Hide and Seek: Seeking the (Un)-Hidden Key in Provably-Secure Logic Locking Techniques

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY (2022)

Abstract
Logic locking is a holistic countermeasure that protects an integrated circuit (IC) from hardware-focused threats such as piracy of design intellectual property and unauthorized overproduction throughout the globalized IC supply chain. Out of the several techniques proposed by the hardware security community, provably-secure logic locking (PSLL) has acquired a foothold due to its algorithmic and provable-security guarantees. However, the security of these techniques is regularly questioned by attackers that exploit the vulnerabilities arising from the underlying hardware implementation. Unfortunately, such attacks (i) are predominantly specific to locking techniques and (ii) lack generality and scalability. This leads to a plethora of attacks, and researchers, especially defenders, find it challenging to ascertain the security of newly developed PSLL techniques. Additionally, there is no public repository of locked circuits that attackers can use to benchmark (and compare) their developed attacks. Driven by these challenges, we aim to develop a generalized attack that can recover the secret key across a breadth of PSLL techniques. To that end, we first categorize the existing PSLL techniques into two generic categories. Then, we extract functional and structural properties depending on the underlying hardware construction of the PSLL techniques and develop two attacks based on the concepts of VLSI testing and Boolean transformations. We evaluate our attacks on 30,000 locked circuits across 14 PSLL techniques, including nine unbroken techniques. Our attacks successfully recover the secret key (100% accuracy) for all the considered techniques. Further, our experimentation across different (i) technology libraries, (ii) commercial and academic synthesis tools, and (iii) logic optimization settings provides several interesting insights. For instance, our attacks can recover the secret key by only using the locked circuit when an academic synthesis tool is used.
Additionally, designers can use our attacks as a verification tool to ascertain the lower-bound security achieved by hardware implementations. Finally, we release our artifacts, which could help foster the development of future attacks and defenses in the PSLL domain.
Keywords
Security, Hardware, Integrated circuits, Resilience, Logic gates, Libraries, Foundries, Key recovery, provably secure logic locking