skip to main content

Title: Security Vulnerabilities of Obfuscated Analog Circuits
Vulnerabilities of key based analog obfuscation methodologies that modify the transistor dimensions of a circuit are evaluated. Two attack vectors on a common source amplifier, differential amplifier, operational amplifier, and voltage controlled oscillator are developed. The first attack exploits the lack of possible key combinations permitted around the correct key, which is a result of requiring a unique key to lock the circuit. An average of 5 possible key combinations were returned in an average of 5.47 seconds when executing the key spacing attack. The second attack vector utilizes the monotonic relationship between the sizing of the transistors and the functional response of the circuit to determine the correct key. The average time to execute the attack, while assuming process, voltage, and temperature (PVT) variation of 10%, was 1.18 seconds. Both equal key spacing and non-monotonic key dependencies are discussed as ways to mitigate the threats to future analog obfuscation techniques.
Authors:
; ;
Award ID(s):
1751032
Publication Date:
NSF-PAR ID:
10225151
Journal Name:
Proceedings of the IEEE International Symposium on Circuits and Systems (ISCAS)
Page Range or eLocation-ID:
1 to 5
Sponsoring Org:
National Science Foundation
More Like this
  1. In this paper, an approach is described for enhancing the security of analog circuits using Satisfiability Modulo theory (SMT) based design space exploration. The technique takes as inputs generic circuit equations and performance constraints and, by exhaustively exploring the design space, outputs transistor sizes that satisfy the given constraints. The analog satisfiability (aSAT) methodology is applied to parameter biasing obfuscation, where the width of a transistor is obfuscated to mask circuit properties, while also limiting the number of keys that produce the target performance requirements. The proposed methodology is used in the design of a differential amplifier and a two stage amplifier. The widths determined through aSAT analysis are shown to meet the gain, phase margin, and power consumption requirements for both a differential amplifier and a two-stage amplifier. However, a 7 MHz offset in the gain-bandwidth of the two-stage amplifier is observed from the target value of 30 MHz. The total gain of the two stage amplifier is masked with a 24 bit encryption key that results in a probability of 5.96x10-08 to determine the correct key. The simulated results indicate that the proposed analog design methodology quickly and accurately determines transistor sizes for target specifications, while also accountingmore »for obfuscation of analog circuit parameters.« less
  2. Similar to digital circuits, analog and mixed-signal (AMS) circuits are also susceptible to supply-chain attacks, such as piracy, overproduction, and Trojan insertion. However, unlike digital circuits, the supply-chain security of AMS circuits is less explored. In this work, we propose to perform "logic-locking" on the digital section of the AMS circuits. The idea is to make the analog design intentionally suffer from the effects of process variations, which impede the operation of the circuit. Only on applying the correct key, the effect of process variations are mitigated, and the analog circuit performs as desired. To this end, we render certain components in the analog circuit configurable. We propose an analysis to dictate which components need to be configurable to maximize the effect of an incorrect key. We conduct our analysis on the bandpass filter (BPF), low-noise amplifier (LNA), and low-dropout voltage regulator LDO) for both correct and incorrect keys to the locked optimizer. We also show experimental results for our technique on a BPF. We also analyze the effect of aging on our locking technique to ensure the reliability of the circuit with the correct key.
  3. Similar to digital circuits, analog circuits are also susceptible to supply-chain attacks. There are several analog locking techniques proposed to combat these supply-chain attacks. However, there exists no elaborate evaluation procedure to estimate the resilience offered by these techniques. Evaluating analog defenses requires the usage of non-Boolean variables, such as bias current and gain. Hence, in this work, we evaluate the resilience of the analog-only locks and analog and mixed-signal (AMS) locks using satisfiability modulo theories (SMTs). We demonstrate our attack on five analog locking techniques and three AMS locking techniques. The attack is demonstrated on commonly used circuits, such as bandpass filter (BPF), low-noise amplifier (LNA), and low-dropout (LDO) voltage regulator. Attack results on analog-only locks show that the attacker, knowing the required bias current or voltage range, can determine the key. Likewise, knowing the protected input patterns (PIPs), the attacker can determine the key to unlock the AMS locks. We then extend our attack to break the existing analog camouflaging technique.
  4. Logic encryption, a method to lock a circuit from unauthorized use unless the correct key is provided, is the most important technique in hardware IP protection. However, with the discovery of the SAT attack, all traditional logic encryption algorithms are broken. New algorithms after the SAT attack are all vulnerable to structural analysis unless a provable obfuscation is applied to the locked circuit. But there is no provable logic obfuscation available, in spite of some vague resorting to logic resynthesis. In this paper, we formulate and discuss a trilemma in logic encryption among locking robustness, structural security, and encryption efficiency, showing that pre-SAT approaches achieve only structural security and encryption efficiency, and post-SAT approaches achieve only locking robustness and encryption efficiency. There is also a dilemma between query complexity and error number in locking. We first develop a theory and solution to the dilemma in locking between query complexity and error number. Then, we provide a provable obfuscation solution to the dilemma between structural security and locking robustness. We finally present and discuss some results towards the resolution of the trilemma in logic encryption.
  5. A technique to enhance the security of analog circuits using Satisfiability Modulo Theory (SMT) based design space exploration is described. The analog satisfiability (aSAT) technique takes as inputs generic circuit equations and performance constraints and, by exhaustively exploring the design space, outputs transistor sizes that satisfy the given constraints. The aSAT methodology is applied to parameter biasing obfuscation, where the width and length of a transistor are obfuscated to mask circuit properties. The proposed methodology was used in the design of a differential amplifier and an operational amplifier, where the widths and lengths determined through aSAT analysis were shown to meet the target circuit specifications. For the operational amplifier, transistor dimensions determined through aSAT analysis for a set of performance constraints were characterized and were found to meet the performance targets, however, there was a 7 MHz reduction in the gain bandwidth product. The simulated results indicate that the developed design methodology achieves a fast and accurate determination of transistor sizes for target specifications.