### Centrality Indicators For Efficient And Scalable Logic Masking

**Brice Colombier** 

#### Lilian Bossuet, David Hély

Univ Lyon, UJM-Saint-Etienne, CNRS Laboratoire Hubert Curien UMR 5516 F-42023, SAINT-ETIENNE, France

June 19, 2017







#### **Objective:**

Fight against **counterfeiting** and **illegal copying** of integrated circuits and IP cores.

#### **Objective:**

Fight against **counterfeiting** and **illegal copying** of integrated circuits and IP cores.



#### **Objective:**

Fight against **counterfeiting** and **illegal copying** of integrated circuits and IP cores.



#### **Proposition:**

**Before** it has been **unlocked**, the circuit must operate as **abnormally** as possible, until the **correct activation word** is fed.

#### **Proposition:**

**Before** it has been **unlocked**, the circuit must operate as **abnormally** as possible, until the **correct activation word** is fed.

#### Solutions:

We want to be able to controllably:

- Force the outputs to a fixed logic value: **locking**<sup>1</sup>.
- Alter the outputs as much as possible: masking<sup>2</sup>.

<sup>1</sup>B. Colombier, L. Bossuet, and D. Hély. "Reversible Denial-of-Service by Locking Gates Insertion for IP Cores Design Protection". *Cryptarchi.* 2015. <sup>2</sup>J. A. Roy, F. Koushanfar, and I. Markov. "EPIC: Ending Piracy of Integrated Circuits". *DATE*. 2008.

## Combinational logic masking

#### Principle

Insert **XOR/XNOR** gates at **specific** locations in the netlist, so that internal nodes can be controllably inverted to alter the internal state if the wrong activation word is fed.



#### Principle

Insert **XOR/XNOR** gates at **specific** locations in the netlist, so that internal nodes can be controllably inverted to alter the internal state if the wrong activation word is fed.



AW: *n*-bit activation input.

AW<sub>ref</sub>: Reference activation word.

S: Correct outputs of the netlist.

*S<sub>mod</sub>*: Masked outputs of the netlist.

Metrics based on:

AW: *n*-bit activation input.

AW<sub>ref</sub>: Reference activation word.

S: Correct outputs of the netlist.

*S<sub>mod</sub>*: Masked outputs of the netlist.

Metrics based on:

• Corruptibility: 
$$P(S_{mod} = S | AW \neq AW_{ref}) = 0$$

AW: n-bit activation input.

AW<sub>ref</sub>: Reference activation word.

S: Correct outputs of the netlist.

*S<sub>mod</sub>*: Masked outputs of the netlist.

#### Metrics based on:

• Corruptibility: 
$$P(S_{mod} = S | AW \neq AW_{ref}) = 0$$

Hamming distance:

$$\boxed{\frac{1}{2^{n}}\sum_{AW=0}^{2^{n}-1}HD(S,S_{mod})=50\%}$$

AW: n-bit activation input.

AW<sub>ref</sub>: Reference activation word.

S: Correct outputs of the netlist.

*S<sub>mod</sub>*: Masked outputs of the netlist.

#### Metrics based on:

• Corruptibility:  $P(S_{mod} = S | AW \neq AW_{ref}) = 0$ 

Hamming distance:

$$\frac{1}{2^{n}}\sum_{AW=0}^{2^{n}-1}HD(S,S_{mod})=50\%$$

Bitwise correlation:

$$\sqrt{\frac{1}{n}\sum_{i=0}^{\text{\#outputs}-1}\rho^2\left(S[i], S_{mod}[i]\right)} = \mathbf{0}$$

AW: *n*-bit activation input.

AW<sub>ref</sub>: Reference activation word.

S: Correct outputs of the netlist.

*S<sub>mod</sub>*: Masked outputs of the netlist.

#### Metrics based on:

• Corruptibility:  $P(S_{mod} = S | AW \neq AW_{ref}) = 0$ 

Hamming distance:

$$\frac{1}{2^n}\sum_{AW=0}^{2^n-1} HD(S, S_{mod}) = 50\%$$

Bitwise correlation:

$$\sqrt{\frac{1}{n}\sum_{i=0}^{\text{\#outputs}-1}\rho^2\left(S[i], S_{mod}[i]\right)} = \mathbf{0}$$

How to optimise these metrics ?

#### Selection heuristic

Random<sup>1</sup>

<sup>1</sup>J. A. Roy, F. Koushanfar, and I. Markov. "EPIC: Ending Piracy of Integrated Circuits". *DATE*. 2008.

<sup>2</sup>R. S. Chakraborty and S. Bhunia. "HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection". *IEEE Trans. on CAD of IC and Syst.* (2009).

<sup>3</sup>J. Rajendran et al. "Security analysis of logic obfuscation". DAC. 2012.

<sup>4</sup>J. Rajendran et al. "Security analysis of integrated circuit camouflaging". *ACM Conference on Computer & communications security*. 2013.

#### Selection heuristic

Random<sup>1</sup> Fan-in/fan-out cones<sup>2</sup>

<sup>1</sup>J. A. Roy, F. Koushanfar, and I. Markov. "EPIC: Ending Piracy of Integrated Circuits". *DATE*. 2008.

<sup>2</sup>R. S. Chakraborty and S. Bhunia. "HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection". *IEEE Trans. on CAD of IC and Syst.* (2009).

<sup>3</sup>J. Rajendran et al. "Security analysis of logic obfuscation". DAC. 2012.

<sup>4</sup>J. Rajendran et al. "Security analysis of integrated circuit camouflaging". *ACM Conference on Computer & communications security*. 2013.

#### Selection heuristic

Random<sup>1</sup> Fan-in/fan-out cones<sup>2</sup> Random + interf. graph<sup>3</sup>

<sup>1</sup>J. A. Roy, F. Koushanfar, and I. Markov. "EPIC: Ending Piracy of Integrated Circuits". *DATE*. 2008.

<sup>2</sup>R. S. Chakraborty and S. Bhunia. "HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection". *IEEE Trans. on CAD of IC and Syst.* (2009).

<sup>3</sup>J. Rajendran et al. "Security analysis of logic obfuscation". DAC. 2012.

<sup>4</sup>J. Rajendran et al. "Security analysis of integrated circuit camouflaging". *ACM Conference on Computer & communications security*. 2013.

#### Selection heuristic

Random<sup>1</sup> Fan-in/fan-out cones<sup>2</sup> Random + interf. graph<sup>3</sup> Random + interf. graph + corrup.<sup>4</sup>

 $^1 J.$  A. Roy, F. Koushanfar, and I. Markov. "EPIC: Ending Piracy of Integrated Circuits". <code>DATE. 2008.</code>

<sup>2</sup>R. S. Chakraborty and S. Bhunia. "HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection". *IEEE Trans. on CAD of IC and Syst.* (2009).

<sup>3</sup>J. Rajendran et al. "Security analysis of logic obfuscation". DAC. 2012.

<sup>4</sup>J. Rajendran et al. "Security analysis of integrated circuit camouflaging". *ACM Conference on Computer & communications security*. 2013.

| Selection<br>heuristic                                                                                                                                                          |  |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Random <sup>1</sup><br>Fan-in/fan-out cones <sup>2</sup><br>Random + interf. graph <sup>3</sup><br>Random + interf. graph + corrup. <sup>4</sup><br>Fault analysis <sup>5</sup> |  |

<sup>1</sup>J. A. Roy, F. Koushanfar, and I. Markov. "EPIC: Ending Piracy of Integrated Circuits". *DATE*. 2008.

<sup>2</sup>R. S. Chakraborty and S. Bhunia. "HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection". *IEEE Trans. on CAD of IC and Syst.* (2009).

<sup>3</sup>J. Rajendran et al. "Security analysis of logic obfuscation". DAC. 2012.

<sup>4</sup>J. Rajendran et al. "Security analysis of integrated circuit camouflaging". *ACM Conference on Computer & communications security*. 2013.

| Selection<br>heuristic                        | Masking<br>efficiency |
|-----------------------------------------------|-----------------------|
| Random <sup>1</sup>                           | ×                     |
| Fan-in/fan-out cones <sup>2</sup>             | ×                     |
| Random + interf. graph <sup>3</sup>           | ×                     |
| Random + interf. graph + corrup. <sup>4</sup> | ×                     |
| Fault analysis <sup>5</sup>                   | $\checkmark$          |

 $^1 J.$  A. Roy, F. Koushanfar, and I. Markov. "EPIC: Ending Piracy of Integrated Circuits". <code>DATE. 2008.</code>

<sup>2</sup>R. S. Chakraborty and S. Bhunia. "HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection". *IEEE Trans. on CAD of IC and Syst.* (2009).

<sup>3</sup>J. Rajendran et al. "Security analysis of logic obfuscation". *DAC*. 2012.

<sup>4</sup>J. Rajendran et al. "Security analysis of integrated circuit camouflaging". *ACM Conference on Computer & communications security*. 2013.

| Selection<br>heuristic                        | Masking<br>efficiency | Computational complexity |
|-----------------------------------------------|-----------------------|--------------------------|
| Random <sup>1</sup>                           | ×                     | $\checkmark$             |
| Fan-in/fan-out cones <sup>2</sup>             | ×                     | $\checkmark$             |
| Random + interf. graph <sup>3</sup>           | ×                     | $\checkmark$             |
| Random + interf. graph + corrup. <sup>4</sup> | ×                     | $\checkmark$             |
| Fault analysis <sup>5</sup>                   | $\checkmark$          | ×                        |

<sup>1</sup>J. A. Roy, F. Koushanfar, and I. Markov. "EPIC: Ending Piracy of Integrated Circuits". *DATE*. 2008.

<sup>2</sup>R. S. Chakraborty and S. Bhunia. "HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection". *IEEE Trans. on CAD of IC and Syst.* (2009).

<sup>3</sup>J. Rajendran et al. "Security analysis of logic obfuscation". DAC. 2012.

<sup>4</sup>J. Rajendran et al. "Security analysis of integrated circuit camouflaging". *ACM Conference on Computer & communications security*. 2013.

Towards a better trafe-off between masking efficiency and computational complexity

Social media network connections among Twitter users



Created with NodeXL (http://nodexl.codeplex.com) from the Social Media Research Foundation (http://www.smrfoundation.org)

Copyright Marc Smith on Flickr under license CC BY 2.0

Centrality:

Closeness,

#### **Definition:**

Inverse of the sum of distances to all the other vertices.



Centrality:

- Closeness,
- Betweenness,

#### **Definition:**

Ratio of shortest paths going through this vertex.



Centrality:

- Closeness,
- Betweenness,
- Current-flow betweenness,

#### **Definition:**

Current flowing through this vertex with others as source and sink.



Centrality:

- Closeness,
- Betweenness,
- Current-flow betweenness,

#### **Definition:**

Current flowing through this vertex with others as source and sink.



Centrality:

- Closeness,
- Betweenness,
- Current-flow betweenness,
- Current-flow closeness,

#### **Definition:**

Sum of effective resistances to all other vertices.



#### Indicators that only account for shortest paths

Closeness, betweenness.

#### **Comparison of centrality indicators**

#### Indicators that only account for shortest paths

Closeness, betweenness.

#### Indicators that weigh paths according to their length

Current-flow betweenness and closeness centralities.

#### **Comparison of centrality indicators**

Indicators that only account for shortest paths

Closeness, betweenness.

Indicators that weigh paths according to their length

Current-flow betweenness and closeness centralities.



| Convert the netlist into a graph |  |                   |  |
|----------------------------------|--|-------------------|--|
| Nodes<br>Gates                   |  | vertices<br>edges |  |







XOR/XNOR gates are inserted on the vertices for which the chosen centrality indicator is the **highest**.



#### **Trade-off**



#### Trade-off



#### Conclusion

Bitwise correlation is **almost as low** as for the fault analysis-based heuristic, for a run-time **1000x shorter**.

**Centrality indicators**, in particular current-flow closeness centrality, as node selection heuristic for logic masking:

- allow to disturb the outputs efficiently,
- have a manageable computational complexity,
- offer a better trade-off than existing heuristics,
- could be parallelized...

**Centrality indicators**, in particular current-flow closeness centrality, as node selection heuristic for logic masking:

- allow to disturb the outputs efficiently,
- have a manageable computational complexity,
- offer a better trade-off than existing heuristics,
- could be parallelized...

# — Questions ? —