44 research outputs found
KRATT: QBF-Assisted Removal and Structural Analysis Attack Against Logic Locking
This paper introduces KRATT, a removal and structural analysis attack against
state-of-the-art logic locking techniques, such as single and double flip
locking techniques (SFLTs and DFLTs). KRATT utilizes powerful quantified
Boolean formulas (QBFs), which have not found widespread use in hardware
security, to find the secret key of SFLTs for the first time. It can handle
locked circuits under both oracle-less (OL) and oracle-guided (OG) threat
models. It modifies the locked circuit and uses a prominent OL attack to make a
strong guess under the OL threat model. It uses a structural analysis technique
to identify promising protected input patterns and explores them using the
oracle under the OG model. Experimental results on ISCAS'85, ITC'99, and HeLLO:
CTF'22 benchmarks show that KRATT can break SFLTs using a QBF formulation in
less than a minute, can decipher a large number of key inputs of SFLTs and
DFLTs with high accuracy under the OL threat model, and can easily find the
secret key of DFLTs under the OG threat model. It is shown that KRATT
outperforms publicly available OL and OG attacks in terms of solution quality
and run-time
SALSy: Security-Aware Layout Synthesis
Integrated Circuits (ICs) are the target of diverse attacks during their
lifetime. Fabrication-time attacks, such as the insertion of Hardware Trojans,
can give an adversary access to privileged data and/or the means to corrupt the
IC's internal computation. Post-fabrication attacks, where the end-user takes a
malicious role, also attempt to obtain privileged information through means
such as fault injection and probing. Taking these threats into account and at
the same time, this paper proposes a methodology for Security-Aware Layout
Synthesis (SALSy), such that ICs can be designed with security in mind in the
same manner as power-performance-area (PPA) metrics are considered today, a
concept known as security closure. Furthermore, the trade-offs between PPA and
security are considered and a chip is fabricated in a 65nm CMOS commercial
technology for validation purposes - a feature not seen in previous research on
security closure. Measurements on the fabricated ICs indicate that SALSy
promotes a modest increase in power in order to achieve significantly improved
security metrics
A Security-aware and LUT-based CAD Flow for the Physical Synthesis of eASICs
Numerous threats are associated with the globalized integrated circuit (IC)
supply chain, such as piracy, reverse engineering, overproduction, and
malicious logic insertion. Many obfuscation approaches have been proposed to
mitigate these threats by preventing an adversary from fully understanding the
IC (or parts of it). The use of reconfigurable elements inside an IC is a known
obfuscation technique, either as a coarse grain reconfigurable block (i.e.,
eFPGA) or as a fine grain element (i.e., FPGA-like look-up tables). This paper
presents a security-aware CAD flow that is LUT-based yet still compatible with
the standard cell based physical synthesis flow. More precisely, our CAD flow
explores the FPGA-ASIC design space and produces heavily obfuscated designs
where only small portions of the logic resemble an ASIC. Therefore, we term
this specialized solution an "embedded ASIC" (eASIC). Nevertheless, even for
heavily LUT-dominated designs, our proposed decomposition and pin swapping
algorithms allow for performance gains that enable performance levels that only
ASICs would otherwise achieve. On the security side, we have developed novel
template-based attacks and also applied existing attacks, both oracle-free and
oracle-based. Our security analysis revealed that the obfuscation rate for an
SHA-256 study case should be at least 45% for withstanding traditional attacks
and at least 80% for withstanding template-based attacks. When the 80\%
obfuscated SHA-256 design is physically implemented, it achieves a remarkable
frequency of 368MHz in a 65nm commercial technology, whereas its FPGA
implementation (in a superior technology) achieves only 77MHz
Evaluating Architectural, Redundancy, and Implementation Strategies for Radiation Hardening of FinFET Integrated Circuits
In this article, authors explore radiation hardening techniques through the design of a test chip implemented in 16-nm FinFET technology, along with architectural and redundancy design space exploration of its modules. Nine variants of matrix multiplication were taped out and irradiated with neutrons. The results obtained from the neutron campaign revealed that the radiation-hardened variants present superior resiliency when either local or global triple modular redundancy (TMR) schemes are employed. Furthermore, simulation-based fault injection was utilized to validate the measurements and to explore the effects of different implementation strategies on failure rates. We further show that the interplay between these different implementation strategies is not trivial to capture and that synthesis optimizations can effectively break assumptions about the effectiveness of redundancy schemes
An Area Aware Accelerator for Elliptic Curve Point Multiplication
This work presents a hardware accelerator, for the optimization of latency and area at the same time, to improve the performance of point multiplication process in Elliptic Curve Cryptography. In order to reduce the overall computation time in the proposed 2-stage pipelined architecture, a rescheduling of point addition and point doubling instructions is performed along with an efficient use of required memory locations. Furthermore, a 41-bit multiplier is also proposed. Consequently, the FPGA and ASIC implementation results have been provided. The performance comparison with state-of-the-art implementations, in terms of latency and area, proves the significance of the proposed accelerator