Unraveling Latch Locking Using Machine Learning, Boolean Analysis, and ILP

Dake Chen¹, Xuan Zhou¹, Yinghua Hu¹, Yuke Zhang¹, Kaixin Yang¹, Andrew Rittenbach², Pierluigi Nuzzo¹, Peter Beerel³
¹ University of Southern California, ² USC Information Sciences Institute, ³ Univ. of Southern California


Abstract

Logic locking has become a promising approach to provide hardware security in the face of a possibly insecure fabrication supply chain. While many techniques have focused on locking combinational logic, an alternative latch-locking approach in which the sequential elements are locked has also gained significant attention. Latch locking duplicates a subset of the flip-flops (FFs) of a design, retimes these FFs and replaces them with latches, and adds two types of decoy latches to obfuscate the netlist. It then adds control circuitry such that all latches must be correctly keyed for the circuit to function correctly. This paper presents a two-phase attack on latch-locked circuits that uses a novel combination of deep learning, Boolean analysis, and integer linear programming (ILP). The attack requires access to the reverse-engineered netlist but, unlike SAT attacks, is oracle-less: it needs neither access to the unlocked circuit nor correct input/output pairs. We trained and evaluated the attack using the ISCAS'89 and ITC'99 benchmark circuits. The attack identifies a key that is, on average, 96.9% accurate. It fully discloses the correct functionality in 8 of the 19 tested circuits and leads to low function corruptibility (less than 4%) in 3 additional circuits. The attack run-times are less than 15 minutes.