This study uncovers a previously unrecognized runtime threat posed by logic locking: erroneous key loading induces severe leakage of sensitive signals—particularly cryptographic keys. We systematically evaluate the impact of logic locking on runtime data confidentiality via path-activation analysis and automatic test pattern generation (ATPG) to derive test vectors, applied across three representative logic-locking schemes and open-source cryptographic benchmark circuits. Our experiments reveal, for the first time, that a single malicious key can expose over 70% of the bits in an encrypted key; furthermore, under adversarial control of auxiliary inputs, full key recovery becomes feasible. This work transcends conventional security assessments focused solely on key-reverse engineering, providing the first empirical evidence that logic locking itself can serve as a runtime data leakage channel. It thus introduces a novel dimension to hardware security evaluation—runtime data integrity under incorrect key conditions.

Logic locking secures hardware designs in untrusted foundries by incorporating key-driven gates to obscure the original blueprint. While this method safeguards the integrated circuit from malicious alterations during fabrication, its influence on data confidentiality during runtime has been ignored. In this study, we employ path sensitization to formally examine the impact of logic locking on confidentiality. By applying three representative logic locking mechanisms on open-source cryptographic benchmarks, we utilize an automatic test pattern generation framework to evaluate the effect of locking on cryptographic encryption keys and sensitive data signals. Our analysis reveals that logic locking can inadvertently cause sensitive data leakage when incorrect logic locking keys are used. We show that a single malicious logic locking key can expose over 70% of an encryption key. If an adversary gains control over other inputs, the entire encryption key can be compromised. This research uncovers a significant security vulnerability in logic locking and emphasizes the need for comprehensive security assessments that extend beyond key-recovery attacks.