An efficient multi-parameter approach for FPGA hardware Trojan detection

Journal Pre-proof

An Efficient Multi-parameter Approach for FPGA Hardware Trojan Detection Apostolos P. Fournaris , Lampros Pyrgas , Paris Kitsos PII: DOI: Reference:

S0141-9331(18)30510-6 https://doi.org/10.1016/j.micpro.2019.102863 MICPRO 102863

To appear in:

Microprocessors and Microsystems

Received date: Revised date: Accepted date:

30 November 2018 23 July 2019 4 August 2019

Please cite this article as: Apostolos P. Fournaris , Lampros Pyrgas , Paris Kitsos , An Efficient Multiparameter Approach for FPGA Hardware Trojan Detection, Microprocessors and Microsystems (2019), doi: https://doi.org/10.1016/j.micpro.2019.102863

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Published by Elsevier B.V.

An Efficient Multi-parameter Approach for FPGA Hardware Trojan Detection Apostolos P. Fournaris1,3, Lampros Pyrgas1, 2, *Paris Kitsos1,2, 1. Industrial Systems Institute of “Athena” RIC in ICT and Knowledge Technologies, Patras, Greece 2. Electrical and Computer Engineering Dpt., University of Peloponese, Greece 3. Faculty of Information Technology, Monash University, Melbourne, Australia * Collaborating faculty with the Industrial Systems Institute of “Athena” RIC in ICT and Knowledge Technologies. e-mails: {fournaris, pyrgas, pkitsos}@isi.gr

Abstract—Hardware Trojan (HT) detection in the wild is a challenging endeavor since the inspector cannot have access to “golden chips” or special and trusted test measurements in order to be assisted in his assessment. Apart from detection, a HT analyzer sometimes needs to be able to understand the behavior of a HT, its activation principles and preconditions. In this paper an FPGA based HT detection and analysis methodology is proposed that uses multiple parameter processing in order to detect a HT and analyze its behavior without the presence of “golden” chip or measurements. The methodology introduces a series of scientifically sound stages to be followed in order to refine the HT detection process and proposes the scientific interconnection between these steps that makes this refinement possible. More specifically, in the paper, we propose the appropriate combination of a logic testing method, a run-time method and a side-channel analysis method to structure the proposed methodology and we apply this methodology on a design implemented in an off-the-shelf FPGA board in order to detect a HT and analyze its behavior. The logic testing and side-channel analysis methods are non-invasive. The run-time method is an invasive one where on-chip digital sensors are used to detect unexpected differentiations in the layout of the Integrated Circuit (IC). The side channel analysis method uses power or Electromagnetic emission signals during the cryptography process in order to perform a proposed statistical analysis approach and correlate logically the outcomes of the analysis collected with the previous methods’ results. The proposed approach does not rely on the presence of a “Golden chip” or any trusted known test values for detecting the HT. On the contrary, it proposes a statistical, heuristic, analysis using specific features, to reduce false positive HT detections, to analyze HT activations, find what triggers them and in what point in time that happens. The overall methodology is implemented, showcased and evaluated on an actual FPGA board using actual experiments and results that validate our assumptions. To the best of our knowledge this is the first attempt at combining three different parameter analysis methods for HT detection without using “trusted” measurements or chips on an off-the-shelf FPGA board. Keywords— Combinatorial Testing, Hardware Trojans, Side Channel Analysis, Ring Oscillator, Security, VLSI Design

I.

INTRODUCTION

Until a few years ago the security of an electronic system has been related only to the security of its software part. In recent years and due to the globalization of the semiconductor industry, serious concerns related to the authenticity and security of an IC are continuously raised. One of the most serious attacks to an IC is a Hardware Trojan (HT), a malicious modification to ASICs / FPGAs or microprocessors or IoT device[1-2], inserted at different stages of the IC’s life cycle, that can change the functional behavior of the hardware, downgrade its performance or provide a back door through which sensitive information can be leaked. An intruder is expected to make a HT that is stealthy in nature and can evade detection through conventional testing. Specifically, a HT is a small circuit inserted into an IC that consists of two parts: The first part is the trigger circuit that activates the HT when some rare event take place in the input of the HT. The second part is the payload circuitry that executes the HT’s malicious function when it is activated. A well-designed HT remains inactive under normal conditions, but ready to be triggered when a special, specific condition occurs in the IC in order to execute its malicious purpose [3]. HTs can be classified according to their trigger condition into analog or digital [4]. The digitally triggered HTs, can be divided into combinational and sequential types according to the type of their circuitry. HT detection techniques are divided into destructive, that permanently destroy the IC, and non-destructive [5-7]. The non-destructive techniques can be further divided into two categories: Invasive techniques (e.g. run-time methods), that modify the layout of the circuit and non-invasive techniques (e.g. logic testing or side channel analysis methods) that do not. Logic testing methods *8+ use special test vectors, based on the Trojan’s design philosophy, in order to activate potential HTs. They manage to detect HT by probing for erroneous outputs or signs of other activity of the HT (e.g.

consumption of more power etc.). Run-time methods [9] can detect a HT by adding special monitoring circuits, such as compact on-chip sensors, usually in a grid formation, that can capture any unexpected differentiation (power, current, temperature etc.) in the IC caused by the presence of a HT. Side channel analysis has been used extensively for performing attacks [10][11] but have also been used in methods [12] that can detect a HT presence by measuring the change in some physical parameters of the IC, such as Electromagnetic (EM) emission, when a structural modification has taken place in the circuit. Already, there are various works that focus on side channel analysis methods in order to detect the presence of a HT in an IC [6] [12] [21]. While those methods have the advantage that they do not require triggering of the HT, most of them rely on the existence of a golden chip or a golden model derived from the chip, in order to assess if a HT is present in the IC. Recently, side channel analysis methods, for HT detection, that do not require a golden chip or golden model have been proposed. However, even these methods require “golden” trusted measurements and simulation models *21] [22]. Moreover, the experiments based on these methods are contacted on specialized FPGAs (Sakura boards) [21]. Nevertheless, side channel analysis, and in particular EM side channel analysis [21], constitutes a realistic and promising method for HT detection, especially in actual, non-specialized FPGA boards, with no power stabilization scheme, where the collection of clear power consumption signals would, almost always, require dismantling of the board’s electronics elements. To achieve more accurate HT detection without “Golden chips”, we propose to combine various, different, parameters and analyzed them holistically. So, in this paper an FPGA HT detection methodology based on multiple parameter analysis is proposed that can be applicable on actual FPGA chips. To structure our approach, we applied three different methods for HT detection that complement each other, a logical testing, a run-time and a sidechannel analysis method. Logical testing and side-channel analysis methods are non-invasive while the run-time method is invasive and uses on-chip digital sensors in order to detect unexpected differentiations in the layout of the IC. Combining the three methods, we propose a three stage methodology that is deployed at the design time of an FPGA IP core and is extended during its operation. In the final stage of the methodology we refine the collected results by using a heuristic, statistical analysis on the collected side channel information in order to enhance the HT detection process, to reduce HT detection false positives and to provide HT activation and triggering source analysis based on the statistical features of Euclidean distance, mean value, skewness and kurtosis. Furthermore we evaluate the proposed methodology and showcasing its results for an AES based implementation that includes a HT thus validate its applicability. To the best of our knowledge this is the first attempt of combining these different methods for HT detection in a non-specialized, commercial, FPGA. The paper is organized as follows: In Section II the attack model that was used is presented. In Section III, we describe the proposed methodology in detail and in section IV we describe the experimental setup that was used in order to perform experiments using the proposed solution and in Section V the actual validation of our proposal is performed using an actual HT enabled FPGA AES implementation. Finally, Section VI concludes our paper. II.

ATTACK MODEL

In most cases, the attacker, through some external input (usually the key), controls the activation of the HT. In order to form the triggering logic, the attacker selects a number of the key’s bits. When a specific pattern is detected, the HT is activated. On the other hand, the defender has to exhaustively test all possible inputs, in order ensure that the IC is HT free. In reality, this task is impossible due to the extremely large number of the possible inputs. Luckily, approaches that greatly reduce the number of the necessary input test vectors are already very well documented. In [13-14], an approach based on the combinatorial testing (CT) principles that utilizes the mathematical construct of covering arrays is presented in detail. In our paper, we opted for a HT triggering logic that while it is small enough to avoid detection from design automation tools, does not render the HT activation trivial. It is formed from seven of the key’s bits. As for the input test vectors, we chose the ones that are generated by using the CT-based approach, that is presented in [13-14]. This approach has two very significant advantages: first, for a seven bit HT triggering logic, we need only 2,462 input test vectors, for the guaranteed activation of the HT (this cannot be achieved by the use of random vectors), and second, the HT is activated multiple times, specifically up to eleven times in our case.

III.

PROPOSED METHODOLOGY

The proposed methodology is split into three stages. In the first stage, during the design time of a security VLSI design (eg. of an FPGA design) the installment of an appropriate grid of on-chip digital sensors, based on RingOscillators (ROs), is made. The RO’s frequency depends on the IC’s operating characteristics (e.g., local temperature and voltage, both affected by the signals’ toggles around the RO) and its process variation. Therefore, any small alteration of the circuit or its operation around a sensor results in a different oscillation frequency [15]. This method is already widely used and well documented [16-19]. In our approach and the experiments that were contacted (as described in the following section), each of the on-chip sensors consists of a RO, a small Residue Number System (RNS) ring counter and a control multiplexer. The RNS ring counter has already been used and presented in detail in [17-19]. In this paper, however, in order to acquire more accurate measurements and have lower levels of selfheating phenomena [20], we have opted for a smaller and better 3-stage RO implementation than those in [17-19], that uses only 2 LUTs. The implementation of the RO is shown in Fig. 1. This new design, also, uses an open latch between each element, to further improve the sensitivity of the RO. Each open latch is available near each LUT in the FPGA slices and it acts as an additional transistor-based wire. The infused in-chip sensors are used for the runtime analysis performed in stage 2 of the proposed method.

CFGLUT5

enable

Open Latch

Open Latch

Open Latch

ro_out

INIT=33335555

Fig. 1. The 3-stage RO implementation that uses 2-LUTs

In stage 2 of the proposed methodology, a combination of logical testing analysis and run time analysis is performed while in parallel side channel measurements are collected for the third and final stage of our approach. Initially, a device profiling is performed in order to identify the best possible side channel leakage signal to be collected. This process is very important for types of side channel trace collection based on Electromagnetic Emission. In such case, the signal usability considerably relies on the exact spot over the chip where emission is collected. After finding the optimal side channel collection conditions, we employ a Logic testing method for analysis in which a test suite, consisting of a very small number of test vectors, is used for the guaranteed activation of the HT. This suite is generated using combinatorial testing (CT). It was introduced in [13] and was well established in [14]. This method can reliably detect the presence of HTs that alter the output of an IC. However, more sophisticate HTs usually target other parts of the IC (e.g. they can downgrade its performance, increase the power consumption and/or the path delay, transmit sensitive information through a side channel) rather than its output. Such HTs cannot be detected by this method. Nevertheless, the use of this suite of test vectors, that guarantees the activation of the HT, can be used as the first step in another method. When a HT is active the signals’ switching activity is increased, leading to increased power consumption and EM emission of the IC, which can be detected by our employed on-chip digital sensors and side channel analysis technique. The logic testing approach that we follow guarantees that with a relatively small number of test inputs we can trigger a possible HT in our Design Under Test [14] (without knowing when or how the HT is triggered) thus enabling further analysis. To simplify the other procedures of stage two, we do not provide test vector values as a continuous stream of inputs but divide them logically in test blocks of G values

that we call bins. Bins act as time windows for consecutive cryptographic executions over time (that may or may not include HT triggers). The remaining analysis of the second stage is done in two parallel procedures. In the first procedure, the outcome of the on-chip sensors, that were introduced at design time (on stage 1), are collected using a run-time method. The collected measurements are used for the calculation of each sensor’s count value for each bin through the use of the Chinese Remainder Theorem. The same process is repeated for each one of the remaining bins of ta sensor and for all sensors. Thus, after the calculations, each sensor has a series of constant values (on for each bin). Each value, representing G inputs (or similarly executions) overtime, must have a similar value with the remaining values of the same sensor. A considerably different value indicates a change of the execution regularity in a specific time window (a bin) that is caused be a HT triggering. While the procedure can detect HTs triggering, it provides a general approximation of what triggered the HT and when exactly in time during a time window (a bin) did the triggering happen. This can only be found during the third state were a post measurement analysis is done using the outcome of both the first and second procedure of the second stage. The second procedure of the second stage is closely related to the collection of side channel measurements during the test vector input executions of the logic test analysis. For this reason, a side channel method using Power Consumption (PC) or Electromagnetic Emission (EM) side channel trace collection is performed. Using this procedure, the HT analyzer is capable of manually detecting differentiations in power consumption and EM variations due to the presence of a HT. This method, which is used in combination with the other two methods, primarely aims to detect HTs that do not alter the IC’s output but also provides a refinement on the results of the run-time method by detecting when the HT was triggered and what input triggered it. The side channel HT detection and analysis proposed in this paper does not need a “golden” or a “gold” method/simulation/measurements. The third and final stage of the proposed methodology performs a combined analysis on the collected outcomes of the previous stages primarely focusing on the post-collection, refinement and analysis of the side channel information and on how the side channel analysis results are combined with the run-time analysis results and the test vector inputs. Due to the importance of this stage, this stage is described in the following autonomous subsection. rd

A. Proposed methodology 3 stage: Side channel Trace Refinement, Analysis and multiparametric combination

The final stage of the proposed method consists of three phases in order to extract reliable HT analysis results. These phases are the side channel information refinement phase, the interesting points multiparametric identification phase and the final post-collection refinement/analysis phase. Initially, the side channel information collected during the second stage cannot be used “as is” for extracting metrics and signal analytic features, due to the presence of noise. Thus, a denoising process must be executed in order to obtain useful side channel signals. In this paper, we suggest a denoising process that relies on several existing techniques in the research literature. First, we assume that the collected side channel signals are averaged in order to generate a side channel trace useful for analysis. Thus, during the stage 2 of the proposed methodology, the runtime method can be executed multiple times (the same inputs are fed to the Device Under Test multiple times) and the collected signal can be averaged accordingly. This process by itself may reduce the amount of noise, however, it might not be enough. During stage 3 of the proposed methodology, the averaged traces are transformed from the time domain to the frequency domain. After performing a Fast Fourier Transformation (FFT) significant additional, unnecessary signals at high frequencies but also at very low frequencies than the one used by the Device under Test clock can be revealed and must be removed. For this reason, a lowpass or bandpass filter can be applied so that such frequency values will not interfere with the analysis process. This technique can considerably denoise the side

channel trace so that it can become fit for analysis. In our experiments, described in the following sections, the above techniques were enough to provide useful traces, however, further denoising can be performed as described in several research works. The above activities constitute the side channel information refinement phase. After this refinement phase, we can perform an initial analysis of the denoised trace in order to identify interesting points (interesting points multiparametric identification phase). Interesting points are defined as sample values of the side channel trace at specific time points or intervals that are considered considerably different from the rest of the samples within the same trace. Such values if associated with the runtime method results can pinpoint to specific HT triggers in time. This phase results are mostly manually inspected by a human HT inspector that observes outlier values from the graphic representation of the trace and identifies possible interesting points. The final phase of the proposed methodology’s stage 3 is aiming to refine the interesting point identification by performing a post trace collection analysis using heuristics methods and statistical analysis in order to extract signal processing features and identify outlier values in them that will act as interesting points. So, in this phase we do not identify interesting points on the actual trace but rather identify such points on the metadata (features) extracted from the trace. Thus, we further explore the variation on the identified interesting points by performing several post trace collection calculations in an effort to automate and refine the HT detection process. The crucial factor in the identification of the HT presence within the FPGA IC computation is the statistical difference of some samples from the rest of the collected samples. This difference can be described through several statistical metrics. In this paper, we propose a side channel trace analysis based on the Euclidean distance metric, using a similar concept as the one described in [21]. Euclidean distance is typically defined on two different points in the Euclidean space and quantifies the difference between those two points. It is a simple method for detecting anomalies and outlier behavior between actual and expected data. Euclidean distance can be extended to provide single value differences beyond simple points. It can be used for finding the distance between vectors. We take advantage of this fact in order to describe, with a single value, the difference between blocks of the collected trace’s samples (corresponding to specific time windows each). To further refine the above process, let’s assume that we have trace Tn consisting of n samples and that Ci is the i-th block of samples (a timewindow) consisting of s samples where . We can then split Tn into ⌈ ⌉ different sample blocks Ci for all {

⌈ ⌉} i.e.

{

⌈ ⌉

}. Using this notation, we can find the Euclidean distance Vi,j that each sample block Ci {

has with each one of the remaining sample blocks Cj of Tn for all distance Vector

[

⌈ ⌉

⌈ ⌉}. Thus, we can obtain for each Ci an Euclidean

] . By calculating the Euclidean distance vectors for all

{

⌈ ⌉} we can generate an

⌈ ⌉ ⌈ ⌉ Euclidean distance Matrix V describing the distances between all sample blocks as described in equation (1). ⌈ ⌉

[

] ⌈ ⌉

(1)

⌈ ⌉⌈ ⌉

The above matrix provides an accurate viewpoint of outlier behavior in the collected trace. If a single or few Euclidean distance values Vi,j are considerably higher that the remaining values of the same row then this values indicate a time window where a HT is active. Similarly, if most of the Vi,j values on a single row are considerably higher than the values on most of the other rows then the Ci sample block (i.e time window) is an outlier and the corresponding time window has a HT activation. This viewpoint can be adjusted by changing the sample number s for each Ci. As s becomes smaller we gain insight regarding outlier points in

smaller parts of the trace (fine grain approach) but we may end up with complex Euclidean distance vector plot patterns that are hard to interpret and identify as HT activations. To generate V the following algorithm (Algorithm 1) can be used. Algorithm 1. Euclidean Distance Matrix Generation Algorithm (EDM_Gen) Input: Collected Trace Tn, number of samples per block s, Trace sample number n, Output: Euclidean Distance Matrix V * +. ⌈ ⌉ different sample blocks i.e. 1. Break trace Tn into 2. For i=1 to d a. For j=1 to d i.

√∑

( ()

( ))

where C(t) is the t-th sample in the sample block C

b. End 3. End 4. Return V The construction of the Euclidean distance matrix V must be prosessed in order to reveal HT activations at specific time windows (beyond optical observation) and to identify false positive and false negative HT activations. Extracting statistical features from the matrix may accomplish this goal. Finding the mean value of each Euclidean distance vector Vi can be the simplest way to identify HT activations since at vectors describing Ch1 sample blocks the Euclidean distances with all other sample blocks will be considerably higher compared to other vector outcomes. Also, skewness and kurtosis metrics seem to be ideal for revealing signficant outlier behavior. More specifically, skewness reflects the shape or asymmetry of a distribution: if skewness is negative, the data spread out more on values smaller than the distribution mean, while if it is positive, the data spread out more as values higher than the distribution mean. So, skewness can reveal positive or negative significant differences from the mean value of an Euclidean distance vector Vi thus providing an indication of outlier behavior (i.e. HT activations). Similarly, kurtosis can showcase how outlier-prone a distribution can be. Assuming a normal distribution, kurtosis has a value of 3. When a Vi vector distribution has many singnificant outlier values (from a normal distribution) kurtosis metric will be greater than 3. Having in mind the above three metrics, we can apply them on all the sample block Euclidean distances of each vector Vi of V, obtain mean, skewness and kurtosis values for each one of them and create mean, skewness and kurtosis vectors. Most of those values in each vector will be similar apart from those that depict Ch block samples that include some HT activation. The final step in this approach is to normalize and interpolate the created vectors (kutrosis or skewness with mean vector) with the side channel trace to further refine the interesting point identification process. This refinement has to do with the combination of interesting points that are already identified on actual trace with interesting points that are identified in the extracted feature vectors. Finding interesting points in the same time frames/intervals for all feature vectors (and the original trace) will be considered a true positive of HT trigger. In other cases, the existance of various feature vectors (with associated interesting points in each one of them) give to the HT detection analyzer a more detailed view of possible HT activation, as can be seen in the experiments described in the following section. The identified interesting points matching HT actications can be associated with the time points when the HT was triggered (it can be found from the side channel trace). Knowing the time sequence of test vectors that were inputted on the Device under Test we can identify the exact test vector that triggers the HT. Thus, the HT analyzer can have a full profile of the HT that was placed on the Device under Test. In the following Figure (Figure 2) the methods that are used in each stage of the proposed methodology are presented graphically.

1

we assume that the h-th block includes a HT activation

Stage 1 Method Process

Observation

Sensor Grid (Design time) Use of on-chip digital sensors Accurate on chip Placement and routing

Stage 2 Sensor Grid (Run time)

Side channel analysis

Use of special test vectors

Use of on-chip digital sensors

Evaluation and analysis of Traces

Activation of HT

Differentiations in the oscillation frequency

Power consumption variations EM variations

Logic testing

Stage 3 Method

Side channel analysis

Side channel analysis

Sensor Grid (Run time)

Process

Denoising Interesting Point Identification

Feature Extraction

Interpolation with Side Channel Information

Use of special test vectors

Identification of HT time point activation

Identification of HT triggering test vector

Observation

Interesting points in combination with Feature Vector Interesting points runtime method results combined with runtime method results

Logic testing

Fig. 2. Overview of the methodology stages and the HT detection methods that are used in each stage.

B. Proposed Methodology overview

Considering the above various techniques for HT detection and their usage in the proposed methodology, it can be concluded that they complement each other and help to collaboratively analyze the HT behavior and its triggering inputs thus moving beyond simple detection approaches. Also, the utilized techniques do not require the use of gold chip or “golden” simulation. The 2three stage proposed methodology that uses the described combination can be formalized algorithmically in Algorithm 2.

Algorithm 2. Multiparameter Hardware Trojan Detection and Analysis proposed methodology Input: A IC to be evaluated Output: HT detected points in time, HT activation Plaintest or Key values Stage 1: 1. At design time introduce on-chip sensors in the FPGA fabric near security sensitive circucuitry 2. Generate a suite of input test vectors using the logical test suite technique [14]. Stage 2: 3. Perform IC profiling to identify maximum side channel leakage points on chip 4. Input the test vectors to the IC serially and in parallel collect EM or Power consumption Trace Tn, 5. Collect the on-chip sensor values (vector OC) after conclusion of the security related process (eg. after AES encrypion) for all test vector inputs Stage 3: 6. Denoise Side Channel Traces (Phase 1) 7. Identify high values on OC vector and associate them with specific time window (vector W). High values indicate the HT presence (Phase 2) 8. Using Tn find the Euclidean Distance Matrix V (Phase 3) 9. Calculate statistical features from V: Mean value vector, Skewness vector and Kurtosis vector 10. Interpolate the three feature vectors for the time window W 11. Points in time where all three features have excesively high values indicate that there is a true positive HT activation. 12. Record HT activations time point and associate it to the test vector value (or values) inputted in the chip at this time

IV.

METHODOLOGY EXPERIMENTAL VALIDATION SETUP

In order to access the practicality and applicability of the proposed HT detection and analysis methodology, validation was performed in an actual of-the-shelve FPGA board where the 128-bit plaintext/key AES block cipher that is provided in [23] was implemented. More specifically, the Digilent Basys 3 FPGA development board [24] was selected as the target of the actual implementation. We opted for an FPGA board that is not optimized for side channel leakage collection and, therefore, is an actual representation of a typical board in real security frameworks. On top of the AES implementation, in order to integrate the second part of our methodology, we placed 20 onchip sensors, in a 4x5 grid, a grid big enough to cover the whole implementation area, but at the same time dense enough so that any HT is very close to a sensor of the grid. The additional hardware resources needed for our sensor grid is only 1.5 % of the total FPGA resources. Finally, a 64-bit Linear Feedback Shift Register (LFSR) was added on top of the preview implementation, in order to emulate the dynamic impact and the EM emission of any sequential HT. When the pattern ‘1111111’ occurs in specific bits (chosen at random) of the key (specifically when the bits 118, 96, 77, 61, 45, 29, 8 are all set to '1') the HT/LFSR is activated. The HT was placed close to sensor 13 (Line 4, Column 1). The layout with the 20 sensors (yellow color) and the HT (red color) is shown in Fig. 3.

Fig. 3. The layout of AES, the grid of sensors (yellow) and the HT (red)

The testing equipment setup, for the side channel analysis leakage collection, that was used in our experiments consists of a Langer-EMV RF 2 electromagnetic probe RF-B 3-2 that is connected through a PA 203 Preamplifier to a Lecroy Teledyne Waverunner 6 Zi series Digital Signal Oscilloscope (DSO). All Electromagnetic emission (EM) traces were collected at 2.5 GSamples/sec. Because the FPGA’s actual EM signal in real conditions was very noisy, further noise reduction techniques, based on the appliance of appropriate high pass and/or band pass filters, were used for the removal of very low or very high noise frequencies from the trace.

V.

METHODOLOGY VALIDATION PROCESS

A. Triggering with CT based Test Vectors (Logical Testing)

The input test vectors, that, as it was already mentioned, are very few and activate the HT 100% of the time, are fed as keys into the AES algorithm. Any HT that alters the output of the algorithm is easily detected by comparing the

actual output with the expected one. However, for sophisticated HTs an erroneous output is not usually the target. Even in those cases, the test suit is still a vital part in the other two following methods. B. Measurements of Digital Sensors (On-chip Sensors)

Before the execution of this stage of the experiment, the input test vectors are equally divided into ten bins (groups). As previously mentioned, multiple test vectors can activate the HT. These test vectors can be present in more than one bin. This experiment’s stage begins with the activation of the sensors and the execution of the AES algorithm on the IC two times for each test vector of the first bin. The next step is measurement collection from all sensors. This is done automatically. The collected measurements are then used for the calculation of each sensor’s count value through the use of the Chinese Remainder Theorem in MATLAB. The same process is repeated for each of the remaining bins. The experiment is then repeated for a total of 200 times and the mean value for each count value is calculated. In Fig. 4 the count values for the sensors 2, 5, 9, 10, 13, 18 are presented (the results for the other sensors are similar to those not adjacent to the HT). By comparing the sensors’ count values, it is apparent that for sensor #13, which is adjacent to the HT, a significant difference is observed between the count values that correspond to bins that include test vectors that trigger the HT and the others.

(a) Sensor # 2

(b) Sensor # 5

(c) Sensor # 9

(d) Sensor # 10

(e) Sensor # 13 (Trojan adjacent)

(f) Sensor # 18

Fig. 4. Count values (for all bins) for six representative sensors

Based on the results of our experiment, the grid-based approach is capable of reliably detecting a HT. Two are the main reasons for the success of our method: first, the correct selection of the initial test vectors using the CT approach that ensures the triggering of the HT and second, the compact sensors that allows for the placement of a grid which covers the whole implementation area but at the same time requires very few resources. However, this method alone cannot detect the exact test vectors that trigger the HT, only that the test vector is part of a specific group of the test suite. The solution to this problem is presented in the following subsection and is the combination of the on-chip sensor method with the EM Side Channel Analysis method. C. Side Channel Trace Collection Evaluation and Analysis

The final part of our proposed multiparameter detection approach focuses on refining and confirming the results, from the previous method, regarding HT detection using the EM side channel. It also plays a vital part in evaluating the ability of the proposed mechanisms to detect even HTs that do not alter the IC’s output. The first and necessary step is an initial profiling of the EM side channel information leaking from the IC. In order to cover all possible cases, we have implemented two distinct AES designs, one with a HT and one Trojan free. To these implementations we provided three input scenarios in order to assess the behavior of the IC’s electromagnetic emission. One of the most important factors in any side channel analysis method is the levels and distribution of noise. Therefore, it is vital to know these two parameters for every part of the FPGA chip on the Digilent Basys 3 board when the AES implementation is present. By downloading the AES circuit in the FPGA and by then providing the appropriate input vectors we can find an optimal point where the EM signal is strong, and the level of noise is at an acceptable rate compared to the AES associated leakage. Specifically, this manual mapping, was done by first performing 4940 (two times the 2462 input test vectors, rounded by padding with vectors of zeros) encryptions in a row and collecting their trace. This was done by using a trigger pulse at the beginning of this process (when the first encryption starts). The above process was then repeated for various parts of the FPGA. The part where the AES circuit (along with the on-chip sensors and later the HT) is implemented inside the FPGA can be configured through the Xilinx toolset. For a more accurate profiling we repeated the experiment by also feeding the AES implementation with 4940 identical test vectors. In all experiments the plaintext was the same. Finally, the point where the characteristic AES encryption pattern was more visible throughout the electromagnetic emission was selected as the target for the AES implementation. The next step was the profiling of the AES implementation. We focused in two cases: an AES implementation without a HT and one where a HT is present. Initially, we downloaded the Trojan free AES implementation in the FPGA and collected traces containing 4940 AES encryptions each, run with a constant input test vector for all of them. Then we repeated the same experiment for the AES implementation that contains the HT. We collected 200 traces for each of the two AES implementations and in order to reduce noise we averaged them in both cases.

The averaged traces were then transformed from the time domain to the frequency domain. After performing a Fast Fourier Transformation (FFT) significant additional signals at high frequencies but also on very low frequencies were revealed. Apart from the frequency from the AES clock that was chosen to be 66 MHz, we observed the presence of additional frequencies at around 100 MHz or higher. These frequencies that interfere with our signal can be addressed to noise, to the board’s crystal that provides a clocking frequency of 100MHz for non AES related FPGA components and to the presence of the grid of the on-chip sensors that oscillate at frequencies higher than the 66 MHz clock frequency of the AES implementation. These dominant frequencies, which add noise to the EM leakage trace information, can be as big as 265 MHz or as low as 16 MHz, as it can be seen in Fig. 5.

Fig. 5. Multiple AES encryptions Trace with fixed test vector on HT free IC

In order to discard all excessive, too high and too low, frequencies that only add noise to the collected trace we applied a bandpass filter to the averaged trace. By applying the bandpass filter to the trace and taking its FFT outcome, all the samples are resampled around 66 MHz, as we can observe in Fig. 6, and therefore the trace now contains mostly information related to the implementation of the AES algorithm.

Fig. 6. Multiple AES encryptions Trace with fixed test vector on HT free IC

In Fig. 7, the subpart of the overall averaged trace after filtering, with the expected peaks, for an AES implementation with no HT is presented. As already stated, this AES implementation has a constant test vector as input. Similarly, in Fig. 8 the subpart of the trace for an AES implementation including a HT is presented. This implementation has also a constant test vector, which is known to always trigger the HT, as input. Note that inputs to the AES implementation are provided at a constant rate in order to retain 100% utilization. Thus, when an AES operation is concluded, a new AES operation begins in the next clock cycle.

Fig. 7. Multiple AES encryptions Trace with fixed test vector on HT free IC

Fig. 8. Multiple AES encryptions Trace with fixed test vector that activates the HT

In both the above figures, it can be seen that both positive and negative peak points appear in a repeating pattern outside the area between the mean high and mean low values of the overall trace. This pattern is a clear indication of when the AES algorithm’s execution happened in time. Closer observation revealed that the position of these peaks directly correlates with the beginning of AES encryptions. For the next step of our analysis we compared the trojan free AES trace with the AES trace where the HT was activated in every AES encryption. As it can be observed, the peaks in Fig. 8 (AES trace with HT activation) are considerably higher than the mean maximum value of the measurement compared to similar peaks of Fig. 7 (trojan free AES trace). This notable difference between the two traces, is a clear indication that the activation of the HT leads to higher power consumption. This difference between the traces can be used for detecting HTs that do not alter the output of the encryption.

For the third and final experiment of our approach, an AES implementation that included a HT was downloaded on the IC’s FPGA and the on-chip sensor HT detection method was executed in parallel with the EM side channel analysis method as described in subsection IV. The AES implementation was fed with bins of selected the test vectors in a serial manner. After the conclusion of this process, for each bin of vectors, the on-chip variation (measurements) were collected. For some bins of test vectors we observed considerable variation that indicated that a HT exists in the IC and that some test vectors in those bins triggered it. This is similar to what is observable in Fig. 4 for sensor #13. At the same time, we collected the traces of these AES encryptions through the EM side channel, using the same trace collection and refinement process as the one in the previous trace collection experiments. In Fig. 9, a snapshot of the averaged collected trace, after filtering, is presented.

Fig. 9. Multiple AES encryptions Trace with test vectors that may activate the HT (part of the overall trace) with some interesting points (red dots)

In the above figure, there are observable positive and negative peaks (marked with red dots) that are considerably higher (or lower) than the mean high value (or mean low value) of the overall trace. The fact that these peaks appear at specific points in time is an indication that a HT is triggered and activated at these points. For the next step of our aproach, we collected the output values from the on-chip sensor #13 that is adjacent to the HT and can reliably detect it and combined them with the collected EM trace in a common time frame, after normalizing both of them. This unified graph is presentied in Fig. 10.

Fig. 10. Combining the logical testing, on-chip sensors and side channel (EM) analysis to detect HTs and test vectors that trigger them

In Fig. 10, both positive and negative samples along with the peaks of interest are presented by their absolute values in order to visually simplify the EM Trace results. As already noted, each of the on-chip sensors produces one value as a result for 247 AES

encryptions (a bin of test vectors). High values indicate that an HT activation has taken place within that 247 AES encryptions while low values indicate that none of the test vectors in that bin activated the HT. Furthermore, by compining the results from all the presented methods, we can identify which input test vector (out of the 247) has triggered the HT, by determing the place, in time, where the peak has occur in each bin. Note that this match is not always observed due to the presence of noise in the EM trace (i.e. some high peaks are lost in the noise). The above mentioned validation process realizes Stages 1, Stage 2 and the 1 st and 2nd phase of Stage 3 in the proposed methodology. As mentioned, the Stage 3 2nd phase relies in finding interesting points (where HT may be present/enabled) from manual optical observation of the side channel trace and may include several false positive detected HT activations. The various possible HT activations identified in Fig 9 and 10, in reality constitute interesting points that need to be further explored in order to access if they constitute actual HT triggering. The exploration is done in the final phase of Stage 3 of the proposed methodology as follows. Due to the applied logical testing method during trace collection, it is guaranteed that if a HT exists, it will be activated several times during the 4940 AES encryptions. This activation will be visible in the trace collection, as shown in Figure 10. Therefore, we expect to find sample values (or blocks of samples) that have non trivial euclidean distance from the rest of the samples (or block of samples). This will provide a numerical indication (not based on optical observation) of the timeframe when the HT is activated and thus associate it with a specific input test vector automatically. We apply the decribed analysis of section III for feature extraction on the collected trace of Fig.8 where several HT activations are taking place. Initially we execute Algorithm 1 on the collected trace and obtain the Euclidean Distance Matrix using s = 480 samples. This choice was made using the fact that in aproximately 480 samples one full AES execution is concluded. In the following figures (Fig. 11 and 12), the Euclidean Distance Vectors for i=100 and i=1281 are presented. In each one of these figures, there is a value where Euclidean distance is zero. This is the outcome after calculating the distance of the corresponding Ci with itself and is ommitted in the consecuritve feature extraction process. As it can be observed, in Fig. 11 where the Ci does not contain any HT activation , Vi has high regularity i.e. the Euclidean distance variates in a predictable way while in Fig. 11 the overall pattern of the plotted distanses is offsetted higher than in Fig 11 and also low Euclidean distance values are observed at specific time slots. These low value indicate high resamplance of the specific C i (in this case i=h=1281 where HT activation occurs) with some specific sample blocks. Such sample blocks may also include HT activations.

Fig. 11. An Euclidean Distance vector for a Ci not containing a HT activation

Fig. 12. An Euclidean Distance vector for a Ci that contains a HT activation

By observing the mean value metrics figure (i.e. Fig 13) some of the above remarks become more evident. In Fig. 13, the X axis represents the number of sample block (the i number) while the Y Axis represents the mean value of the whole Euclidean distance vector on each sample block. As can be seen, in compliance with the Fig. 11 and 12 comments, the mean has significantly high peak values for some sample blocks. Such blocks represent Euclidean distance vectors like the one of Fig. 12 where HT activation takes place.

Fig. 13. The mean of all Vi vectors

By normalizing the mean value vector to match the collected trace of Fig. 9 (by apointing one constant mean value for every 480 samples) we obtain Fig. 14 and 15. There is a close match between peak values of the collected trace with peak values of the mean value vector. However, this matching does not always occur, providing indication that there are false positive results regarding HT activation when considering only the collected trace peaks. It can be concluded that the inclusion of the mean value metric when detecting HT activations can further refine the overall process and reduce false positives. However, using just the mean value feature, we can identify only the increase of the mean value in an Euclidean distance vector due to the existance of possible HT activation and not the presense of low Euclidean distance values within the vector indicating similarity of the power trace at specific points in time (implying the existance of a common HT activation power trace pattern). Note that Fig. 12 observations reveal the existance of such values.

Zoomed area Fig. 14. Interpollation of the mean values vector on the original collecteed trace

Fig. 15. Zoomed plot of Figure’s 14 interpollation

Therefore, we propose to further refine the intersting points on Fig. 9 (characterizing possible HT activations) through the kyrtosis and skewness features in an effort to identify outlier low values in Eclidean distance vectors. Those features can be extracted, in a similar way to the mean vector calculation, from the collected trace of Fig. 9. We can create kyrtosis and skewness

vectors where each value in the vector indicate the kyrtosis/skewness of an Euclidean distance vector. When a kyrtosis or skewness value deviates considerably from the graph’s mean value then we can conclude that in this specific Euclidean distance vector there exist several outlier values and we should investigate this vector further. As can be concluded from Fig. 16 and 17. (kyrtosis and skewness graphs respectively), both of them provide similar information. In the kyrtosis graph we have excesively low values at some specific points of the X axis while in the skewness graph we have excesively high values at the same points in the X axis. Both graphs indicate that at the indicated points in the X-axis (representing specific Vi ) further investigation must be made.

Fig. 16. The Kyrtosis of all Vi vectors

Fig. 17. The Skewness of all Vi vectors

Without loss of generality, we can focus our analysis on the skewness feature. By normalizing and consolidating the skewness plot of Fig. 17 with the mean value plot of Fig. 13 we can produce a view of the possible interesting points that are found bith due to overall high Euclidean distance Vector values (using the mean vector) but also due to outlier values (using the

kyrtosis/skewness vectors). In most cases, the compined graph will verify what the individual features show but as can be seen in Fig. 18 there are cases where some interesting points get elevated importance when combining all features. In Fig. 18 we highlight some use case examples (interesting areas 1-6) that verify our expectations. In the following table (Table I) conclusions for the Fig. 18 interesting areas are presented when one feature is used and when all features are combinded.

Table 1. Interesting Areas conclusions using one or multiple features INTER. AREAS NUMBER

ONE FEATURE

MULTIPLE FEATURES

Using the mean value feature only one interesting point (one peak can be identified) is identified. Using only the skewness feature there various interesting points that are of equal importance. If only the mean feature was used several interesting points would not have been identified

Compining all features, we can evaluate more than one point (that was identified by the mean vector) and process them in hierarchical order, starting with the interesting point that exists in both feature vectors and proceeding with the ones in the skewness vector.

Using only the mean feature we observe two peaks of medium importance.

Combining all features (skewness+mean) the two interesting points (peaks) become highly important and can be marked as HT activations

3

Using the mean value feature only few interesting points (one peak can be identified). Using only the skewness feature there various interesting points that are of equal importance. If only the mean feature was used several interesting points would not have been identified

Compining all features, we can evaluate more than one point (that are identified by the mean vector) and process them in hierchical order, starting with the interesting point that exists in both feature vectors and proceeding with the ones in the skewness vector.

4, 5, 6

One or many interesting points (peak value) that exists only in skewness vector and not in the mean feature. If only the mean feature is used the interesting points would not be identified

Combining all features (skewness+mean) the found point (skewness peak) become important and can be evaluated as HT activation

1

2

Mean

Skewnes s

1

2

3

4

Fig. 18. Some interesting points when combining Skewness and mean feature vectors.

5

6

DISCUSSION AND CONCLUSIONS

VI.

The indicated measurements suggest that the proposed introduction, evaluation and analysis of invasive and noninvasive parameters may provide a well refined HT Detection approach. The EM side channel information, leaking from an IC that contains a HT can give us some faint indications of the trojan’s presence even if a “golden” chip, model, method or simulation does not exist. However, the statistical analysis using Euclidean distance and extracting specific features can improve the HT detection process and reduce false positive HT activations. Furthermore, using our proposed approach, we can analyze basic characteristics of an activated HT trojan like when it was activated, or which input activated it. Overall, the proposed approach can lead to a very dynamic way of HT detection and analysis that bypasses the need for trusted measurements. The multiparameter approach enables us to detect various HTs, a result that a single parameter approach may fail to achieve. For example, we can detect HT footprints (proof of their existence) even if the HTs do not alter the IC’s output (thus bypassing the on-chip sensor detection) through the side channel analysis. The proposed methodology (Algorithm 2) relied on a series of parameters that need to be correctly specified in order to achieve a high detection rate. Such parameters are associated with the trace collection mechanism (Oscilloscope bandwidth, sampling frequency, buffer memory) but also with the number of samples s in each Ci block used for Euclidean Distance Vector generation. To achieve a highly refined HT detection/activation estimation the s value needs to include the samples of at least one security operation (eg. one AES execution). The above proposed method can detect several categories of Hardware Trojans:       

HTs that alter output values HTs that change IC characteristics (power consumption, path delay, temperature, frequency, EM radiation etc.) HTs that introduce small errors difficult to detect (i.e. change the functionality) HTs that are used in order to leak information through EM radiation HTs that prevent system availability (i.e. denial of service) Sequential HTs HTs ranging from small to medium size (where "size" means hardware resources)

ACKNOWLEDGMENT We acknowledge support of this work by the project “Ι3Τ - Innovative Application of Industrial Internet of Things (IIoT) in Smart Environments” (MIS 5002434) which is implemented under the “Action for the Strategic Development on the Research and Technological Sector”, funded by the Operational Program "Competitiveness, Entrepreneurship and Innovation" (NSRF 2014-2020) and co-financed by Greece and the European Union (European Regional Development Fund). DECLARATION OF INTERESTS The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

REFERENCES

[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24]

M. Tehranipoor and F. Koushanfar, "A Survey of Hardware Trojan Taxonomy and Detection", IEEE Design Test Comput., vol. 27, no. 1, pp. 10–25, Jan. 2010. J. Dofe, J. Frey, and Q. Yu, "Hardware Security Assurance in Emerging IoT Applications", IEEE Int. Symp. Circuits Syst. (ISCAS), May 2016, pp. 2050– 2053. R. Rad, J. Plusquellic and M. Tehranipoor, "A Sensitivity Analysis of Power Signal Methods for Detecting Hardware Trojans Under Real Process and Environmental Conditions", IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 18, no. 12, pp. 1735-1744, 2010. R. S. Chakraborty, S. Narasimhan, and S. Bhunia, "Hardware Trojan: Threats and emerging solutions", IEEE Int. High Level Design Validation Test Workshop (HLDVT), Nov. 2009, pp. 166–171. P. Kitsos and A. G. Voyiatzis, “Towards a Hardware Trojan Detection Methodology”, 2nd EUROMICRO/IEEE Workshop on Embedded and CyberPhysical Systems (ECYPS 2014), Budva, Montenegro, 15-19, June 2014. S. Bhasin and F. Regazzoni, "A survey on hardware trojan detection techniques," 2015 IEEE Inter national Symposium on Circuits and Systems (ISCAS), Lisbon, 2015, pp. 2021-2024 H. Li, Q. Liu, J. Zhang, "A survey of hardware Trojan threat and defense", Integration, the VLSI journal Vol. 55, pp: 426–437, 2016. M. L. Flottes, S. Dupuis, P. S. Ba and B. Rouzeyre, "On the limitations of logic testing for detecting Hardware Trojans Horses", 10th International Conference on Design & Technology of Integrated Systems in Nanoscale Era (DTIS), Naples, pp: 1-5, 2015. X. T. Ngo, J. L. Danger, S. Guilley, Z. Najm and O. Emery, "Hardware property checker for run-time Hardware Trojan detection", 2015 European Conference on Circuit Theory and Design (ECCTD), Trondheim, 2015, pp. 1-4. Louiza Papachristodoulou, Apostolos P. Fournaris, Kostas Papagiannopoulos, Lejla Batina, “Practical Evaluation of Protected Residue Number System Scalar Multiplication”, IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES) journal, vol.1, 2019 A. Moschos, A. P. Fournaris, O. Koufopavlou, “A Flexible Leakage Trace Collection Setup for Arbitrary Cryptographic IP Cores”, in proc. of IEEE International Symposium on Hardware Oriented Security and Trust 2018 (IEEE HOST 2018), Washington DC, USA, April 30 - May 4, 2018 J. Zhang, H. Yu and Q. Xu, "HTOutlier: Hardware Trojan detection with side-channel signature outlier identification", 2012 IEEE International Symposium on Hardware-Oriented Security and Trust, San Francisco, CA, 2012, pp. 55-58. P. Kitsos, D. E. Simos, J. Torres-Jimenez, A. G. Voyiatzis "Exciting FPGA Cryptographic Trojans using Combinatorial Testing", 26th IEEE International Symposium on Software Reliability Engineering (ISSRE 2015), Gaithersburg, MD, USA, November 2 -5, 2015, pp. 69-76. A. G. Voyiatzis, K. G. Stefanidis, P. Kitsos, "Efficient Triggering of Trojan Hardware Logic", 19th IEEE International Symposium on Design and Diagnostics of Electronic Circuits and Systems (DDECS 2016), Kosice, Slovakia, April 20-22, 2016, pp. 200-205. H. Yu, P. H. W. Leong, H. Hinkelmann, L. Moller, M. Glesner, P. Zipf, "Towards a Unique FPGA-based Identification Circuit Using Process Variations", International Conference on Field Programmable Logic and Applications, Prague, Czech Republic, August 31 - September 2, 2009, pp. 397-402. X. Zhang and M. Tehranipoor, "RON: An on-chip ring oscillator network for hardware Trojan detection", Design, Automation & Test in Europe 2011, Grenoble, France, 14-18 March, 2011, p.1-6. K. M. Zick and J. P. Hayes, "Low-cost sensing with ring oscillator arrays for healthier reconfigurable systems", ACM Transaction Reconfigurable Technology and Systems, vol. 5, no. 1, pp. 1:1–1:26, Mar. 2012. L. Pyrgas, F. Pirpilidis, A. Panayiotarou, P. Kitsos, "Thermal Sensor Based Hardware Trojan Detection in FPGAs", 20th Euromicro Conference on Digital Systems (DSD'17), Vienna, Autria, August 30 - September 1, 2017. L. Pyrgas and P. Kitsos, "A Hybrid FPGA Trojan Detection Technique Based-on Combinatorial Testing and On-chip Sensing", 14th International Symposium on Applied Reconfigurable Computing (ARC 2018), Santorini, Greece, May 2-4, 2018. N. Rahmanikia, A. Amiri, H. Noori, F. Mehdipour, "Performance evaluation metrics for ring-oscillator-based temperature sensors on FPGAs: A quality factor", Integration the VLSI journal, Vol. 57, pp: 81–100, 2017. J. He, Y. Zhao, X. Guo and Y. Jin, "Hardware Trojan Detection Through Chip-Free Electromagnetic Side-Channel Statistical Analysis," IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 25, no. 10, pp. 2939-2948, Oct. 2017. Y. Liu, K. Huang, and Y. Makris, “Hardware Trojan Detection through Golden Chip-Free Statistical Side-Channel Fingerprinting,” in Proceedings of the The 51st Annual Design Automation Conference on Design Automation Conference - DAC ’14, 2014, pp. 1–6. https://opencores.org/project,aes_core. https://www.xilinx.com/products/boards-and-kits/1-54wqge.html.

Apostolos P. Fournaris received his PhD degree from the Electrical and Computer Engineering department, University of Patras, Greece in 2008. He has worked for the Sophia Antipolis Hitachi Europe SAS R-D Centre for two years and he is currently a Principal Researcher (Research Associate Professor) in the Industrial Systems Institute, Research Center ATHENA as well as the University of Patras. He is also a Sessional Lecturer in Monash University, Melbourne, Australia where he lectures courses on Cryptography, Computer and Network security. His research interests include Asymmetric cryptography, Side Channel Attacks and Analysis, Hardware attack resistance, WSN security and Trusted systems. He is the author of more than 80 research papers and a member of IACR, IEEE, IEEE Computer society and IEEE Circuits and System society.

Lampros Pyrgas received the B.Sc. degree and Msc in Physics from the University of Patras and he is currently a research assistant in the Industrial Systems Institute, Research Center ATHENA in Greece and an Adjunct Lecturer in Technological Educational Institute of Western Greece. He has published at least 3 papers in Hardware Trojan Detection and his main research interests are Hardware security, Hardware Trojan Detection and VLSI Design for cryptography applications.

Paris Kitsos received the B.Sc. degree in Physics in 1999 and a Ph.D. in 2004 from the Department of Electrical and Computer Engineering, both at the University of Patras. Currently he is an Associate Professor in the Electrical and Computer Engineering Dpt. University of Peloponnese. His research interests include VLSI design, algorithms and architectures for data security and efficient circuit implementations. Dr. Kitsos has published more than 100 scientific articles and technical reports, as well as is reviewing manuscripts for International Journals and Conferences/Workshops in the areas of his research. He has participated to international journals and conferences organization, as Program/Technical Committee Member, Program Committee Chair and Guest Editor. Also, is a member of the Institute of Electrical and Electronics Engineers (IEEE).