Stealthy Dopant-Level Hardware Trojans

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)


In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about how such a Trojan would look like, and how difficult it would be in practice to implement one.

In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against “golden chips”. We demonstrate the effectiveness of our approach by inserting Trojans into two designs — a digital post-processing derived from Intel’s cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation — and by exploring their detectability and their effects on security.


Hardware Trojans malicious hardware layout modifications Trojan side-channel 


  1. 1.
    Agrawal, D., Baktir, S., Karakoyunlu, D., Rohatgi, P., Sunar, B.: Trojan Detection using IC Fingerprinting. In: IEEE Symposium on Security and Privacy (SP 2007), pp. 296–310 (2007)Google Scholar
  2. 2.
    Brier, E., Clavier, C., Olivier, F.: Correlation Power Analysis with a Leakage Model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Canright, D.: A very compact S-box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Defense Science Board. Report of the Defense Science Board Task Force on High Performance Microchip Supply. US DoD (February 2005)Google Scholar
  5. 5.
    Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual Information Analysis. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 426–442. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Gorman, C.: Counterfeit chips on the rise. IEEE Spectrum 49(6), 16–17 (2012)CrossRefGoogle Scholar
  7. 7.
    Hamburg, M., Kocher, P., Marson, M.E.: Analysis of Intel’s Ivy Bridge Digital Random Number Generator. Technical Report, Cryptography Research INC. (March 2012)Google Scholar
  8. 8.
    Hicks, M., Finnicum, M., King, S.T., Martin, M.M., Smith, J.M.: Overcoming an untrusted computing base: Detecting and removing malicious hardware automatically. In: IEEE Symposium on Security and Privacy (SP 2010), pp. 159–172 (2010)Google Scholar
  9. 9.
    Intel. Intel Digital Random Number Generator (DRNG) Software Implementation Guide, revision 1.1 (August 2012),
  10. 10.
    King, S.T., Tucek, J., Cozzie, A., Grier, C., Jiang, W., Zhou, Y.: Designing and implementing malicious hardware. In: Proceedings of the 1st USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET 2008), pp. 1–8 (2008)Google Scholar
  11. 11.
    Li, J., Lach, J.: At-speed delay characterization for IC authentication and Trojan horse detection. In: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2008), pp. 8–14 (2008)Google Scholar
  12. 12.
    Lin, L., Kasper, M., Güneysu, T., Paar, C., Burleson, W.: Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 382–395. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  13. 13.
    Markoff, S.: Cyberwar — Old Trick Threatens the Newest Weapons. New York Times (October 2009)Google Scholar
  14. 14.
    Moradi, A., Kirschbaum, M., Eisenbarth, T., Paar, C.: Masked Dual-Rail Precharge Logic Encounters State-of-the-Art Power Analysis Methods. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 99, 1–13 (2011)Google Scholar
  15. 15.
    Nangate Inc. Nangate Open Cell Library, version PDKv1_3_v2010_12 (August. 2011),
  16. 16.
    Popp, T., Kirschbaum, M., Zefferer, T., Mangard, S.: Evaluation of the Masked Logic Style MDPL on a Prototype Chip. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 81–94. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  17. 17.
    Popp, T., Mangard, S.: Masked Dual-Rail Pre-charge Logic: DPA-Resistance Without Routing Constraints. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 172–186. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Rajendran, J., Jyothi, V., Karri, R.: Blue team red team approach to hardware trust assessment. In: IEEE 29th International Conference on Computer Design (ICCD 2011), pp. 285–288 (October 2011)Google Scholar
  19. 19.
    Rajendran, J., Jyothi, V., Sinanoglu, O., Karri, R.: Design and analysis of ring oscillator based Design-for-Trust technique. In: 29th IEEE VLSI Test Symposium (VTS 2011), pp. 105–110 (2011)Google Scholar
  20. 20.
    Sanger, D., Barboza, D., Perlroth, N.: Chinese Army Unit Is Seen as Tied to Hacking Against U.S. New York Times (February 2013)Google Scholar
  21. 21.
    Shiyanovskii, Y., Wolff, F., Rajendran, A., Papachristou, C., Weyer, D., Clay, W.: Process reliability based trojans through NBTI and HCI effects. In: NASA/ESA Conference on Adaptive Hardware and Systems (AHS 2010), pp. 215–222 (2010)Google Scholar
  22. 22.
    SypherMedia International. Circuit Camouflage Technology - SMI IP Protection and Anti-Tamper Technologies. White Paper Version 1.9.8j (March 2012)Google Scholar
  23. 23.
    Waksman, A., Sethumadhavan, S.: Silencing hardware backdoors. In: IEEE Symposium on Security and Privacy (SP 2011), pp. 49–63 (2011)Google Scholar
  24. 24.
    Walker, J.: Conceptual Foundations of the Ivy Bridge Random Number Generator. Presentation at ISTS Computer Science Department Colloquium at Dartmouth College (November 2012),
  25. 25.
    Yier, J., Makris, Y.: Hardware Trojan detection using path delay fingerprint. In: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2008), pp. 51–57 (2008)Google Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. 1.University of Massachusetts AmherstUSA
  2. 2.TU DelftThe Netherlands
  3. 3.ALaRI - University of LuganoSwitzerland
  4. 4.Horst Görtz Institut for IT-SecurityRuhr-Universität BochumGermany

Personalised recommendations