破壞與修正（CAC）邏輯鎖定是一種硬體安全技術，旨在保護 IC/IP 設計免受 IP 盜版、逆向工程、過度生產和未經授權的使用。此方法通過插入額外的電路來保護電路。它首先使用破壞/擾動單元來破壞原始電路的功能，然後使用修正/恢復單元將電路修復回其正確的功能。只有在應用正確的密鑰時，電路才能保持其正確功能。

破壞與修正 (CAC) 邏輯鎖定可以分為兩種類型：單次翻轉鎖定技術（SFLTs），如 Anti-SAT 和 SARLock，以及雙次翻轉鎖定技術（DFLTs），包括 TTLock、SFLL-HD、SFLL-flex、SFLL-fault 和 SFLL-rem。儘管這些技術都能抵禦 SAT 攻擊，但它們仍然易遭受到結構性攻擊，這些攻擊利用邏輯合成工具留下的結構痕跡來恢復被加密的電路，使其回到原始形態。

在本文中，我們提出了一種僅使用 OFF-set 來破壞電路的新方法。此方法有助於將額外加入的電路更好地與原始電路融合，從而抵擋結構性攻擊，同時保持對 SAT 攻擊的抵抗力。此外，我們證明了我們提出的方法相較於之前的方法可以減少功能剝奪電路的面積。實驗結果顯示，我們提出的方法在面積開銷上比 SFLL-rem 的 4.13% 達到了更低的 2.61%。

Corrupt-and-Correct (CAC) Logic Locking is a hardware security technique designed to protect IC/IP designs from IP piracy, reverse engineering, overproduction, and unauthorized use. This method secures circuits by inserting additional circuitry. It first employs a corrupt/perturb unit to strip the functionality of the original circuit, then uses a correct/restore unit to flip the output back to its correct functionality. The circuit retains its correct functionality only when the correct key is applied.

CAC Logic Locking can be categorized into two types: Single Flip Locking Techniques (SFLTs) such as Anti-SAT and SARLock, and Double Flip Locking Techniques (DFLTs) including TTLock, SFLL-HD, SFLL-flex, SFLL-fault, and SFLL-rem. Although these techniques are resilient to SAT-based attacks, they remain vulnerable to structural attacks, which exploit structural traces left by the synthesis tool to recover the encrypted circuit back to its original form.

In this paper, we will propose a new method that uses only the OFF-set to corrupt the circuit. This approach helps the added circuitry better merge with the original circuit, thereby thwarting structural attacks while maintaining resilience to SAT-based attacks. Additionally, we demonstrate that our proposed method can reduce the area of the functionality stripped circuit compared to previous methods. Experimental results show that our proposed method achieves a lower area overhead of 2.61% compared to SFLL-rem, which exhibits 4.13%.

Acknowledgements
摘要 i
Abstract ii
1 Introduction 1
2 Previous Work 4
2.1 Corrupt-and-Correct Logic Locking . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Structural Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3 Properties 8
3.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1.1 Logic Locking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1.2 Logic Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1.3 Design for Testability . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2 Properties of OFF-set Only Corrupting Unit . . . . . . . . . . . . . . . . . . . 11
4 Using OFF-set to Corrupt Circuit 20
4.1 Design Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.2 Finding Protected Input Pattern P IP . . . . . . . . . . . . . . . . . . . . . . . 21
5 Security Analysis 26
5.1 Boolean Satisfiability (SAT) Attack . . . . . . . . . . . . . . . . . . . . . . . 26
5.2 Sparse Prime Implicant (SPI) Attack . . . . . . . . . . . . . . . . . . . . . . . 27
5.3 Valkyrie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
6 Experimental Results 30
6.1 Effectiveness of Area Overhead Using ABC . . . . . . . . . . . . . . . . . . . 30
6.2 Effectiveness of PPA Overhead Using Commercial EDA Tool . . . . . . . . . 31
6.3 Comparison with Existing CAC Locking Techniques . . . . . . . . . . . . . . 35
6.3.1 Comparison Using HIID . . . . . . . . . . . . . . . . . . . . . . . . . 35
6.3.2 Comparison with SFLL-rem [1] . . . . . . . . . . . . . . . . . . . . . 38
6.4 Effectiveness of SAT and Valkyrie Attacks . . . . . . . . . . . . . . . . . . . . 38
7 Conclusions and Future Work 41
References 42

[1] A. Sengupta, M. Nabeel, N. Limaye, M. Ashraf, and O. Sinanoglu, “Truly stripping functionality for logic locking: A fault-based perspective,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 39, no. 12, pp. 4439–4452, 2020.
[2] A. Kahng, J. Lach, W. Mangione-Smith, S. Mantik, I. Markov, M. Potkonjak, P. Tucker, H. Wang, and G. Wolfe, “Watermarking techniques for intellectual property protection,” in Proceedings 1998 Design and Automation Conference. 35th DAC. (Cat. No.98CH36175), pp. 776–781, 1998.
[3] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis of integrated circuit camouflaging,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS ’13, (New York, NY, USA), p. 709–720, Association for Computing Machinery, 2013.
[4] F. Imeson, A. Emtenan, S. Garg, and M. Tripunitara, “Securing computer hardware using 3d integrated circuit (IC) technology and split manufacturing for obfuscation,” in 22nd USENIX Security Symposium (USENIX Security 13), (Washington, D.C.), pp. 495–510, USENIX Association, Aug. 2013.
[5] P. Tuyls, G.-J. Schrijen, B. Škorić, J. van Geloven, N. Verhaegh, and R. Wolters, “Read-proof hardware from protective coatings,” in Cryptographic Hardware and Embedded Systems - CHES 2006 (L. Goubin and M. Matsui, eds.), (Berlin, Heidelberg), pp. 369–383, Springer Berlin Heidelberg, 2006.
[6] J. A. Roy, F. Koushanfar, and I. L. Markov, “Epic: Ending piracy of integrated circuits,” in 2008 Design, Automation and Test in Europe, pp. 1069–1074, 2008.
[7] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri, “Security analysis of logic obfuscation,” in DAC Design Automation Conference 2012, pp. 83–89, 2012.
[8] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino, O. Sinanoglu, and R. Karri, “Fault analysis-based logic encryption,” IEEE Transactions on Computers, vol. 64, no. 2, pp. 410–424, 2015.
[9] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri, “Security analysis of logic obfuscation,” in DAC Design Automation Conference 2012, pp. 83–89, 2012.
[10] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of logic encryption algorithms,” in 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 137–143, 2015.
[11] M. Yasin, B. Mazumdar, J. J. V. Rajendran, and O. Sinanoglu, “Sarlock: Sat attack resistant logic locking,” in 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 236–241, 2016.
[12] Y. Xie and A. Srivastava, “Anti-sat: Mitigating sat attack on logic locking,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 38, no. 2, pp. 199–207, 2019.
[13] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “Removal attacks on logic locking and camouflaging techniques,” IEEE Transactions on Emerging Topics in Computing, vol. 8, no. 2, pp. 517–532, 2020.
[14] X. Xu, B. Shakya, M. M. Tehranipoor, and D. Forte, “Novel bypass attack and bdd-based tradeoff analysis against all known logic locking attacks,” in Cryptographic Hardware and Embedded Systems – CHES 2017 (W. Fischer and N. Homma, eds.), (Cham), pp. 189–210, Springer International Publishing, 2017.
[15] M. Yasin, B. Mazumdar, J. J. V. Rajendran, and O. Sinanoglu, “Ttlock: Tenacious and traceless logic locking,” in 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 166–166, 2017.
[16] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. J. Rajendran, and O. Sinanoglu, “Provably-secure logic locking: From theory to practice,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17, (New York, NY, USA), p. 1601–1618, Association for Computing Machinery, 2017.
[17] A. Sengupta, M. Nabeel, M. Yasin, and O. Sinanoglu, “Atpg-based cost-effective, secure logic locking,” in 2018 IEEE 36th VLSI Test Symposium (VTS), pp. 1–6, 2018.
[18] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “Security analysis of anti-sat,” in 2017 22nd Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 342–347, 2017.
[19] D. Sirone and P. Subramanyan, “Functional analysis attacks on logic locking,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2514–2527, 2020.
[20] Z. Han, M. Yasin, and J. J. Rajendran, “Does logic locking work with EDA tools?,” in 30th USENIX Security Symposium (USENIX Security 21), pp. 1055–1072, USENIX Association, Aug. 2021.
[21] N. Limaye, S. Patnaik, and O. Sinanoglu, “Valkyrie: Vulnerability assessment tool and attack for provably-secure logic locking techniques,” IEEE Transactions on Information Forensics and Security, vol. 17, pp. 744–759, 2022.
[22] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “Appsat: Approximately deobfuscating integrated circuits,” in 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 95–100, 2017.
[23] Y. Shen and H. Zhou, “Double dip: Re-evaluating security of logic encryption algorithms,” in Proceedings of the Great Lakes Symposium on VLSI 2017, GLSVLSI ’17, (New York, NY, USA), p. 179–184, Association for Computing Machinery, 2017.
[24] A. Sarabi, N. Song, M. Chrzanowska-Jeske, and M. A. Perkowski, “A comprehensive approach to logic synthesis and physical design for two-dimensional logic arrays,” in Proceedings of the 31st Annual Design Automation Conference, DAC ’94, (New York, NY, USA), p. 321–326, Association for Computing Machinery, 1994.
[25] R. K. Brayton and A. Mishchenko, “Abc: An academic industrial-strength verification tool,” in International Conference on Computer Aided Verification, p. 24–40, 2010.
[26] NanGate, “Nangate freepdk45 open cell library.” http://www.nangate.com/?page_id=2325.
[27] L. Aksoy, “Hiid: A logic locking tool.” https://github.com/leventaksoy/HIID.
[28] H. K. Lee and D. S. Ha, “On the generation of test patterns for combinational circuits,” Tech. Rep. 12_93, Virginia Polytechnic Institute and State University, Department of Electrical Engineering, 1993.
[29] F. Corno, M. Reorda, and G. Squillero, “Rt-level itc’99 benchmarks and first atpg results,” IEEE Design & Test of Computers, vol. 17, no. 3, pp. 44–53, 2000.
[30] F. Almeida, L. Aksoy, Q.-L. Nguyen, S. Dupuis, M.-L. Flottes, and S. Pagliarini, “Resynthesis-based attacks against logic locking,” in 2023 24th International Symposium on Quality Electronic Design (ISQED), pp. 1–8, 2023.