This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2016.2576444, IEEE Transactions on Computers

Latch-Based Structure: A High Resolution and Self-Reference Technique for Hardware Trojan Detection
Ghobad Zarrinchian and Morteza Saheb Zamani

G. Zarrinchian is a Ph.D. student at the Department of Computer Engineering and Information Technology of Amirkabir University of Technology, Tehran, Iran (e-mail: zarrinchian@aut.ac.ir).
M. Saheb Zamani is with the Department of Computer Engineering and Information Technology of Amirkabir University of Technology, Tehran, Iran (e-mail: szamani@aut.ac.ir).

0018-9340 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Abstract: Hardware Trojan detection has been the subject of many studies in the realm of hardware security in recent years. The effectiveness of current techniques proposed for Trojan detection is limited by some factors, process variation noise being a major one. This paper introduces latch-based structures as a self-reference detection technique which uses in-circuit path delays as golden reference models. By addressing process variation, these structures can achieve high accuracy in detection resolution. The proposed method is a complementary approach to current side-channel techniques to cover their poor performance in detecting small Trojans. Simulation results show that this technique can detect small Trojans at the scale of only one logical gate with 90% probability on average.

Index Terms: Hardware Trojan, Latch-Based Structures, Process variation, Self-Reference detection.

I. INTRODUCTION

Hardware Trojans (or HT, for short) are extra functionalities that may be added to a circuit with the aim of leaking information or distorting the circuit from its intended functionality. The goals behind implanting HTs in digital circuits can vary. Degrading the performance of a circuit to produce a low quality device, leaking information in critical applications, such as keys used for encryption, and disrupting the functionality of the circuit in highly critical scenarios, such as real-time or military applications, could all be strong incentives for an attacker to change a circuit.

Although HTs could be inserted at different design phases, it is usually assumed that the final netlist and the generated layout are free of HTs, and possible attacks are done at later stages, for example, at the manufacturing stage where the designer may have no control over the manufacturing process. This lack of control stems from the ever-growing outsourcing of digital designs to third-party fabrication plants (also known as fabs) for manufacturing. The main driver for outsourcing designs is the billion-dollar investments needed to establish fabrication houses, and many design companies choose not to fabricate their own products and thus outsource them to other equipped and up-to-date fabs [1], [2]. This issue is getting more severe in recent technologies since upgrading fabs for newer technologies is not affordable for many companies. That is why many leading companies such as AMD and Texas Instruments have chosen to outsource some of their production lines to third-party fabs (often located in Asia) [3].

Consequently, because of the designers' limited control over the production phase, some rogue employees in the fab can alter the design for their adversary goals. For this reason, designers may not simply trust their produced chips and need a dependable way to measure their chips and detect any unwanted functionality. This issue has led to the introduction of HT detection methods. These methods attempt to use different characteristics of Trojans to detect them.¹ Trojans can have different characteristics and show various behaviors. A complete review of Trojan properties and their characteristics is beyond the scope of this paper and interested readers can refer to related studies [4]-[7].

¹ For the rest of the paper, we use the terms HT and Trojan interchangeably.

Generally, Trojans can be functional or parametric. Functional Trojans are those that alter the functionality of the circuit in specific conditions. On the other hand, the Trojans that only affect the performance of a design are known as parametric Trojans. Since a wise attacker tries to hide his/her Trojan in the circuit, Trojans are usually activated by triggering very rare conditions on internal or external signals of the design. This would ensure that the design would probably pass the manufacturing test without any indication of misbehavior.

Currently, there are two broad approaches for Trojan detection. Logic testing approaches detect HTs by applying test vectors and revealing the erroneous behavior of the design. These approaches can only detect functional Trojans. Side-channel analysis is another technique which attempts to use the performance signature of the circuit. Since any extra functionality in the circuit would result in side-channel effects, such as extra power consumption or extra path delay, recognizing these effects is a useful means to detect abnormal behavior, even if the Trojan is not of functional type. For this reason, side-channel-based techniques are strong methods and have gained more attention in the literature compared to the
logic testing approaches. Despite their strength, side-channel analysis methods have a major drawback, i.e., their vulnerability to process variation, which causes some kinds of Trojans, especially smaller ones, to go undetected. Currently, the main challenge in detecting HTs is to address high process variation in fabricated chips and to offer higher resolution methods, especially in newer technologies in which process variation is getting more severe.

In this paper, we propose a method which uses path delay as a side-channel parameter to detect HTs. In this method, latch-based structures are created in the circuit, which convert any extra delay caused by Trojans into changes observable in the functionality of the circuit. As we explain later, the new method is capable of addressing process variation and can remove its effects considerably. In some cases, the new technique can even be used in a manner that relieves the designer from having golden chips, so that the method serves as a self-reference technique. By employing the proposed method in parts of a design where available side-channel approaches perform poorly, we can cover hard-to-detect Trojans and improve the applicability of conventional side-channel approaches.

The organization of this paper is as follows. In Section II, an overview of previous studies on HT detection is provided. In Section III, the main concept of our latch-based structure and its capabilities to detect hardware Trojans are presented. Section IV discusses the details of the proposed approach and its implementation. In Section V, simulation results are reported and the performance of the technique is evaluated in terms of HT detection probability and area overhead. A discussion on advantages, limitations and security analysis of the technique is presented in Section VI. Finally, Section VII concludes the paper.

II. PREVIOUS WORK

There are many studies addressing HT detection. These studies can be grouped into two categories, namely, logic testing and side-channel analysis. Logic testing methods suppose that the HT has a stealthy nature and is activated under rare conditions. Therefore, these methods try to remove such conditions by eliminating low activity nodes in various ways. Chakraborty et al. [8] proposed an algorithm, called MERO, to generate a set of test vectors that increase signal activity of a set of given circuit nodes up to a desired threshold point. An improvement over MERO was proposed in [9] by selecting a more compact and more effective set of test vectors to cover rare conditions. In this study, the authors used a genetic algorithm together with a SAT (satisfiability) technique to generate the test vectors. The authors also considered hard-to-trigger Trojans for which the payload effect cannot be propagated to the output, and reduced the state space of rare combinations by excluding this type of Trojans. Studies in [10]-[12] follow a similar idea and base their work on special test pattern generation. The study in [13] proposed to invert the polarity of logic gates to obtain inverted functionality. Using this method, AND and OR gates act as NAND and NOR gates, respectively (and vice versa), and low-transition states become high-transition. Using dummy scan flip flops is another method in logic testing [14]. In this method, the activity of internal low-transition nodes is increased by inserting dummy flip flops which are only used in the test mode and do not affect the normal operation of the design.

The main drawbacks of logic testing techniques are twofold. Firstly, these methods are only able to detect functional Trojans. Secondly, the condition under which a Trojan could be fully activated is not known a priori to the designer, and the state space of triggering a Trojan could be generally vast. As a result, the designer could not test all possible conditions to reveal the malicious activities. Such methods are only applicable for detection of small Trojan circuits with few triggering inputs.

Because of the issues mentioned, side-channel analysis approaches have been used extensively. In these methods, performance parameters of the circuit to be authenticated are extracted and compared with those obtained from the golden circuits. Any extra functionality is detected by the footprint of the Trojan on circuit performance parameters, such as transient power (IDDT), leakage power (IDDQ) and delay. Due to the Trojan's impact on circuit performance, detecting such effects is an appropriate way for HT detection purposes.

Studies in [15]-[22] are some of the proposed methods based on path delay. The authors of [15] introduced shadow registers to measure the timing slack of combinational paths in the design and then compare their measurements with those obtained from golden chips for detection purposes.

Studies in [16]-[19] take advantage of ring oscillators (ROs) to measure the delay. ROs are useful structures for measuring path delay across a chip, which are implemented by creating a logical loop covering a path with an odd number of inverting stages and measuring the frequency using a counter.

The work in [20], known as clock sweeping, is similar to [15], but instead of using shadow registers, the frequency of the system clock is increased up to a point where the delay faults are observed. Such frequencies for different paths are used as signatures of the design, and compared with the signatures obtained from the golden designs. Since overclocking for low-delay paths may have some difficulties, the authors in [21] proposed a special structure to provide a zero-slack clock cycle to measure the delay of any arbitrary path in the design.

As delay-based HT detection is done more accurately in shorter paths due to lower process noise, Shekarian et al. in [22] proposed a retiming technique to shorten the long paths of the designs and reported higher HT detection probability.

Since any extra circuit affects the leakage power of a design, some studies have focused on detecting Trojans based on consumed leakage power. The work in [23] is one of the studies that measure the leakage power for special test vectors applied to the chip. As the leakage power due to a Trojan circuit could be negligible compared to the total circuit leakage power, the study in [24] proposed to measure the leakage from different power ports individually, instead of a global measurement, to enhance the resolution of detection.

IDDT current or transient power is another performance parameter used in malicious circuitry detection [25]-[27].
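
An added example, not code from the paper: a Monte Carlo sketch contrasting the golden-chip delay comparison used by the path-delay methods surveyed above with the same-die comparison the paper proposes, where the latch reads Y1Y2=01 when the target path is faster than its reference. The variation model, the k-sigma golden threshold, and every number (delays in ps, sigmas, margins, Trojan delay) are constructed assumptions.

```python
"""Monte Carlo sketch: golden-chip delay check vs. same-die latch comparison.

Every number is a constructed assumption (delays in picoseconds), not data
from the paper. Assumed variation model: one die-to-die shift shared by both
paths on a die, plus an independent random within-die term per path.
"""
import math
import random

NOMINAL_PS = 1000.0    # nominal target-path delay (constructed)
SIGMA_D2D_PS = 50.0    # die-to-die sigma, shared by all paths on one die
SIGMA_RAND_PS = 5.0    # random within-die sigma, independent per path


def nand_latch_outputs(delay_path1, delay_path2):
    """Y1Y2 after a 0->1 transition on Test (Test=0 gives Y1Y2=11).

    The faster path wins the race: "01" if path1 is faster, "10" otherwise.
    """
    return "01" if delay_path1 < delay_path2 else "10"


def fabricate_die(rng, margin_ps, trojan_ps):
    """Return (target, reference) path delays for one simulated die."""
    d2d = rng.gauss(0.0, SIGMA_D2D_PS)  # same shift for both paths
    target = NOMINAL_PS + d2d + rng.gauss(0.0, SIGMA_RAND_PS) + trojan_ps
    reference = NOMINAL_PS + margin_ps + d2d + rng.gauss(0.0, SIGMA_RAND_PS)
    return target, reference


def golden_flags(target_delay, k=3.0):
    """Assumed golden-reference rule: flag a chip whose target-path delay
    exceeds the golden population mean by more than k sigma."""
    sigma_total = math.hypot(SIGMA_D2D_PS, SIGMA_RAND_PS)
    return target_delay > NOMINAL_PS + k * sigma_total


def latch_flags(target_delay, reference_delay):
    """Self-reference rule: the Trojan-free design is built to read 01."""
    return nand_latch_outputs(target_delay, reference_delay) != "01"


def flag_rates(margin_ps, trojan_ps, trials=20000, seed=1):
    """Fraction of simulated dies flagged by (golden check, latch check)."""
    rng = random.Random(seed)
    golden = latch = 0
    for _ in range(trials):
        target, reference = fabricate_die(rng, margin_ps, trojan_ps)
        golden += golden_flags(target)
        latch += latch_flags(target, reference)
    return golden / trials, latch / trials


if __name__ == "__main__":
    trojan_ps = 30.0  # constructed extra delay added by a small Trojan
    print("margin  chip        golden  latch")
    for margin in (5.0, 21.0, 60.0):
        for label, extra in (("clean", 0.0), ("infected", trojan_ps)):
            g, l = flag_rates(margin, extra)
            print(f"{margin:6.0f}  {label:10s}  {g:6.3f}  {l:6.3f}")
```

Because the die-to-die shift cancels in the same-die comparison, the latch check separates clean from infected dies at the middle margin while the golden check flags almost none; the small margin flags clean dies and the large margin hides the added delay.
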

Since the transient power of a circuit is directly related to the switching activity of its internal nodes, a promising way to enhance the strength of detection is to increase the Trojan circuit activity or to decrease the main circuit activity. Based on this, Banga et al. in [25] partition a circuit into different regions and attempt to investigate each region, individually, for the existence of a Trojan. In this study, specific test vectors are applied to the circuit such that the activity of the region under consideration is increased while the activity of other regions is kept low. All regions are investigated in this manner. The work in [26] follows a different strategy to increase the activity of the regions. This study takes advantage of scan chain flip flops (SFFs), and reorders them such that SFFs located in the neighborhood of each other are connected together. This provides the possibility of increasing switching activity in a local region and keeping the activity of other regions as low as possible by feeding appropriate logical values into the scan chain. The sensitivity of transient power to Trojan circuits and enhancing detection resolution using calibration techniques are investigated in [27].

The main strength of side-channel-based detection methods lies in the fact that every Trojan has effects on circuit performance, and detecting such effects would indicate the existence of unwanted circuits, regardless of the type of Trojan (functional or parametric). However, there are two main drawbacks that limit the effectiveness of these approaches. First of all, performance parameters of fabricated chips are strongly affected by process variations and measurement noise. Process, Voltage and Temperature (PVT) variations cause the performance parameters to spread over a wide range. Thus, the shift in the golden chip parameter range due to a Trojan could be negligible, especially for small Trojan circuits. Therefore, distinguishing Trojan effects may not be simply feasible, especially in newer technologies with higher variation effects. Despite different techniques used for removing variation effects, such as local measurement and calibration techniques, this problem remains a main barrier against obtaining accurate detection.

Another challenge relates to the availability of golden chips to use their performance parameters as reference models. Providing golden models requires comprehensive testing and measurements on a set of test chips which may be accompanied by de-layering those chips to ensure that they are free of Trojans and the measured parameters are valid. Such comprehensive evaluation may be very time-consuming and requires considerable cost and effort. So far, some methods have been proposed to address this challenge. Narasimhan et al. [28] assumed that the Trojan is a sequential circuit that is activated when its flip flop states reach a special pattern. At this point, the Trojan circuit would consume some extra transient power which was not present before. Based on this, the paper proposed to measure the transient power of the circuit at different time slices and compare them to see if any considerable deviation is observed. Although this study is a self-referencing method (does not rely on external reference values), it has serious problems. First, it is only applicable to sequential Trojans. Secondly, the condition under which a Trojan is activated, and hence the set of test vectors that must be applied to the circuit, is not known.

As another study in this context, Davoodi et al. [29] presented a method which finds similar sequences in a design and embeds sensors with similar structures as reference models. Using this technique, the delay of each path in a fabricated chip could be accurately estimated by measuring the sensor delay. Applicability of this method is limited due to the fact that finding sequences of similar structures is not always possible in a design.

The study in [30] proposes to use correlation between side-channel signatures to detect infected signatures, called outliers. In this approach, test vectors are applied to the circuit and signatures are extracted. Since a given signature may have correlation with a set of neighboring signatures, it may be estimated by observing its neighbors. The paper uses this property and compares a measured signature with the estimated one. If a noticeable deviation is observed, one can deduce the signature is an outlier. To estimate a given signature, this method requires PV models that should be provided by the foundry. However, as the foundry is assumed to be untrusted, one cannot rely on the provided PV models.

The study in [31] uses simulation to extract performance parameters instead of obtaining golden chips. Since one cannot rely on simulation statistics as they use inaccurate models and variation affects the parameters, the authors proposed to use PCM (Process Control Monitor) measurements to tune the simulation models and remove the discrepancy between simulation statistics and real ones. This method has some limitations. First of all, PCMs may not always be available in the designs. Secondly, they are themselves subject to attack and the foundry may fabricate them in a way that distorts the simulation parameters. Finally, the method can only obtain golden parameters and does not address process variation. Therefore, the problem of detecting small Trojans is still a challenging problem.

In this paper, we propose a mechanism which uses path delays for detecting HTs. The new method attempts to remove the Trojan hiding effects of process variation as much as possible to enhance the resolution of detection. The new method can also be implemented in a manner that increases the attacker's risk in concealing the HT, which makes this technique independent of golden models in some scenarios.

III. LATCH-BASED STRUCTURE: BASIC CONCEPT

The basic idea of using latch-based structures is to embed simple latches in the circuit to compare the relative delays of two given paths. The reason behind using latch elements lies in the dependency of their logical outputs on the delay of their elements. To clarify the matter, consider the simple SR NAND latch shown in Fig. 1 in which a common signal Test drives the S and R inputs. When Test=0, then Y1Y2=11. By applying a low-to-high transition on Test, both outputs, i.e., Y1 and Y2, go towards changing their value from 1 to 0. Since the gates in the latch may have different propagation delays, one of the outputs may change its value sooner than the other, which causes the slower gate to keep its logical value. This means
that Y1Y2=01, if g1 is faster than g2, and Y1Y2=10, otherwise. Assuming that the latch structure is ideally symmetric and both gates as well as the feedback connections have equal delays (or have negligible difference), the main contributing factor that determines the logical values is the propagation delay of the Test signal. In other words, such a structure can be used to catch the delay difference between the two propagation paths. This comparison mechanism can be applied to two arbitrary paths in a design to compare their delays. Fig. 2 shows an example in which two paths, constructed with a set of logical cells, are configured in a latch-based structure. In this scheme, the Test signal is propagated through both paths so that the latch outputs can indicate relative delays. Observing Y1Y2=01 after a low-to-high transition on Test means that path1 has less delay than path2; otherwise, path1 has more delay. Such a structure may also be implemented by NOR latches similarly, except that the direction of transition and logical outputs are reciprocal.

Fig. 1. An SR latch structure with common input signal

Fig. 2. Using latch-based structure to compare the delays of two paths path1 and path2

By using latch-based structures which translate relative delays into the functionality observed at the output, we can measure the delay of Trojan-susceptible paths in the design using other paths as reference delay to find out whether the delay has been changed or not. This implementation has many advantages which will be discussed later in the paper. It should be noted that the idea of using latches as hardware security primitives is not new, and SRAM-based PUFs or latch-based PUFs have been introduced before [32]. However, to the best of our knowledge, the idea of using latch structures for the goal of HT detection has not been proposed before.

To make the latch-based structure applicable for HT detection, some important considerations must be taken into account. To find out whether the latch outputs have been changed due to an increase in the delay by a Trojan circuit, the original Trojan-free outputs must be known before the chip is fabricated. This requires selecting a special path as the reference path that makes the latch outputs predictable. Suppose, for example, that path1 in Fig. 2 is a path which may be used by an attacker to embed a Trojan and its delay is increased as a consequence. For the rest of the paper, we call such paths target paths, since they may be the target of attack. This issue instructs the designer to choose a second path (path2) as a reference path to compare the delay of the two paths and recognize any extra delay by observing the changed values at the outputs. For the latch outputs to be predictable before physical manufacturing, the designer should select path2 such that its delay is higher than that of path1. Therefore, in a NAND latch, the original outputs of the circuit are Y1Y2=01. It should be noted that the delay difference between path1 and path2 should not be too large as it causes the Trojan's delay effect to be removed. Since finding a reference path with the proper delay difference may not always be possible, it may be required to tune the delay difference between the two paths, after a reference path is selected. Selecting an appropriate reference path and tuning the delay difference is an important factor that determines the detection resolution of the method. The desired delay difference is determined by the amount of the delay variations of the two paths. This means that the designer should take the worst case variation of the paths into account in the design phase to ensure that the reference path always has higher delay than the target path.

Another consideration that should be taken into account is the structure by which the latch is inserted in the design. Although we can use special logical gates for this purpose, we chose to use functional gates already in the netlist. The advantages of this strategy are twofold. First, using the original circuit gates instead of adding new ones helps us keep the area overhead of the scheme as low as possible. Secondly, this scheme resists removal attacks. In removal attacks, an attacker may try to remove or bypass the added latch gates and change the logical output values back to the original ones, as if the design is Trojan-free. By employing the original gates of the design as the latch gates, committing removal attacks is not simply feasible. This structure causes the circuit to have two operating modes, namely normal mode and test mode. In the normal mode, the circuit is in its normal operating phase. In the test mode, the circuit is tested for HT detection.

To separate the two modes, the structure should be modified. This modification could be done in several ways. Fig. 3 illustrates a simple scheme which uses multiplexers (MUXs) to separate the operating modes. In this figure, the delays of two paths of the design, path1=ABCDEF and path2=GHIJKL, are compared using the latch-based structure. MUXs are used to separate operating modes. When signal Sel is 0, the circuit operates in the normal mode and signals b, i, q and r are fed to their original cells. When Sel is 1, the circuit operates in the test mode and signal Test is fed to the first cells of the two paths to propagate. In this mode, cells F and L are configured as a latch element and a feedback loop is established using their outputs. If the cells at the end of the two paths are not of types NAND or NOR, the logical structure of the end cells should be modified so that NAND or
NOR types are created, without changing the functionality. It must be noted that to propagate the Test signal through the paths, the side inputs of the cells located on the paths must be controlled with non-controlling values. This can be done by applying appropriate test vectors and preparing paths for testing purposes. In Fig. 3 the non-controlling values for each cell are shown.

Fig. 3. Using MUXs as a simple structure to separate normal and test mode

The structure described above is the basis of the proposed technique: a path which may be used by the attacker to insert a Trojan is determined, and then an appropriate second path is selected as the corresponding reference path. Finally, these two paths are configured in a latch-based structure and their delay difference is tuned. This strategy can be done for every path which may be the target of attack.

In the proposed method, selecting a reference path and configuring the latch-based structure is done at the design phase. In this phase, the delays of paths are extracted based on the timing information available in technology libraries. To obtain more accurate results, the designer can place and route the design and generate an initial layout for the circuit. At this stage, more accurate timing and parasitic information are available. Despite using accurate models and layout-generated timing information, different chips may exhibit different timing behavior after fabrication. This is because process variation drastically affects device parameters and such effects are not known before the chips are manufactured. That is why side-channel analysis techniques need golden models and cannot rely on post-layout simulation results.

To see how our technique addresses variation, we should take a deeper look at process variation and its components. Generally, process variation is composed of two parts: die-to-die (or inter-die) and within-die (or intra-die) variation. Die-to-die variation corresponds to the variation seen for the structures between different dies. Within-die variation represents variation across a given die. Traditionally, die-to-die variation has been the major part of total variation. Even in newer technologies in which within-die variation is following an increasing trend, the die-to-die component still dominates the within-die factor [33], [34]. As mentioned previously, the major factor that determines the amount of the delay difference between the target and reference paths is process variation, and designers should consider the worst case scenario when tuning the delays to preclude false alarms.

In the latch-based structure, since both target and reference paths are located on the same die, die-to-die variation is removed and the only affecting factor is within-die variation. It is even possible to address within-die variation and alleviate its effects as much as possible. Within-die variation is composed of two components: systematic variation and random variation. Systematic variation corresponds to the location-dependent deviation of device parameters from their nominal values. This kind of variation is completely dependent on the location of the devices on the die and has similar effects on devices located close to each other. Random variations correspond to that part of within-die variation which is not related to the physical location of devices, and is completely random in nature. In other words, the devices located close to each other may exhibit different properties which are known as the random component of variation.

Our latch-based structure can be implemented in a way that can decrease the effects of systematic variation. By selecting a reference path sufficiently near the target path, we can expect systematic variations to have similar effects on both paths. This means that only within-die random variation could be considered when tuning delays. Such reduction in process variation can remarkably increase HT detection resolution which is not seen in previous studies.

IV. LATCH-BASED STRUCTURE: IMPLEMENTATION

The basic idea of using the proposed latch-based structure was elaborated in the previous section. The way in which this concept can be implemented in a given design is dependent on the designer's strategy. As explained, a path, which may be the target of the HT attack, should be determined, and an appropriate reference path must be selected nearby. These two paths are then configured as a latch-based structure. Recognizing target paths depends on the application for which the circuit is designed, or the designer can choose Trojan-susceptible paths based on his/her knowledge of the design. Generally, any combinational path can be configured and therefore, the method does not limit the designer to choose among a set of particular paths.

To evaluate the proposed method, we assumed that an attacker may choose to insert the Trojan in the nodes of the circuit which are not easily controllable. The rationale behind this assumption is that highly controllable nodes are expected to have considerable activity during the post-manufacturing testing phase and side-channel effects of Trojan circuits connected to such nodes cannot be easily concealed. It is normally assumed that a wise attacker attempts to cover his/her Trojan circuit in a design such that it exposes minimum side channel effects. Determining low-controllable nodes as target nodes has also been considered in other studies like [8], [14]. Since the concept of the latch-based structure is to compare the delay of a target path with a reference path, we need to establish combinational paths, if possible, containing the target nodes.

Choosing appropriate combinational paths for target nodes to establish target paths may be done in various ways. In this paper, we chose to have as few target paths as possible. Our goal by this strategy is to reduce the number of target paths in a design and hence, reducing the overhead of latch-based
structure.

The next step after recognizing target paths is to choose appropriate reference paths. To select the reference paths, different strategies may be used. The first one is to choose corresponding reference paths based on the netlist structure (before doing physical design). This strategy has the advantage of choosing the best candidate paths as reference paths, however, it does not guarantee that target and reference paths are located near each other when the final layout is generated. To alleviate the effects of process variation, the target and reference paths must be close to each other. One solution is to manually place the nodes of the target and reference paths close to each other in the layout, while other circuit nodes are placed automatically using the CAD tool. The major drawback of this strategy is that it may affect the quality of placement. Another strategy is to create an initial layout of the design and determine target and reference paths based on their relative position in the layout. Since this strategy does not affect the placement quality, we chose to use this scheme in our implementation.

As the target and reference paths should be close to each other, we have to consider them in a limited-size region which fits to our definition of proximity. In this regard some studies, such as [35]-[37], have investigated the amount of within-die systematic variation for different regions of a die. They show that the neighbor regions exhibit similar variation noise. Based on the region size for which these studies have reported their results, we tried to choose a smaller size to ensure that there is negligible systematic noise in a given region. Based on this, we considered a region of size 50 m 50 m as a region with no considerable systematic variations. Such a region size is somewhat pessimistic and we could even consider larger regions without any noticeable systematic effects inside.

Based on the defined size, the whole area of the layout is partitioned into different regions, and the latch structures are embedded in each region, exclusively. In other words, for each region, the target and corresponding reference paths are recognized, and the technique is implemented in that region.

As discussed, the delay of a reference path must be slightly higher than that of the corresponding target path to ensure that the latch output is predictable after the chip is fabricated. The amount of delay difference is mainly determined by the random variation. We should take within-die random variation into account to guarantee that in every die, the reference path has always higher delay than the target path.

Beside the random variation, there is still a second factor that should be considered when tuning the delays. This factor is related to the error of delay estimations in the gate-level modifications with respect to their effects on the actual delays in the final layout. Given a pair of target and reference paths, the last cells of these paths should be modified to create a latch structure. Such modifications incur some changes in the fan-out properties of these cells, and their delay values are not exactly known before generating the final layout. Moreover, additional elements must be added to the circuit to separate the normal from the test operation mode. The exact delay of these elements is only known after the layout is generated, and the designer can only make a rough estimation of the delay changes when creating the latch structures at the design time. To take such timing issues into account, we chose to use a constant value as another factor of the delay difference, which compensates for the difference between the estimated timing and the desired one. Equation (1) describes the way in which the delay difference ( ) is calculated. In this equation, corresponds to the standard deviation of the target path delay. The coefficient is selected to be 6 to guarantee that in every die the reference path delay is always larger than the target path delay assuming that the delays can deviate in the range of -3 to +3. The CO (compensation offset) parameter is the constant value that is considered when determining the delay differences. The appropriate CO value may be different for each structure. Moreover, the value is not known in the first pass of the design cycle, and the designer should attempt with a set of values to find the appropriate one.

= 6 + (1)

To obtain high resolution HT detection, the delay difference between a given target and a reference path should not exceed the determined value ( ). Since finding a reference path which satisfies this constraint may not always be possible, we can select an appropriate path (among a set of available combinational paths), and then tune its delay according to the intended value. Tuning path delays could be done using transistor sizing or adding extra delay cells. In our implementation, we chose the second option, where necessary, to reach the intended . One advantage of this strategy is that it does not have any impact on the circuit timing, since delay elements are added in the Test signal path. Moreover, by choosing 2-input delay elements (like simple 2-input AND or OR gates) instead of simple buffers, the existence of these delay elements in the circuit can be checked (using their second input) and an attacker cannot simply remove or bypass them to mask the Trojan effects.

As a brief overview, the following is a step-wise procedure for implementing the proposed method:
Step1: Generate an initial layout for the design
Step2: Find target nodes, based on their activity level (see Fig. 4(a) as an example)
Step3: Partition the layout into disjoint regions (Fig. 4(b))
Step4: Find available combinational paths containing target nodes in each region to form target paths (Fig. 4(c)).
Step5: Select an appropriate nearby reference path for each target path, create the latch-based structure, and finally, tune the delay difference if necessary (Fig. 4(d)). This step is done for every target path in each region until all target paths are covered.

A question that may arise in the context of finding reference paths is whether it is always possible to find a reference path for a given target path. To answer this question, we have analyzed target paths of some ISCAS89 benchmarks in terms of the availability of reference paths. Fig. 5 to Fig. 7 illustrate
statistics about the number of reference path options for the target paths of three different benchmarks. We chose p=0.001 as the threshold value for the activity level, and the circuit nodes with lower activity were considered as the target nodes. As can be seen from the figure, finding a reference path is not a challenging task, and we can expect to find a suitable one for almost all target paths. The only case in which a reference path may not be found is when the corresponding target path is very long (as can be seen in the figures, the number of such cases is very limited). To address this issue we can simply break long paths into smaller ones to ensure that a reference path can always be found.

(a) Finding target nodes of a design
(b) Partitioning the layout into disjoint regions
(c) Finding appropriate target paths (dark circles represent intermediate nodes used in forming target paths)
(d) Selecting appropriate reference path for a given target path (reference paths are represented by dashed lines)
Fig. 4. An example to illustrate the required steps to implement our latch-based method

V. SIMULATION RESULTS

A. Simulation setup

To evaluate the proposed latch-based structure, we used a set of ISCAS89 benchmarks and extracted their post-layout simulation results. To synthesize and generate the layout of the circuits, we used Nangate 45nm technology node. To conduct our experiments, we considered 3/=6% within-die random variation, which is consistent with the data reported in the literature [34]. We also assumed 3/=3% for each 100 m of the die as within-die systematic variation. This means, for example, that a die with dimensions 200 m 200 m experiences a 3/=6% systematic variation across its area. To apply systematic variation, we used VARIUS [38], a tool capable of creating variation map models across a given area.

B. Analysis of HT detection probability

In order to evaluate HT detection probability (HDP), latch-based structure was used for some of them. Table I shows the results for five sample target paths of three benchmarks. In this table, HDP has been evaluated by experimenting four different values for CO, namely 0, 10, 20 and 30 ps. In each experiment, the columns labeled as FP report the probability of false positive (probability of detecting HT when the target path is HT-free), and columns denoted by 2G and 1G represent the HDP for two and one minimum-sized AND gate when used as a Trojan circuit in the corresponding target path, respectively.

As it can be seen from Table I, when considering no compensation offset (CO = 0 ps), some of the paths experience high FP (false positive) rate. This is because the post-layout path delays do not follow the values estimated when the latches are being inserted. Since high FP rates are not acceptable for a given target path, no HT detection experiments were done in high FP rate scenarios (more than 10% in our experiments). Such scenarios are indicated with dash symbol in the table. By increasing CO, we can expect a decrease in FP, which is clear from the reported results in many of the scenarios. For example, path #1 in s1423 benchmark experiences a decreasing trend in FP (from 82% to 0%) when increasing the offset (from 0 ps to 30 ps).

It must be noted that a one-step increase in the offset value does not necessarily result in FP reduction. However, further continuing the trend would guarantee the reduction of FP rate. This is due to the fact that each time the offset is increased, a
reference path with higher delay is expected to be selected, while the target path delay is constant.

Fig. 5. Number of reference path options for s5378 benchmark
Fig. 6. Number of reference path options for s9234 benchmark
Fig. 7. Number of reference path options for s15850 benchmark

Based on the reported HDP results, Trojan circuits with two AND gates are 100% detected in nearly all experiments. Trojan circuits with one AND gate are also detected with relatively high probability in many of the scenarios. The best achieved HDP results are highlighted for each target path in the table.

It should be noted that no more CO values are tested, when the best possible HDP result is obtained for a given CO value. For this reason, some of the target paths were not tested for some of the CO values, which are indicated with dash symbol in the table. For example, path #4 of s9234 benchmark has gained the best possible HDP for CO = 0 ps, and hence, other CO values were not tested in the experiments. Briefly speaking, a new CO value from the set of pre-selected offset values is tested only if the previous tested CO value results in high FP rate, or the best possible results are not achieved and we can expect higher HDPs by testing more CO values from the set.

It is worth noting that the selected compensation offset has a direct impact on the resulting accuracy, and by attempting a set of values and choosing the best one, we can achieve more accurate results. In other words, the results reported in Table I are not the best possible ones, and better results are likely achieved by attempting more offset values. In doing so, we tested some of the target paths with new offset values, and the results are reported in Table II. In this table, the results are reported for some of the target paths with lower HDP compared to the other paths. We used 5 ps step for COs, including negative values, in our experiments. As can be seen from the table, paths #2 and #3 of s9234, and path #3 of s5378 have gained higher HDP compared to the previous results. The only exception is path #5 of s5378 which does not gain benefit from testing more offset values.

C. Analytical comparison of HDP results

To gain insight into the capability of our approach in mitigating the variation effects, we performed an extreme-case analytical comparison in which the HDP of the proposed latch-based structure technique is compared with the best possible HDP that is theoretically achievable. Since current delay-based HT detection techniques rely on golden delay measurements, they have to take all components of variations into account, including die-to-die and within-die variation in their reference delay fingerprints. For a typical 45nm technology, this means an average process variation of about 3/=30% [34].

Table III illustrates the theoretical HDP results in comparison with the ones obtained from the practical latch-based structure, with the higher HDPs highlighted in the table. In this table, column 2 reports the path delay of the previously tested target paths in an increasing order. The effectiveness of the Trojan circuit in terms of delay is reported in the third column. Column 4, labeled as T-HDP, reports the theoretically achievable HDP for the corresponding target path and Trojan delays, when considering 3/=30% for the delay variation. The HDPs reported in this column represent an upper-bound on the results that are practically achievable by using previous delay-based HT detection techniques. Finally, the last column, labeled as L-HDP, reports the best HDPs achieved by the proposed approach, when considering within-die random and
systematic variations with the values previously reported in Section V-A.

TABLE I
HDP RESULTS FOR A SET OF TARGET PATHS

                CO = 0 ps           CO = 10 ps          CO = 20 ps          CO = 30 ps
Benchmark Path# FP    2G    1G      FP    2G    1G      FP    2G    1G      FP    2G    1G
s1423     #1    82%   -     -       34%   -     -       0%    100%  10%     0%    100%  100%
s1423     #2    62%   -     -       0%    98%   76%     0%    84%   66%     0%    74%   0%
s1423     #3    0%    100%  2%      8%    100%  100%    0%    100%  100%    -     -     -
s1423     #4    100%  -     -       100%  -     -       0%    100%  62%     0%    0%    0%
s1423     #5    2%    100%  100%    -     -     -       -     -     -       -     -     -
s5378     #1    100%  -     -       0%    0%    0%      0%    0%    0%      0%    100%  98%
s5378     #2    24%   -     -       10%   100%  100%    0%    100%  100%    -     -     -
s5378     #3    0%    0%    0%      6%    100%  22%     0%    100%  54%     0%    0%    0%
s5378     #4    64%   -     -       90%   -     -       0%    100%  100%    -     -     -
s5378     #5    0%    100%  0%      0%    58%   0%      0%    84%   52%     0%    24%   0%
s9234     #1    2%    100%  100%    -     -     -       -     -     -       -     -     -
s9234     #2    72%   -     -       0%    100%  72%     0%    100%  0%      0%    8%    0%
s9234     #3    22%   -     -       0%    100%  34%     0%    0%    0%      0%    100%  32%
s9234     #4    0%    100%  100%    -     -     -       -     -     -       -     -     -
s9234     #5    28%   -     -       16%   -     -       0%    100%  66%     0%    4%    -

TABLE II
HDP OF SOME TARGET PATHS FOR EXTENDED CO VALUES

                CO = -10 ps         CO = -5 ps          CO = 5 ps           CO = 15 ps          CO = 25 ps
Benchmark Path# FP    2G    1G      FP    2G    1G      FP    2G    1G      FP    2G    1G      FP    2G    1G
s5378     #3    38%   -     -       0%    100%  2%      0%    0%    0%      0%    100%  46%     0%    100%  100%
s5378     #5    54%   -     -       0%    100%  0%      0%    58%   0%      0%    78%   10%     0%    0%    0%
s9234     #2    100%  -     -       0%    100%  100%    -     -     -       -     -     -       -     -     -
s9234     #3    0%    100%  20%     0%    0%    0%      0%    0%    0%      0%    100%  96%     0%    14%   0%

TABLE III
A COMPARISON BETWEEN THE PROPOSED LATCH-BASED STRUCTURE AND THE THEORETICAL APPROACH IN TERMS OF HT DETECTION PROBABILITY

Case #  Path delay  Trojan delay  T-HDP  L-HDP
1       46          30            99%    100%
2       82          38            99%    100%
3       97          69            99%    66%
4       112         57            99%    62%
5       144         59            98%    100%
6       145         54            95%    100%
7       146         41            79%    100%
8       159         46            81%    52%
9       161         51            87%    100%
10      163         34            53%    76%
11      165         58            93%    96%
12      178         32            41%    100%
13      181         29            34%    98%
14      210         63            84%    100%
15      214         37            39%    100%

To extract the theoretical HDP results, we used Eq. (2) introduced in [22] which gives a theoretical upper-bound on the detection probability in the presence of process variation. This equation assumes a normal distribution for the path delays, which is characterized by a mean () and a standard deviation ().

Any HT affecting a given path would shift the normal distribution of the delay for the corresponding path. Thus, the HT can be detected if it causes the path delay to be outside its original distribution range. Assuming that the delay shift introduced by the HT is denoted by d, Eq. (2) calculates the HT detection probability for a path with standard deviation of the normal distribution. In this equation, corresponds to the desired level of false positive rate, which was assumed to be 2% in the reported results in Table III. The erf( ) function used in Eq. (2) is in fact the error function, and is computed using Eq. (3).

1
[1 ( )]
2 2
= {1
(2)
[1 + ( )] >
2 2
2 2
erf() = (3)
0

As can be seen from Table III, for the paths with small delay values, (e.g., cases 1 to 4) the probability of theoretically detecting the Trojan circuits is high (HDP=99%). This means that for low delay paths, previous delay-based detection techniques can potentially perform well, even when all components of variation are considered. For such cases, the detection probability of the latch-based structure depends heavily on how successful the designer is to tune the delay difference of the target and reference paths. For the latch-based technique, while cases 1 and 2 gained maximum HDP, the results in cases 3 and 4 are below the highest achievable one. This can be attributed to the limitations of the method in tuning the path delay differences.
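
To make the Table III comparison concrete, the following added example (not code from the paper) recomputes the theoretical detection probability for each case and lists where the reported latch-based result is higher. It assumes a normal delay distribution, reads the 30% variation figure as a three-sigma spread around the nominal path delay, and places the detection threshold two standard deviations above nominal (about a 2% false positive rate); under those assumptions the values, truncated to whole percent, match the T-HDP column. The constant and function names are this example's own.

```python
import math
from statistics import NormalDist

# Assumed readings of the symbols that are missing from the page's Eq. (2):
SPREAD_3SIGMA = 0.30   # total process variation, read as 3*sigma/mean = 30%
K_SIGMA = 2.0          # threshold at nominal + 2*sigma (about 2% false positives)

# (case, path delay, Trojan delay, T-HDP %, L-HDP %), copied from Table III.
TABLE_III = [
    (1, 46, 30, 99, 100), (2, 82, 38, 99, 100), (3, 97, 69, 99, 66),
    (4, 112, 57, 99, 62), (5, 144, 59, 98, 100), (6, 145, 54, 95, 100),
    (7, 146, 41, 79, 100), (8, 159, 46, 81, 52), (9, 161, 51, 87, 100),
    (10, 163, 34, 53, 76), (11, 165, 58, 93, 96), (12, 178, 32, 41, 100),
    (13, 181, 29, 34, 98), (14, 210, 63, 84, 100), (15, 214, 37, 39, 100),
]


def normal_cdf(z):
    """Standard normal CDF expressed through the error function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def theoretical_hdp(path_delay, trojan_delay, spread=SPREAD_3SIGMA, k=K_SIGMA):
    """Probability that an infected path's measured delay exceeds the threshold."""
    sigma = path_delay * spread / 3.0
    # Infected delay ~ N(path_delay + trojan_delay, sigma); the threshold is
    # path_delay + k*sigma, so the nominal delay cancels out of the z-score.
    return normal_cdf((trojan_delay - k * sigma) / sigma)


def false_positive_rate(k=K_SIGMA):
    """Probability that a Trojan-free path exceeds the same threshold."""
    return 1.0 - normal_cdf(k)


def min_detectable_delay(path_delay, target_hdp, spread=SPREAD_3SIGMA, k=K_SIGMA):
    """Smallest added delay (in the table's delay units) caught with target_hdp."""
    sigma = path_delay * spread / 3.0
    return sigma * (k + NormalDist().inv_cdf(target_hdp))


def compare_with_table(rows=TABLE_III):
    """Return (case, computed %, reported T-HDP %, reported L-HDP %) per row."""
    result = []
    for case, path_delay, trojan_delay, t_hdp, l_hdp in rows:
        computed = math.floor(100.0 * theoretical_hdp(path_delay, trojan_delay))
        result.append((case, computed, t_hdp, l_hdp))
    return result


def cases_where_latch_wins(rows=TABLE_III):
    """Cases whose reported latch-based HDP exceeds the reported theoretical HDP."""
    return [case for case, _path, _trojan, t_hdp, l_hdp in rows if l_hdp > t_hdp]


if __name__ == "__main__":
    print(f"false positive rate at {K_SIGMA} sigma: {false_positive_rate():.4f}")
    print("case  computed  T-HDP  L-HDP")
    for case, computed, t_hdp, l_hdp in compare_with_table():
        print(f"{case:>4}  {computed:>7}%  {t_hdp:>4}%  {l_hdp:>4}%")
    print("latch-based result higher in cases:", cases_where_latch_wins())
    print(f"90% detection on a 146-delay path needs a shift of "
          f"{min_detectable_delay(146, 0.90):.1f}")
```

The z-score depends only on the ratio of Trojan delay to path delay, which is why the theoretical probability falls for long paths unless the Trojan delay grows with them.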

As expected, with the increase of path delays, the theoretical HDP starts to fall. In high delay paths, the theoretical HDP may not be large due to the masking effects of the process variation. This issue is clear from the lower T-HDP results reported for high delay paths, except for the ones with high Trojan delay, like cases 11 and 14. In contrast, the latch-based structure has performed close to optimum in nearly all scenarios, thanks to mitigating variation effects.

Even if the designer is not completely successful in tuning the path delays, the resulting HDP may still be higher compared to the theoretical results, especially for high delay path. Cases 10 and 11 in Table III are of such examples in which the latch-based technique has gained improved HDP over the theoretical approach, despite not achieving the best possible results. As the path delay increases, the difference in HDP between the theoretical and the latch-based technique is more highlighted, which is clear from the results.

The results reported in Table III show comparisons under extreme-case conditions. The extremity of the conditions can be explained from the following aspects.

Firstly, the values of process variation we used in our theoretical analysis represent an average value. However, the real amount of variation may be larger, which in turn, culminates in lower theoretical HDP.

Secondly, the efficacy of previous practical delay-based HT detection techniques may be limited by some factors. For example, the resolution of the steps by which the clock phase is shifted has a direct impact on the accuracy of frequency testing approaches, which can prevent them from achieving the best possible HDP.

Thirdly, the theoretical HDP results are extracted with the assumption of 2% false positive rate, whereas the results reported for the latch-based HDP have no false positive in many of the cases. Clearly, lower theoretical HDPs are achieved with the assumption of zero false positive, compared to the reported results.

Fourthly, the target paths tested in our experiments are in fact sub-paths, i.e., they are parts of complete paths. Current path delay measurement techniques cannot measure the delay of sub-paths. They can only measure the delay of complete paths located between flip flops. This means that the theoretical HDP values reported in Table III may not be practically achievable by current delay-based techniques, as they have to measure the delay of longer paths with higher variation effects, resulting in lower HDP values.

Despite all the extreme-case conditions described above and the limitations of the latch-based technique in adjusting the delay difference, we can still see that the proposed technique has practically resulted in more efficient HDP than the ones theoretically achievable by the other techniques.

D. Overhead analysis

The resulting detection probability is achieved at the cost of area for embedding the latch structures. To evaluate the area overhead of the proposed scheme, we should consider the extra logic elements that are added to the design. The main part of these elements is attributed to those used to separate the normal and the test mode. Although separating these two operating phases can be done with the help of MUX-based scheme shown in Fig. 3, we chose to use simple AND and OR gates to isolate the two operating modes. An example of this scheme is shown in Fig. 8. To put the circuit into the test mode, Sel is kept low (non-controlling value for the OR gates) which makes the two paths configured in the latch-based structure. When Sel is set to high, the circuit operates in its normal mode. This scheme incurs lower area overhead compared to the MUX-based structure.

Fig. 8. An example of constructing latch-based structure using simple OR gates

Delay elements and logical gates required to construct the latches constitute another part of the overhead for each embedded latch. Obviously, the total area overhead of the scheme has a direct relation to the total number of target paths that should be covered. As discussed, a designer may choose to cover any arbitrary path in a design. Here, we chose to cover low transition nodes as sensitive points that may be the target of attack.

Table IV shows area overhead results of our implementation. In this table, the results are reported for two threshold values of nodes activity, namely p=0.0001 and p=0.001. For each activity threshold, the first column represents the number of target nodes. The number of target paths that cover these target nodes is reported in the second column. The third column reports the ratio of covered nodes to the total number of circuit nodes. Finally, the overhead is shown in the fourth column.

While we can observe low overhead for some of the benchmarks, some other benchmarks experience a relatively high area overhead. For example, s5378 results in about 60% overhead, when p=0.001. The main reasons for this high overhead are twofold. First of all, we did not employ scan chains when synthesizing the benchmark circuits. As a result, controlling internal flip flops of the circuit is only possible by applying appropriate test vectors to the primary inputs of the circuits. A direct consequence of this issue is an increase in the number of low transition nodes which logically lie at the middle and ending stages of the design. Obviously, many of such low transition nodes are removed if scan chains already exist in the design. Moreover, dummy scan flip flops can also be used to increase the level of activity. Of course, a positive aspect of considering large number of sensitive nodes is the high coverage of the circuit (42.8% coverage at the cost of 60.6% overhead for s5378 benchmark).

Another reason for the high area overhead is that the number of sensitive nodes covered by a given target path is
limited. Experimental results revealed that many of the target paths contain only one or two target nodes. This issue is caused by the netlist structure in which no or few combinational paths exist among target nodes. Therefore, the number of target paths is comparable to the number of sensitive nodes. This issue is clear from the results reported in Table IV.

TABLE IV
AREA OVERHEAD RESULTS FOR SOME BENCHMARKS

           P = 0.0001                                               P = 0.001
Benchmark  # of nodes  # of paths  Covered nodes (%)  Overhead (%)  # of nodes  # of paths  Covered nodes (%)  Overhead (%)
s1423      0           0           0                  0%            1           1           0.6%               1.1%
s1488      5           4           3%                 8.3%          19          14          10.7%              29.1%
s5378      23          16          3.9%               8.7%          241         121         42.8%              60.6%
s9234      32          22          8.2%               13.3%         54          28          12.4%              17.9%
s15850     96          52          6.8%               9.3%          502         240         30.2%              42.8%
s13207     63          40          6.2%               7%            303         133         25.2%              23.3%
s38417     53          26          1%                 1.6%          342         185         6.8%               11.4%

A promising way to address this problem can be to bypass flip flops in the test mode and to form target paths containing many target nodes which had been separated by the flip flops. In this way, the number of target paths is considerably reduced. Of course, this strategy requires additional multiplexers to separate the two operating modes of the circuit, and the overhead of these multiplexers must be taken into account.

We should constrain the length of long target paths created by this technique. This constraint is applied for two reasons. The first one is that longer target paths are more affected by the process variation which adversely affects the detection resolution. The second reason is that finding reference paths for very long target paths may not always be possible.

To study the efficiency of the bypassing technique, some experiments were conducted and the results are shown in Tables V and VI. A set of experiments were done to investigate the effects of path length on HT detection resolution. In these experiments for which the results are shown in Table V, we considered four different path lengths and HDP values are reported. As expected, when the target path length increases (i.e., more target paths are concatenated together) lower HDP values are achieved. In contrast, longer paths incur lower area overhead due to fewer paths. Therefore, the designer should consider a trade-off between the area and the desirable HT detection accuracy.

TABLE V
PATH LENGTH VS. DETECTION RESOLUTION FOR DIFFERENT NUMBER OF STAGES

No. of stages  4    7    10   13
Average HDP    98%  96%  78%  66%

A second set of experiments were performed to investigate the overhead reduction of the bypassing scheme. Table VI shows the area overhead for different benchmarks when employing bypassing strategy. For each benchmark in the table, the results of experiments are reported for two activity thresholds and two different lengths of target paths. In each experiment, the first column represents the number of target paths, the second column represents the number of multiplexers used for bypassing the flip flops, and finally, the third column represents the resulting area overhead.

TABLE VI
AREA OVERHEAD RESULTS FOR THE TECHNIQUE OF BYPASSING FLIP FLOPS

           P = 0.0001                                                    P = 0.001
           7 stages                       13 stages                      7 stages                       13 stages
Benchmark  # paths  # MUXs  Overhead (%)  # paths  # MUXs  Overhead (%)  # paths  # MUXs  Overhead (%)  # paths  # MUXs  Overhead (%)
s1423      0        0       0%            0        0       0%            1        0       1.1%          1        0       1.1%
s1488      2        2       5.2%          1        3       3.7%          7        7       18.3%         5        10      15.8%
s5378      6        10      4.3%          4        12      3.5%          60       65      38.5%         34       67      28.3%
s9234      9        13      7.9%          5        17      6%            15       14      11.9%         8        20      8.4%
s15850     28       25      6.1%          16       37      4.5%          119      132     27.3%         66       174     19.8%
s13207     22       18      4.6%          12       28      3.3%          82       60      17.1%         44       90      11.8%
s38417     16       10      1.1%          9        17      0.8%          107      85      7.9%          58       127     5.6%

Compared to Table IV, we achieved a significant reduction in the area overhead (between 30% and 60% improvement). Clearly, considering 13 stages as the limit on the target path length results in fewer target paths, and incurs lower area overhead compared to when 7-stage length is used as the threshold value. This is achieved at the cost of lower HDP based on the data reported in Table V. This instructs the designers to choose an appropriate target path length according to their desirable HDP and area overhead constraints dictated by the design goals.

E. CAD flow and run time analysis

The required steps to implement the proposed technique are shown in the flow chart depicted in Fig. 9. The inputs to the flow chart are some parameters that should be provided by the designer. These parameters are defined in Table VIII. According to the flow, target nodes are recognized and then are clustered into disjoint regions. In each region, target paths are established by the target nodes, and then are added to the list TP_LST. For each target path in the list, different reference paths may be tested and the one with acceptable HDP result is selected to configure a latch structure.

TABLE VIII
PARAMETER DEFINITION FOR THE CAD FLOW

Parameter  Definition
P          Threshold value for the activity of the target nodes
S          Region size to cluster the target nodes
L          Maximum length for the target paths
MHDP       Minimum desirable HDP
D          Trojan size (in terms of delay) for which the MHDP is desirable
CO_LST     List of CO values to be tested

Based on the presented flow, a possible concern may arise regarding the time required to configure a circuit by the proposed structure. The whole time required to create latch-based structures depends on the number of target paths that should be covered as well as the size of the circuit. Larger circuits have more candidate reference paths, and thus it takes more time to choose an appropriate reference path. Table VII reports the time spent by our automated flow for some of the benchmarks. The results are based on the set of target paths achieved for the activity threshold P=0.0001.

TABLE VII
AUTOMATED FLOW RUN TIME

Bench.             s1488  s5378  s9234  s15850  s13207  s38417
Run time (minute)  12     80     84     447     680     940

The run time for large circuits may be tolerated since the technique is implemented at the design-time. Moreover, the designer can speed up the flow by limiting the number of reference paths to be tested for a given target path at the cost of area overhead.

VI. ADVANTAGES, LIMITATIONS AND SECURITY ANALYSIS

The proposed detection structure has many advantages over
other techniques. First, the new method is self-reference. It


uses the delay of in-circuit paths as the reference models to
measure the delay of target paths, and the designer is relieved
from pre-extracting golden parameters (which is not always
possible). This is in contrast to many of the HT detection
techniques that rely solely on golden models for comparison
purposes.
Another strong point is that the method is not bound to a
particular type of attack. Every malicious circuitry which
increases the delay of combinational paths has potential to be
detected, regardless of its activation model and its malicious
consequences.
As another important advantage, the effects of process
variation are considerably reduced. Since the target and
reference paths are located on the same die and close to each
other, die-to-die and systematic within-die variations are
nullified. Moreover, these paths experience similar
environmental conditions, like temperature, which means even
less variation effects. Whereas in other techniques, Fig 9. The required flow to implement the design
environmental variation is an important factor which may
adversely affect the resolution of detection. on the clock tree adds further to the existing variation.
Another factor that further mitigates variation effects is that Another capability of the proposed method is that it can be
the proposed method does not involve clocking and hence, its used for every combinational path of the design. In other
resolution is not affected by the variation on the clock tree. In words, every path (or part of a path) in the design can be
delay-based techniques that use frequency testing for path considered as a target path. This is in contrast to frequency
delay measurement, delay variation of logical gates located on testing techniques that consider a complete path (by complete
the paths is not the only source of variation. Process variation path, we mean a path that starts and ends with flip flops).
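The process-variation argument of this section (same-die, nearby reference paths cancel die-to-die and systematic within-die variation) can be checked numerically. The Monte Carlo simulation below is an added example, not code from the paper; the variation sigmas, the Trojan delay, the `proximity` parameter and the reduction of the latch comparison to a threshold on a delay difference are all assumptions made for illustration.

```python
import math
import random

# Constructed parameters (assumptions for illustration, not values from the paper).
NOMINAL_NS = 1.0    # nominal delay of the target path and of its reference path
SIGMA_D2D = 0.05    # die-to-die variation, shared by every path on one die
SIGMA_SYS = 0.03    # systematic within-die variation, shared by nearby paths
SIGMA_RND = 0.005   # random per-path variation, never cancelled
TROJAN_NS = 0.03    # extra delay added to the target path by a small Trojan


def sample_die(rng, trojan_ns, proximity):
    """Return (target_delay, reference_delay) for one fabricated die.

    proximity=1.0: the reference sees the same systematic variation as the target.
    proximity=0.0: the reference is far away and sees independent systematic variation.
    """
    d2d = rng.gauss(0, SIGMA_D2D)
    sys_t = rng.gauss(0, SIGMA_SYS)
    sys_r = proximity * sys_t + math.sqrt(1 - proximity ** 2) * rng.gauss(0, SIGMA_SYS)
    target = NOMINAL_NS * (1 + d2d + sys_t + rng.gauss(0, SIGMA_RND)) + trojan_ns
    reference = NOMINAL_NS * (1 + d2d + sys_r + rng.gauss(0, SIGMA_RND))
    return target, reference


def golden_statistic(target, reference):
    """Golden-model check: compare the measured delay with the nominal value."""
    return target - NOMINAL_NS


def self_reference_statistic(target, reference):
    """Self-reference check: compare the target with an in-circuit path."""
    return target - reference


def detection_rate(statistic, proximity=1.0, dies=20000, false_alarm=0.01, seed=1):
    """Detection probability at a threshold calibrated on Trojan-free dies."""
    rng = random.Random(seed)
    clean = sorted(statistic(*sample_die(rng, 0.0, proximity)) for _ in range(dies))
    threshold = clean[min(dies - 1, int((1 - false_alarm) * dies))]
    infected = (statistic(*sample_die(rng, TROJAN_NS, proximity)) for _ in range(dies))
    return sum(value > threshold for value in infected) / dies


if __name__ == "__main__":
    print("golden model        :", detection_rate(golden_statistic))
    print("self-ref, far path  :", detection_rate(self_reference_statistic, proximity=0.0))
    print("self-ref, near path :", detection_rate(self_reference_statistic, proximity=1.0))
```

At the same 1% false-alarm rate, only the nearby self-reference comparison leaves a residual noise floor (the random per-path term) small enough for the constructed Trojan delay to stand out.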


Obviously, testing the delay of a part of a path is not possible using frequency testing, and requires adding extra flip flops, which results in timing problems. Considering only a part of a path for delay comparison can be a promising way for further decreasing variation effects of long paths.

As another advantage, we can point out the use of available circuit structures for delay measurement. In our method, delay comparison is done by embedding latch-based structures. Since logical gates used in these structures are part of the main circuit, an attacker may not simply manipulate or remove them, as it may change the delay of the paths or functionality of the circuit. This issue helps to remove some of the vulnerable points in the design. Consider, for example, RO-based detection methods. In RO structures, the path delays are measured using embedded counters. Although these counters are in-circuit elements, since they play no role in the main functionality of the design, an attacker may alter or bypass them in the test mode to conceal his/her Trojan side-effects. As an example, the work in [39] shows a successful attempt to embed a Trojan circuit in a design equipped with RO structures.

One possible attack on our technique is to embed a Trojan in a target path and neutralize the extra delay by increasing the delay in the corresponding reference path. We should note that this kind of attack is risky for the attackers since they have to double their Trojans' side effects. Moreover, the designers can make this attack more risky by using a subsequent latching scheme. Consider, for example, that a target path T1 forms a latch with a peer reference path R1. R1 can also form a latch with another reference path R2, and this trend can be continued. Given this structure, thwarting the Trojan in the path T1 needs adding extra delay to the path R1, which in turn, necessitates adding more delay to the path R2 and all other reference paths. Another way to conceal the Trojan effects is to reduce the delay of the target path. In this case, the adversary has to replace the original standard cells with the ones that have wider transistors and higher driving strength, which results in more power consumption. Moreover, the position in the layout wherein the target path is located may be fully occupied with other cells and the attacker may need to make room to place wider cells. This is too difficult as it may require moving many of the nearby standard cells to make enough room, which may also change the routing of some interconnections. This issue can considerably affect the background effects and increase the Trojan-to-circuit ratio, which is not desirable for an adversary.

As a drawback for the proposed method, we can point out the area overhead of the design. Since embedding latch-based structures requires adding extra elements, if a large number of design paths are to be covered, the area overhead would be high. This issue prevents the technique from being used to cover all parts of a design. As a result, according to the overhead constraints dictated by the designer, latches can be augmented only in highly critical parts of a design.

The other issue is the iterative process required to tune the delay of target and reference paths. The number of iterations depends on the accuracy of detection which the designer is seeking. Achieving higher HDP requires selecting the best compensation offset among a larger set of options, which in turn prolongs the design time. Of course, the results reported in Section V-B for the target paths show that the set of options is not very large, and good candidates can be selected by testing a few offset values.

VII. CONCLUSION AND FUTURE WORKS

A delay-based HT detection technique was proposed in which the delay of a Trojan-susceptible path is compared with the delay of other paths of the design by embedding latches at the end of the two paths. These latches indicate the existence of Trojans by converting any extra delay to the changes in the functionality of the circuit. Using the delay of in-circuit paths as golden reference models can make this technique a golden chip-free approach. The erroneous effects of die-to-die, systematic within-die and environmental variations are considerably removed by selecting near target and reference paths on a die. Security analysis of the technique indicates that the method can achieve high detection resolution. The proposed method can be used together with other side-channel approaches to improve their detection probability by covering parts of a design wherein inserted Trojans are hard-to-detect by available approaches.

As future works, layout-level techniques can be considered to tune the delay differences in finer granularity, hence achieving higher Trojan detection accuracy.

REFERENCES

[1] F. Koushanfar, "Provably secure active IC metering techniques for piracy avoidance and digital right management," IEEE Transactions on Information Forensics And Security, vol. 7, Issue 1, pp. 51-63, 2012.
[2] Defense Science Board (DSB) Study on High Performance Microchip Supply [Online]. Available: http://www.dtic.mil/docs/citations/ADA435563.
[3] J. Roy, F. Koushanfar and I. L. Markov, "Ending piracy of integrated circuits," IEEE Transactions on Computer, vol. 43, Issue 10, pp. 30-38, 2010.
[4] M. Tehranipoor and C. Wang, Introduction to Hardware Security and Trust, Springer, 2012.
[5] M. Tehranipoor, H. Salmani and X. Zhang, Integrated Circuit Authentication, Springer, 2014.
[6] M. Tehranipoor and F. Koushanfar, "A survey of hardware trojan taxonomy and detection," IEEE Design & Test of Computers, vol. 27, Issue 1, pp. 10-25, 2010.
[7] S. Bhunia, M. Abramovici, D. Agrawal, P. Bradley, M. S. Hsiao, J. Plusquellic and M. Tehranipoor, "Protection against hardware trojan attacks: towards a comprehensive solution," IEEE Design & Test, vol. 30, Issue 3, pp. 6-17, 2013.
[8] R. S. Chakraborty, F. Wolff, S. Paul, C. Papachristou and S. Bhunia, "MERO: a statistical approach for hardware trojan detection," in Proc. CHES, 2009, pp. 396-410.
[9] S. Saha, R. S. Chakraborty, S. S. Nuthakki, Anshul and D. Mukhopadhyay, "Improved test pattern generation for hardware trojan detection using genetic algorithm and boolean satisfiability," in Proc. CHES, 2015, pp. 577-596.
[10] S. Jha and S. K. Jha, "Randomization based probabilistic approach to detect trojan circuits," in Proc. HASE, 2008, pp. 117-124.
[11] F. Wolff, C. Papachristou, S. Bhunia and R. S. Chakraborty, "Towards trojan-free trusted ICs: problem analysis and detection scheme," in Proc. DATE, 2008, pp. 1362-1365.
[12] R. S. Chakraborty, S. Paul and S. Bhunia, "On-demand transparency for improving hardware trojan detectability," in Proc. HOST, 2008, pp. 48-50.


[13] M. Banga and M. S. Hsiao, "VITAMIN: voltage inversion technique to ascertain malicious insertions in ICs," in Proc. HOST, 2009, pp. 104-107.
[14] H. Salmani, M. Tehranipoor and J. Plusquellic, "A novel technique for improving hardware trojan detection and reducing trojan activation time," IEEE Transactions on Very Large Scale Integration, vol. 20, Issue 1, pp. 112-125, 2012.
[15] J. Li and J. Lach, "At-speed delay characterization for IC authentication and trojan horse detection," in Proc. HOST, 2008, pp. 8-14.
[16] X. Wang, M. Tehranipoor and R. Datta, "Path-RO: a novel on-chip critical path delay measurement under process variations," in Proc. ICCAD, 2008, pp. 640-646.
[17] X. Zhang and M. Tehranipoor, "RON: an on-chip ring oscillator network for hardware trojan detection," in Proc. DATE, 2011, pp. 1-6.
[18] J. Rajendran, V. Jyothi, O. Sinanoglu and R. Karri, "Design and analysis of ring oscillator based design-for-trust technique," in Proc. VTS, 2011, pp. 105-110.
[19] A. Ferraiuolo, X. Zhang and M. Tehranipoor, "Experimental analysis of a ring oscillator network for hardware trojan detection in a 90nm ASIC," in Proc. ICCAD, 2012, pp. 37-42.
[20] K. Xiao, X. Zhang and M. Tehranipoor, "A clock sweeping technique for detecting hardware trojans impacting circuits delay," IEEE Design & Test, vol. 30, Issue 2, pp. 26-34, 2013.
[21] A. Nejat, S. M. H. Shekarian and M. Saheb Zamani, "A study on the efficiency of hardware trojan detection based on path-delay fingerprinting," Microprocessors and Microsystems, vol. 38, Issue 3, pp. 246-252, 2014.
[22] S. M. H. Shekarian and M. Saheb Zamani, "Improving hardware trojan detection by retiming," Microprocessors and Microsystems, vol. 39, Issue 3, pp. 145-156, 2015.
[23] M. Potkonjak, A. Nahapetian, M. Nelson and T. Massey, "Hardware trojan horse detection using gate-level characterization," in Proc. DAC, 2009, pp. 688-693.
[24] J. Aarestad, D. Acharyya, R. Rad and J. Plusquellic, "Detecting trojans through leakage current analysis using multiple supply pad IDDQs," IEEE Transactions on Information Forensics and Security, vol. 5, Issue 4, pp. 893-904, 2010.
[25] M. Banga and M. S. Hsiao, "A region based approach for the identification of hardware trojans," in Proc. HOST, 2008, pp. 40-47.
[26] H. Salmani and M. Tehranipoor, "Layout-aware switching activity localization to enhance hardware trojan detection," IEEE Transactions On Information Forensics And Security, vol. 7, Issue 1, pp. 76-87, 2012.
[27] R. Rad, J. Plusquellic and M. Tehranipoor, "A sensitivity analysis of power signal methods for detecting hardware trojans under real process and environmental conditions," IEEE Transactions on Very Large Scale Integration Systems, vol. 18, Issue 12, pp. 1735-1744, 2010.
[28] S. Narasimhan, X. Wang, D. Du, R. S. Chakraborty and S. Bhunia, "TeSR: a robust temporal self-referencing approach for hardware trojan detection," in Proc. HOST, 2011, pp. 71-74.
[29] A. Davoodi, M. Li and M. Tehranipoor, "A sensor-assisted self-authentication framework for hardware trojan detection," IEEE Design & Test, vol. 30, Issue 5, pp. 74-82, 2013.
[30] J. Zhang, H. Yu and Qiang Xu, "HTOutlier: hardware trojan detection with side-channel signature outlier identification," in Proc. HOST, 2012, pp. 55-58.
[31] Y. Liu, K. Huang and Y. Makris, "Hardware trojan detection through golden chip-free statistical side-channel fingerprinting," in Proc. DAC, 2014, pp. 1-6.
[32] Y. Su, J. Holleman and B. P. Otis, "A digital 1.6 pj/bit chip identification circuit using process variations," IEEE Journal of Solid-State Circuits, vol. 43, Issue 1, pp. 69-77, 2007.
[33] L. Cheng, P. Gupta, C. J. Spanos, K. Qian and L. He, "Physically justifiable die-level modeling of spatial variation in view of systematic across wafer variability," IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 30, Issue 3, pp. 388-401, 2011.
[34] L. T. Pang, K. Qian, C. J. Spanos and B. Nikolic, "Measurement and analysis of variability in 45 nm strained-si cmos technology," IEEE Journal of Solid-State Circuits, vol. 44, Issue 8, pp. 2233-2243, 2009.
[35] J. Plusquellic, D. Acharyya and K. Agarwal, "Measuring within-die spatial variation profile through power supply current measurements," in Proc. ISQED, 2011, pp. 1-5.
[36] N. Drego, A. Chandrakasan and D. Boning, "All-digital circuits for measurement of spatial variation in digital circuits," IEEE Journal of Solid-State Circuits, vol. 45, Issue 3, pp. 640-651, 2010.
[37] S. Realov and K. L. Shepard, "On-chip combined C-V/I-V characterization system in 45-nm cmos technology," IEEE Journal of Solid-State Circuits, vol. 48, Issue 3, pp. 814-826, 2013.
[38] S. R. Sarangi, B. Greskamp, R. Teodorescu, J. Nakano, A. Tiwari and J. Torrellas, "VARIUS: a model of process variation and resulting timing errors for microarchitects," IEEE Transactions on Semiconductor Manufacturing, vol. 21, Issue 1, pp. 3-13, 2008.
[39] X. Zhang, N. Tuzzio and M. Tehranipoor, "Red team: design of intelligent hardware trojans with known defense schemes," in Proc. ICCD, 2011, pp. 309-312.

G. Zarrinchian is a Ph.D. student at the department of Computer Engineering and Information Technology of Amirkabir University of Technology. His research interests include hardware security and digital system design.

M. Saheb Zamani received his B.Sc. degree in Computer Engineering from Isfahan University of Technology in 1989, and the M.Eng.Sc. and Ph.D. degrees in Computer Engineering from the University of New South Wales, Australia in 1992 and 1996, respectively. He joined Amirkabir University of Technology in 1996 and he is now an associate professor at the department of Computer Engineering and IT. His research interests are hardware security and trust, quantum computing, electronic design automation, and biological design automation.
