attack relies on identifying repeated functions for determining the value of a key bit. The proposed attack does not require any data from an unlocked chip, and eliminates the need for an oracle. The attack is based on self-referencing, i.e., it compares the internal netlist to find the key. The proposed graph search algorithm efficiently finds a duplicate function of the locked part of the circuit. Our proposed attack correctly estimate a key bit very efficiently, and it only takes few seconds to determine the key bit. We also present a solution to thwart TGA and make logic locking secure.