{"ID":5935756,"CreatedAt":"2026-07-07T01:22:02.77346169Z","UpdatedAt":"2026-07-07T02:10:06.972658124Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2607.03288","arxiv_id":"2607.03288","title":"Security Analysis for SCONE Logic Locking","abstract":"SCONE [DAC'25] expands a logic locking interface with additional encoded inputs derived from the original primary inputs, and admits two realizations: a \\textit{with-ES} variant, where the critical encoding stage is implemented in hardware, and a \\textit{without-ES} variant, where the locked design directly exposes an encoded interface of width $n+m$. We show that both realizations are vulnerable, but for different reasons. For the without-ES variant, we prove that, when the added encoded inputs are deterministic linear functions of the original inputs, the valid encoded-input space remains $n$-dimensional despite the nominal expansion to $n+m$ inputs. Hence, the widened interface does not yield $m$ additional or independent brute-force dimensions. For the with-ES variant, we present a polynomial-time white-box attack that exactly recovers the added-input count and the implemented linear encoding relation from the locked netlist, achieving 100\\% recovery over all evaluated instances. We also develop a black-box procedure that certifies the same dimensionality collapse from valid encoded-input samples without reconstructing the hidden encoder. Experiments on ISCAS-85 and ITC-99 benchmarks validate both results, and we further demonstrate exact white-box recovery on an ARM Cortex-M0 RTL benchmark. Finally, we propose a lightweight non-linear mitigation and show that it does not exhibit the vulnerabilities identified in this paper under all representative attack sets considered in SCONE.","short_abstract":"SCONE [DAC'25] expands a logic locking interface with additional encoded inputs derived from the original primary inputs, and admits two realizations: a \\textit{with-ES} variant, where the critical encoding stage is implemented in hardware, and a \\textit{without-ES} variant, where the locked design directly exposes an...","url_abs":"https://arxiv.org/abs/2607.03288","url_pdf":"https://arxiv.org/pdf/2607.03288v1","authors":"[\"Akashdeep Saha\",\"Mohammed Nabeel\",\"Johann Knechtel\",\"Michail Maniatakos\",\"Ozgur Sinanoglu\"]","published":"2026-07-03T12:57:29Z","proceeding":"cs.CR","tasks":"[\"cs.CR\"]","methods":"[]","has_code":false}
