Side-Channel Hardware Trojan for Provably-Secure SCA-Protected Implementations

TL;DR

This paper introduces a stealthy hardware Trojan that can bypass detection in secure cryptographic hardware, exploiting side-channel leakage without adding or removing logic, thus compromising the security of protected implementations.

Contribution

It presents a novel method to insert undetectable hardware Trojans into side-channel protected cryptographic devices by subtle manipulations at the transistor or routing level.

Findings

Trojan triggers exploitable side-channel leakage in protected hardware

Insertion requires no additional logic, making detection extremely difficult

Vulnerable implementations demonstrated on CMOS technology prototypes

Abstract

Hardware Trojans have drawn the attention of academia, industry and government agencies. Effective detection mechanisms and countermeasures against such malicious designs can only be developed when there is a deep understanding of how hardware Trojans can be built in practice, in particular Trojans specifically designed to avoid detection. In this work, we present a mechanism to introduce an extremely stealthy hardware Trojan into cryptographic primitives equipped with provably-secure first-order side-channel countermeasures. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage, leading to successful key recovery attacks. Generally, such a Trojan requires neither addition nor removal of any logic which makes it extremely hard to detect. On ASICs, it can be inserted by subtle manipulations at the sub-transistor level and on FPGAs by changing the routing of particular signals, leading to \textbf{zero} logic overhead. The underlying concept is based on modifying a securely-masked hardware implementation in such a way that running the device at a particular clock frequency violates one of its essential properties, leading to exploitable leakage. We apply our technique to a Threshold Implementation of the PRESENT block cipher realized in two different CMOS technologies, and show that triggering the Trojan makes the ASIC prototypes vulnerable.