EPIC: Ending Piracy of Integrated Circuits

1
EPIC Ending Piracy of Integrated Circuits

• Jarrod Roy,Farinaz Koushanfarand Igor
  Markov

University of Michigan and Rice University
2
Problem Piracy of ICs

• Semiconductor manufacturing is outsourcedto
  foreign countries, especially E. S.E. Asia
• LSI recently sold its last fab quit the
  business
• TI and Freescale outsourced sub-65nm
  manufacturing
• Qualcomm one top 10 IC producers, Summer 2007
• Rampant piracy in E. S.E. Asia
• Clothing, software, consumer electronics, chips
• Fake NEC corporation discovered in China
• US is initiating anti-piracy proceedingsagainst
  China in WTO
• CeBIT raids on March 6, 2008
• Masks can be stolen, used for free
• Produced chips will be identical

3
Similar to Software Piracy ?

• Software is easy to copy
• Activation keys, e.g., MS Office
• Every CD requires its own key
• But this key can be copied too
• SW is easy to modify cracked versions abound
• E.g., computer games on Bit-Torrent, etc
• HW is drastically different
• No known techniques for physically copying ICs
• Reproducing IC requires masks access to a fab
• Modifying a chip requires FIB very slow
  expensive (impractical in large quantities)

4
IC Design, Fabrication Test

• Three entities
• Chip designer
• Holder of IP rights for the chip
• Manufacturer (fab) circuit tester
• Challenges
• Do not allow fabs to sell excess chips
• Make the theft of masks (by or from fab)
  insufficient to produce working chips
• Our solution EPIC
• A chip-locking system where each chiprequires a
  different code to operate
• Without the right code, chips fail test

Usually same
5
EPIC Ending Piracy of ICs

• Additional hardware
• A novel lightweight locking system
• Public-key crypto with random key
  generation(available on Niagara2)
• Additional pins for encrypted keys
• Keys
• Common key (CK) built into gate-level circuit
• Master keys (MK) owned by holder of IP
  rightsprivate key never transmitted, cannot be
  deduced
• Random chip keys (RCK) public/private keys
• Input key (IK) key entered to unlock the chip

6
EPIC Design Flow
DFY DFM
7
EPIC Activation and Testing
Cutting andpackaging
X
8
Details Combinational Locking

• Modifies combinational circuits
• E.g., control logic datapaths
• Adds
• k new XOR gates
• k new inputs for bits of common key
• Uses these identities
• x? 0x, x? 1x
• x? y x? y (x? y)
• Accommodates any key

Insert XORs
Select wires
One bit of common key
1
0
1
1
4-bit common key
9
Spurious Common Keys ?

• Consider circuit C(x) and a locked variant
  C(x,y)such that for a designated key y0 ?x C(x,
  y0)C(x)
• To find a working common key,must solve this
  Boolean equation? y0 ?x C(x, y0)C(x)
• Our locking construction guarantees solution
• Note that this problem is beyond NP
• Can there be multiple solutions ? - Yes
• Consider initial circuit cXOR(x1,x2)
• Locked variant cXOR(XOR(x1,y1),XOR(x2,y2))
• Common keys (0,0) and (1,1)

10
Unique Common Keys

• Ideally we have ?? y0 ?x C(x, y0)C(x)
• This can be checked for a given circuit
• Build BDDs of C(x) and C(x, y)
• Build BDD of the miter C(x,y)C(x)
• Quantify out (?) the variable x
• Count paths in the resulting BDD (linear time)
• Expected result a single path
• To ensure unique common keys
• Each wire should affect an outputnot affected by
  other wires (? no cancellations)

11
Length of Common Key (1)

• In digital circuits, inversion of a single
  wirewill usually affect the output
• Sufficient to disable the circuit
• Insufficient to hide the key (can try 0 and 1)
• Brute-force enumeration
• Requires the ability to try many different
  keys(not necessarily a specific key !)
• For many different keys, run circuit test,wait
  until it passes
• Common key must be long enoughto defeat
  brute-force enumeration, e.g., 64 bits

12
Length of Common Key (2)

• Suppose that 32 bits lock an adderand another 32
  bits lock a multiplier
• Can apply brute force to the adder first
• Then to multiplier
• 232 232 ltlt 264
• This is only slightly better than locking the
  adder and multiplier with the same 32-bit key
• If a key locks n independently-testable blocks,
  its effective length (EL) is ? log2 ((2k1
  2k2 2kn) / working keys)
• when bits are not reused for multiple blocks

13
EPIC Vulnerability Assessment

• Main scenarios
• Fab selling excess chips
• Forgers stealing masks using fabs
• Additional cases, when forgers can
• Reverse-engineer and modify masks
• Modify chips in large quantities (FIB required)
• Observe individual transient signals on chip
• Also must consider
• Stolen RTL, gate-level netlist
• Stolen layouts (placed routed)
• Stolen test vectors correct responses

14
Technology Context

• Operational assumptions
• Public-key crypto cannot be broken or reversed
• RCK is random (available in Suns Niagara 2)
• RCK is generated once per chip (burned into
  fuses)
• Common Key is unique (or has very few variants)
• By construction empirically checked
• Multiple levels of protection
• Some keys are never transmitted (e.g.,
  MK-Private)
• Some keys are not in RTL (CK), or layout (RCK)
• To break EPIC, must have both Master Keys
  (MK),Common Key (CK) and RCK-Public for each chip

15
EPIC Guarantees

• Knowing a good CKis not sufficient to pirate ICs
• Chip can only be unlocked with good IK
• Good IK good CK encryptedwith MK-Private
  RCK-Public
• Good IKs are as random as RCKs
• Same number of good CKs good IKs
• A good IK can only be decrypted by the chip
• MK-Private and RCK-Private never transmitted
• Good IK for one chip does not unlock another

16
Guarantees due to Public-Key Crypto

• Public Chip Key Master Key do not
  revealinformation about their private
  counterparts(which are never transmitted)
• Input Key for one chip gives no infofor other
  chips
• Knowing Common Key, all Public Keys and all
  Random Chip Keys does not allow creating a good
  Input Key

17
Discussion of Attacks (1)

• Guessing, stealing or reverse-engineeringthe
  Common Key is insufficient
• Common Key is produced by decrypting Input Key
• Intercepting communications from/to the chipis
  insufficient
• Guarantees provided by public-key crypto
• In particular, Input Keys cannot be reused
• Inspecting a working chip and havinga full
  understanding of masks is insufficient
• Only provides Common Key,Chip Keys and Public
  Master Key

18
Discussion of Attacks (2)

• Suppose that the forger
• Found Common Key (by mask inspection)
• Found Public Master Key (by mask inspection)
• Powered-up a chip
• Discovered Random Chip Keys (power analysis?)
• The forger must now generate a good Input Key
• But this requires Private Master Key
• Private Master Key is never transmittedand
  cannot be deduced from Public Master Key
• Brute-forcing Input Key or Random Chip Keys
• Infeasible Chip Keys are burned into fuses

19
Source-level Protection

• Source files are not transmitted to the fab?
  much harder to steal
• But what if RTL and gate-level netlist are stolen
  ?
• Common Key is added after placement
• Random Chip Keys are created on power-up
• The attacker cannot activate normal chips
• What if placed routed layout is stolen? this
  might help finding Common Key, but
• Need locked original netlists (or test
  responses)
• Finding Common Key is worse than NP-complete
• Having Common Key does not enable piracy

20
Additional Protection Mechanisms

• Multipliers are harder to unlock even at gate
  level
• Transmit serial numbers and current
  datetimewith public key during activation
• Restrict activation to one chipin 10 seconds
  during certain hours
• Encrypted communication between the chip and the
  holder of IP rights authenticated by fab
• Stronger encryption can be added, changed
• Curb man-in-the-middle denial-of-service
  attacks
• Better accountability, easier to trace forgers
• Motivate fab to guard information

21
Dealing With the Human Factor

• Spies infiltrate the main office and steal
• Common Key both Master Keys
• During chip activation
• Random Chip Key -publicappears on output pins,
  encrypted by MK-public
• The forger can decrypt it using MK-private
• Then encrypt CK with MK-private and RCK-public
• Enter it as Input Key (IK)
• EPIC can deal with this !
• Add another layer with Fab Keys (public
  private)
• Only the intended fab can perform chip activation

22
Technologically Advanced Forger ?

• W/o spies, must change the masks
• Having that ability seems to defeat many possible
  protection schemes, at least in principle
• Full understanding of the masks complete info
  about a working chip reveals Common Key
• Masks can be changed to hardwire Common Key
  disconnect it from Public-Key Crypto module
• In practice, this seems infeasible
• Below 90nm, mask analysis is very hard due to OPC
• Watching a working chip is even harder
• Producing a modified chip requires a fab or FIB

23
Financial Limitations of Piracy

• Pirated ICs must be cheaper than original ICs
• A pirate cannot advertise
• lower volumes
• Pirates risk is higher
• higher margins required
• Pirates investment ? (sales of pirated ICs) -
  margins
• A pirate cannot invest much !
• Modifying each chip using FIB is very slow
• Running PR, DFM DFY incurs NRE costs
• Using a different fab requires yield ramp-up

24
Delay, Power, Verification Test

• Only non-critical wires are selected (after
  placement)
• Inserted XORs do not touch critical paths
• Common key fixed no new switching activity
• A slight penalty for inserted XOR gates
• Old test vectors responses remain valid
• The activated circuit is just like the original
• Turn off RNG Crypto after activation

25
Area Overhead of EPIC

• 2-3 new package pins for Input Key
• Use scan chains to scan-in the IK
• True random number generator small(Su97,
  Blaauw06, etc)available on Niagara2
• Public-key crypto bulk of EPIC overhead
• Available on Niagara2, small area
• Does not have to be fast
• Can be sequential can use CPU, but not SW

26
Empirical Evaluation

• Select large combinational circuits for locking
  (we used ISCAS85)
• Randomly select wires andperform combinational
  locking
• Check ? y0 ?x C(x, y0)C(x) using BDDs
• Confirm unique common key or count keys
• Results
• Very few duplicate keys with random wire
  selection
• 64-bits sufficient to thwart brute force
• gt 100 years using 10000 machines

27
EPIC Conclusions

• Hardware piracy a growing threat
• Current efforts barely go beyond serial numbers
• We propose a robust mechanismto protect against
  piracy of ICs
• Lock embedding
• Combinational locking with common key
• Random chip-key generation upon 1st power-up
• Public-key cryptography with holder of IP rights
• Input key activates a chip (different for each
  chip)
• Overhead and attacks analyzed

28
Questions ?
29
Selecting Wires for Common Key

• For each wire, count the number of signal paths
  traversing it (pseudo-linear time)
• Select one of the wires with most paths
• Find all outputs in its fanout cone
• Find an output with least wires in its fanin cone
• Mark those wires as prohibited
• If any unmarked wires remain, goto 2
• Theorem for the wires selected by the above
  procedure, there will be a unique common key

30
Limits on Key Length

• A small circuit cannot accommodate long keys
• Our wire-selection algorithm cannot pickmore
  wires than primary outputs in the circuit
• POs is not an upper bound, buthelps proving
  uniqueness
• Multiple working keys may be OK
• Used by tell who activated the circuit
• But would decrease effective key length

31
Why not Insert XORs on FF inputs ?

• Our algorithm can insert XORs on FF inputs if
  that is deemed useful
• Each XOR will affect only a single output
• Easier to reverse-engineer
• Limits key size (but not more than our algorithm)
• This is very likely to affect critical paths

32
EPIC Keys
Master Key (MK)
Designer
IP
RCK-Public
Public Key
Input Key (IK)
Public Key Crypto
Foundry
Private Key
Common Key (CK)
Chip Key Pair (RCK)
Unlocking the Control Logic
Control Logic Locked
33
EPIC Ending Piracy of ICs

• Every chip generates a Random Chip Key (RCK) upon
  first power-up
• Using a true random number generator
• Collisions rare harmless
• Control logic is locked by Common Key (CK),but
  CK cannot be entered directly
• CK is compd by public crypto from Input Key (IK)
• IK is sent by the holder of IP rightsin response
  to RCK-Public
• Can only be generated from master key (MK)
• Can only be decrypted with RCK-Private

34
Encrypting Common Key

• The Common Key can be discovered, stolen,
  reverse-engineered, etc
• The leakage of Common Key does not break EPIC
• Successful activation requires Input Key
• Common Key produced by decrypting the Input
  Keywith Private Random Chip-Key Public Master
  Key
• Public Master Key is hardwired on the chip
• To produce IK, need RCK-Public and MC-Private
• Random Chip Keys do not repeat among chips
• Public Random Chip Key is transmittedto the
  holder of Master Key

35
Locking Scan Chains ?

• Does not affect the main circuitwith respect
  to delay, power
• Requires a large number of scan chains(one bit
  per chain)
• Scan chains are independent ? the effective
  length of such key will be very small
• When locking a module, also locking its scan
  chain(s) will complicate test-based attacks

36
Other Considerations Ideas

• Locking clock wires seems like a bad idea
• Adds clock skew significant power overhead
• Easier to reverse-engineer
• Locking multipliers good as an extra
• Not an essential functionality, but common
• Attempts to reverse-engineer using SAT,BDD or
  other techniques would be hopeless

37
Which Circuit Modules To Lock ?

• Possible strategies
• Lock the most vital modulesto make the chip
  useless in all cases
• Lock corner-case behavior, make failures subtle
• Lock performance, unlocked chips will run slower
• Comprehensive locking in a microprocessorlock
  control logic
• No need to lock all pipeline stages if one is
  disabled, others cannot work
• Lock stages with more logic wider circuit
• Subtle locking forwarding logic
• Performance locking branch predictors, caches