Scaling Attacks on Large Logic-Locked Designs

Researchers have developed numerous strategies to alleviate the threat of malicious third-party foundries, including logic locking and its numerous sophisticated variants for hardware intellectual property (IP) protection. Recent work at the register-transfer level has opened the door to “large-scale” locking of large IPs (comprising thousands of gates) with hundreds to thousands of key bits. Recent security evaluation of such techniques treats the locked design as a monolith and has suggested that large logic-locked designs are practically secure, even from powerful SAT-based attacks. In this work, we challenge such findings by proposing and evaluating a novel algorithmic method to de-obfuscate large logic-locked circuits by attacking a set of small sub-circuit cones. The algorithm chooses a sub-optimal set of sub-circuit cones and proposes an attack sequence on these cones by leveraging the observation that each locking key-bit is distributed across multiple sub-circuit cones of varying sizes. This Divide And Conquer SAT (DACSAT) attack framework can de-obfuscate large designs, like an AES IP comprising 300,000 gates, logic-locked with up to 50,000 keys in around 3600 seconds, while an out-of-the-box, state-of-the-art SAT attack tool fails.