Paper 2017/865

The First Thorough Side-Channel Hardware Trojan

Maik Ender, Samaneh Ghandali, Amir Moradi, and Christof Paar


Hardware Trojans have gained high attention in academia, industry and by government agencies. The effective detection mechanisms and countermeasures against such malicious designs are only possible when there is a deep understanding of how hardware Trojans can be built in practice. In this work, we present a mechanism which shows how easily a stealthy hardware Trojan can be inserted in a provably-secure side-channel analysis protected implementation. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage leading to successful key recovery attacks. Such a Trojan does not add or remove any logic (even a single gate) to the design which makes it very hard to detect. In ASIC platforms, it is indeed inserted by subtle manipulations at the sub-transistor level to modify the parameters of a few transistors. The same is applicable on FPGA applications by changing the routing of particular signals, leading to null resource utilization overhead. The underlying concept is based on a secure masked hardware implementation which does not exhibit any detectable leakage. However, by running the device at a particular clock frequency one of the requirements of the underlying masking scheme is not fulfilled anymore, i.e., the Trojan is triggered, and the device's side-channel leakage can be exploited. Although as a case study we show an application of our designed Trojan on an FPGA-based threshold implementation of the PRESENT cipher, our methodology is a general approach and can be applied on any similar circuit.

Available format(s)
Publication info
Published by the IACR in ASIACRYPT 2017
side-channel analysisthreshold implementationhardware Trojan
Contact author(s)
amir moradi @ rub de
2017-09-13: received
Short URL
Creative Commons Attribution


      author = {Maik Ender and Samaneh Ghandali and Amir Moradi and Christof Paar},
      title = {The First Thorough Side-Channel Hardware Trojan},
      howpublished = {Cryptology ePrint Archive, Paper 2017/865},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.