Logic locking protects an IC from threats such as piracy of design IP and unauthorized overproduction throughout the IC supply chain. Out of the several techniques proposed by the research community, provably-secure logic locking (PSLL) has acquired a foothold due to its algorithmic and provable-security guarantees. However, the security of these techniques is questioned by attackers that exploit the vulnerabilities arising from the hardware implementation. Such attacks (i) are predominantly specific to locking techniques and (ii) lack generality and scalability. This leads to a plethora of attacks, and defenders find it challenging to ascertain the security of newly developed PSLL techniques. Additionally, there is no repository of locked circuits that attackers can use to benchmark (and compare) their attacks. In this work, we develop a generalized attack that can recover the secret key across different PSLL techniques. To that end, we extract functional and structural properties depending on the hardware construction of the PSLL techniques and develop two attacks based on the concepts of VLSI testing and Boolean transformations. We evaluate our attacks on 30,000 locked circuits across 14 PSLL techniques, including nine unbroken techniques. Our attacks successfully recover the secret key (100% accuracy) for all the techniques. Our experimentation across different (i) technology libraries, (ii) synthesis tools, and (iii) logic optimization settings provides interesting insights. For instance, our attacks recover the secret key by only using the locked circuit when an academic synthesis tool is used. Additionally, designers can use our attacks as a verification tool to ascertain the lower-bound security achieved by hardware implementations. We shall release our artifacts, which could help foster the development of future attacks and defenses in the PSLL domain.