
Trojan-Resilience Without Cryptography

Conference paper in Theory of Cryptography (TCC 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13043)


Abstract

Digital hardware Trojans are integrated circuits whose implementation differs from the specification in an arbitrary and malicious way. For example, the circuit can differ from its specified input/output behavior after some fixed number of queries (known as “time bombs”) or on some particular input (known as “cheat codes”).

To detect such Trojans, countermeasures using multiparty computation (MPC) or verifiable computation (VC) have been proposed. On a high level, to realize a circuit with specification \(\mathcal{F}\) one has more sophisticated circuits \(\mathcal{F}^\diamond \) manufactured (where \(\mathcal{F}^\diamond \) specifies an MPC or VC of \(\mathcal{F}\)), and then embeds these \(\mathcal{F}^\diamond \)’s into a master circuit which must be trusted but is relatively simple compared to \(\mathcal{F}\). Those solutions impose a significant overhead, as \(\mathcal{F}^\diamond \) is much more complex than \(\mathcal{F}\), and the master circuits are not exactly trivial either.

In this work, we show that in restricted settings, where \(\mathcal{F}\) has no evolving state and is queried on independent inputs, we can achieve a relaxed security notion using very simple constructions. In particular, we do not change the specification of the circuit at all (i.e., \(\mathcal{F}=\mathcal{F}^\diamond \)). Moreover, the master circuit basically just queries a subset of its manufactured circuits and checks whether they all return the same output.

The security we achieve guarantees that, if the manufactured circuits are initially tested on up to T inputs, the master circuit will catch Trojans that try to deviate on significantly more than a 1/T fraction of the inputs. This bound is optimal for the type of construction considered, and we provably achieve it using a construction where 12 instantiations of \(\mathcal{F}\) need to be embedded into the master. We also discuss an extremely simple construction with just 2 instantiations for which we conjecture that it already achieves the optimal bound.

T. Lizurej—Stefan Dziembowski, Małgorzata Gałązka, and Tomasz Lizurej were supported by the 2016/1/4 project carried out within the Team program of the Foundation for Polish Science co-financed by the European Union under the European Regional Development Fund.

K. Pietrzak—Suvradip and Krzysztof have received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT).


Notes

  1. We show that a small fraction of wrong outputs must be allowed in Sect. 2.4. The iid assumption can be somewhat relaxed, but as we don’t have a clean necessary condition we will not discuss this further in this paper. Informally, a sufficient condition seems to just require that there is no (efficiently recognisable) subset of inputs which appear rarely (not more than with probability around 1/T) but can come in “bursts”, say two such inputs are consecutive with probability \(\gg 1/T^2\).

  2. It’s acceptable by our construction if the inputs are iid conditioned on some secret, so the master on input x and key k can forward (k, x) to the circuits. Alternatively the key k can be hard-coded in the circuit (probably not a good idea if the manufacturer is not trusted in the first place) or, if the circuits have some storage, one can give them k after receiving the circuits from the manufacturer.

  3. To encrypt m, sample a random r and compute the ciphertext \((r,\mathcal{F}(k,r)\oplus m)\).

  4. We consider much stronger \(\mathsf{M}^*,\mathsf{T}^*\) for the lower bounds compared to what we require in the constructions, as discussed in Sect. 2.5.

  5. Let us mention that the opposite is not true (it’s possible that for some \(i\ne j\) we have \(\mathsf{F}'_i(x)=\mathsf{F}'_j(x)=1\), while \(\mathsf{F}_i(x)\ne \mathsf{F}_j(x)\)). This just captures the observation that an adversary who wants to deviate as often as possible without being detected can w.l.o.g. always deviate to the same value.



© 2021 International Association for Cryptologic Research


Cite this paper

Chakraborty, S., Dziembowski, S., Gałązka, M., Lizurej, T., Pietrzak, K., Yeo, M. (2021). Trojan-Resilience Without Cryptography. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science, vol. 13043. Springer, Cham. https://doi.org/10.1007/978-3-030-90453-1_14


  • DOI: https://doi.org/10.1007/978-3-030-90453-1_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90452-4

  • Online ISBN: 978-3-030-90453-1
