Security Analysis for SCONE Logic Locking

📅 2026-07-03
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work systematically analyzes the security vulnerabilities of the SCONE logic locking scheme under both with-ES and without-ES implementations. For the with-ES variant, we present a polynomial-time white-box attack that precisely recovers the encoded relationships. For the without-ES variant, we formally demonstrate that its input space dimensionality is not meaningfully expanded and develop a black-box verification method to exploit this weakness. Through formal modeling, linear algebraic analysis, and RTL-level circuit evaluation on ISCAS-85, ITC-99, and ARM Cortex-M0 benchmarks, we achieve 100% recovery of the locking encoding, thereby uncovering for the first time the critical issue of dimensional collapse in both variants. We further propose a lightweight nonlinear mitigation strategy that effectively thwarts existing attacks.
📝 Abstract
SCONE [DAC'25] expands a logic locking interface with additional encoded inputs derived from the original primary inputs, and admits two realizations: a \textit{with-ES} variant, where the critical encoding stage is implemented in hardware, and a \textit{without-ES} variant, where the locked design directly exposes an encoded interface of width $n+m$. We show that both realizations are vulnerable, but for different reasons. For the without-ES variant, we prove that, when the added encoded inputs are deterministic linear functions of the original inputs, the valid encoded-input space remains $n$-dimensional despite the nominal expansion to $n+m$ inputs. Hence, the widened interface does not yield $m$ additional or independent brute-force dimensions. For the with-ES variant, we present a polynomial-time white-box attack that exactly recovers the added-input count and the implemented linear encoding relation from the locked netlist, achieving 100\% recovery over all evaluated instances. We also develop a black-box procedure that certifies the same dimensionality collapse from valid encoded-input samples without reconstructing the hidden encoder. Experiments on ISCAS-85 and ITC-99 benchmarks validate both results, and we further demonstrate exact white-box recovery on an ARM Cortex-M0 RTL benchmark. Finally, we propose a lightweight non-linear mitigation and show that it does not exhibit the vulnerabilities identified in this paper under all representative attack sets considered in SCONE.
Problem

Research questions and friction points this paper is trying to address.

logic locking
security analysis
dimensionality collapse
white-box attack
encoded interface
Innovation

Methods, ideas, or system contributions that make the work stand out.

logic locking
security analysis
dimensionality collapse
white-box attack
non-linear mitigation
🔎 Similar Papers
No similar papers found.