Temperature-Based Hardware Trojan For Ring-Oscillator-Based TRNGs

TL;DR

This paper introduces a stealthy temperature-triggered hardware Trojan for ring-oscillator TRNGs that disables entropy at high temperatures, allowing predictable outputs without additional logic.

Contribution

It presents a novel, logic-free Trojan design that manipulates transistor-level behavior to compromise TRNG security under specific conditions.

Findings

Trojan can be triggered by high temperature to disable entropy.

Trojan-infected TRNG produces predictable outputs under attack.

Attack uses Markov Chain model to predict reduced-entropy outputs.

Abstract

True random number generators (TRNGs) are essential components of cryptographic designs, which are used to generate private keys for encryption and authentication, and are used in masking countermeasures. In this work, we present a mechanism to design a stealthy parametric hardware Trojan for a ring oscillator based TRNG architecture proposed by Yang et al. at ISSCC 2014. Once the Trojan is triggered the malicious TRNG generates predictable non-random outputs. Such a Trojan does not require any additional logic (even a single gate) and is purely based on subtle manipulations on the sub-transistor level. The underlying concept is to disable the entropy source at high temperature to trigger the Trojan, while ensuring that Trojan-infected TRNG works correctly under normal conditions. We show how an attack can be performed with the Trojan-infected TRNG design in which the attacker uses a stochastic Markov Chain model to predict its reduced-entropy outputs.