Hide and Seek: Seeking the (Un)-Hidden Key in Provably-Secure Logic Locking Techniques
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 9-16-2022, DOI: 10.1109/tifs.2022.3207361
Satwik Patnaik 1 , Nimisha Limaye 2 , Ozgur Sinanoglu 3

Logic locking is a holistic countermeasure that protects an integrated circuit (IC) from hardware-focused threats such as piracy of design intellectual property and unauthorized overproduction throughout the globalized IC supply chain. Out of the several techniques proposed by the hardware security community, provably-secure logic locking (PSLL) has acquired a foothold due to its algorithmic and provable-security guarantees. However, the security of these techniques is regularly questioned by attackers that exploit the vulnerabilities arising from the underlying hardware implementation. Unfortunately, such attacks (i) are predominantly specific to locking techniques and (ii) lack generality and scalability. This leads to a plethora of attacks, and researchers, especially defenders, find it challenging to ascertain the security of newly developed PSLL techniques. Additionally, there is no public repository of locked circuits that attackers can use to benchmark (and compare) their developed attacks. Driven by these challenges, we aim to develop a generalized attack that can recover the secret key across a breadth of PSLL techniques. To that end, we first categorize the existing PSLL techniques into two generic categories. Then, we extract functional and structural properties depending on the underlying hardware construction of the PSLL techniques and develop two attacks based on the concepts of VLSI testing and Boolean transformations. We evaluate our attacks on 30,000 locked circuits across 14 PSLL techniques, including nine unbroken techniques. Our attacks successfully recover the secret key (100% accuracy) for all the considered techniques. Further, our experimentation across different (i) technology libraries, (ii) commercial and academic synthesis tools, and (iii) logic optimization settings provides several interesting insights. For instance, our attacks can recover the secret key by only using the locked circuit when an academic synthesis tool is used. Additionally, designers can use our attacks as a verification tool to ascertain the lower-bound security achieved by hardware implementations. Finally, we release our artifacts, which could help foster the development of future attacks and defenses in the PSLL domain.

Updated: 2024-08-26