Breaking CAS-Lock and Its Variants by Exploiting Structural Traces

Logic locking is a prominent solution to protect against design intellectual property theft. However, there has been a decade-long cat-and-mouse game between defenses and attacks. A turning point in logic locking was the development of miterbased Boolean satisfiability (SAT) attack that steered the research in the direction of developing SAT-resilient schemes. These schemes, however achieved SAT resilience at the cost of low output corruption. Recently, cascaded locking (CAS-Lock) [SXTF20a] was proposed that provides non-trivial output corruption all-the-while maintaining resilience to the SAT attack. Regardless of the theoretical properties, we revisit some of the assumptions made about its implementation, especially about security-unaware synthesis tools, and subsequently expose a set of structural vulnerabilities that can be exploited to break these schemes. We propose our attacks on baseline CAS-Lock as well as mirrored CAS (M-CAS), an improved version of CAS-Lock. We furnish extensive simulation results of our attacks on ISCAS’85 and ITC’99 benchmarks, where we show that CAS-Lock/M-CAS can be broken with ∼94% success rate. Further, we open-source all implementation scripts, locked circuits, and attack scripts for the community. Finally, we discuss the pitfalls of point function-based locking techniques including Anti-SAT [XS18] and Stripped Functionality Logic Locking (SFLL-HD) [YSN+17], which suffer from similar implementation issues.


Introduction
With deep sub-micron technology, the capital cost considerations dictate outsourcing of integrated circuit (IC) manufacturing. Today, most of the semiconductor industry operates in a fabless manner, where foundries are organizationally and geographically separate from the design houses. However, such outsourcing to potentially untrusted entities has introduced threats such as intellectual property (IP) piracy [re112,re212,Tec17], IC counterfeiting/overbuilding [pen13], and hardware Trojans [big18]; such threats have become a pressing concern for commercial and government organizations alike. Besides, counterfeiting also poses significant security risks; according to a 2013 report by the Semiconductor Industry Association, 15% of all the "spare and replacement semiconductors" bought by the Pentagon are counterfeit [pen13].  called key-gates, into the design. One input of the key-gate is driven by a key-input that is driven from a tamper-proof on-chip memory, while the other input is the functional net. The design will work correctly only upon supplying the correct key, i.e., 110; otherwise, it produces incorrect outputs. A logic locking enabled IC design flow is shown in Fig. 2. The design is locked at the end of the design phase, and since only the IP owner possesses the secret key, the design is protected from any unauthorized access. After fabrication and testing, the chip is unlocked by loading the correct key onto the chip's memory.

Logic locking: Recent attacks
The concept was introduced in EPIC [ RKM10], followed by a set of works such as FLL [RZZ + 13] and SLL [YRSK15]. However, all these techniques were broken by a miterbased Boolean satisfiability (SAT) attack [SRM15], thereby exposing a serious vulnerability. It iteratively identifies distinguishing input patterns (DIPs) that eliminate incorrect keys from the search space. The computation of a DIP involves construction of a miter circuit with two copies of the locked circuit, where the two circuits share the primary inputs but have different key-inputs. When a SAT solver finds an assignment that satisfies the "miter" formula, this assignment is called a DIP. This DIP is applied to an oracle, i.e., a functional IC with the secret key loaded onto its memory, to prune out the incorrect keys in an iterative way. The SAT attack can break logic locking with a relatively small number of DIPs, and thus, the complexity of the attack, is low in terms of the number of DIPs required.
Naturally, several SAT-resilient techniques were developed by leveraging point functions that necessitated an exponential number of DIPs in the key-size such as SAR-Lock [YMRS16], Anti-SAT [XS18], SFLL [YSN + 17]. Nevertheless, the use of point functions introduced structural-analysis-based attacks [XSTF17, YMSR17, YTS19, SS20] as summarized in Table 1. Further, new schemes such as SFLL-fault [SNL + 20] suffer from low output corruption, thereby facilitating approximate circuit recovery for an incorrectly unlocked design [SLM + 17]. Other solutions include SAT-hard structures [KAHS19,SLPJ18] to thwart SAT attack by increasing the time taken by each iteration rather than increasing the number of iterations. These schemes, however, were recently broken by reduced-encoding approach and neural-network-based attacks [KAHS20, SHP20, AKHS20].   The authors establish the security of the schemes with rigorous proofs. However, in this work, we challenge such claims by exposing a set of structural vulnerabilities that can successfully break both CAS and M-CAS defenses. We define two adversarial threat models, viz., oracle-guided and oracle-less on which we carry out our attacks. The main contributions of this work are shown in Table 2, and are summarized below.

Contribution
• Attacking CAS. We propose two attacks against CAS in the oracle-guided model: -Identify flip signal (IFS). This attack exploits the structural traces to recover the original IP.
-Key-bit mapping & SAT (KBM-SAT). This attack exploits the connectivity of key-inputs, thereby enabling the SAT attack to decipher the secret key with only a polynomial number of queries as opposed to the theoretical expectation of an exponential number of queries in the key-size.
• Attacking M-CAS. We demonstrate an attack on M-CAS in the oracle-less model: -Identify flip signal & SAT (IFS-SAT). We exploit structural flaws in M-CAS, and upon identification, successfully launch SAT attack to recover the secret key. Note that our SAT attack can be launched in an oracle-less setting, whereas the original SAT attack requires an oracle, i.e., a functional IC with the secret key loaded onto its memory. To this end, we substitute the oracle with a generic CAS-block that will be described later.
• Finally, we establish the effectiveness of our attack under different technology libraries and synthesis tools, and as a caution urge the designers to refrain from merely relying on state-of-the-art synthesis tools for a secure implementation.

Background
Before delving into our attacks, we provide the details that would be necessary for the rest of the paper.

Adversarial threat model
Prior to analyzing the security of any scheme, it is critical to accurately identify, communicate, and assess the potential threats within the context of adversarial capabilities. Depending on these capabilities, we define two adversarial models: • Oracle-less. The adversary is assumed to reside at an untrusted foundry which is usually well-equipped with high-end tools, and thus can perform reverse-engineering.
Note that she has access to the GDSII representation of the logic-locked design IP, thus enabling her to reverse engineer the GDSII file to obtain the locked netlist. However, access to an oracle, i.e., a working chip with the correct key, is not considered as it only becomes available during later stages of the supply chain. The adversary's goal is to identify, isolate, and infer the secret key-bit values from the structure and examples include De-synthesis [MZGT17], SPS [YMSR17], FALL [SS20, YTS19] attacks. We demonstrate our IFS-SAT attack against M-CAS in this setting.
• Oracle-guided. The adversary has access to (1) an oracle, i.e., a working chip with the correct key loaded onto its memory, as well as (2) a reverse-engineered locked netlist. A likely scenario would be a colluding adversary at an untrusted foundry and during field-use. Besides, we assume full knowledge of the technology mapping, synthesis tools, etc. used during locking. Note that this is a valid assumption as off-the-shelf synthesis tools are available from major EDA vendors, such as Synopsys Design Compiler (DC) and Cadence RTL Compiler (RC). Now, the adversary can simulate the netlist to produce meaningful input patterns rather than brute-forcing and can apply these input patterns to the working chip to decipher the secret key which is unknown in simulations. Indeed, many attacks assume this threat model; well-known examples include sensitization attack [YRSK15] and SAT attack [SRM15]. We demonstrate our IFS and KBM-SAT attacks against CAS in this setting.

Design
The design of CAS directly follows Anti-SAT [XS18], which is shown in Fig. 3a. Note that Anti-SAT is a point function-based defense, where the outputs of two complementary Boolean functions g and g are ANDed together to generate the point function Y . This Y then flips a high observability net such as a primary output (PO). The two blocks g and g takes two different n-bit keys K l1 and K l2 ; it produces Y = 1 for incorrect keys, thereby, corrupting the PO. The internal architecture of the Anti-SAT block is shown in Fig. 3b. Note that setting K l1 equal to K l2 produces Y = 0 for all input patterns, thus, unlocking the chip and ensuring correct (corruption-free) functionality.

Security analysis
The security of Anti-SAT stems from the difficulty of setting the two n-bit keys as same, since the bit-wise mapping between them is unknown to the adversary. Note that if an adversary is able to figure out this bit-wise mapping, then setting K l1 = K l2 becomes trivial, and thus, leads to a successful attack. This is given by the following equation:  Figure 4 shows the architecture of CAS, where the outputs of two complementary Boolean functions g cas and g cas are ANDed together to produce the flip signal Y . However, instead of the AND-tree structure in Anti-SAT, CAS incorporates a daisy-chained structure of alternating AND-OR gates. The flip signal Y of CAS, when XORed with the primary output of the circuit, manifests error similar to Fig. 3a. As in Anti-SAT, a user must set the key K l1 same as K l2 to unlock the design. CAS improves over Anti-SAT on multiple fronts: 1) it is resilient against bypass attack [XSTF17], 2) it prevents AppSAT by ensuring high output corruption [SLM + 17], and 3) it prevents signal probability skew (SPS) attack [YMSR17].

CAS-Lock
Existing attack. Recently, a trivial yet highly effective attack has been demonstrated against CAS [SS19]. As powerful this attack may be, it can be thwarted by a relatively simple countermeasure by including a random combination of XOR/XNOR of key-inputs with the primary inputs (PI) before feeding it to the CAS block [SXTF20b]. This improved implementation ensures that the key for g CAS is never equal to that of g CAS , i.e., K l1 = K l2 . The random combination of XOR/XNORs can be expressed as follows: denotes the i-th bit of I, and K lj [i] denotes the i-th bit of K lj . Note that R lj is an n-bit binary string selected uniformly randomly from the set of all n-bit binary strings that is unknown to the adversary. K l1 , K l2 is a correct key for CAS iff This is clear from the following equation, For the remainder of this paper, we consider this improved version of CAS [SXTF20b] and take a deeper look into it. We also assume this improved version for Anti-SAT while carrying out attacks on it.

Attacking CAS
As described earlier, the security of CAS stems from the unintelligible mapping between the key-inputs following a series of compilation steps using a state-of-the-art synthesis tool. However, contrary to this assumption, all synthesis tools have been developed for cooptimizing area, power, and timing, and thus, security was never considered. Consequently, we expose a set of vulnerabilities in CAS, left behind by synthesis tools, to develop two new attacks: (1) identify flip signal (IFS) attack, and (2) key-bit mapping & SAT (KBM-SAT) attack. In the first attack, we show that the reliance on state-of-the-art synthesis tools leaves structural traces, enabling an adversary to recover the original IP through re-synthesis. In the second attack, we go one-step further by recovering the secret key. While both attacks can successfully recover the original design IP, the second attack is more potent than the first one since it can decipher the secret key; knowledge of the secret key enables an adversary to unlock overproduced chips.

Identify flip signal (IFS)
The security of CAS is critically linked to the synthesis of the locked circuit and the dissolution of the traces of the CAS block structure. In our attack, a simple re-synthesis of the reverse-engineered locked circuit reveals the structure of CAS, and thus, the flip signal Y . 2 Afterward, simply fixing Y to a constant logic zero eliminates the protection offered by CAS. This is shown in the equation below: The question that remains to be answered is how to identify the flip signal Y in the netlist. To this end, we utilize the following property of signal Y : -Merge condition: All the key-inputs always merge at Y (see Fig. 4).
Thus, any net containing all the key-inputs in its fanin cone, would constitute a likely candidate for Y . 3 Now, consider the path from Y to the locked PO, Y lock (see Fig. 3a). It is clear that all the nets in this path also satisfy the merge condition, and therefore, constitute multiple likely candidates. To uniquely identify the flip signal Y , we select the net that is topologically farthest from Y lock and also satisfies the merge condition. Accordingly, we develop the methodology shown in Algorithm 1, and describe it below.
Methodology. First, all the key-inputs K are identified from the locked netlist Y lock . Next, we obtain Y re from the reverse-engineered locked netlist Y lock by re-synthesizing with certain constraints. We define two variables, viz., cur and prev, initialized to the primary output (PO) and φ, respectively. Next, we check if the fanin cone of cur contains all key-inputs, i.e., if it satisfies the merge condition. If yes, then we iteratively trace backward, otherwise, we output prev as the flip signal. We recover the correct value of the flip signal prev using an automatic test pattern generation (ATPG) tool. We construct a miter-like circuit Y miter with two instances of the locked netlist, where the two circuits share the primary inputs as shown in Fig. 5b. In one instance, denoted by Y lock0 , we assign logic 0 to the prev signal, whereas in the other instance, denoted by Y lock1 , it is assigned logic 1. Next, an ATPG tool is leveraged to provide a test pattern IN tp that detects a stuck-at-0 fault (s-a-0) at the output of this miter-like circuit (i.e., return an input pattern for which the output becomes logic 1). Note that such IN tp guarantees that the outputs of Y lock0 and Y lock1 are different. Next, we query the oracle with IN tp , and obtain the corresponding output OU T tp . Further, we obtain output values for IN tp for each of the locked instances, viz., Y lock0 and Y lock1 . Finally, the correct value of the flip signal is identified by comparing the outputs of the oracle to that of these locked instances. Example. Consider the example in Fig. 5a, where the attack is launched on c432 circuit locked with a 20-bit key. Note that the CAS structure is easily discernible, as all the key-inputs (shown in red) merge into the flip signal Y (as shown in the zoomed figure). Fig. 5b showcases the approach using ATPG to decipher the flip value of Y by querying the oracle. The naming convention is consistent with Fig. 3a.

Algorithm 1: Identify Flip Signal (IFS) attack
Limitation. The above IFS attack suffers from two drawbacks. First, such exploitable flip signal may not always exist in the circuit. Second, it fails to decipher the secret key from the netlist. The following attack successfully overcomes these issues, described next.

Key-bit mapping & SAT (KBM-SAT)
We now propose a key-recovery attack using a two-step approach involving key-bit mapping, followed by the SAT attack [SRM15].

Key-bit mapping (KBM)
It is evident from Fig. 4 that the i-th key-input from both secret keys K l1 and K l2 are always XORed with the same primary input (PI). We say that the key-input pair (k a , k b ) is bit-symmetric if the following properties hold: k a and k b merge with a fanout from the same PI.
k a is the i-th bit of K l1 , and k b is the i-th bit of K l2 .
In Fig. 4, k 0 and k n , first key-inputs of the two secret keys K l1 and K l2 , respectively, are XOR-ed with I 0 . This establishes (k 0 , k n ) as a bit-symmetric pair. Intuitively, checking against the PI connection reveals the bit-symmetry for each pair of key-inputs. Note that due to different optimizations applied by the synthesis tool, at times the key-inputs may get connected to an internal net instead of a PI. However, we empirically verified that bit-symmetry still holds, i.e., i-th key-input from K l1 merges onto the same internal net as i-th key-input from K l2 . We exploit this bit-symmetry to successfully decipher the complete bit-wise mapping between the two secret keys.
Methodology. The methodology is shown in Algorithm 2. We initialize the search set S with all the key-inputs, and the map set M to NULL. A key-input k i is picked at random from the search set S, and checked for bit-symmetry. To this end, we list all the N that connect to k i , and all nets V that connect to the nets in N . If there exists a key-input k j in V and k j = k i , then (k i , k j ) is a bit-symmetric pair. Thus, we add this pair to map set M , and remove k i and k j from search set S. Otherwise, it fails to find bit-symmetric pair for k i , and is removed from S. We repeat these steps for all the key-inputs in S. In the end, the mapping M between the secret keys K l1 and K l2 is returned.
Example. Consider the example in Fig. 6, where the attack is launched on c432 circuit locked with a 20-bit key. Note that key-input k 0 (shown in red) is connected to the PI G118GAT (shown in yellow). If we trace PI G118GAT , we can see the connection to another key-input k 10 . This immediately establishes (k 0 , k 10 ) as a bit-symmetric pair.

Launching SAT
Note that despite identifying the complete bit-wise mapping, setting K l1 ⊕ K l2 = R is non-trivial as R is unknown to the adversary. This prompts us to derive the following mathematical condition that can successfully decipher the secret key by launching the SAT attack against CAS. From Eqn.
(2) we get, Without loss of generality (WLOG), let us assume that we can set K l1 = 0 as the bit-wise mapping is already known. It is immediately clear that K l1 = 0, K l2 = R constitutes a correct key for CAS according to Eqn. (2), Note that the security of CAS/Anti-SAT relies on the fact that the total key space is 2 2n , and a SAT solver can only eliminate 2 n incorrect keys at each iteration, thus forcing it to iterate an exponential number of times in the key-size n. However, fixing K l1 = 0 immediately refutes this property, as with K l2 = R, R being an unknown n-bit binary string, the total key space reduces to 2 n from 2 2n . This directly violates the SAT-resiliency of CAS/Anti-SAT, thereby deciphering the secret key within only a polynomial number of iterations as opposed to the exponential number of iterations in the key-size mandated by Anti-SAT/CAS. We showcase the success of KBM-SAT in Section 5.2.2, where it can successfully decipher the secret key for all the locked circuits. Note that setting K l1 = 0 may not always be possible for an adversary, however, as long as one of the i-th bits from K l1 or K l2 is fixed to a constant value, i.e., 0/1, the above property holds; i.e., the total key space reduces to 2 n , and is thus vulnerable to the SAT attack [SRM15]. Methodology. The methodology is shown in Algorithm 2. We first trace the netlist to identify bit-wise symmetric key-bit pairs. Next, we pick a random pair of key-bits {k i , k j } from the map set M . Afterward, we fix one of the key-inputs to a constant value, i.e., to 0/1, and leave the other key-input unknown. We repeat this step for all the mapped pairs in M , and finally launch the SAT attack with this partial key information. Finally, SAT attack returns the complete key K l1 , K l2 .

Improving on CAS
In all fairness, the authors did anticipate such structural attacks against CAS, and thus forwarded the following three strategies to thwart such attacks. Below, we discuss the strengths and weaknesses of each strategy.
• RLL-integrated CAS. The structure of CAS is obfuscated by incorporating random logic locking (RLL) in an asymmetric fashion [RKM10]. This prevents an adversary from performing structural analysis, as she has no knowledge of the RLL key. However, this poses little/no challenge, as RLL can be easily peeled off from any RLL-integrated compound locking technique using AppSAT [SLM + 17]. This is acknowledged in the paper itself, where CAS+RLL gets broken ∼50% of the time, and is thus, disregarded from further consideration.
• AND/OR-camouflaged CAS. The structure of CAS is obfuscated with AND/OR gate camouflaging [Syp17]. This thwarts any structural analysis as well, restricting the adversary to an oracle-less model. However, for a secure implementation of camouflaging, the foundry needs to be trusted, which directly breaks one of the fundamental promises of logic locking. Further, a camouflaged netlist can easily be transformed into an equivalent logic locked netlist [YS15], which can then be broken using AppSAT [SLM + 17] as in RLL-integrated CAS. Therefore, we discard AND/OR-camouflaged CAS from our attack, as it fails to provide any additional benefit to the overall security of CAS.
• Mirrored CAS (M-CAS). Finally, the authors also present an improved version of CAS, called Mirrored CAS (M-CAS), shown in Fig. 7. It is claimed to be secure against any structural attacks such as our proposed IFS and KBM-SAT attacks. In this light, we consider M-CAS as the strongest defense amongst the three strategies, and accordingly, devise an attack that we describe in detail in the next section.

Attacking M-CAS
An overview of Mirrored CAS (M-CAS) is shown in Fig. 7. M-CAS is implemented by locking the original circuit with two back-to-back CAS blocks with two keys K secret and K CAS . The key K secret for the first CAS block (shown in red), is hardcoded into the netlist; it is not an input that is driven from the tamper-proof memory. After integrating the first CAS block into the design, a second CAS block (shown in blue) is invoked with identical structure as the first one. However, here the key K CAS is applied from the tamper-proof memory through the key-input ports. Only upon applying K CAS = K secret , the correct functionality can be recovered as follows: The authors claim that this implementation is secure against structural attacks, as removing the key-controlled second CAS block Y CAS does not pose any threat. This is due to the fact that removing Y CAS leaves the adversary with a non-functional design Y mod (shown with the dashed box in Fig. 7), which is immediate from the following equation: Figure 7: Architecture of M-CAS which uses two CAS blocks with keys K secret and K CAS .
Challenge. The authors assume that as the key K secret is hardcoded into the design, proper synthesis steps such as constant propagation, bubble push, and technology mapping would dissolve any structural traces. Thus, any attempt to inspect the netlist for identifying the flip signal Y secret , and consequently recovering the key K secret is deemed futile. In this section, we re-examine this assumption, and subsequently disprove it. As the SAT resilience of M-CAS relies on this assumption, the defense can be compromised by developing an attack that targets this assumption. As such, we demonstrate an attack that can launch SAT on M-CAS to decipher the secret key K secret . Our attack, called IFS-SAT, aims to inspect the locked netlist for any structural traces to decipher the secret key K secret . It consists of three steps: (1) peel off Y CAS , (2) identify flip signal Y secret , and (3) launch SAT attack to decipher K secret .

Peel off Y CAS
This can be achieved in a couple of ways as discussed in Section 3, viz., IFS or KBM-SAT attack. Note that the security of M-CAS is solely reliant on Y secret , and not on Y CAS as acknowledged by the authors. Indeed this assumption is followed in other prior works such as SFLL [YSN + 17, SNL + 20]. It is assumed that the restore unit can easily be identified by tracing the key-inputs (analogous to IFS), and thus be removed from the design as shown in [SS20,YTS19]. However, removing Y CAS does not defeat the security of M-CAS, as the adversary only recovers Y mod shown in Eqn. (4). Thus, in this paper, we concentrate on the later part, i.e., breaking Y mod .

Identify flip signal Y secret
Next, we concentrate on identifying the flip signal Y secret (IFS part of IFS-SAT) from the Y mod block. Note that if this is possible, then the adversary can recover the original IP by simply setting Y secret = 0 as given below: The question is how to identify the flip signal Y secret . With careful observation, we identify the following three properties of the flip signal Y secret that could help us shortlist the possible candidates.
1. Fan-in cone of Y secret must contain exactly n PIs, where n is the number of PIs in CAS.
2. From Fig. 4, it is clear that the structure of Y secret contains at most 2n two-input gates, excluding buffers/inverters. Note that due to internal optimizations applied by the synthesis tools, few gates may get merged. However, the upper bound for the number of gates remains unaffected.
3. From Fig. 4, we see that Y secret block exhibits a linear structure. Note that due to alternate sequence of AND/OR gates, the scope of common optimization techniques such as path balancing is limited, and we can reasonably expect Y secret to retain this property after synthesis with a constrained library, i.e., with two-input gates. Fig. 8, where the c432 circuit locked with a 64-bit key using M-CAS is shown. Here we ignore Y CAS , and only concentrate on Y secret embedded with the original c432 circuit. The flip signal Y secret and its fanin cone are marked in red. We see that all the three preceding properties hold in this case; 1) the fan-in cone contains exactly 32 PIs, 2) the number of gates is 31, excluding buffers/inverters, and 3) it retains the linear structure.

Example. Consider the example in
Thus, the preceding three criteria help in shortlisting possible candidates for the flip signal Y secret . Note that in a few scenarios, a single one of the three criteria could be sufficient to uniquely identify the flip signal. If applying a criterion uniquely identifies the flip signal, we immediately stop and return the current candidate as the solution. However, if there exists ambiguity, i.e., there are multiple possible candidates, we move to the next criterion to further prune the candidate set. Therefore, we advocate applying the above criteria in sequence to minimize run-time.
We iteratively search all the nets in the circuit to uniquely identify the flip signal Y secret . Afterward, the correct value of the flip signal is identified by comparing the outputs of the oracle to that of the fixed flip-signal netlist similar to Algorithm 1. Finally, simply fixing the flip signal to the constant logic recovers the original IP.
Limitation. Although the previous steps do recover the original IP, it suffers from a couple of drawbacks. First, it succeeds in the oracle-guided model, i.e., deciphering the correct value of the flip signal requires a working oracle. Second, it fails to decipher the secret key K secret from the netlist. Thus, in the next section, we present a different attack that successfully overcomes these issues.

Decipher the key K secret
If K secret is recovered, then setting K CAS = K secret is trivial, and thus, the original IP can be recovered according to Eq. (3). To this end, we leverage the well-known SAT attack [SRM15], where we treat Y secret of the locked netlist which we can simulate, as the working oracle, and Y CAS as the logic-locked circuit. Thus, once the flip signal Y secret is identified, the SAT attack is launched on Y CAS [SRM15] to recover K SAT . Next, setting K CAS equal to K SAT unlocks the design. Note that the SAT attack could return a key K SAT = K secret , however, as long as it satisfies the condition Y CAS = Y secret , any K SAT suffices to unlock an M-CAS-locked IC. This is clear from Eqn (3). Contrary to all the illustrations of SAT attack in the literature that only succeed in oracle-guided model, our IFS-SAT attack is launched in an oracle-less setting. We accomplish this by considering the key-controlled CAS block as the locked circuit, and the extracted cone from flip signal Y (containing the hardcoded key) as the original circuit for the SAT attack, eliminating the need for an oracle. The complete methodology for IFS-SAT is shown in Algorithm 3.
Note that this is a direct counter-example to the theoretical SAT-resilience of M-CAS. At large, SAT is considered ineffective against M-CAS. However, state-of-the-art synthesis tools leave unintentional vulnerabilities in the circuit that allows us to apply various structural attacks such as IFS, followed by SAT attack to decipher the secret key K secret .

Experimental setup
In this section, the results are presented for our attacks on ISCAS-85 and ITC-99 benchmarks; we conduct our experiments on the largest logic cone of each circuit. 4 All the experiments are carried out on a 24 core Intel Xeon processor running at 2.5GHz having 264 GB RAM. The circuits are synthesized using Synopsys Design Compiler (DC) with 65nm GlobalFoundries LPe technology. Moreover, the ISCAS-85 benchmarks are locked with 64-bit key as proposed in CAS-Lock [SXTF20a], whereas ITC-99 benchmarks are locked with 160-bit key. Further, in our experiments, we use Cadence Conformal LEC to formally verify the logical equivalence between the recovered design and the original design, and thus the success of our attacks.

IFS attack
We present the results for this attack in the following scenarios: • Full library.  oracle as described in Algorithm 1. Note that due to the technology mapping and the optimizations applied by the synthesis tool, the flip value varies randomly among circuits. However, the signal trace still remains which is identified by the IFS attack.
Further, the third column shows the circuit depth from the PO at which such flip signals exist. It is evident that such signals are present close to the locked PO, except for c3540. The execution time for our attack is reported in the fourth column, where we see even for large circuits such as b17_C with 30K+ gates, the attack terminates within only a few seconds.
• Constrained library. In this particular case, we re-synthesize the circuits by using only two-input gates from the technology library. The results are reported in Table 3. The attack is able to break 14/15 circuits, i.e., at a success rate of ∼93%. Further, the attack terminates within only a few seconds for all circuits. Note that the attack success is independent of the type of library cells used. This is expected as IFS exploits connectivity of key-inputs to identify the flip signal instead of structural analysis such as SPS attack [YMSR17].

KBM-SAT attack
KBM attack. The results from launching KBM on the CAS-locked circuits are presented in Table 4. Column 2 highlights the number of key-bits successfully mapped. For ISCAS-85 benchmarks, there are a total of 64 key-bits, and all key-bits are successfully mapped for all circuits, whereas for ITC-99 benchmarks, there are a total of 160 key-bits, and all key-bits are successfully mapped for all circuits as well, except b18_C and b22_C.
SAT attack. Building on the key-bit mapping information from KBM attack, we launch the traditional SAT attack [SRM15] as described in Section 5.2.2. To this end, we fix one key-input from each identified pair to a constant value, and the resulting circuit is fed to the SAT solver to decipher the key. Columns 3, 4, and 5 report the corresponding results, where it can be seen that it breaks 15/15 circuits, i.e., a success rate of 100%. Note that the number of iterations required have reduced to 208 from the theoretically expected 2 32 for ISCAS-85 locked benchmarks, and to 1379 from the theoretically expected 2 80 for ITC-99 locked benchmarks. Finally, column 5 shows the execution time for the SAT attack, which is less than 4 minutes even for large circuits such as b18_C having 100K+ gates. Note that for certain instances such as b18_C and b22_C, KBM failed to identify all key-bit mappings; in such cases the unidentified key-inputs are left untouched, i.e., we did not fix them to any value, instead let the SAT solver handle them. However, it can be seen from the results that only a few unidentified key-inputs do not hinder the SAT solver in any significant way.
Effectiveness of KBM-SAT. To further validate the effectiveness of the KBM-SAT attack, we lock the c432 circuit with four different key sizes, viz., 14, 16, 18, and 20 with CAS, and perform SAT without and with the KBM information. The results are plotted  in Fig 9, where it can be seen that the number of SAT iterations and the execution time conform to the theoretically expected exponential growth in the key size without the KBM information, whereas with the KBM information, they grow only linearly in the key size, thereby breaking CAS.

Attacks on M-CAS
In this section, we highlight the results of IFS-SAT carried out on M-CAS in oracle-less model. As IFS-SAT consists of two major steps, namely, IFS and SAT, we present the results separately.

IFS attack
Similar to IFS against CAS, we conduct our experiments on M-CAS-locked circuits in two different settings: full technology library and constrained technology library.
• Full library. Table 5 summarizes the results of launching IFS attack on M-CASlocked circuits synthesized with a full technology library. It successfully identifies the flip signal in 14/15 circuits, i.e., has a success rate of ∼93%. In the second column, we report the flip signal value which can be deciphered by verifying the circuit output against a working oracle. Further, such signal always exists at a close proximity from the PO. The execution time of the attack remains within few seconds even for large circuits such as b17_C. Note that the attack fails to identify the flip signal for b18_C. As we are using full technology library, the flip signal might have truly merged within the circuit, though the chances of such an event remains low.
• Constrained library. We resort to constraining the technology library to only two-input gates, and launch IFS after re-synthesizing with this constrained library.
The results are summarized in Table 5, where it can be seen that the success rate is 14/15, i.e., ∼93%.

SAT attack
Post-IFS, we move to the SAT step to recover the secret key from the netlist. Table 5 also summarizes the results for IFS-SAT attack on M-CAS-locked circuits. The attack successfully deciphers the secret key for circuits whose flip signal has been identified during IFS. In the ninth column, we report the number of SAT iterations required by the SAT attack to break the circuits. The number of SAT iterations can be as small as 84 (c499) and as large as 6646 (c1355); we don't necessarily observe a trend in the number of SAT iterations against the circuit size.

Effectiveness of our attack
In this section, we discuss different aspects of our attack, and demonstrate its effectiveness across these settings.

Effect of key-size
Here, we investigate the effect of key size on the effectiveness of IFS-SAT on M-CASlocked circuits. The results are presented in Table 6, where the attack succeeds across key-sizes, viz., 64, 128, 160, and 256. Note that in all cases, the flip signal is present immediately before the PO. Further, the number of SAT iterations increases only linearly in key size, thereby, refuting the theoretical SAT-resilience that dictates an exponential increase.

Scalability
The execution time for IFS-SAT on M-CAS-locked circuits is reported in the last column of Table 5. It is clear that the SAT step is the heaviest and slowest component of the entire attack that takes up to few minutes to complete, whereas the IFS step takes only a few seconds. Yet, the overall attack time remains within few minutes even for large benchmarks such as b17_C having 30K+ gates, establishing the scalability of our attack.

Effectiveness of selection criteria
Recall that we discussed three properties of the flip signal that can be exploited to shortlist possible candidates, viz., 1) input size, 2) gate count, and 3) linearity. Here, we investigate the effectiveness of these criteria in identifying the flip signal in M-CAS. The results are presented in Table 7, where we report the number of candidates after applying each criterion. It is seen that the first criterion alone uniquely identifies the flip signal ∼53% of the time. For the remainder, we apply the second criterion, which successfully   identifies the flip signal in all but one case, i.e., c499. The third criterion, i.e., the linear structure is used only once for c499 to uniquely identify the flip signal. However, even if criterion #1 uniquely identifies a candidate for the flip signal for b18_C, the attack fails as the identified signal is not the actual flip signal. This could be attributed to the fact that the flip signal might indeed have merged with the original circuit, though the probability of such an event remains low as seen from our experiments.

Effect of technology nodes
Here, we investigate the effect of different technology nodes, viz., 32nm and 65nm on the effectiveness of our attack. Note that different technology nodes have different sets of cell types that can lead to varying optimizations by the synthesis tools. To this end, we launch the IFS attack on M-CAS-locked circuits synthesized with 32nm and 65nm technology libraries, and the corresponding results are reported in Table 8. It is clear that the attack is successful across technology nodes, except one, i.e., b18_C. However, the degree of difficulty of the attack varies among benchmarks. For example, the existence of the flip signal is unclear for b22_C in 32nm, as it lies deep inside the circuit structure. Nonetheless, the attack succeeds in 14/15 cases for both technologies, as well as the execution time remains within few seconds. Note that once IFS is successful, launching SAT attack becomes trivial, and is omitted for the sake of brevity.

Effect of synthesis tools
It is clear from the above results that state-of-the-art synthesis tools leave behind traces that enable different attacks. Thus, it is interesting to study the effects of different synthesis tools on IFS-SAT as they can lead to different optimizations, resulting in differing Table 9: Effect of Synopsys Design Compiler and Cadence RTL Compiler synthesis tools on the effectiveness of IFS on M-CAS-locked circuits for 65nm technology node. "-" indicates the attack failed to find the flip signal. locked netlists. To this end, we investigate the effect of two industry-leading synthesis tools on our attack, viz., Synopsys Design Compiler (DC) and Cadence RTL Compiler (RC), and the results are presented in Table 9. It can be observed that the effect of synthesis tools is minimal on the attack; the success rate for DC and RC is ∼93% and 100%. This is a further empirical evidence that synthesis tools fail to merge the structure of M-CAS, independent of tool/library/technology node used.

Applicability to other locking techniques
The attacks developed in this paper are not limited to CAS/M-CAS, and they can be easily extended to other variants of point function-based locking techniques such as Anti-SAT [XS18] or SFLL [YSN + 17]. The structural analysis carried out in IFS attack (see Section 3) against CAS, can also be applied to break the closely-related Anti-SAT technique. To this end, we launch our IFS attack on Anti-SAT, and the results are presented in Table 10. It can be seen that IFS breaks 14/15 circuits, i.e., a success rate of ∼93%.
Building on this result, we posit that the structural analysis of the IFS-SAT attack against M-CAS, can be leveraged against other techniques such as SFLL [YSN + 17] and SFLL-fault [SNL + 20]. As these techniques also rely on point functions for SAT resilience, the additional structure could be identified by tweaking the three criteria that are described in IFS (see Section 4.2), however, we leave it as an open problem for future work.
Nevertheless, the last step of the IFS-SAT attack, i.e., deciphering the secret key using SAT, is generic that can be applied to any structurally vulnerable point functionbased locking technique. Note that this is an improvement over the traditional SAT attack [SRM15] that only succeeds in the oracle-guided model, while, our IFS-SAT can be launched in an oracle-less model, where the flip signal is simulated as the oracle.

Limitation of state-of-the-art synthesis tools
To thwart the SAT attack, researchers have proposed several point function-based locking techniques such as Anti-SAT [XS18], SARLock [YMRS16], SFLL [YSN + 17], SFLLfault [SNL + 20], CAS-Lock [SXTF20a] etc. However, most/all of these techniques have been broken by different structural attacks [YMSR17, YTS19, SS20, XSTF17]. This is attributed to the fact that the implementation of point function requires insertion of additional circuit into the netlist such as an AND-tree [SNL + 20]. However, commercially available state-of-the-art synthesis tools fail to blend this structure into the circuit, leaving behind traces that subsequently leads to its identification as has been demonstrated in our attack, as well as in a plethora of other works [YMSR17, XSTF17, YTS19, SS20].
This naturally raises the following question, "is it possible to securely implement a point function-based locking technique that thwarts any structural attack?" In Meerkat, the authors argue that it is indeed possible [MZGT17]. The crux of the technique is to leverage canonical representations of boolean functionality via reduced ordered binary decision diagrams (ROBDDs) to achieve indistinguishability obfuscation (iO). Note that the application of an iO obfuscator allows a designer to prove that a locked netlist do not reveal any information about the secret key. However, ROBDD is inefficient, does not scale, and thus, can not be applied for practical purposes. Although efficient iO obfuscators do exist such as [GGH + 16], the power, performance, and area (PPA) overheads incurred are so large that they are of little practical interest at this time. When specifically talking about application specific integrated circuit (ASIC) design that can not tolerate the slightest of PPA degradation, application of such iO obfuscators is deemed totally impractical. 5 This leaves the designers at the mercy of commercially available state-of-the-art synthesis tools that unfortunately fail to provide adequate security against structural attacks.

Preventing structural attacks
Given the limitation of state-of-the-art synthesis tools, there are roughly three ways to achieve SAT-resilience without relying on such tools.
The first approach is to insert structures that create hard SAT instances, thereby, throttling the effectiveness of the SAT solver. Representative techniques following this approach include Full-Lock [KAHS19], where SAT-hard logic and routing blocks are inserted and InterLock [KAHS20], where inter-correlated logic and routing locking is used.
A second approach involves locking the scan chains in a circuit to thwart oracle access. Note that scan chains are inserted to facilitate thorough testing of the circuit. However, since SAT attack works only on combinational logic, it leverages these scan chains to access the internal combinational logic. Hence, obfuscating the stimuli and response of scan flip-flops can thwart the SAT attack [KCK18, KCK19, WZH + 17, KKC19]. But, caution must be taken as some schemes have been shown to be vulnerable to modeling-based attacks due to linear obfuscation of scan chains [AYL + 19, LS20].
Finally, a new direction to thwart SAT attack was proposed in DisORC, where the secret key is withdrawn from the key-register whenever access to scan chains is detected [LKK + 20]. Instead of obfuscating the scan stimuli and responses, DisORC detaches the secret key coming from tamper-proof memory and instead feeds user-defined key to the key-registers. SAT attack launched on this setup returns the key fed by the user, clearing any traces of the secret key in the outcome.
the SAT-resistant circuit. Further, compound locking schemes where traditional locking schemes are compounded with point function based techniques to thwart aforementioned attacks were also short-lived by variants of SAT-based attack [SLM + 17, LPS21]. However, the current CAS/M-CAS technique is secure against such an attack by construction that has been theoretically established in [SXTF20a].
Examples of structural attacks include signal probability skew (SPS) and AppSATguided removal attack (AGR) [YMSR17] that can identify and remove the SAT-resistant logic from the circuit, thereby recovering the original design IP. Though these attacks have successfully been mounted against Anti-SAT and SARLock, M-CAS remains secure against such attacks by virtue of its construction.
Recently, a functional analysis-based logic locking attack (FALL) [SS20] has been proposed against a similar locking technique SFLL [YSN + 17]. The attack exploits mathematical properties of Hamming distance (HD)-based SFLL techniques, viz., unateness, non-overlapping errors, and sliding window. These properties can successfully decipher a hardcoded key from a SFLL-locked netlist. However, these functional properties do not hold for CAS/M-CAS, and as such FALL cannot be applied. However, the unateness property applies individually to g cas and g cas , and thus, we believe that it may be applied to find possible candidates for the flip signal. Nevertheless, this would require further complex mathematical formulations, and the attack fails to break CAS/M-CAS in its current form.
A new structural analysis to identify the flip signal is presented in [YTS19], where the authors establish that the flip signal exhibits a tree-like structure. However, this attack relies on manual inspection of the netlist, whereas our attack is completely automated. Further, the tree-like structure characteristic is inapplicable to M-CAS, making M-CAS secure against [YTS19].
Concurrent to this work, a graph neural network-based work is introduced in [APK + 21]. This work leverages neural network to learn structural features of the SAT-resilient logic, and subsequently predict its existence. However, the prediction accuracy depends on the training data set, and unlike our attack, it fails to recover the secret key that can enable overbuilding.
A comparative overview of our attack against the state-of-the-art attacks is presented in Table 1, from which it is immediately clear that our attack complements the other attacks, as it is the only one which successfully breaks CAS/M-CAS.

Conclusion
In this paper, we present a series of attacks that break the newly proposed locking technique CAS/M-CAS. First, we present two new attacks against CAS, viz., IFS and KBM-SAT in the oracle-guided model that successfully defeat advanced versions of CAS by exploiting its implementation flaws. Next, we break the improved version of CAS, viz., mirrored CAS (M-CAS) by developing IFS-SAT that exploits certain structural characteristics of M-CAS; we launch this attack in an oracle-less setting.
Through extensive experiments, we establish the efficacy of our attacks against different technology libraries, for different library cells, against different synthesis tools, for varying key-sizes, and for multiple point function-based schemes. Further, these experiments support our claim that state-of-the-art synthesis tools can introduce unknown/unintentional pitfalls in a design and we urge researchers to consider these shortcomings while developing logic locking techniques.