semia: self-similarity based ic integrity analysisswarup.ece.ufl.edu/papers/j/j53.pdf · 2015. 12....

0278-0070 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TCAD.2015.2449231, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

1

SeMIA: Self-Similarity based IC Integrity AnalysisYu Zheng, Student Member, IEEE, Shuo Yang, Student Member, IEEE and

Swarup Bhunia, Senior Member, IEEE

Abstract—Counterfeit chips in the supply chain as well ashardware Trojan attacks pose serious threats to the semicon-ductor industry. If undetected before deployment, they can leadto serious consequences including system performance/reliabilityissues during field operation and potential revenue/reputationloss for a trusted manufacturer. Currently, no unified detectionmethod is available that can simultaneously address these in-tegrity violations in integrated circuits (ICs). In addition, mostexisting detection approaches require a set of golden chips as areference, which significantly increases the test cost and complex-ity. Furthermore, in some scenarios, it may be extremely difficultto obtain golden chips. In this paper, we present a novel unifiedIC integrity analysis approach that can effectively detect bothrecycled counterfeit ICs (the most dominant form of counterfeit-ing) as well as Trojan attacks in ICs without the need of goldenchips. The proposed approach, referred to as SeMIA, exploitsintrinsic structural self-similarity in a design (e.g., multiple cores,multiple functional units of the same type, different parts of anadder) to isolate recycled chips and hardware Trojan attacksunder large inter- and intra-die process variations. It comparesdynamic current (IDDT ) signatures between two adjacent similarcircuit structures using an appropriate isolation metric to detectsuch attacks with high degree of confidence. SeMIA does not relyon any embedded structure for authentication, thus it comes atvirtually zero hardware overhead and can be applied to chipsalready produced. Through extensive simulations, we show thatfor 15% inter- and 10% intra-die variations in threshold voltagefor a 45nm CMOS process, over 98% of recycled chips canbe reliably identified. Finally, experimental measurements onField Programmable Gate Array (FPGA) chips demonstrate theeffectiveness of SeMIA for protection against both attacks.

Index Terms—Counterfeit chips, Hardware Trojan, Golden-free detection, Self-similarity, Dynamic current, Process varia-tion, BTI.

I. INTRODUCTION

Security has emerged as an important design and test param-eter for integrated circuits (ICs) in recent years. The long andglobally distributed supply chain of ICs has greatly increasedthe opportunity of IC counterfeiting attacks at different stagesof the distribution cycle. On the other hand, increasing relianceon third-party Intellectual Properties (IPs) and design tools,and IC fabrication in external (and potentially untrusted)foundry have significantly reduced a designer’s control on themanufactured chips, providing opportunities to adversaries forhardware Trojan (HT) attacks. Counterfeit IC and HT attacksconstitute two major security threats arising form integrity

Yu Zheng, Shuo Yang and Swarup Bhunia are with the Department of Elec-trical Engineering and Computer Science, Case Western Reserve University,Cleveland, OH 44106, USA. E-mail: {yxz402,sxy390,skb21}@case.edu.

The work has been funded in part by National Science Foundation grants1054744, 1245756, and 1441705.

We acknowledge extensive support on hardware experiments from GeorgeDaher in Sears Lab, EECS, Case Western Reserve University.

violation during IC design, manufacturing and distribution pro-cess [1]–[3]. A counterfeit IC is an electronic component withdiscrepancy on the material, performance or characteristics,but sold as a genuine one. On the other hand, an HT canbe defined as a malicious design modification that tampers atrusted design to incorporate undesired functional/parametricbehavior. Fig. 1 shows the typical life cycle of an IC fromthe design (by a manufacturer) to the deployment in a system(by a system designer) through a supply chain that typicallyincludes trading partner, distributor and retailer. The IC supplychain in Fig. 1, consists of multiple untrusted entities andis vulnerable to potential compromise by an attacker, whocan insert counterfeit chips at any level in the chain. HTscan be introduced at different stages during the IC designand manufacturing process, e.g., tampering the design by anuntrusted Computer-Aided Design (CAD) tool during System-on-Chip (SoC) integration, or a malicious implantation in anuntrusted foundry [2], [4].

Counterfeit ICs typically come in various types, includingan unauthorized copy, remarked/recycled die (e.g., selling aused chip as new), cloned design through piracy or reverseengineering, and failed or overproduced real part [5]. The costof counterfeiting and piracy is estimated to rise to a staggering1.2 to 1.7 trillion dollars by 2015 [5]. Among all counterfeittypes, the recycled (i.e., aged/used) chip, often scavenged fromused electronic goods, is the most dominant one with over80% share in total counterfeit chips in the market [6]. Thisis primarily because reselling used chips from old discardedelectronics is relatively easy low-cost process, which, unlikecloning and other forms of counterfeiting attacks, requires littleor no complex infrastructure. Due to aging effects, recycledchips suffer from degraded device threshold voltage (Vth), thusleading to reduced reliability and/or performance. On the otherhand, HT can potentially compromise an IC’s functional orparametric behavior in a way that can evade conventional post-silicon test and validation process. The HTs are expected tobe rarely activated during production test and to induce onlyminor variation in side-channel parameters, such as path delayor power. In addition to the revenue and reputation loss to thegenuine IC designer, counterfeiting or HT attacks in ICs maylead to severe consequences with potentially degraded quality,reliability, integrity, and performance in field operation [3]. Inparticular, they pose serious threats in many mission-criticalapplications involving our military, communication, aviation,power-grid, and other national infrastructures.

Existing industry-standard methods and tools for counterfeitIC detection, such as [7], [8], primarily depend on functionalor parametric tests, which are typically not effective in isolat-ing counterfeit chips of all types. To address this growing need,new approaches are emerging from academia and industry. A



2

Hardware Trojan

DESIGN

HOUSE

SYSTEM

DESIGNER

�� IC

SU

PP

LY

CH

AIN

�� F

OU

ND

RY

Recycled

chips

Trading

Partner

Distributor

Retailer

Fig. 1. Typical stages in an IC supply chain. Many of these stages arevulnerable to counterfeiting or HT attacks as shown.

design is locked and can be activated only by the original man-ufacturer through an authentication process [9]–[11]. To detectused chips, researchers have proposed inserting sensors into adesign to track shift in device Vth due to aging [12]. PhysicalUnclonable Functions (PUFs) [13] have been considered aseffective means for counterfeit chip isolation. They aim atproducing unique identifier from each chip instance. However,they often incur considerable design and hardware overheadand cannot be applied to legacy chips in the market. Otherdetection methods rely on analysis of physical parameters(e.g., dynamic power, path delay) during post-manufacturingtest on genuine chips. In [14], a scan based characterizationof circuit delay is proposed to detect cloned chips. To addressrecycled chips, path delays are employed to form a fingerprint[15]–[17]. However, the target parameters are often difficult tomeasure for these approaches and the detection accuracy cansuffer under large process/temporal variations. On the otherhand, existing countermeasures against HT attacks primarilyfocus on non-destructive test solutions, primarily side-channelanalysis approaches. The central idea behind side-channelanalysis based HT detection is to distinguish a Trojan effectin a physical parameter (e.g., supply current or path delay)from process and temporal variations. While side-channelanalysis provides a promising HT detection paradigm, a majorchallenge with these approaches lies in the need of a set ofgolden or reference ICs, which are used to calibrate intrinsicprocess noise. Obtaining a set of golden ICs can be extremelydifficult since it may require exhaustive testing or destructivereverse-engineering based trust validation of these ICs [18].

In order to build a trustworthy system, a system designerneeds to ensure the integrity of each IC before using it ina system. To the best of our knowledge, there is no unifieddetection method that can verify the integrity of an IC againstboth recycling and HT attacks. In this paper, we proposea golden-free IC integrity validation framework based ondynamic current (IDDT ) analysis, referred to as Self-similarity

Chip 2

Chip 3

Chip 4

Chips under test

Chip 1

Dist. (d1)

Isolation

metric

Limit Line Th

Trend

line

Combine the

normalized ��

FromICSupplyChain

Dist. (d2)

From IC designer

Chips under test

( )i

DDTI

( )i

DDTI

( ')i

DDTI

( ')i

DDTI

(1) Test vectors

(2) Th

Fig. 2. Illustration of the proposed recycled/HT-affected chip isolationprocess.

based Microchip Integrity Analysis (SeMIA), to simultane-ously identify ICs that are recycled or tampered by HT attacks.SeMIA leverages on the structural self-similarity among circuitblocks in a chip. It compares the side-channel signature (e.g.,IDDT ) of one block with another self-similar block on thesame chip. The key idea is that different self-similar blocks(e.g., parts of an adder, comparator, memory, and logicaldatapath) experience different stress (hence, different agingprofiles) due to widely varying level of activities, or exhibitasymmetric side-channel signatures due to HT attacks. Forexample, the datapath units in a processor may experiencedifferent activities in their upper (most significant bits i.e.,MSBs) and lower (least significant bits, i.e., LSBs) parts, dueto the abundance (> 50%) of narrow-width operands i.e.,



3

eliminates the effect of inter-die and intra-die systematicvariations. The intra-die random variation effect (e.g.,due to random dopant fluctuations) is minimized byconsidering switching of reasonable number of gatesduring vector selection and use of multiple test vectors.Moreover, we present an IDDT measurement methodthat can maximize the discrepancy of circuit parametersbetween similar logic blocks.

• It validates the effectiveness of SeMIA through extensivecircuit-level simulations with Hspice under a realisticprocess variation model for a 45nm CMOS technology aswell as through hardware measurements. In our evalua-tion, among various aging effects, we consider the effectof negative bias temperature instability (NBTI) in Vthusing MOSRA tool from Synopsys integrated into Hspice[21]. It is well accepted that NBTI poses the most criticalreliability issue that largely determines the lifetime ofa circuit in nanoscale CMOS processes. The proposedapproach, however, can also work under other agingeffects. We evaluate the effectiveness of the approachfor common circuit blocks such as carry-lookahead adder(CLA), array multiplier, equality comparator as wellas a larger design, namely a five-stage pipelined DLXprocessor. The simulation results show that over 98%recycled or HT-affected chips can be identified correctly.We also validate SeMIA with hardware measurementsusing Field Programmable Gate Array (FPGA) chips thatemulate unbalanced aging and HT attacks.

The rest of the paper is organized as follows. Section IIdescribes the related work and the motivation behind theproposed solution. The problem with golden-free integrityanalysis is formalized in Section III. The methodology ofSeMIA is described in Section IV. Section V and Section VIpresent the simulation and experimental results, respectively.Section VII discusses possible attacks on SeMIA and itsextension. We conclude in Section VIII.

II. BACKGROUND AND MOTIVATION

Large volume of prior research has aimed at separatelyaddressing the threat of counterfeit ICs and HT attacks.

A. Related Work

In case of recycled chips, usually transistor threshold volt-age Vth is elevated due to aging effect e.g., Negative BiasTemperature Instability (NBTI). Methods to detect these chipscan be classified into two broad categories: (1) analysis ofcircuit parameters, and (2) age estimation with integrated agingsensors. Among circuit parameters, several works employ pathdelay [15] [16]. However, in case of [15], a large numberof test vectors is required to obtain reliable path delay fin-gerprints. As a result, it cannot be applied when the netlistof the original design or test vectors are difficult to obtain.It also relies on accurate characterization of all forms (inter-and intra-die) of process variations. The effectiveness of theapproach in [16] is limited considering the difficulty to findtwo paths among vast set of available ones with sufficientaging-induced path delay discrepancy. On the other hand,

aging sensor based approaches rely on embedding one or moresensors into a chip for tracking the Vth shift due to aging,thereby isolating aged chips from new ones [12]. However,aging sensors are well-known to suffer from poor accuracyunder large process variations. Moreover, the low-overheadaging sensors typically provide low sensitivity, which limits itsability to detect aged chips used for relatively short duration(e.g., 6 months). Furthermore, they require design modification(also incur hardware overhead), and cannot be applied to chipsalready in market.

Protection against HT attacks can be classified into twobroad categories: destructive and non-destructive methods.Destructive reverse engineering based HT detection methodsare highly complex and expensive and do not scale well withthe growing complexity of ICs. Furthermore, trust validationfor a set of chips through destructive process does not ruleout HT attack in the remaining chips. Non-destructive meth-ods can be based on (1) Design-for-Security (DfS) and (2)post-fabrication test as well as characterization approaches.DfS approaches work towards making HT implantation dif-ficult/ineffective or facilitating HT detection. For example,a design can be modified by inserting dummy/shadow flip-flops for improving observability and controllability of internalnodes which helps in detecting hard-to-trigger/observe HTs[23]. Similarly a design can be modified to accomplish on-line monitoring of path delay [24] or frequency shift of ringoscillators (ROs) built into circuit paths [25], [26]. In [27],a transparent mode is introduced in a design with a FSMto enhance the controllability and observability of internalnodes. Researchers have also shown that high-precision delaystructure or current sensing circuit can be embedded into adesign to improve HT detectability [28], [29]. Functional fillercells are inserted into unused space to prevent HT insertion[30]. However, the above approaches often incur considerablehardware overhead and suffer from poor HT coverage.

HT detection approaches, on the contrary, primarily relyon analysis of side-channel information of ICs such as,dynamic current (IDDT ), path delays, or quiescent current(IDDQ) [31]–[33]. The activity of HT impacts dynamic powertrace of a design, which can be isolated from process noisethrough statistical analysis e.g., Karhunen-Loeve expansion[31]. Researchers have also proposed using the combinationalpath delays to isolate HT-infected ICs by constructing thefingerprint for golden ICs, in which the effect of processvariation is mitigated through principle component analysis[32]. The approach in [33] uses unexpected deviation inIDDQ to detect HT. In [34], the authors show that HTbreaks the leakage power correlation under different thermalconditioning. In [35], [36], a design is divided into severalsmall regions to improve the sensitivity of HT detectionby analyzing dynamic current signature of a region. Thecorrelation between maximum frequency and dynamic currentcan be exploited to identify small HT circuits in the presenceof large process variations [37]. These side-channel analysisapproaches, however, require a set of golden chips for accuratecharacterization of process noise.

Researchers have also explored spatial as well as temporalself-referencing based side-channel analysis to improve the de-



4

tection sensitivity or eliminate the need of golden ICs. In [38],a self-referencing approach that compares transient currentsignatures between two circuit blocks (similar or dissimilar)is proposed. The approach however requires a set of goldenchips to effectively eliminate process variations. In [39], agolden-free temporal self-referencing approach is proposed toidentify HT effect in current signature by comparing transientcurrent waveforms from two different time windows. However,it only targets sequential designs and sequential HT circuits. Arecently reported self-referencing approach [40] compares pathdelays between similar paths to observe HT-induced deviation.Although it eliminates the need of golden chips, it requires theoriginal netlist for test generation and is likely to suffer fromreduced detection sensitivity for HTs which have negligibleimpact on critical path delays. Another golden-free schemeis presented in [41] in which fingerprint of original ICs isextracted from Monte-Carlo simulation with realistic processvariations. It depends on accurate model of process variationswhich may be difficult to obtain. Furthermore, none of theseapproaches target detection of recycled counterfeit chips.

B. Motivation

Modern digital ICs usually include many similar (or sym-metric) structures over multiple levels of hierarchy. Fig. 3shows an example architecture of a multi-core superscalarprocessor with structural self-similarity at multiple levels,e.g., across cores, functional units (FUs), and sub-circuitsof FUs (e.g., full adder). Such structural self-similarity canbe observed in other chips e.g., graphics engine, DigitalSignal Processors (DSPs), many application-specific integratedcircuits (ASICs), as well as memory subsystem (e.g., SRAM,DRAM and FLASH) with hierarchically regular blocks [42].In addition, custom and reconfigurable hardware accelerators(e.g., image encoder/decoder, filtering units, security engine)are often designed based on a systolic array e.g., coarse-grained reconfigurable architectures (CGRAs), with identicalsub-structures [43]. Finally, Modern SoC designs are oftendatapath dominant, where datapath elements with high degreeof replication take most of the die area, as opposed to controllogic. Hence, there is high probability that the signals in theseregions can be used to design HTs (e.g., triggers or payload).Thus, an HT detection approach targeting these regions canprovide high coverage. Moreover, existing approaches that aimat detecting HT in sequential logic including control logic[39] can be effectively combined to provide comprehensiveHT coverage. The possible attacks and limitations of SeMIAare analyzed in detail in Section VII-A.

We note that such intrinsic structural self-similarity providesopportunity for efficient golden-free IC integrity analysis inpresence of process noise. Based on this observation, we havedeveloped the proposed approach, SeMIA, for IC integrityanalysis. In SeMIA, we consider comparison of IDDT insteadof path delay or IDDQ. This is because it allows: (1) selec-tively activating small region of logic circuits, which improvesdetection sensitivity compared to IDDQ based approaches;(2) easier vector generation compared to path delay basedapproaches; and (3) better HT coverage than both IDDQ and

Core 1 Core 2 Core n

FPU ALU

ADDADD MUL

FA1

FA2

FAk

MEM

FPU ALU

MUL�� Fig. 3. Structural self-similarity in a multi-core processor can be observedat different levels of hierarchy.

(a) (b)

0.005 0.01 0.015 0.02 0.025 0.03 0.035 0.04 0.045 0.050

20

40

60

80

100

120

Vth shift (V)

#ofPMOStransistors

More PMOS

transistors with Vthshifted by more than

30 mV

0.005 0.01 0.015 0.02 0.025 0.03 0.035 0.04 0.045 0.050

10

20

30

40

50

60

70

80

Vth shift (V)

#ofPMOStransistors

Vth shifts of most

transistors are

between 10 mV

and 35 mV

Fig. 4. The histogram of Vth shift in a 32-bit carry lookahead adder forone-year aging: (a) lower 16-bit part, and (b) upper 16-bit part.

delay-based approaches, since many HT circuits may not causeappreciable change in these parameters.

The key idea in SeMIA is to compare IDDT between twoidentical structures and observe deviation due to HT attacksor aging effects. It is worth noting that, the IDDT in similarmodules should be virtually identical in the absence of processvariations. If an HT is inserted into module i′, the IDDTwould deviate from that in the original module i under certaintest vector pair that induces higher HT activity. On the otherhand, in a recycled chip, PMOS transistors in each structurewould have different stress/recovery duration depending onapplication scenarios (that change input workload or vectors),thus experiencing variable NBTI-induced Vth shifts. We usedMOSRA tool in Hspice to observe NBTI effect in a 32-bitCLA. Since typically more than 50% operands in a processorfor benchmark applications are narrow-width [19], upper 16-bit of the inputs are most often all zero or all one. It is well-known that the distribution of Vth shift is dependent on theworkload [20]. To simulate the scenario, we applied 16-bitrandom inputs with high activity (0.5) to the lower 16-bit,while all-zero and all-one with low activity (0.2) to the upper16-bit. From Fig. 4, we can observe a significant difference inVth increase between the upper and lower 16-bit logic of theCLA for one-year aging. On the other hand, major componentsof process variations (inter-die and intra-die systematic) induceuniform shift in Vth. Hence, IDDT can be used to isolate agedchip under process variations by observing the nature of Vthshift in two similar and adjacent structures.



5

III. PROBLEM FORMULATION AND ANALYSIS

In this section, first we analyze ways to reduce the maskingeffect due to process variations. Then we describe the ICintegrity validation problem that eliminates the need of goldenchips.

A. Process Variation Mitigation

The correlation of IDDT from similar and adjacent circuitstructures can be employed to distinguish between the genuineand recycled/HT-affected chips. We consider both inter-die andintra-die Vth variations in a CMOS process. The inter-die Vthvariation is shared by transistors on the same die and variesfrom die to die. The intra-die variation results in random andsystematic Vth shifts across transistors within a die. Assumethe nominal Vth is V

(nom)th , the inter-die shift for chip c is

∆V (c)th and the intra-die shift for gate g in chip c is ∆V(c,g)th .

The gates in module i sensitized by test vector pair j are inset Gi,j . According to [44], the average IDDT induced by testvector pair j in chip c is:

I(c)(Gi,j) =∑

g∈Gi,jβg(VDD − V (c)th −∆V (c,g)th )α (1)

where βg is a gate-dependent constant and V(c)th = V

(nom)th +

∆V (c)th . By Taylor’s expansion, (1) can be re-written as:

I(c)(Gi,j) =∑

g∈Gi,jβg((VDD − V (c)th )α − γg∆V (c,g)th ) (2)

where γg = α(VDD−V (c)th )α−1. Assume module i′ is adjacentto module i and the activated gates are in set G(c)i′,j . We canobtain the following relationship:

I(c)(Gi′,j) = I(c)(Gi,j) + Srand (3)

Srand =∑

g∈Gi,j βgγg∆V(c,g)th -

∑g∈Gi′,j βgγg∆V

(c,g)th is as-

sociated with intra-die variation of Vth. The subtraction inSrand cancels out intra-die systematic variation due to thestrong spatial correlation between adjacent similar modules.The summation and hence averaging on Srand helps to miti-gate the effects of intra-die random variation, assuming consid-erable (e.g., 10− 25) number of gates switch simultaneously.Under no intra-die variation, module i and i′ should generatenearly the same IDDT for a transition induced by test vectorpair j. Hence, the trend line of (3) will be y = x. From (3),we can observe that the inter-die variation causes the shift ofpoint (I(c)(Gi,j), I(c)(Gi′,j)) along the trend line; the intra-die variation and aging effects lead to deviation from the trendline.

B. Golden-free Integrity Analysis

Based on availability of symmetric structures in a chip,we formulate the problem of golden-free detection of agedor HT-affected chips. The effect of non-uniform aging onIDDT of a module pair {i, i′} can be modeled as Saged =∑

g∈Gi,j βgγgδV(c,g)th −

∑g∈Gi′,j βgγgδV

(c,g)th , where δV

(c,g)th

corresponds to the aging-induced Vth shift for gate g in chip

c. Hence, the unbalanced aging effect can be incorporated into(3) as:

I(c)(Gi′,j) =I(c)(Gi,j) + Srand + Saged (4)

The detection of recycled chip is formulated as isolat-ing Saged in (4). Assume d

(c)i,j is the distance from point

(I(c)(Gi,j), I(c)(Gi′,j)) to the trend line y = x. With theincrease of Saged, d

(c)i,j becomes larger.

Next, let us consider the modification of (3) in the presenceof HT in module i′. The activity of HT can increase theaverage IDDT by I(c)(HTi′,j) as shown in (5), where HTi′,jdenotes the gates in HT circuit activated by test vector pair jin module i′.

I(c)(Gi′,j) = I(c)(Gi,j) + I(c)(HTi′,j) + Srand (5)

The detection of HT is formulated as isolating I(c)(HTi′,j) in(5). Clearly, I(c)(HTi′,j) contributes to the increase of d

(c)i,j .

The common effect of HT and unbalanced aging profilein IDDT is the deviation from the trend line, which can beconsidered as a unified objective in the proposed frameworkto detect these attacks. Intuitively, if d(c)i,j is large enough, wecan infer with high confidence that the circuit under test hasan integrity violation, e.g., affected by either an unbalancedaging profile or an HT. Fig. 5 illustrates the calculation ofd(c)i,j . The point (xj , yj) is obtained by solving:{

y = xy = −x + I(c)(Gi,j) + I(c)(Gi′,j)

as xj = yj = (1/2)(I(c)(Gi,j) + I(c)(Gi′,j)). As a result,|I(c)(Gi,j) − xj | = |I(c)(Gi′,j) − yj | = |(1/2)(I(c)(Gi′,j) −I(c)(Gi,j))|. Considering the sign, it can be derived that

d(c)i,j = (

√2/2)(I(c)(Gi′,j)− I(c)(Gi,j)) (6)

Combining (3), (4) and (5) for only process variation, unbal-anced aging profile and HT, we can obtain that

d(c)i,j =

Srand(Gi,j , Gi′,j)Srand(Gi,j , Gi′,j) + SagedSrand(Gi,j , Gi′,j) + I(c)(HTi′,j)

(7)

( ) ( )

, ',( ( ), ( ))c c

i j i jI G I G

y=x

( )

,

c

i jd

IDDT of

module i’

IDDT of

module i

( , )j jx y

Fig. 5. The distance d(c)i,j from the trend line is used to determine both anHT and aging effects.

The mathematical expectation of d(c)i,j (denoted as E(d(c)i,j ))

is zero with only Srand(Gi,j , Gi′,j) for a genuine chip. How-ever, it becomes nonzero in the presence of unbalanced aging



6

t

IDDT

(a)t

IDDT

(b)

module i

module i’maxt

0tD

1t

2t

1tD

Extra Vth shift

leads to a

slower charging

on module i’Extra

power

from HT

Fig. 6. (a) An appropriate TW to measure average IDDT , and (b) shift inTW with Vth change due to aging.

profile or HT. E(d(c)i,j ) should be estimated with only a suspectchip (i.e., no golden chips). Note that E(di,j) = 0 holdsfor all the test vector pairs. We consider T test vector pairsj = 1, 2, ...T with little or no overlap in switching gates, andcalculate E(d(c)i,j ) in a chip by self-referencing as:

E(d(c)i,j ) =T∑

j=1

d(c)i,j /

√I(c)(Gi,j)2 + I(c)(Gi′,j)2 (8)

where d(c)i,j /√

I(c)(Gi,j)2 + I(c)(Gi′,j)2 mitigates the differ-ence on nominal IDDT for different test vector pairs. Hence,the detection problem is formalized as:

authc =

{recycled or HT if |E(d(c)i,j )| > Thauthentic otherwise

(9)where Th is an acceptable limit. It basically reflects the residueof intra-die random variations that cannot be eliminatedthrough averaging over multiple-gate switching. Th can beobtained through Monte-Carlo simulation under different intra-die process variations, which requires no actual measurementon golden chips or measurement of variations from a set ofchips under test. To improve accuracy, we can enhance thesensitivity of Saged and I(c)(HTj) to IDDT of similar andadjacent module i and i′, as described in Section IV-A. SeMIA,however, cannot further differentiate a recycled chip from HT-affected one when |E(d(c)i,j )| > Th.

IV. METHODOLOGY

In this section, we discuss the IDDT measurement processto increase the sensitivity to unbalanced aging profile or HTactivity. Next we describe the golden-free procedure to checkthe integrity of chips through IDDT analysis.

A. IDDT Measurement

We consider the time window (TW) for IDDT measurementas well as the influence from VDD, to maximize the sensitivityto HT and unbalanced aging profile. The location and sizeof a TW should be selected properly when measuring theaverage value of IDDT . Fig. 6(a) shows the shape of IDDTin time domain, as well as a proper TW to average it. TW isrepresented as a time interval [t0, t1] (t1 ≥ t0) that captures

a large fraction of dynamic power for a test vector pair, andsatisfies

min t1 − t0s.t.

∫ t1t0

IDDT (t)dt ≥ ηVDDCL,t(10)

where CL,t is the overall capacitance of Gi,j and Gi′,j ; η isa control factor for charging (e.g., 0.9). In (10), we minimizet1 − t0 to increase the sensitivity of IDDT to Vth. AlgorithmA is proposed to implement (10). In Step 1, tmax is thetime when the maximum transient current I(i)DDT (tmax) occurs.Hence, t0 = tmax −∆t0 and t1 = tmax + ∆t1 are employedto form an appropriate TW for computing average IDDT inSteps 2-4.

Fig. 6(b) shows the IDDT shape of module pair {i, i′} withdifferent aging profiles for the same test vector pair. The gatesactivated in module i′ have larger Vth shift. Hence, IDDT of{i, i′} (blue and black triangle) in Fig. 6(b) do not completelyoverlap, creating a small shift in the time of the maximumIDDT and the charge/discharge duration. If the TW of modulei′ is changed to track such shift, the average IDDT mayonly show small discrepancy from that in module i. Hence,the difference of Vth shift is not fully reflected on IDDTmeasurement.

Algorithm A: Measure Avg. IDDT under Gi,j and Gi′,jInput: I(i)DDT (t) and I

(i′)DDT (t) for module {i, i′}

1. Find the time tmax with max. I(i)DDT (t)

2. Specify ∆t0 and ∆t1 for∫ tmax+∆t1

tmax−∆t0 I(i)DDT (t)dt ≥

ηVDDCL,t3. Compute the average IDDT of module i in chip cas I(c)(Gi,j) = 1∆t0+∆t1

∫ tmax+∆t1tmax−∆t0 I

(i)DDT (t)dt

4. Compute the average IDDT of module i′ in chipc as I(c)(Gi′,j) = 1∆t0+∆t1

∫ tmax+∆t1tmax−∆t0 I

(i′)DDT (t)dt

Output: I(c)(Gi,j) and I(c)(Gi′,j)

To address it, the computation of average IDDT in Step 3-4is based on the same TW obtained in Step 2 to enhance thedifference. Next, we consider the effectiveness of AlgorithmA on HT detection. As shown in Fig. 6(b), if an HT inmodule i′ is sensitized, most power is concentrated in the TWof module i or i′ (as observed in Hspice simulation). Hence,the power discrepancy due to HT can also be enhancedfollowing the steps in Algorithm A.

VDD affects IDDT , and thus the effectiveness of AlgorithmA. The charging duration t2 − t1 can be approximately

(t2 − t1) ∝ CL,tVDDβ(VDD − Vth)α (11)

In (11), the increase in VDD leads to smaller t2 − t1. Hence,dynamic power is more concentrated around the time with themaximum IDDT . The effectiveness of Step 3-4 in AlgorithmA is therefore enhanced with the increase of VDD until itachieves a certain value. ∆t decreases with a larger VDD(∆t → 0 as VDD → ∞). For a given TW, the influenceof VDD on detecting recycled chip is shown through Hspicesimulations and FPGA experiments in Section V.



7

Input: a suspect chip i, test

vector pairs in set T, .

Measure the average IDDT for

test vector j in chip i, according

to Algorithm A(A) Test vectors

(B) TW

(C) Th

Chip manufacturer

Compare with Th according to

Eqn. (9)

(A), (B)

(C)

GenuineAged or

HT

Th< Th ³

Compute di,j as Eqn. (7)

1j¬

Compute the isolation metric

according to Eqn. (8)

j



8

(a) (b)

0.01 0.015 0.02 0.025 0.03 0.035 0.04 0.0450

5

10

15

20

25

30

35

40

45

Vth shift (V)

#ofPMOStransistors

The Vth shifts

concentrate on

certain value due to

low activation rate

0.01 0.015 0.02 0.025 0.03 0.035 0.04 0.0450

2

4

6

8

10

12

14

16

18

Vth shift (V)

#ofPMOStransistors

Some transistors

have large Vth shifts

Fig. 8. The Vth shifts of comparator used for one year: (a) lower 16-bitpart, (b) upper 16-bit part.

1 2 3 4 5 6

x 10-3

1

2

3

4

5

6x 10

-3

IDDT

of lower 16-bit comp. (A)

I DD

T o

f upper

16-b

it c

om

p. (A

)

Authentic

Recycled

2 4 6 8 10

x 10-3

0

0.002

0.004

0.006

0.008

0.01

IDDT

of lower 16-bit adder (A)

I DD

T o

f upper

16-b

it a

dder

(A) Authentic

Recycled

(a) (b)

The trend line

Higher probability of recycled

chips under the trend line

The trend line

Higher probability of

recycled chips under

the trend line

Fig. 9. IDDT correlation for (a) the adder, and (b) the comparator.

usage, e is further reduced to 0.25% and 0.5%, respectively.Hence, SeMIA works effectively to identify recycled chips.Moreover, e is reduced with more usage duration. It is usefulfor recycled-chip detection, since it provides higher confidencein detecting more severely aged chips, which impose moreserious reliability concerns when used.

VDD affects the sensitivity of IDDT to unbalanced agingprofile. The average IDDT is measured under different VDDafter one-year aging. Fig. 12 shows that when VDD becomes1.1 V and 0.9 V, e rises up to 14.3% and 4.3% for theadder, which are 6.8% and 6.0% for the comparator. Hence,it is helpful to select a proper value of VDD for each circuitstructure to achieve a smaller e. This can be done by a chipdesigner in dynamic power analysis during design time.

C. Analysis for HT Detection

The average IDDT of adder in lower 16-bit part withactivated HT is larger than that without HT. Hence, E(d(c)i,j )is non-zero that leads to the HT identification as (9). InFig. 13, we can find that the isolation metrics are obviouslydifferent for the genuine and aged chips. The values of Thare 1.06× 10−2 and 3.1× 10−3 for the adder and multiplier,respectively. Fig. 13 shows that even though the size of HT issmall (2.1% for adder and 1.6% for multiplier), the proposedisolation metric can successfully differentiate the HT-affectedchips from genuine ones. Specifically, e is 2% and 2.5% foradder and multiplier, respectively under VDD = 1 V.

Similar to aged chip detection, e also changes with VDD asshown in Fig. 14. When VDD is 0.9 V and 1.1 V, e becomes2.5% and 14.5% for the adder. However, the trend is differentfor the multiplier. e decreases to 2.0% for VDD = 0.9 V, whichbecomes 5.0% when VDD rises to 1.1 V.

-2 -1 0 1 2

x 10-4

0

100

200

300

400

Minimum distance d(c)i,j

# o

f d

(c)

i,j insta

nces

-1 -0.5 0 0.5 1

x 10-3

0

200

400

600

800

Minimum distance d(c)i,j

# o

f d

(c)

i,j insta

nces

(a) (b)

Approximately

follow the

Gaussian

distribution

Approximately

follow the

Gaussian

distribution

Fig. 10. The histogram of {d(c)i,j } for (a) the adder, and (b) the comparatorin authentic chips.

0 50 100 150 200-0.03

-0.02

-0.01

0

0.01

Chip #

Isola

tion m

etr

ic

Authentic

Recycled

0 50 100 150 200-0.04

-0.03

-0.02

-0.01

0

0.01

0.02

Chip #

Isola

tion m

etr

ic

Authentic

Recycled

(a) (b)

ThTh

Fig. 11. The isolation metrics of 200 authentic chips and 200 used (for oneyear) chips: (a) the adder, and (b) the comparator.

D. Aging and HT Detection in DLX Processor

The proposed validation approach can be scaled to largerdesigns including both datapath and control logic. To demon-strate this aspect, we verified the effectiveness of SeMIA in a5-stage pipelined processor, namely DLX. We integrated theadders with unbalanced aging profile and HTs into the EXstage of the DLX processor. To mitigate the non-negligiblecurrents produced from control logic and other datapaths, wechose a sequence of instructions that induces transition in onlyone pipelined stages in each cycle. Fig. 15(a) shows an exam-ple that accurately captures IDDT from ‘ADD’ instruction andthe test vector pair (T1, T2) activating the gates in the upper16-bit of the 32-bit adder. By using the same method, theIDDT from the lower 16-bit part is obtained with differentoperands. The background IDDT from the program counterand FSM transition can be mitigated by the correlation ofIDDT from the upper and lower 16-bit parts. Fig. 15(b) showsthe comparison of error rates for a separate adder and theadder integrated into the DLX processor. We can observe thatthe difference is very small under different VDDs. Specifically,for VDD = 1.0 V, the error rate of recycled detection becomes3.5% when the adder is placed inside the DLX processor, whileit is 2.5% when testing the adder separately. It demonstratesthe effectiveness of SeMIA for larger designs comprising ofdatapath modules and control logic.

VI. EXPERIMENTAL RESULTS

In this section, we validate SeMIA through experimentswith a set of commercial Altera DE0 boards as shown in Fig.16. Since these boards do not come with a current sensingmechanism, we modified them to incorporate a sense resistor(one ohm) between the VDD port of the regulator and thesupply input of the FPGA chips. The voltage drop across theresistor is measured by an oscilloscope to obtain the IDDT



9

0.9 0.95 1 1.05 1.1 1.150

0.05

0.1

0.15

0.2

VDD

(V)

Err

or

rate

of one-y

ear

usage

Adder

Comparator

The error rate

changes with VDD

Fig. 12. In recycled chip detection, the error rate e changes for the adderand the comparator at different VDDs.

0 50 100 150 200-0.015

-0.01

-0.005

0

0.005

0.01

Chip #

Isola

tion m

etr

ic

Authentic

W/ HT

0 50 100 150 200-0.04

-0.03

-0.02

-0.01

0

0.01

0.02

Chip #

Isola

tion m

etr

ic

Authentic

W/ HT

Th Th

Fig. 13. Isolation metric for (a) 32-bit adder and (b) 8-bit multiplier.

trace. The design under test (DUT) is a 32-bit array multiplier.We select a suitable TW for the test vectors to measure theaverage IDDT according to algorithm A.

A. Analysis for Recycled Chip Detection

In our Hspice simulation, the unbalanced aging profile forone year and five years can be reliably detected by SeMIA.However, such long aging duration in an experiment is likelyto cause malfunction of FPGA chips. Hence, we focus onidentifying the existence of unbalanced aging in datapathsimplemented in FPGAs. In our experiment, two 32-bit arraymultipliers (Mult1 and Mult2) were synthesized into certainregions of FPGA by the Altera Quartus-II toolset. Two chipswere aged for 10, 20 and 30 hours under high temperature(55◦ C) and high VDD (1.4 V) to observe IDDT variation.The activities of test vectors applied to the two multipliers are0.2 and 0.5, respectively, with the input frequency of 5 MHz.

After the aging on Mult1 and Mult2, we employed fivetest vector pairs to produce transient IDDT profile underVDD = 1.2 V and 1 MHz clock, which were captured in anoscilloscope. Algorithm A is employed to compute the averageIDDT denoted as IDDT,1 and IDDT,2. Fig. 17 shows thechange of |IDDT,1 − IDDT,2| in three chips that are aged forup to 30 hours. We can find that |IDDT,1− IDDT,2| increasesrapidly with aging duration. Specifically, it achieves 0.25 mAon average after 30-hour aging, compared to only 0.1 mAbefore aging. For different VDDs (i.e., 1.1 V and 1.3 V),we observed a similar trend. The experimental results supportthe existence of unbalanced aging profile under different testvectors for aging. Hence, a recycled chip with aging durationof few months or higher can be reliably identified by SeMIA.

0.9 0.95 1 1.05 1.1 1.150

0.05

0.1

0.15

0.2

VDD

(V)

Err

or

rate

of one-y

ear

usage

Adder

Multiplier

The error rate

changes with VDD

Fig. 14. In HT detection, the error rate e changes for the adder and thecomparator at different VDDs.

ADDT1

IF ID EX MEM WB

ADDT1 ADDT1 ADDT1 ADDT1

ADDT2 ADDT1 ADDT1 ADDT1 ADDT1





Clo

ck

cycle

Act.

stage

(a) (b)

0.9 0.95 1 1.05 1.1 1.150.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

0.18

0.2

VDD

(V)

Err

or

rate

Adder_aged

DLX_aged

Adder_HT

DLX_HT

Fig. 15. (a) Activation of a pipelined stage under test vector pair T1 andT2, and (b) comparison of error rate between a separate adder and the adderintegrated into DLX.

B. Analysis for HT Detection

The platform for HT detection is shown in Fig. 18, includinga phase-locked loop (PLL), a memory block, a design undertest (DUT0) and its duplication with HT (DUT1). The PLLoutputs a clock with frequency 10 MHz as the interval oftest vector input. The memory block stores the test vectors.Signal HT en is used to control the activation of gates in anHT. When it is 0, DUT0 and DUT1 have identical switchingand no test vectors can flip the gates in the HT. As a result,the correlation of the IDDT can mimic the case that no HT isinserted into DUT1. When HT en is 1, the HT in DUT1 can beactivated by certain test vectors. A test vector pair is read outfrom the memory and input into DUT0 and DUT1, controlledby the clock. The average IDDT is measured repeatedlyin an oscilloscope to eliminate the effect of temporal andmeasurement noises. The sequential HT [47] including a 32-bit counter takes 2.3% area of the DUT.

Fig. 19(a) and (b) show the IDDT correlation of DUT0and DUT1 for VDD of 1.1 V and 1.2 V, respectively. If noHT is present, the corresponding points for ten FPGAs arescattered around the trend line y = x. However, when thetest vectors induce switching activity in the HT, the points fallbelow y = x, which closely matches the simulation results.Fig. 19(c) and (d) show that the isolation metrics without HTare close to zero. Hence, a design with HT can be identifiedwith negligible error rate.



10

Resistor for IDDT senseShow voltage

Fig. 16. The experimental platform on DE0 board.

0 10 20 300.1

0.15

0.2

0.25

0.3

0.35

Aging hours

|ID

DT

,1-I

DD

T,2| (m

A)

IDDT difference becomes

larger with more aging hours

Fig. 17. IDDT difference between Mult1 and Mult2 with aging durationfrom 10 hours to 30 hours.

VII. DISCUSSION

A. Attacks and Countermeasures

The aging effects in recycled chips depend on the appli-cation scenario and therefore infeasible to be controlled byadversaries. It may be argued that an unbalanced aging profilecan be eliminated by increasing Vth shift on the transistorswith less aging. However, it is difficult to select proper testvectors to achieve the similar histogram of Vth deviation. Itmay not also be practically feasible to enforce balanced aginginto large number of self-similar structures in a chip, e.g., aprocessor. Moreover, it is a complex (e.g., involving agingequipment) and expensive process, since the Vth should bemonitored accurately in a long time.

We have focused on possible HT attacks in regular symmet-ric structures. If an HT is inserted into non-similar instances,it can evade detection by SeMIA. However, it is worth notingthat, typically the die-area taken by modules with regularityor high degree of replication is substantial, as noted in diversecontexts [42]. Hence, SeMIA is expected to provide high HTcoverage. In order to detect HT instances in random logicsuch as control unit of a processor, we can combine SeMIAwith existing HT detection approach with complementarycapabilities such as [39].

B. Extension of SeMIA

SRAM is widely incorporated into modern SoCs, whichincludes an array of cells (e.g., 6-T, 8-T) organized in aregular structure. Due to abundance of narrow-width operands

PLL

Memory

DUT w/ HT

DUT w/o HTTest

vectors

HT_en

clock

clock

IDDT

FPGA

Fig. 18. The circuit structure for HT test in Cyclone-III FPGA.

0.0195 0.02 0.0205 0.021 0.02150.0195

0.02

0.0205

0.021

0.0215

IDDT

of a 32-bit mult. (A)

I DD

T o

f a r

ef. 3

2-b

it m

ult. (A

) W/O HT

W/ HT

0.0135 0.014 0.0145 0.0150.0134

0.0136

0.0138

0.014

0.0142

0.0144

0.0146

IDDT

of a 32-bit mult.(A)

I DD

T o

f a r

ef. 3

2-b

it m

ult.(

A) W/O HT

W/ HT

0 2 4 6 8 10-5

-4

-3

-2

-1

0

1

2x 10

-3

Chip #

Isola

tion m

etr

ic

Authentic

W/ HT

0 2 4 6 8 10-6

-4

-2

0

2x 10

-3

Chip #

Isola

tion m

etr

ic

Authentic

W/ HT

(a) (b)

Trend line y=x

(c) (d)

Trend line y=x

Th Th

Fig. 19. (a) IDDT correlation for multipliers under VDD = 1.1 V, (b)IDDT correlation for multipliers under VDD = 1.2 V, (c) isolation metricsunder VDD = 1.1 V, and (d) isolation metrics under VDD = 1.2 V.

in real applications [19], MSBs in a word store ‘0’ (or ‘1’)most of the time. The contents in LSBs are altered morefrequently. Hence, the aging profile of MSBs is different fromthat in LSBs. Furthermore, an embedded memory usually hasseparate power grid that simplifies IDDT measurement onmemory core with reduced noise. Hence, it can be a goodcandidate to determine aging of a chip by employing SeMIA.

In addition to digital circuits, SeMIA is also promisingfor mixed-signal circuits. For example, a pipelined analog-to-digital converter (ADC) includes several stages of similarstructure. The aging effect of each stage is expected to bedifferent, since ADC works in the middle of transfer functionmost of the time to reduce the influence of differential non-linearity (DNL). As a result, the activity of MSBs would belower than LSBs, which leads to aging discrepancy.

Finally, in addition to IDDT , SeMIA can also use pathdelays (such as in [40]) to form the isolation metric as (8), ifthe test vectors for path activation are provided by the chipdesigner. As a result, the HTs (or aging effects) impacting pathdelays can be detected by SeMIA reliably.



11

VIII. CONCLUSION

We have presented SeMIA, a golden-free methodology todetect both recycled counterfeit ICs as well as hardwareTrojan attacks by exploiting the discrepancy in IDDT betweentwo self-similar structures. Using extensive simulations underrealistic process variations, we have shown that it can identifythese integrity issues reliably with high sensitivity. It requiresno design modification and hence can be applied to legacychips. We have also validated SeMIA through experiments inFPGA chips with example Trojan instances and practical agingprofiles.

Modern complex SoCs include many regular self-similarstructures at different levels of hierarchy that experiencedifferent level of stress during operation. Therefore, SeMIAcan be effectively employed to isolate aged chips of varyingcomplexity. Similarly, since a hardware Trojan attack is ex-pected to be localized in a logic block, SeMIA can effectivelywork for detecting Trojan attacks in these SoCs. Since self-comparison automatically eliminates the effect of inter-dieand intra-die systematic variations, it is easily scalable tolarge designs. When combined with complementary Trojandetection techniques such as self-referencing based Trojan de-tection in sequential logic, SeMIA can provide comprehensiveTrojan coverage. Although we focus on IDDT in our study ofSeMIA, other parameters such as path delay can be appliedfor fingerprint construction. Furthermore, SeMIA also canwork for digital signal processing units, crypto chips, as wellas mixed-signal chips such as data converters and telemetryunits, which increasingly use digital components of regularstructure. Finally, although SeMIA does not require any designmodification, design-for-security approaches that incorporateor enhance self-similarity across circuit blocks, can improveits effectiveness.

REFERENCES

[1] M. Tehranipoor and F. Koushanfar, “A survey of hardware Trojan taxon-omy and detection,” IEEE Design & Test of Computers, vol. 27, no. 1,pp. 10-25, 2010.

[2] F. Wolff. C. Papachristou, S. Bhunia, and R.S. Chakraborty, “TowardsTrojan-free trusted ICs: problem analysis and detection schemes,” DATE,2008, 1362-1365.

[3] F. Koushanfar et al., “Can EDA Combat the Rise of Electronic Counter-feiting?,” DAC, 2012, pp. 133-138.

[4] R. S. Chakraborty, S. Narasimhan and S. Bhunia, “Hardware Trojan:threats and emerging solutions,” HLDVT, 2009, pp. 166-171.

[5] U. Guin, M. Tehranipoor, D. DiMase and M. Megrdichian, “CounterfeitIC detection and challenges ahead,” ACM SIGDA, March 2013.

[6] L. W. Kessler and T. Sharpe, “Faked Parts Detection,” [Online]http://www.circuitsassembly.com/

[7] Counterfeit IC detection, Integra Technologies Inc., [Online]http://www.integra-tech.com/index.php/test-services/counterfeit

[8] SENTRY Counterfeit IC Detector, ABI Electronic Inc., [Online]http://www.abielectronics.co.uk/Products/SENTRYCounterfeitICDetector.php

[9] Y. Alkabani and F. Koushanfar, “Active Hardware Metering for Intellec-tual Property Protection and Security,” USENIX Security, 2007.

[10] J. Rajendran, Y. Pino, O. Sinanoglu and R. Karri, “Logic encryption: afault analysis perspective,” DATE, 2012.

[11] A. Basak, Y. Zheng and S. Bhunia, ‘Active defense against counterfeitingattacks through robust antifuse-based on-chip locks,” VTS, 2014, pp. 1-6.

[12] U. Guin, X. Zhang, D. Forte, and M. Tehranipoor, “Low-cost On-ChipStructures for Combating Die and IC Recycling,” DAC, 2014, pp. 1-6.

[13] G. E. Suh and S. Devadas, “Physical Unclonable Functions for DeviceAuthentication and Secret Key Generation,” DAC, 2007, pp. 9-14.

[14] Y. Zheng, X. Wang and S. Bhunia, “SACCI: scan-based characterizationthrough clock phase sweep for counterfeit chip detection,” IEEE Trans.on VLSI systems (TVLSI), vol. 23, no. 5, pp. 831-841, 2015.

[15] X. Zhang, K. Xiao, and M. Tehranipoor, “Path-delay fingerprinting foridentification of recovered ICs,” DFT, 2012, pp. 13-18.

[16] R. Moudgil, et al., “A novel statistical and circuit-based technique forcounterfeit detection in existing ICs,” GLSVLSI, 2013, pp. 1-6.

[17] K. Huang, J. M. Carulli and Y. Makris, “Parametric counterfeit ICdetection via support vector machines,” DFT, 2012, pp. 7-12.

[18] S. Bhunia, M. Hsiao, M. Banga and S. Narasimhan, “Hardware Trojanattacks: threat analysis and countermeasures,” Proceeding of the IEEE,vol. 102, no. 8, pp. 1229-1247, 2014.

[19] D. Brooks and M. Martonosi, “Dynamically exploiting narrow widthoperands to improve processor power and performance,” HPCA, 1999,pp. 13-22.

[20] H. Kukner et al., “Degradation analysis of datapath logic subblocksunder NBTI aging in FinFET Technolgy,” Int. Sym. on Quality ElectronicDesign (ISQED), 2014, pp. 473-479.

[21] Synopsys, HSPICE user guide: simulation and analysis, 2010.[22] X. Wang, M. Tehranipoor and J. Plusquellic, “Detecting malicious

inclusions in secure hardware: challenges and solutions,” HOST, 2008,pp. 15-19.

[23] H. Salmani, M. Tehranipoor and J. Plusquellic, “New design strategyfor improving hardware Trojan detection and reducing Trojan activationtime,” HOST, 2009, pp. 66-73.

[24] J. Li and J. Lach, “At-speed delay characterization for IC authenticationand Trojan horse detection,” HOST, 2008, pp. 8-14.

[25] X. Zhang and M. Tehranipoor, “RON: an on-chip ring oscillator networkfor hardware Trojan detection,” DATE, 2011, pp. 1-6.

[26] J. Rajendran, V. Jyothi, O. Sinanoglu and R. Karri, “Design and analysisof ring oscillator based design-for-trust technique,” VTS, 2011, pp. 105-110.

[27] R. S. Chakraborty, S. Paul and S. Bhunia, “On-demand transparency forimproving hardware Trojan detectability,” HOST, 2008, pp. 48-50.

[28] C. Lamech and J. Plusquellic, “Trojan detection based on delay vari-ations measured using a high-precision, low-overhead embedded teststructure,” HOST, 2012, pp. 75-82.

[29] Y. Cao, C. H. Chang and S. Chen, “A cluster-based distributed activecurrent sensing circuit for hardware Trojan detection,” IEEE Trans. onInfo. Froensics and Security, 2014.

[30] K. Xiao and M. Tehranipoor, “BISA: Built-in self-authentication forpreventing hardware Trojan insertion,” HOST, 2013, pp. 45-50.

[31] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi and B. Sunar, “Trojandetection using IC fingerprinting,” IEEE Symp. Security Privacy, 2007,pp. 296-310.

[32] Y. Jin and Y. Makris, “Hardware Trojan detection using path delayfingerprint,” HOST, 2008, pp. 51-57.

[33] Y. Alkabani and F. Koushanfar, “Consistency-based characterization forIC Trojan detection,” ICCAD, 2009, pp. 123-127.

[34] S. Wei, S. Meguerdichian and M. Potkonjak, “Gate-level characteri-zation: foundation and hardware security applications,” DAC, 2010, pp.222-227.

[35] M. Banga and M. S. Hsiao, “A region based approach for the identifi-cation of hardware Trojan,” HOST, 2008, pp. 43-50.

[36] S. Wei and M. Potkonjak, “Scalable segmentation-based maliciouscircuitry detection and diagnosis,” ICCAD, 2010, pp. 483-486.

[37] S. Narasimhan et al., “Multiple-parameter side-channel analysis: a non-invasive hardware Trojan detection approach,” HOST, 2010, pp. 13-18.

[38] D. Du, S. Narasimhan, R. S. Chakraborty and S. Bhunia, “Self-referencing: a scalable side-channel approach for hardware Trojan de-tection,” CHES, 2010, pp. 173-187.

[39] S. Narasimhan et al., “TeSR: A Robust Temporal Self-ReferencingApproach for Hardware Trojan Detection,” HOST, 2011, pp. 71-74.

[40] N. Yoshimizu, “Hardware Trojan detection by symmetry breaking inpath delays,” HOST, 2014, pp. 107-111.

[41] Y. Liu, K. Huang and Y. Makris, “Hardware Trojan detection throughgolden chip-free statistical side-channel fingerprint,” DAC, 2014, pp. 1-6.

[42] P. Subramanyan, N. Tsiskaridze, K. Pasricha, D. Reisman, A. Susnea andS. Malik, “Reverse engineering digital circuits using functional analysis,”DATE, 2013, pp. 1277-1280.

[43] K. K. Parhi, “VLSI Digital Signal Processing Systems: Design andImplementation,” Wiley, first ed., 1999.

[44] T. Sakurai and A. R. Newton, “Alpha-power law MOSFET model andits applications to CMOS inverter delay and other formulas,” JSSC, vol.25, no. 2, pp. 584-594, 1990.

[45] Y. Zheng, A. Basak and S. Bhunia, “CACI: Dynamic current analysistowards robust recycled chip identification,” DAC, 2014, pp. 1-6.



12

[46] Predictive Technology Model, [Online] http://ptm.asu.edu/[47] X. Wang, S. Narasimhan, T. Mal-Sarkar and S. Bhunia, “Sequential

hardware Trojan: side-channel aware design and placement,” ICCD, 2011,pp. 297-300.

semia: self-similarity based ic integrity analysisswarup.ece.ufl.edu/papers/j/j53.pdf · 2015. 12....

Documents