1 Introduction

With ever-growing economic globalization, the fabless model has become a main trend in the integrated circuit (IC) market. Although this trend dramatically lowers fabrication cost and reduces time to market, it also gives an adversary the opportunity to implant a hardware Trojan into the original design. Once triggered, a hardware Trojan can cause functional changes, information leakage, privilege escalation or even system failure. As a well-designed malicious modification, the hardware Trojan has become a serious threat to the security of critical applications spanning the domains of space, military, communication, finance, and so on [45].

Given the catastrophic consequences of hardware Trojans, various detection approaches have been explored over the past decades. They can be broadly classified into 1) destructive (e.g. reverse engineering) and 2) non-destructive (e.g. logic testing, run-time monitoring and side-channel analysis) [17]. Among existing Trojan detection approaches, side-channel analysis has been widely recognized by researchers. Starting with the global power consumption-based method presented in [1], numerous side-channel parameters, including leakage current [10, 40], transient current [29], path delay [24, 26], electromagnetic emanation [4, 27, 43], temperature [5], thermal signal [37, 46], as well as combinations of multiple parameters [33, 36], have been explored to strengthen side-channel analysis. The primary ingredient of these approaches is a set of golden chips, which serve as the golden reference: a hardware Trojan is identified by comparing the chips under test against them. In practice, however, golden chips are extremely difficult to obtain, so side-channel analysis approaches have always been criticized for their applicability.

To address this issue, several golden chip-free Trojan detection approaches have been proposed over the past few years. They shift the need for fabricated golden chips to a golden model and identify the Trojan by comparing against the simulated traces of that model [11, 13, 20, 21, 22, 30, 35, 47, 48, 49, 51, 53]. The majority of existing golden chip-free approaches concentrate on gate-level simulation; however, several problems introduced by place and route, such as timing imbalances, parasitic effects and coupling effects, are not taken into consideration when the golden model is established. Only in [30] does post-layout simulation data serve as the golden reference, but intra-die variations and random noise are not taken into account during the model calibration process.

In this paper, a golden model is proposed in place of fabricated golden chips to make hardware Trojan detection approaches practical. For the golden modeling, layout data is used to perform post-layout simulation, and the simulated voltage variations at different process corners are regarded as the golden reference. Further, a model calibration algorithm, consisting of a data denoising process and a model compensation process, is proposed to calibrate the golden model with the measured traces. During model calibration, a data denoising algorithm reduces the random noise mixed into the measured traces, and a model compensation algorithm then compensates the golden model with the denoised traces. Finally, the partitioning around medoids (PAM) algorithm is used to classify the calibrated traces and the denoised traces, and a hardware Trojan is identified when a chip falls outside the class of the golden model. The main contributions are as follows.

  • A golden layout model is established and the simulated voltage variations generated from the golden layout model serve as golden reference. There is no need for fabricated golden chips during detection.

  • A model calibration algorithm is used to calibrate the golden model, which makes the golden model match well with the actual silicon measurements.

  • Fabricated chips instead of Field Programmable Gate Arrays (FPGAs) are utilized to validate the proposed approach, and the Trojan chips are identified correctly using the PAM algorithm.

The remainder of this paper is organized as follows. Section 2 investigates the attack model, related works about the golden chip-free Trojan detection approaches and power simulation methods. Section 3 presents the theoretical analysis of golden layout modeling methodology, and Section 4 gives the Trojan detection framework, model calibration algorithm and partitioning around medoids algorithm. Section 5 analyzes the experimental results and Section 6 concludes this paper.

2 Background

2.1 Attack Model

When the manufacturing process is outsourced to a third-party foundry, a malicious adversary in the foundry may insert hardware Trojans into the fabricated chips. Therefore, the hardware Trojan attack scenario is located mainly at the third-party foundry, and the synthesized gate-level netlist and layout are assumed to be trusted. The supply voltage variation is chosen as the side-channel parameter instead of other parameters such as electromagnetic emanation, delay or thermal signals, because several mature commercial simulation tools (e.g. HSPICE, Nanosim [23] and Spectre [8]) can obtain the voltage variations accurately.

2.2 Golden Chip-Free Trojan Detection Approaches

Most existing side-channel analysis approaches require several golden chips for reference; however, fabricated golden chips are not always available during detection. To address this problem, several golden chip-free Trojan detection approaches have been proposed over the past decades, which replace the requirement for golden chips with a golden model. The method presented in [20] proposes a golden electromagnetic model. In [30], a golden current model is built using HSPICE. In [48], the authors treat hardware Trojan detection as a two-class classification problem and train the classification algorithms using simulation data; Trojan chips are identified when they fall outside the classification boundary. Due to the randomness of the manufacturing process, it is extremely difficult to obtain an accurate model of process variations, and thus there are obvious differences between the simulated traces of the golden model and the measured traces of fabricated chips in real applications. Therefore, such approaches suffer from low detection sensitivity as Trojan sizes keep decreasing, because the influence of a well-designed Trojan is minute and carefully hidden within the design margins allowed for process variations.

Taking a chip's side-channel traces as their own reference, the self-referencing method eliminates the influence of inter-die variations and at the same time avoids the requirement for fabricated golden chips, which has made it a popular research direction. A regional self-referencing approach divides a large design into several small sub-regions, analyzes the relationship of the transient current among the different sub-regions, and identifies a hardware Trojan when that relationship changes [11, 22, 47]. This idea has also been extended to detect recycled chips [53]. However, this approach is unable to detect some types of Trojans, such as the always-on and parametric-change types. A temporal self-referencing approach is presented in [35], which compares the transient current of a chip with its own at two different time windows to detect the Trojan, and improvements are made in [21]. Such approaches are effective in identifying rarely activated sequential Trojans, but they apply only when the implementation of the Trojan is fully known during detection. Moreover, a spatial self-referencing approach is proposed in [13, 49, 51], which identifies the path of the implanted hardware Trojan when the delay differences among symmetric paths exceed a threshold value. Indeed, there are millions of paths in which a hardware Trojan could be inserted, and the verification effort increases exponentially when a high detection sensitivity is required.

2.3 Power Simulation Methods

Power simulation of circuits has been studied in several papers over the past several decades. In general, circuit simulators such as HSPICE, Nanosim and Spectre are used to carry out the power simulation. Four models, namely Hamming distance [9], Hamming weight [7], Hamming distance zero to one and Hamming distance one to zero [32, 39], have been proposed to obtain the power traces of cryptographic circuits. Moreover, Daisuke et al. [14] introduce a time-series divided parasitic capacitance model to acquire power traces quickly for performing side-channel attacks. In [34], the ON current of a switching gate is presented, and the total transient current is obtained by adding up all the switching gates. In [19], a failure physics model is proposed, which simplifies the digital circuit as a second-order band-pass filter.

While some works already give similar solutions, they mainly concentrate on gate-level simulation [7, 9, 14, 20, 30, 32, 34, 39, 48]. However, problems introduced by place and route, such as timing imbalances, parasitic effects and coupling effects, are not taken into account in gate-level simulation. As technology has shrunk to nanometer dimensions, these problems have become more and more evident and seriously affect the side-channel traces. To address this issue, post-layout simulation has been explored over the past decades for side-channel attack evaluation [6, 44], circuit performance prediction [25, 31, 52], Trojan detection [30] and so on. Accordingly, post-layout simulation is performed and regarded as the golden reference in this paper, and, compared with [30], this golden reference matches well with the actual silicon measurements. This is mainly because the inter-die variations, intra-die variations and random noise are all considered during the model calibration process.

3 Golden Layout Modeling Methodology

In this section, the switching characteristics of a basic logic gate, i.e. an inverter, are analyzed first, and then the simplified switch-based model of an inverter is given. Next, the simplified switch-based model of a chip is derived by summing over all the switching gates, and finally Trojan detection based on this model is presented.

Figure 1 illustrates the traditional structure and the simplified switch-based model of an inverter. When the input Vin switches from logic “1” to logic “0”, the load capacitance C is charged and the charging current Ic flows from the power port VDD to the ground port GND. Conversely, when C is discharged, a discharging current Id flows between C and the NMOS. The charge-discharge process of an inverter is illustrated in Fig. 1a. The I-V characteristics of an inverter can be modelled as the charging and discharging process of a series RLC circuit, as depicted in Fig. 1b, where R1, L1 and C1 are the lumped resistance, inductance and capacitance respectively, which can be extracted from the layout using Calibre xRC [8]. When Vin switches from logic “1” to logic “0”, the switches K1 and \(\overline {K_{\text {{1}}}}\) are turned on and off respectively, and C1 is charged. In the opposite case, K1 and \(\overline {K_{\text {{1}}}}\) are turned off and on respectively, and C1 is discharged. According to engineering circuit analysis theory [18], the transient current Ig(t) flowing through the ground port is given by Eq. 1, where the voltage \(V_{\text {C}_{1}}\)(0) across C1 is equal to VDD before C1 is discharged and to 0 before C1 is charged.

$$ {{L}_{1}}\frac{\mathrm{d}{{I}_{g}}(\textit{t})}{\mathrm{d}{t}}+{{R}_{1}}{{I}_{g}}(\textit{t})+\frac{1}{{{C}_{1}}}{\int}_{0}^{{t}}{{{I}_{g}}(\textit{t}){\mathrm{d}{t}}}-{{V}_{\text{{C}}_{1}}}(0)=0 $$
(1)

The Laplace transformation of Eq. 1 is presented in Eq. 2.

$$ {{L}_{1}}{{C}_{1}}{{s}^{2}}{{I}_{g}}({s})+{{R}_{1}}{{C}_{1}}s{{I}_{g}}(s)+{{I}_{g}}({s})=0 $$
(2)

Applying the inverse Laplace transformation to Eq. 2 yields Ig(t), which depends on R1, L1 and C1.

For a large-scale digital chip consisting of millions or billions of gates, the total transient current flowing to the ground plane is determined by adding up the transient currents of all switching gates of the chip. Thus, the simplified switch-based gate models described in Fig. 1b are connected in parallel to form the switch-based model of the chip, which is depicted in Fig. 2.

Fig. 1. Traditional structure and simplified switch-based model of an inverter. (a) Traditional structure and charge-discharge process of an inverter. (b) Simplified switch-based model and charge-discharge process of an inverter

Fig. 2. The simplified switch-based model of chip

Summing over all the switching gates in the chip, the total transient current Itot_g(t) of the golden chip is described by Eq. 3, where n is the total number of switching gates of the chip. In addition, correlations between the switching characteristics of different CMOS gates are taken into account. For example, when the output of a CMOS gate feeds the input of another gate, their switching times cascade, overlap, and so on. Δtg is the switching time difference of Ig(t) caused by these correlations between the switching gates.

$$ {{I}_{\text{tot\_g}}}(t)=\sum\limits_{g=1}^{n}{{{I}_{g}}}(t-{\Delta} t_{g}) $$
(3)

In the presence of a hardware Trojan in the chip, the total transient current Itot_t(t) of the Trojan chip is given by Eq. 4, where Iht(t) is the total transient current incurred by the h switching gates of the hardware Trojan. Although a hardware Trojan stays silent for the majority of its life, its trigger part remains active and monitors the internal logic value or state all the time. Therefore, h is always greater than 0, and Iht(t) makes it possible to detect the Trojan. Moreover, the structural changes of the chip introduced by the hardware Trojan may change the parasitic parameters of m switching gates near the Trojan, and \({\Delta }I_{\text {tot\_g}}\)(t) is the total current fluctuation of these switching gates.

$$ {{I}_{\text{{tot\_t}}}}(\textit{t})={{I}_{\text{\text{tot\_g}}}}(\textit{t})+{{I}_{\text{{ht}}}}(\textit{t})+{\Delta}{I_{\text{tot\_g}}}(t) $$
(4)

Comparing Eqs. 3 and 4 shows that a hardware Trojan distorts the total transient current of the chip, and these distortions (\({\Delta }I_{\text {tot\_g}}\)(t) and Iht(t)) make it possible to detect the Trojan.
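The model of Eqs. 1, 3 and 4 carried through numerically, as an added example that is not code from the paper: each gate's Ig(t) is the closed-form series-RLC solution of Eq. 1 with Ig(0) = 0 (discharge case, V_C1(0) = VDD), and integrating the difference between the Trojan chip and the golden chip recovers the charge VDD·(ΣC of the Trojan gates + ΣΔC of the perturbed neighbours). All component values, gate counts, delays and function names are constructed for illustration.

```python
import math
import random

VDD = 1.8  # volts; constructed value, V_C1(0) of a discharging gate


def gate_current(t, res, ind, cap, v0=VDD):
    """I_g(t) solving Eq. 1 for one gate, with I_g(0) = 0 (series inductor)."""
    if t <= 0:
        return 0.0
    alpha = res / (2 * ind)            # damping factor
    w0 = 1 / math.sqrt(ind * cap)      # undamped resonance
    if math.isclose(alpha, w0, rel_tol=1e-9):       # critically damped
        return v0 / ind * t * math.exp(-alpha * t)
    if alpha > w0:                                   # over-damped
        beta = math.sqrt(alpha * alpha - w0 * w0)
        s1, s2 = -alpha + beta, -alpha - beta
        return v0 / (ind * (s1 - s2)) * (math.exp(s1 * t) - math.exp(s2 * t))
    wd = math.sqrt(w0 * w0 - alpha * alpha)          # under-damped
    return v0 / (ind * wd) * math.exp(-alpha * t) * math.sin(wd * t)


def total_current(gates, t):
    """Eq. 3: sum of I_g(t - delta_t_g) over all switching gates."""
    return sum(gate_current(t - g["delay"], g["res"], g["ind"], g["cap"])
               for g in gates)


def charge(gates, t_end=400e-12, dt=0.1e-12):
    """Trapezoidal integral of the total current over [0, t_end]."""
    n = int(round(t_end / dt))
    i = [total_current(gates, k * dt) for k in range(n + 1)]
    return dt * (sum(i) - 0.5 * (i[0] + i[-1]))


def build_chips(seed=1):
    """Constructed golden chip and Trojan chip (Eq. 4)."""
    rng = random.Random(seed)

    def gate(cap):
        return {"res": 1e3, "ind": 1e-9, "cap": cap,
                "delay": rng.uniform(0, 100e-12)}

    golden = [gate(10e-15) for _ in range(40)]        # n = 40 golden gates
    trojan_gates = [gate(5e-15) for _ in range(4)]    # h = 4 Trojan gates
    # m = 3 gates near the Trojan see 5 % extra parasitic capacitance
    perturbed = [dict(g, cap=g["cap"] * 1.05) for g in golden[:3]] + golden[3:]
    return golden, perturbed + trojan_gates, trojan_gates


def trojan_charge_signature():
    """Return (measured, predicted) extra charge drawn by the Trojan chip."""
    golden, trojan_chip, trojan_gates = build_chips()
    measured = charge(trojan_chip) - charge(golden)
    predicted = VDD * (sum(g["cap"] for g in trojan_gates)            # I_ht
                       + sum(0.05 * g["cap"] for g in golden[:3]))    # delta I_tot_g
    return measured, predicted


if __name__ == "__main__":
    m, p = trojan_charge_signature()
    print(f"extra charge: measured {m:.3e} C, predicted {p:.3e} C")
```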

4 Golden Chip-Free Statistics Side-channel Analysis and Hardware Trojan Detection

4.1 Trojan Detection Framework

The overall framework of golden chip-free Trojan detection is shown in Fig. 3 and comprises the pre-silicon simulation phase, the model calibration phase, and the Trojan detection phase. In the pre-silicon simulation phase, the SPICE netlist, parasitic parameters, and stimuli are fed into the power simulator, and the simulated traces IS(t) of the golden model at different process corners are obtained. In the model calibration phase, the measured traces IF(t) of fabricated chips are acquired using the ASIC-platform, a data denoising algorithm eliminates the random noise mixed into IF(t), and a model compensation algorithm calibrates IS(t) with IDG(t). The denoised traces of golden chips and of chips under test are IDG(t) and IDC(t) respectively, while the calibrated traces of the golden model are IM(t). Finally, in the Trojan detection phase, the partitioning around medoids (PAM) algorithm classifies IM(t) and IDC(t), and the chips under test are classified as golden chips or Trojan chips.

Fig. 3. Overall framework of Trojan detection

4.2 Golden Model Calibration

The principal basis of the golden chip-free Trojan detection methodology is to find the differences between the simulated traces generated from the golden model and the measured traces of chips under test. To ensure good Trojan detection sensitivity, the golden model should match the actual silicon measurements well. However, random noise and process variations exist in real experiments and seriously affect the side-channel traces of fabricated chips. The influence of a well-designed Trojan is minor and easily hidden within these differences, so the detection sensitivity falls with decreasing Trojan sizes and increasing circuit sizes [20, 21]. Therefore, process variations and random noise should be taken into consideration when the golden model is established, and a model calibration technique is necessary to make the golden model match well with the actual silicon measurements.

4.2.1 Denoising Analysis

As for the random noise, a data denoising algorithm that combines empirical mode decomposition (EMD) with the Savitzky-Golay filter is used to reduce the influence of random noise mixed into the measured traces. Compared with other traditional decomposition methods, EMD decomposes the signal into a set of intrinsic mode functions (IMFs) without any predefined basis functions [3]. After the decomposition, the random noise mixed into each IMF is filtered out using the Savitzky-Golay filter [42], and the denoised IMFs are summed to obtain the denoised signal.

The first trace \({I_{\text {F}_{1}}}\) of IF(t) is used to explain the whole denoising process. The decomposed signal IMFa after the decomposition process is presented in Eq. 5, where c is the number of IMFs, r is the final residue, and IMFi is the i-th IMF.

$$ I_{\text{F}_{1}}=\text{IMF}_{\text{{a}}}+\textit{r}=\sum\limits_{\textit{i}=1}^{c}{{\text{IMF}_{i}}}+\textit{r} $$
(5)

The decomposition process continues until the current residue r is monotonic. The decomposition process is described in Eq. 6, where IMF0 is the measured trace \({I_{\mathrm {{F_{1}}}}}\), and mi−1 is the mean value of the upper and lower envelopes of IMFi−1.

$$ {\text{IMF}_{i}}={\text{IMF}_{i-1}}-{{m}_{i-1}} $$
(6)

After decomposition by the EMD, all IMFs are denoised using the Savitzky-Golay filter, and the denoised trace \({I_{\text {D}_{1}}}\) is obtained as described in Eq. 7, where IMF\(_{i}^{\prime }\) is the denoised IMFi.

$$ I_{\text{D}_{1}}=\sum\limits_{\textit{i}=1}^{c}{{\text{IMF}_{i}^{\prime}}} $$
(7)

4.2.2 Golden Model Compensation

The radial basis function neural network (RBFNN) is a feed-forward neural network consisting of three layers, shown in Fig. 4: input layer, pattern layer and output layer. The multilayer feed-forward structure of the RBFNN not only avoids the cumbersome calculations of a back-propagation network, but also overcomes the local-minimum problem of the gradient descent algorithm. Moreover, the RBFNN involves a hybrid learning process, and the weights between the hidden layer and the output layer are adjusted adaptively and dynamically. In summary, its simple structure, fast learning process and high approximation accuracy make the RBFNN an ideal choice for nonlinear regression applications. Because of process variations, there are mismatches between the simulated traces and the measured traces; however, these mismatches between IS(t) and IDG(t) can be determined to any given accuracy using the RBFNN [2, 16, 28, 41]. IS(t) and IDG(t) are used to explain the nonlinear regression process of the RBFNN, and the relationship f between IS(t) and IDG(t) is presented in Eq. 8.

$$ {I_{\mathrm{S}}}{(t)}\overset{f}{\rightarrow}{I_{\text{DG}}(t)}\Rightarrow{I_{\text{DG}}(t)}=f({I_{\mathrm{S}}}{(t)}) $$
(8)

Fig. 4. Traditional structure of RBFNN

The input layer with n neurons (e.g. x1, x2, ⋯, xn) receives the n-dimensional input data set IS(t)={\(I_{S_{1}}\), \(I_{S_{2}}\), ⋯, \(I_{S_{n}}\)}. The hidden layer calculates the radial basis function value Φ(X, C, D) of each hidden neuron, as presented in Eq. 9. To ensure the local approximation ability, the Gaussian function is used as the radial basis function in this paper. Here C(i)={ci1, ci2, ⋯, cin} and D(i)={di1, di2, ⋯, din} are the center and spread of the i-th hidden neuron respectively. The value of the output layer is the sum of the products of the weights and the output values of the hidden neurons, as shown in Eq. 10, where yj is the j-th output neuron and wij is the weight between the j-th output neuron and the i-th hidden neuron.

$$ {\Phi}(I_{S}(t),C_{i},D_{i})=exp\left( - \left\| \frac{I_{S}(t)-C_{i}}{D_{i}} \right\|^{2}\right) $$
(9)

$$ y_{j}=\sum\limits_{i=1}^{m}w_{ij}{\Phi}(I_{S}(t),C_{i},D_{i}) $$
(10)

Finally, the root mean square error RMSE between the output layer and the expected output (denoted as IDG(t)) is calculated by Eq. 11 to evaluate the fitting performance, where k is the number of output neurons and IDG(t)={IDG,1, IDG,2, ⋯, IDG,k}. The nonlinear regression process is complete when the RMSE is less than the fitting error 𝜖; otherwise, the weight wij, center Ci and spread Di are adjusted iteratively using the gradient descent algorithm.

$$ \text{RMSE}=\sqrt{\frac{{\sum}_{j=1}^{k}(y_{j}-I_{DG,j})^{2}}{k}} $$
(11)

For n fabricated golden chips, the side-channel traces, denoted as \({I_{\text {DG}_{1}}}\)(t), \({I_{\text {DG}_{2}}}\)(t), ⋯, and \({I_{\text {DG}_{n}}}\)(t), always differ from the pre-designed one due to the effect of process variations, so the corresponding relationship f is not the same from chip to chip. Eq. 8 can therefore be re-written as Eq. 12, where fi is the mapping relationship between IS(t) and \({I_{\text {DG}_{i}}}\)(t).

$$ \left\{\begin{array}{llll}I_{\text{DG}_{1}}(t) \\ I_{\text{DG}_{2}}(t) \\ \vdots \\ I_{\text{DG}_{n}}(t) \end{array}\right\}=\left\{\begin{array}{llll}f_{1}(I_{\mathrm{S}}(t)) \\f_{2}({I_{\mathrm{S}}(t)}) \\ \vdots \\f_{n}({I_{\mathrm{S}}(t)}) \end{array}\right\} $$
(12)

In a real scenario, only a small number of the fabricated golden chips required by the model calibration process can be verified using reverse engineering, which undoubtedly incurs additional verification cost and time. Considering the catastrophic consequences of hardware Trojans, this cost and time have to be sacrificed to improve the precision of the golden model. To compress the cost and time further, Monte Carlo simulation is used to emulate other fabrication outcomes, which reduces the number of golden chips required. The threshold values of PMOS and NMOS are shifted with ± 5%, ± 10% and ± 15% Gaussian random variations, the circuit is simulated with these modified predictive technology models, and k simulated Monte Carlo traces (e.g. \({I_{\text {S}_{1}}}\)(t), \({I_{\text {S}_{2}}}\)(t), ⋯, \({I_{\text {S}_{k}}}\)(t)) are obtained. Using the relationships f presented in Eq. 12, the calibrated traces IM(t) are constructed as in Eq. 13, where \({I_{\text {M}_{ij}}}\)(t) is the image of the j-th simulated trace \({I_{\text {S}_{j}}}\)(t) under the mapping relationship fi.

$$ \begin{array}{@{}rcl@{}} I_{\mathrm{M}}(t)&=&\left\{\begin{array}{llll}I_{\mathrm{M}_{11}}(t), & I_{\mathrm{M}_{12}}(t), &\cdots, & I_{\mathrm{M}_{1k}}(t) \\ I_{\mathrm{M}_{21}}(t), & I_{\mathrm{M}_{22}}(t), &\cdots, & I_{\mathrm{M}_{2k}}(t) \\ {\vdots} & {\vdots} & {\ddots} & \vdots \\ I_{\mathrm{M}_{n1}}(t), & I_{\mathrm{M}_{n2}}(t), &\cdots, & I_{\mathrm{M}_{nk}}(t) \end{array}\right\}\\&=&\left\{\begin{array}{llll}f_{1}(I_{\text{S}_{1}}(t)), & f_{1}(I_{\text{S}_{2}}(t)), & \cdots, & f_{1}(I_{\text{S}_{k}}(t)) \\f_{2}({I_{\text{S}_{1}}(t)}), & f_{2}(I_{\text{S}_{2}}(t)), & \cdots, & f_{2}(I_{\text{S}_{k}}(t)) \\ {\vdots} & {\vdots} & {\ddots} & \vdots \\f_{n}({I_{\text{S}_{1}}(t)}), & f_{n}(I_{\text{S}_{2}}(t)), & \cdots, & f_{n}(I_{\text{S}_{k}}(t)) \end{array}\right\} \end{array} $$
(13)

4.3 Trojan Detection Based on Partitioning Around Medoids Algorithm

After the model calibration, the golden model matches well with the actual silicon measurements, so IM(t) approximates IDG(t), i.e. IM(t) ≈ IDG(t). Accordingly, the IM(t) of the golden model can substitute for the side-channel traces of fabricated golden chips in the real case. As described in Eq. 4, the hardware Trojan distorts the side-channel traces of chips, so the denoised traces IDT(t) of Trojan chips can be re-written as Eq. 14, where ΔIht(t) is the difference between IM(t) and IDT(t), and ΔIht(t) ≈ Iht(t) + \({\Delta }I_{\text {tot\_g}}\)(t).

$$ I_{\text{DT}}(t)=I_{\text{DG}}(t)+I_{\text{ht}}(t)+{\Delta} I_{\text{tot\_g}}(t)\approx I_{\mathrm{M}}(t)+{\Delta} I_{\text{ht}}(t) $$
(14)

Therefore, Trojan detection can be formulated as outlier detection. The partitioning around medoids (PAM) algorithm is a data clustering algorithm based on the similarity of data sets [12, 38, 50], and is well suited to identifying the existence of a Trojan. IDG(t), IDC(t) and IM(t) form the data set \(\mathcal {D}\), and all samples in \(\mathcal {D}\) are classified into two classes: 1 (Golden class) and 2 (Trojan class). In the PAM, 2 centroids are chosen from \(\mathcal {D}\) randomly, and each sample is assigned to the closest centroid based on the similarity measure \(\mathcal {Z}\). The \(\mathcal {Z}\) of \(\mathcal {D}_{j}\) is described in Eq. 15, where ψi is the centroid of the i-th class, and \(\mathcal {D}_{j}\) is the j-th sample of \(\mathcal {D}\).

$$ \mathcal{Z}=\mathop{\arg\min}_{\mathcal{D}_{j}\in\psi_{i}}\left\| \mathcal{D}_{j}-\psi_{i} \right\|^{2} $$
(15)

After the data clustering, the cost function \(\mathcal {F}\), shown in Eq. 16, is used to evaluate the clustering quality. \(\mathcal {F}\) is defined as the sum of the total intra-class distances between the samples and the centroid of each class, where L1 and L2 are the numbers of samples in the two classes, N is the total number of samples in \(\mathcal {D}\), and L1 + L2=N. The classes of all samples in \(\mathcal {D}\) are fixed once \(\mathcal {F}\) reaches its minimum value; until then, 2 centroids are again chosen from \(\mathcal {D}\) randomly and the clustering quality is evaluated iteratively.

$$ \mathcal{F}=\sum\limits_{i=1}^{2}\sum\limits_{j=1}^{L_{i}}\left\| \mathcal{D}_{j}-\psi_{i} \right\|^{2} $$
(16)
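The clustering step of Eqs. 15 and 16 applied to a small trace set, as an added example that is not the authors' implementation: because there are only two classes and a handful of samples, it evaluates every pair of medoids and keeps the pair with the lowest cost F, instead of PAM's random start and iterative re-selection. The traces, noise level, Trojan offsets and function names are constructed for illustration.

```python
import itertools
import math
import random


def sq_dist(a, b):
    """Squared Euclidean distance, the similarity measure of Eq. 15."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def pam_two_classes(samples):
    """Pick the 2 medoids that minimise the cost F of Eq. 16.

    Returns (medoid indices, per-sample labels 0/1, cost F).
    """
    n = len(samples)
    d = [[sq_dist(samples[i], samples[j]) for j in range(n)] for i in range(n)]
    best = None
    for a, b in itertools.combinations(range(n), 2):
        labels = [0 if d[k][a] <= d[k][b] else 1 for k in range(n)]
        cost = sum(min(d[k][a], d[k][b]) for k in range(n))
        if best is None or cost < best[2]:
            best = ((a, b), labels, cost)
    return best


def detect(model, golden, under_test):
    """Cluster I_M, I_DG and I_DC together; flag chips outside the golden class."""
    data = model + golden + under_test
    medoids, labels, _ = pam_two_classes(data)
    # The golden class is the one holding most calibrated golden-model traces.
    votes = labels[:len(model)]
    golden_label = 0 if votes.count(0) >= votes.count(1) else 1
    centroid_g = data[medoids[golden_label]]
    first = len(model) + len(golden)
    flagged = [labels[first + k] != golden_label for k in range(len(under_test))]
    dist = [math.sqrt(sq_dist(t, centroid_g)) for t in under_test]
    return flagged, dist


def make_trace(rng, trojan_offset=0.0, n=64):
    """Constructed trace: damped ringing + noise; a Trojan lifts samples 16..31."""
    return [math.exp(-k / 16) * math.sin(k / 2) + rng.uniform(-0.01, 0.01)
            + (trojan_offset if 16 <= k < 32 else 0.0) for k in range(n)]


def run_demo(seed=7):
    rng = random.Random(seed)
    model = [make_trace(rng) for _ in range(6)]      # stands in for I_M(t)
    golden = [make_trace(rng) for _ in range(3)]     # stands in for I_DG(t)
    offsets = [0.0, 0.0, 0.30, 0.33, 0.36]           # 2 golden, 3 Trojan chips
    under_test = [make_trace(rng, off) for off in offsets]   # I_DC(t)
    return detect(model, golden, under_test)


if __name__ == "__main__":
    flagged, dist = run_demo()
    for f, d in zip(flagged, dist):
        print("Trojan" if f else "golden", round(d, 3))
```

A two-class split always returns two classes, even when no chip under test carries a Trojan, so the distance to the golden-class medoid (the second return value, the quantity evaluated in Section 5.4) is the figure to compare against a margin.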

5 Experimental Results and Analyses

5.1 Experiment Setup

An ASIC-platform is set up to acquire the voltage variations of fabricated chips. It is composed of a test board, a personal computer (PC), a DC power supply (DP1380A), a dual-channel signal generator (DG5000) and a mixed signal oscilloscope (MSO4054), as depicted in Fig. 5. The PC provides the stimulus to the test board and receives the feedback via a serial interface. The test board carries a chip socket so that the fabricated chips can be exchanged, and a 1 Ω precision resistor (R) is used to measure the voltage variations of the fabricated chips, which are recorded by the oscilloscope at a 2.5 GHz/s sampling rate. According to Ohm’s law, the voltage variation across R is equal to the current flowing through the power pin of the chip. The DC power supply provides stable 3.3 V and 1.8 V voltage sources to the test board, and the dual-channel signal generator supplies a 1.5 MHz clock signal to the chip. A 128-bit advanced encryption system is adopted as the golden circuit, denoted as AES_G, and 4-bit (denoted as Trojan1), 8-bit (denoted as Trojan2) and 12-bit (denoted as Trojan3) counters are used as Trojans, which occupy 0.36%, 0.72% and 1.09% of the size of the golden circuit respectively. The average power of Trojan1, Trojan2 and Trojan3 is 1.1 μW, 1.6 μW and 3.4 μW respectively, while the delays of Trojan1, Trojan2 and Trojan3 are 12 ps, 16.8 ps and 22.5 ps respectively. All parasitic parameters, such as the parasitic resistance, capacitance and inductance, are extracted from the layout using Calibre xRC. To emulate the influence of process variations (PVs), both the inter-die and intra-die variations are set to ± 5%, ± 10% and ± 15% Gaussian random variations respectively. The chips are fabricated in Chartered 180 nm technology [15], and the library provided by the foundry is used to carry out the post-layout simulation.

Fig. 5. Experiment setup. (a) Block diagram of ASIC-Platform. (b) Photograph of ASIC-Platform

5.2 Golden Reference Generation

Monte Carlo simulations under ± 5% PV, ± 10% PV and ± 15% PV are performed in HSPICE, and 20 randomly selected simulated traces under ± 5% PV are illustrated in Fig. 6. Each trace represents the voltage variations of the circuit during an encryption process. Fig. 6 shows that all traces are similar, although there are several differences at some points. Analysis results show that the maximum difference caused by process variations is within 44.8 mV, and more than 90% of the differences fall within 8.7 mV in magnitude. Euclidean distance is an effective similarity measure, which can be used to differentiate a hardware Trojan when the differences exceed a threshold value. The Euclidean distances between the voltage variations of the golden circuit and the Trojan circuits are calculated, and the results are shown in Fig. 7. In Fig. 7, the Euclidean distances range from 0.1 to 0.22, and the Euclidean distances of Golden, Trojan1, Trojan2 and Trojan3 overlap with each other. These results indicate that the side-channel differences caused by a hardware Trojan are minor and easily masked by process variations. Therefore, the hardware Trojan cannot be differentiated with a simple measurement.

Fig. 6. 20 simulated traces of golden model

Fig. 7. Euclidean distances between the golden circuit and Trojan circuit

Besides, the voltage variations of fabricated chips are exposed to all kinds of random noise in real experiments, so the differences between the simulated traces and the measured traces increase further. Therefore, a model calibration technique is used to make the golden model match well with the real case.

5.3 Golden Model Validation

The calibrated results are shown in Fig. 8. The denoised traces IDG(t) are denoted as Golden_actual, while the traces denoted as Golden_sim5, Golden_sim10 and Golden_sim15 represent the IM(t) under ± 5% PV, ± 10% PV and ± 15% PV respectively. In Fig. 8a, Golden_actual is an over-damped response, and all traces are too similar to show obvious differences from each other. In fact, there are a few differences at some points, as shown in Fig. 8b.

Fig. 8. Model calibration results at different process corners

Figure 9 shows the distribution histogram of these differences. The differences between Golden_actual and Golden_sim5, Golden_sim10 and Golden_sim15 are denoted as Error_5, Error_10 and Error_15 respectively. More specifically, the maximum difference is only 29.65 mV and more than 90% of the differences fall within 10.86 mV in magnitude. These differences are mainly caused by process variations, and the influence of an ultra-small Trojan is easily masked by them. In this paper, Trojans are set as always activated to better validate the proposed approach, and a test generation technique to activate the hardware Trojan effectively will be considered in the future.

Fig. 9. Distribution histogram of the differences between the IM(t) and IDG(t)

To further demonstrate the overall similarity between IM(t) and IDG(t), a correlation analysis is performed after the model calibration, and the distribution histogram of the correlation coefficients between Golden_actual and Golden_sim5 is shown in Fig. 10. The figure shows that the correlation coefficients are greater than 98.85%. Similarly, the correlation coefficients under ± 10% PV and ± 15% PV are greater than 98.81%. On the whole, the calibrated golden model matches well with the actual silicon measurements. Therefore, the simulated data of the calibrated golden model can substitute for the measured data of fabricated chips even in the presence of process variations and random noise.

Fig. 10 Distribution histogram of correlation coefficient results

5.4 Trojan Detection

After the model calibration, the calibrated traces IM(t) and the denoised traces (IDG(t) and IDC(t)) are clustered into two classes using PAM. The centroids of the two classes are determined when the cost function \(\mathcal{F}\) reaches its minimum value, and the Euclidean distance between each sample and the centroid of the golden class (denoted as Centroid_G) is calculated to evaluate the Trojan detection results.

As mentioned in Section 4.2, the random noise cannot be eliminated completely in the real experiment, and the process variations are extremely difficult to emulate accurately, so the Euclidean distances vary accordingly. Fig. 11 shows the fluctuation of the Euclidean distances under ± 5% PV. The Euclidean distances between Centroid_G and IM(t) are denoted as S_Dist, while the Euclidean distances between Centroid_G and the IDC(t) of AES_G, AES_Trojan1, AES_Trojan2 and AES_Trojan3 are denoted as G_Dist, T1_Dist, T2_Dist and T3_Dist, respectively. In Fig. 11, S_Dist and G_Dist are more similar to each other than to the others, and T1_Dist, T2_Dist and T3_Dist are all greater than S_Dist and G_Dist. More specifically, the maximum value of G_Dist is 177.25 and the minimum value of T1_Dist is 378.09, so the margin is 200.84. Thus, any Euclidean distance that exceeds 177.25 can be considered to indicate a hardware Trojan; otherwise, no hardware Trojan is present. This margin shrinks as the process variations increase, and it is 135 under ± 15% PV; however, it is still large enough to identify the hardware Trojan in the real experiment. Therefore, PAM is capable of detecting the hardware Trojan correctly at different process corners.

Fig. 11 Fluctuation of Euclidean distances under ± 5% PV
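The clustering-and-distance decision described above can be sketched as follows. This is an added example, not the authors' code or data: the over-damped traces, the Trojan amplitude, the noise level and all function names are constructed assumptions, and the golden class is taken to be the cluster that holds the simulated traces.

```python
import math
import random

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def pam(traces, k=2):
    """Partitioning Around Medoids: greedy BUILD, then SWAP while cost F drops."""
    n = len(traces)
    d = [[euclid(p, q) for q in traces] for p in traces]

    def cost(meds):  # F: sum of distances from each trace to its nearest medoid
        return sum(min(d[i][m] for m in meds) for i in range(n))

    meds = []
    while len(meds) < k:  # BUILD: add the medoid that lowers F the most
        meds.append(min((c for c in range(n) if c not in meds),
                        key=lambda c: cost(meds + [c])))
    best, improved = cost(meds), True
    while improved:  # SWAP: exchange a medoid for a non-medoid if F decreases
        improved = False
        for pos in range(k):
            for cand in range(n):
                trial = meds[:pos] + [cand] + meds[pos + 1:]
                if cand not in meds and cost(trial) < best - 1e-9:
                    meds, best, improved = trial, cost(trial), True
    labels = [min(range(k), key=lambda j: d[i][meds[j]]) for i in range(n)]
    return meds, labels

def make_trace(rng, pv=0.05, trojan=0.0, n=64):
    """Constructed over-damped response with +/- pv process variation and noise."""
    s = 1 + rng.uniform(-pv, pv)
    return [s * 100 * (math.exp(-t / 20) - math.exp(-t / 4))
            + trojan * math.exp(-t / 30) + rng.gauss(0, 0.3) for t in range(n)]

def detect(sim, measured):
    """Cluster simulated + measured traces; flag chips outside the golden class."""
    traces = sim + measured
    meds, labels = pam(traces, k=2)
    golden = max(range(2), key=lambda j: labels[:len(sim)].count(j))
    centroid_g = traces[meds[golden]]  # Centroid_G: medoid of the golden class
    return [(labels[len(sim) + i] != golden, euclid(m, centroid_g))
            for i, m in enumerate(measured)]

def demo():
    rng = random.Random(1)
    sim = [make_trace(rng) for _ in range(10)]    # calibrated model traces
    clean = [make_trace(rng) for _ in range(6)]   # Trojan-free chip under test
    infected = [make_trace(rng, trojan=20.0) for _ in range(6)]  # assumed Trojan
    return detect(sim, clean + infected)
```

Each returned pair is (flagged, distance to Centroid_G), with the first six entries belonging to the constructed Trojan-free chip and the last six to the constructed infected chip.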

Moreover, the averaged Euclidean distance of 100 traces is used to represent the robustness of the proposed approach in the real experiment. Figure 12 illustrates the averaged Euclidean distance at different process corners. As Fig. 12 shows, G_Dist is greater than S_Dist, and T1_Dist, T2_Dist and T3_Dist are all much greater than S_Dist at the different process corners. The differences between S_Dist and G_Dist are mainly caused by process variations; however, the differences introduced by the Trojans can be identified even under process variations. Therefore, the proposed approach is robust for Trojan detection in the presence of process variations and random noise.

Fig. 12 The averaged Euclidean distance at different process corners

6 Conclusion and Future Work

In this paper, a hardware Trojan detection approach based on the golden layout model is presented, which eliminates the requirement for fabricated golden chips during detection. The simulated voltage variations at different process corners match the measured traces well and can be used as the golden reference, and the hardware Trojan is correctly identified using PAM in the presence of process variations.

While the proposed approach is successful, it is not limited to detecting Trojans in cryptographic chips, and its scalability to large designs (e.g. microprocessors and systems on chip) may be explored in the future. In addition, efficient test generation techniques will be considered to activate the hardware Trojan and magnify its influence effectively, and the limitation of the proposed approach against ultra-small Trojans will be analyzed further. Furthermore, there are numerous types and insertions of hardware Trojans, and their side-channel influences may vary, so the proposed method will be studied further against various Trojans.