Machine Learning Aided Key-Guessing Attack Paradigm Against Logic Block Encryption

Hardware security remains a major concern in the circuit design flow. Logic block based encryption has been widely adopted as a simple but effective protection method. In this paper, the potential threat arising from the rapidly developing field of machine learning is investigated. To illustrate the challenge, this work presents a standard attack paradigm in which a three-layer neural network and a naive Bayes classifier are utilized to exemplify the key-guessing attack on logic encryption. Backed by validation results obtained from both combinational and sequential benchmarks, the presented attack scheme can specifically accelerate the decryption of partial keys, which may serve as a new perspective for revealing the potential vulnerability of current anti-attack designs.


Introduction
In the course of achieving trusted and reliable application specific integrated circuit (ASIC) designs, hardware security has remained a paramount concern over the past few decades. Since vulnerabilities emerge from attacks at different design levels, hardware security involves a wide range of countermeasures, among which secret key based static authentication is one of the common techniques [1]. In this context, the original logic block is often equipped with a tamper-proof encryption module to authorize the user. The encryption methods may vary from simple logic gates to large memory units. Logic block encryption offers several merits, including low design overhead and functional camouflage, thus mitigating the risks of malicious counterfeiting, piracy and hardware trojans [2]. However, despite the virtues above, logic block encryption may be greatly challenged by novel attacks aided by machine learning (ML) [3][4][5][6]. To retrieve the keys in the encryption module, it was widely believed that an adversary needs to verify every key combination, so that the traversal complexity is exponential in the key length. Nevertheless, this stereotype should be abandoned: numerous algorithms, such as feature extraction in a supervised learning task, can support the adversary in effectively mining the data derived from the logic block and interpreting the encryption trace. As a result, the key-guessing process is largely accelerated, while the protection techniques become invalid.

Most of the existing research has concentrated on the application of machine learning in enhancing side-channel analysis (SCA) attacks. SCA attacks usually leverage physical information, such as processing time, power consumption and electromagnetic emanation, to reveal the cryptographic keys. However, the main issue remains the feature extraction and classification problem for the physical trace data.
In the literature, Hospodar et al. [3] first exemplified the usage of least squares support vector machines as the learning algorithm. Gilmore et al. [4] proposed principal component analysis for dimensionality reduction and fed the data into a neural network to realize decryption. Besides, Maghrebi et al. [5] articulated attack schemes that utilize the convolutional neural network (CNN), autoencoder, long short-term memory (LSTM) and multilayer perceptron (MLP). Moreover, Das et al. [6] constructed a fully-connected deep neural network to execute the SCA attack on multiple devices.
It is notable, however, that the efficiency of ML-aided SCA attacks may be dramatically hindered by the fluctuation of power pin noise and by power camouflage tricks [7,8], which directly deteriorate the data quality and thus limit the learning accuracy. ML-aided SCA attacks also demand high sampling precision and denoising ability from the test facilities, as well as data post-processing such as the alignment of power traces, which may restrict their feasibility and practicality.
Hence, to avoid these flaws, we introduce the ML-aided attack techniques to another attack category, namely logic cryptanalysis, to implement the decryption operation. In this context, the ML-aided attack mines the correlation traces of exact logic values rather than physical parameters to deduce the cryptographic keys. The data source used for decryption can be easily and reliably obtained from the input/output pins by applying a certain volume of vector patterns.
In brief, the key contributions of this work can be concluded as follows.
• This work not only introduces the machine learning based attack to logic cryptanalysis, rather than the previous SCA-based counterparts, but also steps further to transform the decryption process into an optimization problem that can be handled by existing mathematical tools.
• This work establishes a standard logic key-guessing attack paradigm, and then elaborates how an adversary can use reasonable computing resources to implement a successful key-guessing attack against logic encryption.
• This work helps accelerate the decryption process by employing lightweight ML methods to deal first with the "easy keys". As the keys remaining to be deciphered are reduced to a small number after several epochs, the total decryption time is compressed.
• This work analyzes the potential logic correlation during the encryption phase, reveals the vulnerability of current logic block encryption, and finally helps enhance hardware security by exploring some possible countermeasures.
As for the organization, Section 2 presents the machine learning aided key-guessing attack paradigm and lists the related knowledge and methods. Section 3 implements the attack paradigm on the ISCAS'85/89 and ITC'99 benchmarks to exemplify its feasibility and effectiveness. Section 4 discusses the underlying mathematical mechanism that supports our machine learning based logic attack and explores the potential anti-attack countermeasures, and Section 5 concludes the paper.

Machine Learning Aided Attack Paradigm
As the major focus of this paper, we present a standard key-guessing attack paradigm. The paradigm rests upon the assumption of the existence of an encrypted netlist as well as an additional activated integrated circuit (IC), as depicted in Fig.1.
Definition 1 (Encrypted Netlist). An encrypted netlist consists of the gate-level information of the encrypted IC, which can be obtained from reverse engineering.
Definition 2 (Activated IC). An activated IC is a functional circuit that produces resultant outputs when applying arbitrary input patterns, which can be purchased from the open market.
The activated IC has been authorized, and is functionally equivalent to the encrypted netlist when the right keys are applied. Mathematically, the encrypted netlist and the activated IC can be expressed as the following logic functions, respectively:

O_en = f(I_en, K_en),  (1)
O_right = f(I_right, K_right),  (2)

where the encrypted netlist f(·,·) produces output O_en when input I_en and key K_en are applied, and functions the same as the activated IC when the right key K_right is applied. In view of the independence between I and K, as they are both input variables, the inverse function K = g(I, O) can be further simplified as K = g(O).
Generally, only when the inverse function g(·) is explicitly expressed can we reveal the keys K_right. However, solving the inverse function g(·) has been proved to be even harder than NP-complete problems [9].
Despite the complexity of figuring out a precise solution, machine learning can deduce the right keys in a totally different way. Basically, when provided with sufficient logic trace data, one can use supervised learning to construct a fitting function r(·) for the target function g(·). The data pairs (O_en, K_en) collected from the encrypted netlist, serving as the labelled training datasets, are learned in the training phase, while the data O_right derived from the activated IC, serving as the test datasets, are substituted into the trained fitting function r(·) so as to approximately estimate the key values K_right as r(O_right) in the inference phase.
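The train-then-infer paradigm above can be sketched in a few lines of Python. The one-key toy circuit and the frequency-counting estimator below are ours, purely for illustration; the estimator stands in for the neural network r(·) that the paper actually uses.

```python
import random

random.seed(0)

# Toy "encrypted netlist" (hypothetical): one AND gate followed by an
# XOR key gate, f(I, K) = (i1 AND i2) XOR k.
def f(i1, i2, k):
    return (i1 & i2) ^ k

K_RIGHT = 1   # the correct key bit applied inside the activated IC

# Training phase: apply random inputs AND random keys to the encrypted
# netlist, collecting labelled pairs (O_en, K_en).
train = []
for _ in range(5000):
    i1, i2, k = random.getrandbits(1), random.getrandbits(1), random.getrandbits(1)
    train.append((f(i1, i2, k), k))

# Fit r(o) ~ P(K = 1 | O = o) by frequency counting -- a stand-in for
# the trained network approximating the inverse function g(.).
counts = {0: [0, 0], 1: [0, 0]}          # counts[o][k]
for o, k in train:
    counts[o][k] += 1
r = {o: counts[o][1] / sum(counts[o]) for o in (0, 1)}

# Inference phase: outputs O_right from the activated IC (right key applied);
# average r(O_right) over many vectors and compare against the 0.5 boundary.
test = [f(random.getrandbits(1), random.getrandbits(1), K_RIGHT) for _ in range(5000)]
score = sum(r[o] for o in test) / len(test)
k_guess = 1 if score > 0.5 else 0
```

With random inputs, the key bit biases the output distribution, so the averaged score drifts away from 0.5 toward the right key value.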

Logic Encryption
In general, logic encryption refers to a built-in locking mechanism that inserts additional key gates to accomplish encryption within a logic block, where the encryption nodes are carefully chosen and adequately mixed with the original circuit [2]. Fig.2 depicts a simple implementation of logic encryption. By mixing XOR/XNOR gates or MUXs into the original circuit, the encryption units serve as buffers or inverters (or fault nodes) according to the key values. Only when the correct keys K_1 = 1, K_2 = 0, K_3 = 1 and K_4 = 0 are applied will the modified circuit work properly.
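The behaviour of the inserted key gates can be sketched as follows. This is a minimal illustration; the function names are ours and do not correspond to specific gates in Fig.2.

```python
# XOR key gate: transparent buffer when key = 0, inverter when key = 1;
# an XNOR key gate behaves the opposite way.
def xor_key_gate(signal, key):
    return signal ^ key

def xnor_key_gate(signal, key):
    return 1 - (signal ^ key)

# MUX key gate: the key selects between the true signal and a fault signal.
def mux_key_gate(true_signal, fault_signal, key):
    return true_signal if key == 1 else fault_signal

# With the correct key the circuit is unchanged; a wrong key corrupts
# the internal node.
assert all(xor_key_gate(s, 0) == s for s in (0, 1))        # buffer
assert all(xor_key_gate(s, 1) == 1 - s for s in (0, 1))    # inverter
```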
Logic encryption outperforms other encryption methods for its convenience and low overhead to implement as well as obfuscation with the original circuits [9,10] . It has already been implemented to both combinational and sequential circuits, e.g., full adder and subtractor [11] , pseudorandom number generator (PRNG) [12] , flip-flop [13] , and scalable multi-module designs [14] .
On account of the selection of the cryptographic nodes, EPIC [9], the first to present the concept of logic encryption, suggested inserting additional key gates randomly to enhance circuit security. Later work, namely the fault analysis based logic encryption in [10], chose the highest fault impact (FI) nodes to maintain a 50% Hamming distance. The strategy was modified in [15] by selecting a majority of keys based on FI while reserving the others for preventing path sensitization. Other innovations for decreasing the overhead of logic encryption were previously discussed in reusing key-based logic gates [16] and low-overhead implementation [17].
Previous research has demonstrated effective attacks on logic encryption. Apart from SCA attacks like differential power analysis (DPA) in [18], they can be roughly divided into two categories: topology-indispensable or not. The former may refer to the sensitization attack [19] (which propagates key ports to be observed on outputs) and the logic cone analysis attack [20] (which distinguishes logic cones and then applies "divide-and-rule"). These attacks must resort to specific logical structures to sensitize key information, hence their attack efficiency highly hinges on the topology of the target logic block. In contrast, the Hill-climbing attack [21] or the Boolean satisfiability (SAT) attack [22] operates only on the external input, key and output ports regardless of the details of the netlist. Hence mitigating this type of attack has become a hot topic in recent years [23][24][25][26][27][28]. It is notable that the authors of [21] and [22] already adopted principles widely used in machine learning, such as the gradient descent algorithm. In this work, we step further to present the attack paradigm with general machine learning methods.

Neural Network
A fully-connected (FC) neural network (NN) consists of an input layer, several hidden layers and an output layer (Fig.3). Between adjacent layers, every neuron is connected to all the neurons in the preceding and following layers. The training method we use here is the back-propagation (BP) algorithm, which is the most common in supervised learning and is well supported by current mathematical tools.
In the forward phase, the network propagates input vectors forward and produces resultant output vectors. Each neuron sums up all the weighted inputs and modulates the sum through a nonlinear activation function, tanh(·), as in (3):

o_j = tanh( Σ_i w_ij x_i + b_j ).  (3)

As the output vector o undergoes a comparison with the labelled vector t, the loss function E is derived in (4):

E = (1/2) Σ_j (t_j − o_j)^2.  (4)
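The forward computation can be written directly from the formulas; a minimal sketch for one layer follows, assuming the tanh activation and squared-error loss referenced as (3) and (4).

```python
import math

# Forward pass of one fully-connected layer with tanh activation, plus
# the squared-error loss E = 1/2 * sum((t_j - o_j)^2) -- a minimal sketch.
def forward(x, W, b):
    # W[j] holds the input weights of output neuron j, b[j] its bias.
    return [math.tanh(sum(w * xi for w, xi in zip(row, x)) + bj)
            for row, bj in zip(W, b)]

def loss(o, t):
    return 0.5 * sum((tj - oj) ** 2 for oj, tj in zip(o, t))
```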
In the backward phase, the network propagates the loss function E back and adjusts the weights based on the gradient descent algorithm:

Δw_ij = −η ∂E/∂w_ij,  (5)

where η is the learning rate.
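For a single tanh neuron under the squared-error loss, the gradient has a closed form, and one update step can be sketched as below (our own minimal illustration of the weight update Δw = −η ∂E/∂w; a real BP implementation chains this through all layers).

```python
import math

# One stochastic gradient-descent step for a single tanh neuron.
def bp_step(x, t, w, eta=0.1):
    o = math.tanh(sum(wi * xi for wi, xi in zip(w, x)))
    # For E = 1/2 (t - o)^2:  dE/dw_i = -(t - o) * (1 - o^2) * x_i,
    # so w_i <- w_i - eta * dE/dw_i = w_i + eta * (t - o) * (1 - o^2) * x_i.
    return [wi + eta * (t - o) * (1 - o * o) * xi for wi, xi in zip(w, x)]

# A single step moves the neuron's output toward the target t.
w0 = [0.5]
w1 = bp_step([1.0], 1.0, w0)
```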

Naive Bayes Classifier
The naive Bayes classifier is a widely adopted tool for binary classification. Given the fitting function r(·) derived from the feature variables x, the Bayes classification rule h* is decided by:

h*(x) = arg max_{c ∈ {0,1}} P(c | x).  (6)

The naive Bayes classifier is known as the optimal classifier when strong independence between the variables is assumed. Once the fitted values r(x) for the secret keys are obtained, the naive Bayes classifier judges the keys as logic 1 if their values are above 1/2 and vice versa, as a typical binary classification problem.
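In this binary setting the rule reduces to thresholding the fitted values at 1/2, which can be sketched in one line:

```python
# Binarize the network's fitted values at the 1/2 decision boundary.
# Under the stated independence assumption this coincides with the
# Bayes-optimal rule h*.
def classify_keys(fitted):
    return [1 if v > 0.5 else 0 for v in fitted]

keys = classify_keys([0.91, 0.07, 0.55, 0.49])
# keys 0 and 2 are judged logic 1; keys 1 and 3 are judged logic 0
```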
For a more comprehensive look at the preliminaries mentioned above, hereinafter we address their roles. Firstly, under the assumption of our attack paradigm, the kernel problem has been transformed into solving the inverse function g(·), as the secret keys can be derived from K_right = g(O_right) for circuits protected by logic encryption. Secondly, in order to deduce a possible fitting function for g(·) in reasonable time, we introduce the neural network, trained and inferred with the datasets collected from the encrypted netlist and the activated IC, respectively. The reason for using a neural network lies in the fact that its architecture can be easily manipulated, which helps extract high-dimensional features provided the network is not overfitted. Thirdly, after training, the fitted value r(x) for the right keys K_right can be derived by substituting O_right into the trained neural network, but it generally produces an output within the range of [0, 1]. In order to classify the values as exact logic 1 or 0, the naive Bayes classifier is finally adopted to binarize r(x).
To facilitate reading, we list the most frequently used symbols in Table 1.

Implementation

Procedure of the Attack Paradigm
In terms of the implementation procedure, Fig.4 exemplifies how an adversary conducts a machine learning aided attack against logic block based encryption.
1) The target circuits are encrypted beforehand by a specific node-selecting strategy, i.e., random inserting or the highest fault impact (FI) encryption with XORs or MUXs.
2) By applying random input vectors I_en and random key vectors K_en, the resultant training datasets (O_en, K_en) as well as the test dataset O_right are collected.
3) A certain machine learning algorithm is adopted to calculate the fitting function for the inverse function g(·). Here the neural network is employed, where the numbers of neurons in the input and the output layer are consistent with the numbers of output nodes and key nodes, respectively.
4) Finally, the key values inferred by substituting O_right into r(·) of the trained network are fed into the naive Bayes classifier to accomplish classification.

The encryption algorithm is embodied as Algorithm 1. A designer may arbitrarily choose to insert either XOR/XNOR gates or MUXs, at random or at the highest-FI locations, as key gates. For the latter, the highest FI for an internal node i is formulated as (7) in [14]:

FI_i = NoP_0 × NoO_0 + NoP_1 × NoO_1,  (7)

where NoP_0 denotes the number of patterns that detect a stuck-at-0 fault at the output and NoO_0 denotes the total number of output bits affected by the fault, while NoP_1 and NoO_1 represent the corresponding quantities for the stuck-at-1 fault.
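An equivalent empirical view of (7) is to reverse a node and count affected output bits over random vectors, which can be sketched as follows. The 3-input toy netlist here is hypothetical, purely for illustration.

```python
import random

# Estimate the fault impact of an internal node: reverse the node and
# count how many output bits are affected over random input vectors.
def outputs(i0, i1, i2, flip_n=False):
    n = (i0 & i1) ^ (1 if flip_n else 0)   # internal node n, optionally reversed
    return (n | i2, n ^ i2)                 # two primary outputs

def fault_impact(trials=4000, seed=1):
    rng = random.Random(seed)
    affected = 0
    for _ in range(trials):
        v = [rng.getrandbits(1) for _ in range(3)]
        good, bad = outputs(*v), outputs(*v, flip_n=True)
        affected += sum(g != b for g, b in zip(good, bad))
    return affected / trials   # mean number of affected output bits

fi = fault_impact()
```

For this toy node the second output always flips and the first flips half the time, so the estimate settles near 1.5; ranking such estimates over all internal nodes yields the highest-FI candidates.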
Algorithm 1. Logic Block Encryption Algorithm [9,14]
Input: all the internal nodes of a logic block;
Output: the encrypted netlist;
1: for each internal node i do
2:   Detect the s-a-0 fault (NoP_0) and the affected bit ratio (NoO_0);
3:   Detect the s-a-1 fault (NoP_1) and the affected bit ratio (NoO_1);
4:   Compute FI_i := NoP_0 × NoO_0 + NoP_1 × NoO_1;
5: end for
6: Select the highest FI nodes to encrypt using XOR/XNOR gates;

A node with the highest FI can affect most of the outputs for most of the input patterns if a fault occurs. FI is used to enhance the Hamming distance in [14]. Mathematically, (7) is equivalent to the total number of affected bits when the logical value of a certain node is reversed. Therefore, one can reverse each internal node, apply random vectors to the inputs to figure out how many outputs are affected by the reversed node, and then find the nodes with the highest impact. Table 2 displays the internal nodes with the highest FI values for the C432 benchmark for instance, regularized to [0, 1]. The selected nodes are encrypted with either logic 1 or 0 arbitrarily.

Afterwards, the decryption process is executed as the flow described in Algorithm 2. Firstly, the encrypted netlist and the activated IC are fed with random input vectors (I_en, K_en) and I_en to produce the resultant outputs O_en and O_right, respectively, in which the volume of the two datasets equals the number of random vectors. For training the neural network, the training datasets (O_en, K_en) need to be observed and collected on the encrypted netlist. Meanwhile, the test dataset O_right is obtained on the activated IC. Next, one utilizes the BP algorithm to minimize the loss function of the network by feeding it the training pairs (O_en, K_en). Once training is finished, the test data O_right is substituted into the input layer in a typical inference phase. As the network has been trained into a fitting function r(·) for g(·), the output layer produces the inferred values r(O_right) for K_right.
The values r(O_right), being decimals within [0, 1] in general, are further binarized into exact logic 1 or 0; this quantization problem is tackled by the naive Bayes classifier with a decision boundary of 0.5. Ultimately, the decryption process is accomplished and the binary values of the cryptographic keys are determined.

Algorithm 2. Logic Block Decryption Algorithm
Input: O_en, K_en for the encrypted circuit and O_right for the activated circuit;
Output: retrieved key values K_right;
1: for (k := 1; k ≤ the number of the input/output pair vectors; k++)
2:   Train the neural network by using the training dataset (O_en, K_en);
3: end for
4: for (k := 1; k ≤ the number of the input/output pair vectors; k++)
5:   Infer the key values K_right by substituting the test dataset O_right;
6: end for
7: Judge the keys K_right as logic 0 or 1 by the naive Bayes classifier;
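Algorithm 2 can be miniaturized as the sketch below, in which a one-neuron logistic model trained by stochastic gradient descent stands in for the three-layer network, and the one-key toy circuit is hypothetical.

```python
import math
import random

rng = random.Random(3)

def f(i1, i2, k):            # toy encrypted netlist: (i1 AND i2) XOR k
    return (i1 & i2) ^ k

# Steps 1-3: collect training pairs (O_en, K_en) and train by SGD
# (cross-entropy gradient for a sigmoid neuron).
pairs = []
for _ in range(5000):
    i1, i2, k = rng.getrandbits(1), rng.getrandbits(1), rng.getrandbits(1)
    pairs.append((f(i1, i2, k), k))

w, b, eta = 0.0, 0.0, 0.1
for _ in range(3):                       # a few passes over the data
    for o, k in pairs:
        p = 1.0 / (1.0 + math.exp(-(w * o + b)))
        w += eta * (k - p) * o
        b += eta * (k - p)

# Steps 4-7: infer on O_right from the activated IC (right key = 1),
# then judge against the 0.5 boundary.
test = [f(rng.getrandbits(1), rng.getrandbits(1), 1) for _ in range(5000)]
score = sum(1.0 / (1.0 + math.exp(-(w * o + b))) for o in test) / len(test)
k_guess = 1 if score > 0.5 else 0
```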

Attack Demonstration on C432 Benchmark
For a more comprehensive illustration of the decryption procedure, hereinafter, we will employ the C432 benchmark as an example to expound the attack details based on Fig.5.
The target C432 benchmark contains 36 inputs and 7 outputs as well as 20 key nodes whose values are encrypted as Table 2 (logic 0: encrypted with XOR; logic 1: encrypted with XNOR).
Above all, as Fig.5(a) shows, a random vector generator generates a set of (50%, 50%) vectors I_en, K_en (50% probability of being logic 0 and 50% probability of being logic 1) for the encrypted netlist, and the same I_en for the activated IC, where the numbers of inputs, keys and outputs are 36, 20, and 7, respectively. As this is the first epoch, no keys have been retrieved before; hence they are all fed with random vectors and expressed as "?".
Upon reaching a certain volume of random vectors, the training pairs (O_en, K_en) are fed into the neural network for training, serving as its input layer data and target output labels, respectively. The numbers of input and output neurons are straightforward to decide, being equal to the numbers of C432 outputs and keys. The main issue lies in the hidden layers. In order to determine a reasonable network structure, in Fig.5(b) we test a typical network (structured as 7-100-20), a fat network (7-10000-20) and a 10-hidden-layer deep network (7-100-...-100-20) to fit the inverse function g(·). Results show that the loss function value does not decline further as the width enlarges or the depth increases; it stays around 0.213 in all cases, as depicted in Fig.5(c). A possible reason is overfitting in the large and deep networks. Therefore, balancing efficiency and performance, a typical 3-layer network is chosen as a reasonable network in our implementation hereinafter.
Once the training is finished, the test data O_right is substituted into the input layer, and one can collect the inferred values for K_right from the output layer of the trained network. As the network output, r(O_right) is generally a value within [0, 1]; thus it undergoes a classification process in which the decimal is binarized as logic 0 or 1 by the naive Bayes classifier. The full attack flow above is summarized in Fig.5(d).
Note that in each epoch, part of the keys will be retrieved. During the next epoch, those keys are fixed at their inferred values while random vectors are still applied to the rest of the keys. As an iterative process, decryption is conducted successively. For better comprehension, Figs.6(a)-6(c) illustrate the decryption implementation conducted on the C432 benchmark.
In the first epoch, seven keys are explicitly revealed by comparison with the decision boundary of 0.5: K_1, K_6, K_17 and K_3 are logic 1, while K_2, K_18 and K_5 are logic 0. These seven key values are then fixed while the remaining keys are still fed with random vectors (expressed as "?" in Fig.5(a)). The reason for fixing the retrieved keys is that, when left random, they conceal the correlation between the benchmark outputs and the remaining key nodes. As the epochs go on, more information about the secret keys is exposed. Hence in the second epoch, 11 keys can be retrieved and fixed, while in the third epoch, with 18 keys fixed, the last two keys are revealed, ultimately resolving all the 20 cryptographic keys.
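The epoch-wise bookkeeping can be sketched as below. The margin-based criterion for deciding which keys count as "explicitly revealed" is our own illustrative choice, not a parameter specified by the paradigm.

```python
# Epoch-wise key fixing (illustrative): keys whose averaged inferred value
# lies far enough from the 0.5 boundary are fixed at their binarized value;
# the rest keep receiving random vectors in the next epoch.
def fix_retrieved(scores, retrieved, margin=0.2):
    for idx, s in enumerate(scores):
        if idx not in retrieved and abs(s - 0.5) >= margin:
            retrieved[idx] = 1 if s > 0.5 else 0
    return retrieved

fixed = fix_retrieved([0.92, 0.51, 0.08, 0.71], {})
# keys 0, 2 and 3 are fixed (at 1, 0 and 1); key 1 stays random next epoch
```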
The evolution curves delineated in Fig.6 are achieved by increasing the training pair vectors gradually, ranging from 5 to 100 000. It is notable that those curves can converge within 1 000-5 000 vectors, where the time used for training is much less than 1s. With regard to the key values listed in Table 2, the proposed neural network succeeds in retrieving all the keys correctly.
To further verify the efficiency of the proposed attack paradigm on the C432 benchmark encrypted with other techniques, including different node selection methods (random inserting or the highest fault impact inserting) and different encryption gates (XOR/XNOR and MUXs), we conduct the attack implementation summarized in Table 3. Note: C432 EPIC XOR means that the benchmark is C432, the encryption method is EPIC (random inserting) and the inserted logic gate is XOR/XNOR. x/y: number of retrieved keys/number of total encrypted keys.
For the four cases listed above, the proposed attack scheme performs better on FI inserting than on random inserting, and on MUXs than on XOR/XNOR encryption. When encrypted by FI inserting and MUXs, one can reveal all the keys within three epochs even when the key number increases to 40. A possible reason for the better performance on FI inserting is the enlarged Hamming distance, as the encryption method unintentionally amplifies the correlation between the key nodes and the outputs. For MUXs, compared with XOR/XNOR gates, an additional fault node must be selected, which may also introduce unintended statistical correlation between two logic cones.

Extending to Other Benchmarks
To further demonstrate the efficiency of the proposed attack paradigm, the same attack flow is implemented on the ISCAS'85, ISCAS'89 and ITC'99 benchmarks. The target logic blocks contain both combinational and sequential circuits with various topologies and have long been used as a basis for comparing results in the areas of test generation and circuit validation. To strictly validate the proposed attack scheme, encryption is conducted by referring to EPIC [9] to randomly insert XOR and XNOR gates at internal nodes (because decryption may be harder in this case according to Table 3). The number of secret keys varies with the size of the benchmarks, ranging from 4 for the smaller circuit C17 to 100 for the larger circuits C2670 and B04.
In practical terms, the proposed attack paradigm exhibits a different attack efficiency on each benchmark, which is reasonable in view of their unique topological structures. Some representative key curves in their first epoch are depicted in Fig.7. For each benchmark, the input, output and key port layouts are displayed in Fig.7(a), and the evolution curves for the secret keys are portrayed in Fig.7(b). As the vector number (horizontal axis in log scale) increases from 5 to 100 000, the evolution curves may at first oscillate around the classification boundary of 0.5 due to random fluctuation. When the vector number grows larger, conservatively around 20 000 vectors (vertical dashed line), a converged evolution curve is obtained in which the expectation for each key takes on a stable value above or below the boundary.

Fig.8 describes the time consumption of the attack flow on the above benchmarks for one epoch. Each data box describes the time distribution over 10 different attempts. The plots are divided into blue, green and purple groups, representing 20 000, 50 000 and 100 000 training pairs, respectively. As 20 000 vectors are conservative enough to obtain a converged evolution curve, the time consumed is quite acceptable.

Table 4 summarizes the implementation results on the benchmarks. The same attack is conducted for three epochs, each testing up to 100 000 vectors. The attack efficiency may hinge on the topology of the benchmarks, as the attack scheme is most suitable for retrieving the keys that expose the most information to the outputs, namely the "easy keys". The ratio of retrieved keys is relatively low, which is reasonable considering the strict condition, i.e., randomly inserted XOR/XNOR gates: there are cases in which a wrong key has no effect on the outputs, and more than one key combination is correct. Moreover, more keys may be retrieved in subsequent epochs, but in view of their relatively low confidence level, we ignore them here. Note: x/y: number of retrieved keys/number of total encrypted keys.

As a comparison with other attack schemes in logic cryptanalysis, the ML-aided attack paradigm does not require a detailed netlist to sensitize special paths between key nodes and outputs like [19] and [20]. It can retrieve the "easiest keys" in each epoch successively, which may also help compress the decryption time if combined with the tricks in [21] and [22], since those methods are greatly hindered when the number of keys is too large. One can utilize limited computation resources to decipher the "easy keys" first, and resort to traditional methods to tackle the rest, which may suit many more scenarios.

Discussion
It has been demonstrated in Section 3 that typical logic encryption is vulnerable to the proposed ML-aided attack paradigm. Here, we will try to concentrate on the underlying mathematical basis that supports the attack and move on to explore some potential anti-attack countermeasures.

Underlying Mathematical Comprehension
The proposed attack paradigm essentially hinges on the mathematical correlation between the output O_en and the key K_en to build a fitting function r(·) that deduces the proper keys K_right. Its foundation lies even in the basic logic gates. Specifically, the relevance between two logic nodes can be evaluated by the Pearson correlation coefficient as in (8):

ρ(X, Y) = cov(X, Y) / √(var(X) var(Y)),  (8)

where cov(·,·) is the covariance, var(·) represents the variance and ρ(·,·) describes the extent of the correlation.
Considering the AND logic gate in Fig.9, when applying random vectors (1 − p_1, p_1) on input A (the probability of being logic 1 is p_1) and (1 − p_2, p_2) on B, ρ(A, O) and ρ(B, O) can be quantified. Fig.9(a) illustrates that when p_2 is closer to 1, input A and output O are more positively correlated. Similarly, for the OR gate in Fig.9(b), when p_2 is closer to 0, output O becomes dependent on input A.
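This AND-gate behaviour is easy to check empirically; the sketch below estimates ρ(A, O) from random samples with p_2 = 0.9 (the sample size and p_2 value are our own choices for illustration).

```python
import random

# Empirical Pearson correlation: as p2 -> 1, input A and output
# O = A AND B become strongly positively correlated.
def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    vx = sum((x - mx) ** 2 for x in xs) / n
    vy = sum((y - my) ** 2 for y in ys) / n
    return cov / (vx * vy) ** 0.5

rng = random.Random(0)
N, p2 = 20000, 0.9                       # B is logic 1 with probability 0.9
A = [rng.getrandbits(1) for _ in range(N)]
B = [1 if rng.random() < p2 else 0 for _ in range(N)]
O = [a & b for a, b in zip(A, B)]
rho = pearson(A, O)                      # close to 0.9 for p2 = 0.9
```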
Correlation analysis helps us understand the logic dependency in digital systems. Fig.10 shows the Pearson correlation coefficients on the C17 benchmark. As anticipated, N_7 has no relationship with N_10, N_11, N_16 and N_22, which belong to another logic cone, while exerting its influence on N_19 and N_23. The underlying mathematical principle for keys in logic encryption remains the same: any modification of the original circuit propagates to certain nodes as statistical correlation. By tracking the correlation traces, the machine learning aided attack finally retrieves the keys and breaks the encryption.
As a supplementary experiment, a similar attack using linear regression is included in Fig.11. The experimental results confirm that other mathematical methods, not restricted to machine learning, can also be utilized to model the fitting function for g(·), but they may not be efficient enough to extract the high-dimensional features compared with the neural network.
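The linear-regression variant can be sketched as below: a least-squares fit of k against o on (O_en, K_en), then thresholding the average prediction on O_right. The same hypothetical one-key toy circuit is assumed, purely for illustration.

```python
import random

def f(i1, i2, k):            # toy encrypted netlist: (i1 AND i2) XOR k
    return (i1 & i2) ^ k

rng = random.Random(2)
os_, ks = [], []
for _ in range(5000):
    i1, i2, k = rng.getrandbits(1), rng.getrandbits(1), rng.getrandbits(1)
    os_.append(f(i1, i2, k))
    ks.append(k)

# Closed-form simple linear regression: k ~ a*o + b.
mo, mk = sum(os_) / len(os_), sum(ks) / len(ks)
a = sum((o - mo) * (k - mk) for o, k in zip(os_, ks)) / sum((o - mo) ** 2 for o in os_)
b = mk - a * mo

# Average the prediction over O_right (right key = 1) and threshold.
test = [f(rng.getrandbits(1), rng.getrandbits(1), 1) for _ in range(5000)]
pred = sum(a * o + b for o in test) / len(test)
k_guess = 1 if pred > 0.5 else 0
```

On this single-output toy the linear fit recovers the key as reliably as the network; the gap the paper reports appears when many outputs interact nonlinearly.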

Enhancing Logic Encryption
In fact, typical logic encryption does not conceal the encryption trace but even exposes it to an experienced attacker. Some previous camouflage tricks, such as the current domain signature attenuation [7] and the machine learning assisted countermeasure [8] in SCA-resistant designs, may not be appropriate for logic attack-resistant design, as the logic outputs cannot be reasonably manipulated like the power trace. This is because a good encryption also needs to ensure its obscureness, i.e., a wrong key should result in a wrong output for all input patterns [29]. However, when the correlation between keys and outputs is deliberately eliminated, an applied wrong key may affect only a few output bits, which deteriorates the encryption efficacy.
Therefore, in our view, in order to mitigate the potential risks, a promising encryption algorithm can refer to attempts such as adding a key generation unit [30] or a physical unclonable function (PUF) [31] to associate the outputs with intermediate keys rather than the real key ports, thereby concealing the internal details. Nevertheless, logically concealing a huge block remains a complicated issue and is therefore beyond the scope of this work.

Conclusions
In this paper, a machine learning aided attack scheme against logic block encryption was presented. Above all, a standard attack paradigm was defined, in which we adopted random and the highest FI inserting as the encryption mechanisms and selected a three-layer neural network as the decryption tool to exemplify how a successful attack can be executed. With the aid of the simple neural network and naive Bayes classifier, the proposed attack scheme has been implemented on the ISCAS'85/89 and ITC'99 benchmarks, succeeding in retrieving partial keys in three epochs. We also shed light on the vulnerability of the logic block based encryption and explored some preliminary countermeasures. It is notable that the underlying mathematical principle for the attack still hinges on the correlation between keys and outputs, and a possible anti-attack scheme could explore the possibility of maintaining logic obscureness and correlation confusion at the same time.