The outsourcing of the design and manufacturing of integrated circuits has raised severe concerns about the piracy of intellectual property and illegal overproduction. Logic locking has emerged as an obfuscation technique to protect outsourced chip designs, where the circuit netlist is locked and becomes functional only once a secure key is programmed. However, Boolean Satisfiability-based attacks have been shown to break logic locking, simultaneously motivating researchers to develop more secure countermeasures. In this paper, we present a novel fault injection attack to break any locking technique that relies on a stored secret key, and denote this attack as AFIA, ATPG-guided Fault Injection Attack. The proposed attack is based on sensitizing a key bit to the primary output while injecting faults at a few other key lines that block the propagation of the targeted key bit. AFIA is very effective in determining a key bit, as there exists a stuck-at fault pattern that detects a stuck-at 1 (or stuck-at 0) fault at any key line. The average number of injected faults for AFIA is linear in the key size, and the attack requires only |K| test patterns to determine a secret key, K. AFIA requires fewer injected faults to sensitize a bit to the primary output than the 2|K|-1 faults needed by the differential fault analysis attack [26].