ATPG-Guided Fault Injection Attacks on Logic Locking
Ayush Jain, Tanjidur Rahman, Ujjwal Guin

TL;DR
This paper introduces a novel fault injection attack using ATPG tools to efficiently break logic locking by determining secret keys through differential fault analysis, highlighting vulnerabilities in current security measures.
Contribution
It presents a new fault-based attack method that leverages ATPG-generated test patterns to efficiently recover secret keys in logic-locked circuits.
Findings
One test pattern can determine one key bit.
The attack can break any logic-locked circuit.
The method is efficient and generic.
Abstract
Logic Locking is a well-accepted protection technique to enable trust in the outsourced design and fabrication processes of integrated circuits (ICs), where the original design is modified by incorporating additional key gates in the netlist, resulting in a key-dependent functional circuit. The original functionality of the chip is recovered once it is programmed with the secret key; otherwise, it produces incorrect results for some input patterns. Over the past decade, different attacks have been proposed to break logic locking, simultaneously motivating researchers to develop more secure countermeasures. In this paper, we propose a novel stuck-at fault-based differential fault analysis (DFA) attack, which can be used to break logic locking that relies on a stored secret key. This proposed attack is based on self-referencing, where the secret key is determined by injecting faults in the…
