Is Register Transfer Level Locking Secure?
Chandan Karfa (1,a), Ramanuj Chouksey (1,b), Christian Pilato (2), Siddharth Garg (3,c) and Ramesh Karri (3,d)
1 Indian Institute of Technology Guwahati, India
a ckarfa@iitg.ac.in
b r.chouksey@iitg.ac.in
2 Politecnico di Milano, Italy
christian.pilato@polimi.it
3 New York University, USA
c siddharth.garg@nyu.edu
d rkarri@nyu.edu
ABSTRACT
Register Transfer Level (RTL) locking seeks to prevent theft of a design's intellectual property (IP) by locking its RTL description so that it functions correctly only when the correct key is applied. This paper evaluates the security of a state-of-the-art RTL locking scheme using a satisfiability modulo theories (SMT) based algorithm to retrieve the secret key. The attack first obtains the high-level behavior of the locked RTL, and then uses an SMT-based formulation to find distinguishing input patterns (DIPs): inputs on which two candidate keys still produce different outputs, so that one query to a functional oracle (an unlocked design) rules out at least one of them. The attack methodology has two main advantages over gate-level attacks. First, because it handles the design at the RTL rather than at the netlist, the method scales to large designs. Second, it does not need separate unlocking strategies for the combinational and sequential parts of a design; it handles both via a unifying abstraction. We demonstrate the attack on locked RTL generated by TAO [1], a state-of-the-art RTL locking solution. Empirical results show that we can partially or completely break designs locked by TAO.
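The DIP loop described above, as an added illustration that is not the paper's SMT formulation and not TAO's locking: a toy RTL-style datapath is locked with a 4-bit key (key bits XOR a constant into an operand, select add or sub, and select output inversion; all of this is an assumed design constructed for the example), the unlocked design serves as the functional oracle, and the attack repeatedly finds an input on which surviving candidate keys disagree, queries the oracle on it, and prunes the keys that disagree with the oracle. The paper asks an SMT solver for each DIP over the abstracted RTL behavior; here the key space is small enough that exhaustive enumeration stands in for the solver. The loop terminates when no DIP exists, at which point every surviving key is functionally equivalent to the correct one, which is the guarantee a DIP-based attack provides.

```python
"""Added illustration of a DIP-driven key-recovery loop against a toy locked design.
Not the paper's SMT formulation and not TAO output: the design, the 4-bit key width
and the exhaustive search are assumptions made for this example."""
from itertools import product

MASK8 = 0xFF
KEY_BITS = 4  # assumption: a 4-bit key keeps exhaustive enumeration instant


def locked_design(a, b, k):
    """Toy locked 8-bit datapath (constructed example, not TAO output).
    Key bits: [1:0] are XORed into operand a (constant locking),
    bit 2 selects add (1) or sub (0) (operation locking),
    bit 3 selects whether the result is output as-is (1) or inverted (0)."""
    c = a ^ (k & 0x3)
    t = (c + b) & MASK8 if (k >> 2) & 1 else (c - b) & MASK8
    return t if (k >> 3) & 1 else t ^ MASK8


SECRET_KEY = 0b1100  # under this key locked_design computes (a + b) mod 256


def oracle(a, b):
    """Functional oracle: the unlocked design (e.g. an activated chip)."""
    return (a + b) & MASK8


def all_inputs():
    """Full 8-bit x 8-bit input space; small enough to enumerate here."""
    return product(range(256), repeat=2)


def find_dip(candidates):
    """Return an input on which at least two surviving keys give different
    outputs, or None when all survivors agree everywhere (no DIP left).
    The paper poses this query to an SMT solver; enumeration stands in here."""
    for a, b in all_inputs():
        outs = {locked_design(a, b, k) for k in candidates}
        if len(outs) > 1:
            return (a, b)
    return None


def dip_attack():
    """Prune the candidate key set with oracle queries until no DIP remains.
    Returns (surviving keys, list of DIPs queried)."""
    candidates = set(range(1 << KEY_BITS))
    dips = []
    while True:
        dip = find_dip(candidates)
        if dip is None:
            return candidates, dips
        a, b = dip
        dips.append(dip)
        expected = oracle(a, b)  # one oracle query per DIP
        candidates = {k for k in candidates if locked_design(a, b, k) == expected}
        if not candidates:
            raise RuntimeError("oracle inconsistent with locked design")


def key_is_correct(k):
    """Exhaustive check that key k makes the locked design match the oracle."""
    return all(locked_design(a, b, k) == oracle(a, b) for a, b in all_inputs())


if __name__ == "__main__":
    keys, dips = dip_attack()
    print("surviving keys:", [bin(k) for k in keys], "after", len(dips), "DIPs:", dips)
```

On this toy design the first DIP (a=0, b=0) already eliminates every key that XORs a non-zero constant into a or inverts the output, and a second DIP (a=0, b=1) separates add from sub, leaving only the correct key. The interesting quantity for a real scheme is how many such oracle queries are needed before the survivors are all functionally equivalent; that is what the paper measures against TAO-locked RTL, with the solver doing the work that enumeration does here.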