Advancing the State-of-the-Art in Hardware Trojans Design by Haider, Syed Kamran et al.
1Advancing the State-of-the-Art in
Hardware Trojans Design
Syed Kamran Haider, Chenglu Jin, and Marten van Dijk
Abstract—Electronic Design Automation (EDA) industry heavily reuses third party IP cores. These IP cores are vulnerable to insertion
of Hardware Trojans (HTs) at design time by third party IP core providers or by malicious insiders in the design team. State of the art
research has shown that existing HT detection techniques, which claim to detect all publicly available HT benchmarks, can still be
defeated by carefully designing new sophisticated HTs. The reason being that these techniques consider the HT landscape to be
limited only to the publicly known HT benchmarks, or other similar (simple) HTs. However the adversary is not limited to these HTs and
may devise new HT design principles to bypass these countermeasures.
In this paper, we discover certain crucial properties of HTs which lead to the definition of an exponentially large class of Deterministic
Hardware Trojans HD that an adversary can (but is not limited to) design. The discovered properties serve as HT design principles,
based on which we design a new HT called XOR-LFSR and present it as a ‘proof-of-concept’ example from the class HD . These
design principles help us understand the tremendous ways an adversary has to design a HT, and show that the existing publicly known
HT benchmarks are just the tip of the iceberg on this huge landscape. This work, therefore, stresses that instead of guaranteeing a
certain (low) false negative rate for a small constant set of publicly known HTs, a rigorous HT detection tool should take into account
these newly discovered HT design principles and hence guarantee the detection of an exponentially large class (exponential in number
of wires in IP core) of HTs with negligible false negative rate.
Index Terms—Hardware Trojans, Security, Taxonomy, Classification, IP Cores.
F
1 INTRODUCTION
Modern electronic systems heavily use third party IP (intel-
lectual property) cores as their basic building blocks. An
IP core is a reusable block of logic, tailored to perform
a particular operation in an efficient manner, that is an
intellectual property of one party. Optimized for area and
performance, the IP cores are essential elements of design
reuse in electronic design automation (EDA) industry and
save a lot of resources to redesign the components from
scratch. UARTs, DSP units, Ethernet controllers and PCI
interfaces etc. are some examples of the IP cores [1].
The IP cores are typically offered either in a hardware
description language (e.g., Verilog or VHDL) as synthesiz-
able RTL (also called ‘open source’ IPs) or as generic gate-
level netlists (also called ‘closed source’ IPs). These IP cores
give rise to a critical security problem: how to make sure
that the IP core does not contain a Hardware Trojan (HT)?
A (compromised) IP core vendor acting as an adversary
could implant a malicious circuitry in the IP core for privacy
leakage or denial of service attacks.
A significant amount of research has been done during
the past decade to design efficient tools for HT detection.
Hicks et al. [2] proposed Unused Circuit Identification (UCI)
which centers on the fact that the HT circuitry mostly
remains inactive within a design, and hence such minimally
used logic can be distinguished from the other parts of the
circuit. However later works [3], [4] showed how to design
HTs which can defeat the UCI detection scheme. Zhang et
• S. K. Haider, C. Jin, and M. van Dijk are with the Department of Electrical
and Computer Engineering, University of Connecticut, Storrs, CT, 06279.
E-mail: {syed.haider, chenglu.jin, vandijk}@engr.uconn.edu
al. [5] and Waksman et al. [6] proposed detection schemes
called VeriTrust and FANCI respectively and showed that
they can detect all HTs from the TrustHub [7] benchmark
suite. Yet again, the most recent technique called DeTrust [8]
introduces new Trojan designs which can evade both Ver-
iTrust and FANCI.
The reason behind this cat-and-mouse game between
attackers and defenders is that the current HT detection
tools offer critically low HT coverage and typically only
cover a small constant set of publicly known HT benchmarks
such as TrustHub. Whereas an adversary may design new
HTs which are different from the publicly known HTs in
that they can bypass the detection tool, as demonstrated
by DeTrust [8]. It is unclear to what extent the existing HT
detection tools are effective for publicly unknown HTs.
The first and foremost challenge in designing an effective
HT detection technique is to define the scope of the counter-
measure on the landscape of HTs. The HT taxonomies can
be used for this purpose. Bhunia et al. [9] presents a taxon-
omy of HTs based on an extensive survey of the existing
literature. The trigger based HTs are subdivided into digital
and analog categories where digital HTs have two general
models, combinational and sequential HTs. Combinational
HTs are those whose trigger circuitry is simply a comparator
whereas sequential HTs have memory elements as well in
their trigger circuitry. Trojans are also classified based on
payloads, i.e. digital, analog and others such as denial of
service.
Since we are talking about digital IP cores, in this paper
we limit ourselves to trigger activated digital HTs which
have digital payloads. The Trojans that are always active
and/or exploit side channels for their payloads are out of
scope of this paper.
ar
X
iv
:1
60
5.
08
41
3v
2 
 [c
s.C
R]
  1
2 A
pr
 20
17
2Even though existing HT taxonomies, such as the one
mentioned above, provide significant knowledge about the
HT properties, yet this information is quite fundamental
and does not provide detailed characteristics vital for the
HT countermeasures to provide strong security guarantees.
This limitation may lead to uncertainties and potentially
misleading information about the detection coverage that
a HT countermeasure can provide.
This paper introduces four crucial properties (d, t, α, l)
of a large and complex class HD of trigger activated and
deterministic digital HTs. These properties, determining the
stealthiness of HTs, lead to a much more detailed classifica-
tion of such HTs and hence assign well defined boundaries
to the scope of the existing and new countermeasures on
the huge landscape of HTs. In our model, HD represents the
HTs which are embedded in a digital IP core whose output is
a function of only its input, and the algorithmic specification
of the IP core can exactly predict the IP core behavior. A brief
highlight of the properties of HD is as follows:
d: Trigger Signal Dimension represents the number
of wires used by HT trigger circuitry to activate the
payload circuitry in order to exhibit malicious be-
havior. Large d shows a complicated trigger signal,
hence harder to detect.
t: Payload Propagation Delay is the number of cy-
cles required to propagate malicious behavior to
the output port after the HT is triggered. Large t
means it takes a long time after triggering until the
malicious behavior is seen, hence less likely to be
detected during testing.
α: Implicit Behavior Factor represents the probability
that given a HT gets triggered, it will not (ex-
plicitly) manifest malicious behavior; this behavior
is termed as implicit malicious behavior. Higher
probability of implicit malicious behavior means
higher stealthiness.
l: Trigger Signal Locality shows the spread of trigger
signal wires of the HT across the IP core. Small
l shows that these wires are in the close vicinity
of each other. Large l means that these wires are
spread out in the circuit, hence the HT is harder to
detect.
Based on the above mentioned parameters, we introduce
a new stealthy HT, coined the XOR-LFSR, which cannot be
efficiently detected by ordinary means (design knowledge of
the HT itself needs to be incorporated in the detection tool).
We also show that the current publicly known HTs have
small d (mostly d = 1 for TrustHub) and hence they are the
simplest ones. Fig. 1 depicts a pictorial representation of the
HT class HD that includes TrustHub1. Although VeriTrust
and FANCI can detect TrustHub HTs, it is unclear what
security guarantees they offer outside TrustHub.
The rest of this paper is organized as follows. Section
2 provides some basic background of HTs and introduces
our threat model. Section 3 defines the HT class HD and
introduces several advanced properties of this class which
lead to new HT design methodologies.
1. In this paper, we are only considering HTs from TrustHub that are
trigger activated and have digital payloads.
TrustHub Trojan 
Benchmarks
Unknown Coverage 
by VeriTrust / FANCI
XOR-LFSR 
Trojan 
Hardware Trojan Coverage
𝑯𝑫
Fig. 1. Class of Deterministic Hardware Trojans HD , and detection
coverages of existing Hardware Trojan countermeasures.
IP Core violates 
Specifications
IP
 C
o
re
 w
it
h
 
Ex
tr
a 
C
ir
cu
it
ry
IP
 C
o
re
 
w
it
h
o
u
t 
Ex
tr
a 
C
ir
cu
it
ry
IP Core does not 
violate Specifications
A Hardware 
Trojan
N/A
An Exploit
(Due to poor 
specifications or 
implementation)
Normal 
Behavior
Fig. 2. IP Core Design Space: An IP core can either have a Hardware
Trojan or an Exploit, or it behaves ‘normally’.
2 BACKGROUND & DEFINITIONS
A digital IP core can fall under one of the following three
categories, as shown in Fig. 2, based on its level of confor-
mity to the design specifications; (1) containing A Hardware
Trojan, or (2) containing An Exploit, or (3) exhibiting Normal
Behavior.
2.1 Hardware Trojan
A Hardware Trojan (HT) is malicious extra circuitry embed-
ded inside a larger circuit, which results in data leakage
or harm to the normal functionality of the circuit once
activated. We define extra circuitry as redundant logic added
to the IP core without which the core can still meet its design
specifications2. A trigger activated HT activates upon some
special event, whereas an always active HT remains active all
the time to deliver the intended payload.
Trigger activated HTs typically consist of two parts: a
trigger circuitry and a payload circuitry. The trigger circuitry is
implemented semantically as a comparator which compares
the value(s) of certain wires(s) of the circuit with a specified
boolean value called trigger condition. The HT trigger cir-
cuitry sends its comparator’s output to the payload circuitry
over certain other wire(s) called the trigger signal. Once the
trigger signal is asserted, the payload circuitry performs
the malicious operation called ‘payload’ as intended by the
adversary.
Definition 1. Trigger condition refers to an event, mani-
fested in the form of a particular boolean value of certain
internal/external wires of the circuit, which activates the
HT trigger circuitry.
2. Design specifications can also cover the performance requirements
of the core, and hence pipeline registers etc. added to the core only for
performance reasons can also be considered as ‘necessary’ to meet the
design specifications and will not be counted towards ‘extra’ circuitry.
3A
B S
C
(a) Half Adder
A
B
S
C
1
0
B
A
A+B
B
Sel
(b) Half Adder with HT
Fig. 3. A simple HT: Trigger condition A = B; Normal output S = A⊕B;
Malicious output (under trigger condition) S = B.
Definition 2. Trigger signal or Trigger State refers to a col-
lection of physical wire(s) which the HT trigger circuitry
asserts in order to activate the payload circuitry once a
trigger condition occurs.
The trigger signal must not be confused with trigger
condition; trigger condition is an event which causes the
HT activation, whereas trigger signal is the output of trigger
circuitry which tells the payload circuitry to show malicious
behavior.
Fig. 3 shows an example of a simple HT embedded in a
half adder circuit. The HT-free circuit in Fig. 3a generates a
sum S = A⊕B and a carry C = A ·B. The HT, highlighted
in red in Fig. 3b, triggers when A = B and produces
incorrect results i.e. S = B for A = B and S = A ⊕ B for
A 6= B. Notice the difference between the trigger condition
A = B, and the trigger signal Sel which only becomes 1
when the trigger condition is satisfied.
The Trojan affected circuit in Fig. 3 produces a malicious
output S = 1 for trigger condition A = B = 1 which
is distinguishable from otherwise normal output (S = 0).
However, the same circuit produces a (so called) malicious
output S = 0 for trigger condition A = B = 0 which
is the same as otherwise normal output and cannot be
distinguished from the ‘normal’ behavior of the circuit. This
observation leads us to the definition of explicit vs. implicit
malicious behaviors:
Definition 3. Explicit malicious behavior refers to a behav-
ior of a HT where the HT generated output is distinguish-
able from a normal output.
Definition 4. Implicit malicious behavior refers to a behav-
ior of a HT where the HT generated output is indistin-
guishable from a normal output.
Notice that an adversary may exploit the implicit mali-
cious behavior to bypass functional testing based detection
tools during the testing phase. Once the infected circuit has
passed the testing and is deployed, it can then manifest
explicit malicious behavior to actually deliver the payload.
In other words, implicit malicious behavior can lead to a
false negative.
Definition 5. False Negative refers to a scenario when a
HT detection tool identifies a circuit containing a HT as
a Trojan-free circuit or transforms a circuit containing a
HT into a circuit which still allows the HT to express
implicit or explicit malicious behavior.
Non-Deterministic
Core & Spec
Hardware 
Trojans
Use Standard I/O 
Channels (St)
Use Side 
Channels (Si)
Deterministic 
Core & Spec
𝒕, 𝜶, 𝒅, 𝒍
𝐻𝐷
𝐻𝑁𝐷
Fig. 4. Classification of Hardware Trojans
Clearly, all existing dynamic analysis (i.e. functional
testing) based approaches which assume that a HT is never
triggered during the functional testing phase can suffer from
false negatives because of the implicit malicious behavior.
Neglecting the implicit malicious behavior could lead to
devastating consequences in a security critical application,
e.g. if an adversary designs a HT to significantly increase
the probability of implicit malicious behavior and thus
alleviates the existing HT detection techniques.
2.2 An Exploit
An exploit refers to a loophole in the specifications or
implementation of an IP core which allows an adversary
to manipulate it beyond its intended specifications. Notice
that an exploitable IP core does not have ‘extra’ circuitry
like a Hardware Trojan. Depending upon the nature of the
exploits, they can also deliver the payloads like Hardware
Trojans such as privacy leakage or denial of service etc.
Some examples of exploits are as follows: a wireless connec-
tion that can be overloaded may lead to a denial of service,
a broken AES module due to a predictable key, recent
OpenSSL Heartbleed bug etc. This paper only focuses on
rigorous reasoning about Hardware Trojans (not exploits).
3 CHARACTERIZATION OF HARDWARE TROJANS
In this section, we characterize the trigger activated HTs
based on their following fundamental characteristics that
lead to a clear distinction between the deterministic HD and
non-deterministic HND types.
3.1 St vs. Si Hardware Trojans
Hardware Trojans are first grouped based on the payload
channels they use once activated as shown in Fig. 4. St
refers to the Trojans using only standard I/O channels (this
includes LED outputs etc.) whereas Si represents the Trojans
which also use side channels to deliver the payload. I/O
channels are generally used to communicate binary pay-
loads bj at certain times tj for the duration of the execution
of the IP core. In this sense the view of an I/O channel can
be represented as a sequence (b1, t1), (b2, t2), . . . , (bN , tN ).
Its information is decomposed in three channels: the binary
channel corresponding to (b1, b2, . . . , bN ), the timing chan-
nel corresponding to (t1, t2, . . . , tN ), and the termination
channel N which reveals information about the duration
of the execution of the IP core. If a Trojan delivers some
of its payload over the timing channel (or other side chan-
nels), then we define it to be in Si. If a Trojan delivers all
of its payload using the standard usage of I/O channels
4(the binary and termination channels), then we define it
to be in St. E.g., a HT causing performance degradation in
terms of slower response/termination times due to slower
computation (denial of service in the most extreme case) is
in St.
3.2 HD vs. HND Hardware Trojans
We further refine our description of St Trojans by subdi-
viding them in HD and HND groups based on the IP core
behavior in which they are embedded and their algorithmic
specifications.
Definition 6. HD Trojans are the ones which are:
1) Embedded in an IP core whose output is a function of
only its input – i.e. the logical functionality of the IP
core is deterministic, and
2) The algorithmic specification of the IP core can exactly
predict the IP core behavior.
If any of the two above mentioned conditions is not
satisfied for a St type HT then we consider the HT to be in
HND . A true random number generator (TRNG), for exam-
ple, is a non-deterministic IP core since its output cannot be
predicted and verified by logic testing against an expected
output.3 Any St Trojan in such a core is considered HND .
A pseudo random number generator (PRNG), on the other
hand, is considered a deterministic IP core as its output
depends upon the initial seed and is therefore predictable
by a logic based testing tool (hence HD). Similarly, if the
algorithmic specification allows coin flips generated by a
TRNG then we consider the Trojan to be HND . On the other
hand, if the coin flips are generated by a PRNG then we
regard the Trojan as HD .
The non-deterministic behavior of IP cores and/or their
functional specification which accepts small probabilistic
fluctuations within some acceptable range allows a covert
channel for HND Trojans to embed some minimal malicious
payload in the standard output without being detected by
an external observer [10]. The external observer considers
these small fluctuations as part of the functional specifica-
tion. Hence, the non-deterministic nature of HND Trojans
prohibits the development of a logic testing based tool to
detect these Trojans with overwhelming probability.
4 ADVANCED PROPERTIES OF CLASS HD
In the following discussion, we introduce some crucial
properties of HD Trojans that characterize their complexity
and stealthiness.
4.1 Trigger Signal Dimension d
When a trigger condition of a hardware Trojan occurs,
regardless of the other subsequent user interactions, its trigger
circuitry gets activated and outputs a certain binary value on
a certain trigger signal Trig to activate the payload circuitry
which manifests malicious behavior. A trigger signal Trig
is represented as a labeled binary vector of one or more
wires/registers/flip-flops (each carrying a 0 or 1), e.g. in
the example circuit of Fig. 3, Sel = 1 is a trigger signal. In
3. Any IP core which contains a TRNG as a module, yet the I/O
behavior of the core can still be predicted is considered HD .
other words, Trig represents a trigger state of the circuit
through which the circuit must have passed before mani-
festing malicious behavior. Notice that the trigger state(s)
can be associated back to the occurrence of the respective
trigger condition(s). Hence a HT can be represented by a
set of trigger states T ; i.e. the states which always lead to
malicious behavior (implicit or explicit).
Definition 7. A set T of trigger states represents a HT if the
HT always passes through one of the states in T in order
to express implicit of explicit malicious behavior.
Notice that T is not unique. For example, T could be
T = {(Sel = 1)}, or if Sel is somehow independent
of A and B, then it could also be T = {[(A,B) =
(1, 1)], [(A,B) = (0, 0)]} etc.
We define the trigger signal dimension d of a HT repre-
sented by a set of trigger states T as follows:
Definition 8. Trigger Signal Dimension d(T ) of a HT is
defined as d(T ) = maxTrig∈T |Trig|.
In other words, the trigger signal dimension shows the
width of the widest trigger signal bit-vector of a HT. E.g. for
the HT from Fig. 3b, d(T ) = 1 since the set of trigger states
T = {(Sel = 1)} only has the signal Sel that activates
the payload circuitry is only 1-bit wide (and hence easy to
detect). In the next section, we show that one can design
HTs with high dimensional trigger signals. Obviously, it
becomes difficult to detect HTs which only have high di-
mensional sets of trigger states, i.e. large trigger signals. The
set of possible values of a given trigger signal Trig grows
exponentially in d = |Trig| and only one value out of this
set can be related to the occurrence of the corresponding
trigger condition. Clearly, since in theory d can be as large
as the number of wires n in the IP core, HD represents an
exponentially (in n) large class of possible HTs.
4.2 Payload Propagation Delay t
For a set T which represents a HT, we know that if the HT
manifests malicious behavior, then it must have transitioned
through a trigger state Trig ∈ T at some previous clock
cycle. Therefore, we define the payload propagation delay t as
follows:
Definition 9. Payload Propagation Delay t(T ) of a hard-
ware Trojan represented by a set of trigger states T is
defined as the maximum number of clock cycles taken
to propagate the malicious behavior to the output after
entering a trigger state in T .
I.e., the number of clock cycles from the moment when a
trigger signal is asserted till its resulting malicious behavior
shows up at the output port. E.g., consider a counter-based
HT where malicious behavior immediately (during the same
clock cycle) appears at the output as soon as a counter
reaches a specific value. Then, t({Trig}) = 0 for the trigger
signal Trig which represents the occurrence of the specific
counter value (i.e. trigger condition). However, notice that
any counter value j clock cycles before reaching the ‘specific
value’ can also be considered as a trigger signal Trig with
t({Trig}) = j, because eventually after j cycles this Trig
manifests the malicious behavior.
5To detect a HT with a large value of t(T ), the memory
requirement and complexity of logic testing based detection
tool is increased. However, for any HT, typically there exists
a set of trigger signals which represents the HT and which
has a small t because of a small number of register(s)
between the trigger signal and the output port.
4.3 Implicit Behavior Factor α
In addition to previously discussed properties of Trojans,
the IP core in which the Trojan is embedded plays a crit-
ical role in its stealthiness. According to the definition of
implicit malicious behavior, it may not always be possible
to distinguish a malicious output from a normal output just
by monitoring the output ports. Consequently, the implicit
malicious behavior adds to the stealthiness of the HT since
it creates a possibility of having a false negative under logic
testing based techniques. We quantify this possibility by
defining the implicit behavior factor α as follows:
Definition 10. Implicit Behavior Factor α(T ) of a HT is the
probability that given the HT is triggered, it will manifest
implicit malicious behavior.
In other words, the higher the value of α, the lower
the chance of detection by logic testing even if the HT
gets triggered and hence the higher the overall stealthiness
of the HT. E.g. for the HT from Fig. 3b with the trigger
condition A = B, if (A,B) = (1, 1) then the malicious
output S = 1 is distinguishable from the normal output
(i.e. S = 0). However for (A,B) = (0, 0), the malicious4
output S = 0 is indistinguishable from the normal output
(i.e. S = 0), i.e. the implicit malicious behavior comes into
the picture. Hence, given that this particular HT activates,
the probability that the HT-generated (malicious) output is
indistinguishable from the normal output is α(T ) = 0.5
which represents the implicit behavior factor of this HT.
4.4 Trigger Signal Locality l
We notice that the individual wires of a HT trigger signal
of dimension d are logically/physically located in the close
vicinity of each other in the circuit netlist/layout. This is
because eventually these wires need to coordinate (through
some combinational logic) with each other to perform the
malicious operation. Based on this observation, we intro-
duce the idea of locality in gate level circuits, similar to the
region based approach in [11].
Consider the simple combinational circuit from Fig. 5a.
Based on this circuit, we draw a locality graph shown in
Fig. 5b whose nodes represent the wires of the circuit and
each edge between any two nodes represents connectivity
of the corresponding two wires through a combinational
logic level. In other words, each logic gate of the circuit
is replaced by multiple edges (three in this case) in the
graph which connect together the nodes corresponding to
its inputs and the output. For any two nodes (i.e. wires)
i and j in a locality graph, we define dist(i, j) as the
shortest distance between i and j. In other words, dist(i, j)
represents the minimum number of basic combinational or
4. The output is considered malicious because it is generated by an
activated hardware Trojan.
A
B
C
D
E
F
O
(a) A simple circuit
A
C
B
D
E
F
O
1
2
1
(b) Locality Graph of the circuit
Fig. 5. Example of Locality Graph
sequential logic levels (e.g. logic gates and/or flip flops)
between wires i and j. E.g. dist(E,B) = dist(E,C) = 1,
whereas dist(E,O) = dist(E,A) = 2.
Definition 11. Trigger Signal Locality l(T ) of a HT repre-
sented by the set of trigger states T is defined as:
l(T ) = max
Trig∈T
(
max
0≤i,j<|Trig|
dist(Trig[i], T rig[j])
)
where Trig[i] represents the label of the ith wire in Trig.
A low value of l(T ) shows that the trigger signal wires
of the HT are in the close vicinity of each other and vice
versa. Having a notion of locality can significantly reduce
the computational complexity of logic testing based HT
detection tools.
4.5 Achievable Quadruples (d, t, α, l)
A Hardware Trojan can be represented by multiple sets of
trigger states T , each having their own d, t, α, and l values.
The collection of corresponding quadruples (d, t, α, l) is
defined as the achievable region of the Hardware Trojan.
The choice of parameters d and t significantly affects
α of the HT. α as a function of t and d is decreasing
in both t and d. Reducing t means that explicit malicious
behavior may not have had the chance to occur, hence, the
probability α that no explicit malicious behavior is seen
increases. Similarly, reducing d can increase α since as a
result of smaller d, there may not exist a set of trigger signals
T that represents the HT and satisfies d(T ) ≤ d. Increasing t
or d only decreases α down to a certain level; the remaining
component of α represents the inherent implicit malicious
behavior of the HT.
5 EXAMPLES OF HD TROJANS
In this section, we present some examples of new HTs from
the class HD . These HTs demonstrate how the properties of
HD Trojans defined in the previous section play a significant
role in determining the stealthiness of these HTs.
6Q3 Q2 Q1 Q0LFSR
Data
Secret
Data
Secret
W1=Q1
W2
OutW1
0
1
0
1
0
1
W3
(a) A counter based HD Trojan. Trigger Condition:
LFSR = 1101; Trigger Signal: (W1,W2); Pay-
load: Leak Secret
Cycle Q3 Q2 Q1 Q0 W1 W2 W3
0 1 0 1 0 1 1 0
1 0 1 0 1 0 0 0
2 1 0 1 1 1 1 0
3 0 1 1 1 1 1 0
4 1 1 1 1 1 1 1
5 1 1 1 0 1 1 0
6 1 1 0 0 0 0 0
7 1 0 0 0 0 0 0
8 0 0 0 1 0 0 0
9 0 0 1 0 1 1 0
10 0 1 0 0 0 0 0
11 1 0 0 1 0 0 0
12 0 0 1 1 1 1 0
13 0 1 1 0 1 1 0
14 1 1 0 1 0 1 1
(b) Truth Table of the Trojan affected circuit. Trigger Condition:
LFSR = 1101
Fig. 6. A Counter-Based HD Trojan having Trigger Signal Dimension
d = 2.
5.1 A Counter-Based HD Trojan
The example Trojan shown in Fig. 6a can leak Secret
via Out port instead of Data once it is activated. The
trigger condition of this Trojan is generated by a counter,
when reached to (1101), which is implemented as a 4-bit
maximal LFSR in order to have maximum possible time
before the Trojan gets triggered. The LFSR is initialized to
(Q3, Q2, Q1, Q0) = (1010). At 14th clock cycle, the trigger
condition (i.e. LFSR = 1101) occurs, the HT gets triggered
and produces W1 6= W2 on the trigger signal (W1,W2).
This results in the activation of payload circuitry (the group
of three MUXes) which leaks the secret.
It can be seen in Fig. 6b that all individual wires related
to the HT circuitry are continuously showing transitions
without activating the HT during several clock cycles before
reaching to the trigger condition (i.e. cycle 14). Therefore,
clearly those existing logic testing based HT detection tech-
niques which only look for simplistic one-dimensional HT
rk … … r3 r2 r1LFSR
Feedback Logic
A1
A2
…
Selective 
Connections
Ak
…
O
Fig. 7. k-XOR-LFSR: A general HD Trojan.
(i.e. d = 1) trigger signals do not see any ‘suspicious’
wire which is stuck at 0 or 1, and hence this HT is not
detected unless it gets activated in a long testing phase. This
shows that this HT has a trigger signal dimension d = 2
since two wires W1 and W2 together constitute the trigger
signal. Since counter based HTs can have large counters, it
may not always be feasible to activate them during testing.
Consequently, in order to efficiently detect such HTs, the
knowledge of such design parameters must be incorporated
while designing the HT countermeasures.
5.2 An Advanced HD Trojan: k-XOR-LFSR
Fig. 7 depicts k-XOR-LFSR, a counter based Trojan with the
counter implemented as an LFSR of size k. The Trojan is
merged with the circuitry of an IP core which outputs the
XOR of k inputs Aj .
Let ri ∈ {0, 1}k denote the LFSR register content at clock
cycle i represented as a binary vector of length k. Suppose
that u is the maximum index for which the linear space L
generated by vectors r0, . . . , ru−1 (modulo 2) has dimension
k − 1. Since dim(L) = k − 1 < k = dim({0, 1}k), there
exists a vector v ∈ {0, 1}k such that, (1) the inner products
〈v, ri〉 = 0 (modulo 2) for all 0 ≤ i ≤ u−1, and (2) 〈v, ru〉 =
1 (modulo 2). Only the register cells corresponding to vj = 1
are being XORed with inputs Aj .
Since the Aj are all XORed together in the specified
logical functionality to produce the sum
∑
j Aj , the Trojan
changes this sum to∑
j
Aj ⊕
∑
j:vj=1
rij =
∑
j
Aj ⊕ 〈v, ri〉.
I.e., the sum remains unchanged until the u-th clock cycle
when it is maliciously inverted.
The trojan uses an LFSR to generate register values
ri ∈ {0, 1}k for each clock cycle i and we assume in our
analysis that all vectors ri behave like random vectors from
a uniform distribution. Then, it is unlikely that u is more
than a small constant larger than k (since every new vector
ri has at least probability 1/2 to increase the dimension by
one). Therefore, u ≈ k, hence, the register size of the trojan
is comparable to the number of clock cycles before the trojan
is triggered to deliver its malicious payload. This makes the
trojan somewhat contrived (since it can possibly be detected
by its suspiciously large area overhead).
72
2.02
2.04
2.06
2.08
2.1
2.12
2.14
0 5 10 15 20 25 30 35
d
t
Lower Bound on ‘d’
(k=256)
(a) k = 256
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
2 4 8
1
6
3
2
6
4
1
2
8
2
5
6
5
1
2
1
0
2
4
2
0
4
8
4
0
9
6
d
k
Lower bound on ‘d’
(t=0)
(b) t = 0
Fig. 8. Lower bounds on d for k-XOR-LFSR.
Since inputsAj can take on any values, any trigger signal
Trig must represent a subset of the LFSR register content.
Suppose t({Trig}) = j. Then Trig must represent a subset
of ru−j . We will proceed with showing a lower bound on
d({Trig}). Consider a projection P to a subset of d register
cells; by r|P we denote the projection of r under P , and we
call P d-dimensional. If ru−j |P ∈ {ri|P : 0 ≤ i < u − j},
then the wire combination of the d wires corresponding to
ru−j |P cannot represent Trig (otherwise t({Trig}) > j): if
this is the case for all d dimensional P , then Trig cannot
represent a subset of ru−j . The probability that ru−j |P ∈
{ri|P : 0 ≤ i < u − j} is at least equal to the probability
that {ri|P : 0 ≤ i < u−j} = {0, 1}d, which is (by the union
bound)
≥ 1−
∑
w∈{0,1}d
Prob({ri|P : 0 ≤ i < u− j} ⊆ {0, 1}d \ {w})
= 1−
∑
w∈{0,1}d
(1− 1/2d)u−j ≈ 1− 2de−(u−j)/2d
Since there are
(
k
d
) ≤ kd/d! projections, Trig cannot repre-
sent a subset of ru−j with probability
≥ (1− 2de−(u−j)/2d)kd/d! (1)
For d ≤ log(u−j)−log(log(u−j) log k+log log k), this lower
bound is about ≥ 1/e. Since u ≈ k and after neglecting the
term log log k, this shows an approximate lower bound on
d({Trig}), i.e.,
≥ log(k − t({Trig}))− log(log(k − t({Trig})) log k)
This characterizes the stealthiness of the k-XOR-LFSR.
In other words, the stealthiness of k-XOR-LFSR can be
increased with k within the acceptable area overhead limits.
Fig. 8 shows the lower bounds on d for this HT for fixed
values of k and t; if t({Trig})) = 0, then d({Trig}) ≥
log k − 2 log log k. The HT can be designed for any point
in the region above the lower bound. For the HT shown in
Fig. 7, clearly α(Trig) = 0 since it always produces incorrect
output immediately once the HT gets triggered.
6 CHARACTERIZING TRUSTHUB BENCHMARKS
Trusthub [7] benchmark suite includes a wide variety of
Hardware Trojans including trigger-activated and always-
active Trojans; Trojans that use standard IO channels as well
as side channels. In this section, we analyze the TrustHub
benchmarks with respect to our definitional framework. As
TABLE 1
Classification of Trusthub Benchmarks w.r.t. our definitional framework
Type d t α Benchmarks
St
D 1
0
1/232 BasicRSA-T{100, 300}
0.5 s15850-T100, s38584-T{200, 300}
0-0.25 wb conmax-T{100, 200, 300}
0-0.87 RS232-T{100, 800, 1000, 1100, 1200, 1300, 1400,1500, 1600, 1700, 1900, 2000}
1
0.5 b15-T{300,400}
0.5-0.75 s35932-T{100, 200}
0-0.06 RS232-T{400, 500, 600, 700, 900, 901}
2
0.5 vga-lcd-T100, b15-T{100, 200}
0.87 s38584-T100
3
1/232 BasicRSA-T{200, 400}
0.5 s38417-T100
5 0.99 s38417-T200
7 0.5 RS232-T300
8 0.5 s35932-T300
ND N/A MC8051-T{200, 300, 400, 500, 600, 700, 800},PIC16F84-T{100, 200, 300, 400}
Si N/A
AES-T{400, 600, 700, 800, 900, 1000, 1100, 1200,
1300, 1400, 1500, 1600, 1700, 2000, 2100}, s38417-
T300, AES-T{100, 200, 300}
mentioned earlier, our HD class of HTs covers majority of
the relevant benchmarks from TrushHub. Here we present
the values of design parameters (d, t, α) for these bench-
marks which provide a deeper insight about the stealthiness
of these well known HTs.
TABLE 1 shows the relevant5 benchmarks from Trusthub
categorized according to our framework. St-D group (i.e.
HD Trojans) is further subdivided based on the properties
(d, t, α). All these Trojans happen to be represented by a
single trigger of dimension d = 1 (i.e., the trigger is a single
wire); whereas their corresponding t and α values6 are listed
in TABLE 1.
To determine t values of these trojans, we simply count
the minimum number of registers between the trigger signal
wires(s) and the output port of the IP core. Since precisely
calculating α can be almost impossible for large circuits, we
estimate α values through experiments. We argue that these
estimated values closely represent the corresponding actual
values of α, hence TABLE 1 fits the definition of α. In order
to estimate α values, we first find the smallest chain of logic
gates starting from the trigger signal wire(s) till the output
port of the IP core (ignoring any registers in the path). Then
for each individual logic gate, we compute the probability
of propagating a logic 1 (considering that the trigger wire(s)
get a logic 1 upon a trigger event), e.g. an AND gate has
the probability 1/4 of propagating a logic 1, whereas an
XOR gate has the probability 1/2. Finally we compute an
aggregate probability of propagation by multiplying all the
probabilities of each logic gate in the chain, which gives the
value 1− α.
Notice that all these St-D Trojans have a very low value
5. Not all of the benchmarks from TrustHub are listed in TABLE 1,
because some of them have no payload, such as RS232-T200. Similarly
the payloads of some other benchmarks are harmless which would be
removed by synthesis tools. E.g. RS232-T1800, which just adds three
inverters to waste energy.
6. α values show estimated upper bounds on probabilities.
8of d (particularly d = 1) which reflects their low stealthiness,
and hence the fact that these publicly available benchmarks
represent only a small subset consisting of simple Trojans.
Even though some of these benchmarks have high values of
α (e.g. s38584-T100 and s38417-T200), however in practice,
having a very high value of α may not always be useful for
the adversary. Ideally, on one hand, the adversary wants the
Trojan to be triggered in the logic testing phase only once,
and remain undetected (i.e. by having high α) so that the
Trojan trigger is whitelisted. On the other hand, after the
testing phase, he wants the Trojan to deliver the payload
by disrupting the normal output (i.e. by having low α),
otherwise the Trojan is not useful for him. Therefore, the
adversary would like to have a sweet spot between the high
and low ends of α values.
St-ND (i.e.HND group) and Si Trojans are out of scope of
this paper. In our model, some TrustHub benchmarks, e.g.
MC8051 series, are considered to be in HND group because
of their flexible design specifications. The specification of
a processor is relatively flexible about the timing/ordering
of outputs (e.g. instructions execution) due to some unpre-
dictable factors like interrupt requests etc. This flexibility,
however, makes it harder for logic testing based tools to
verify the functional correctness of the design. However, if
there exists a precise and strict model for these cores, such
HTs can still be analyzed in our model.
7 RELATED WORK
Hardware trojans have recently gained significant interest
in the security community [12], [13], [14]. The works [13]
and [14] showed how malicious entities can exist in hard-
ware, while Skorobogatov et al. [15] showed evidence of
such backdoors in military grade devices. Nefarious designs
have also been deployed and detected in wireless communi-
cations devices [16]. Recent works have mostly focused on
detection [17] and identification schemes [18], which assess
to what extent the pieces of hardware may be vulnerable,
and how related trojans can be classified. State of the art HT
detection schemes include UCI [2], VeriTrust [5], FANCI [6]
and DeTrust [8]. Typically, HT detection techniques only
show their detection capabilities for HTs from the TrustHub
benchmarks suite, in which all trojans are explicitly trig-
gered. This explicitness forgoes the lack of implicitness,
due to which all the above schemes are able to detect
the benchmarked trojans. These schemes, however, do not
cater for higher dimensional (d > 1) trojans or the added
stealthiness because of the implicit malicious behaviors (i.e.
α). DeTrust presents a trojan example which bypasses other
existing countermeasures, and interestingly it happens to
have the dimension d = 2. However, this property has not
been noticed or analyzed in that paper. We fill these gaps
by providing a detailed and rigorous framework to reason
about HT characteristics and their impact on the detection
schemes.
Further works construct and detect HTs that use side
channels [19], [20], [21]. Such HTs remain implicitly on, and
have usually no effect on the normal functionality of the
circuit. Side channels include power based channels [22], as
well as heat based channels [23]. Power based HTs force the
circuit to dissipate more and more power to either damage
the circuit, or simply waste energy. Heat based HTs leak
important information via heat maps [24], where highs and
lows in heat dissipation can be interpreted as logic 1’s and
0’s. Our work only focuses on HTs that perturb standard
I/O channels; analyzing side channel models/frameworks
is out of scope of this paper.
8 CONCLUSION
We provide the first rigorous framework of Hardware Tro-
jans within which “Deterministic Trojans”, the class HD is
introduced. We discover several stealthiness parameters of
the Hardware Trojans from HD which lead us to design
a much more stealthy XOR-LFSR Hardware Trojan. This
shows that the current publicly known Hardware Trojans
are the simplest ones in terms of stealthiness, and hence they
represent just the tip of the iceberg at the huge landscape of
Hardware Trojans.
We conclude that our framework allows the Hardware
Trojan research community to rigorously reason about the
stealthiness of different Hardware Trojans and the effec-
tiveness of existing countermeasures. The Hardware Trojan
design principles introduced in this paper encourage and
assist in designing new and even stronger countermeasures
for highly stealthy and sophisticated Hardware Trojans.
REFERENCES
[1] S. Morioka and A. Satoh, “A 10 gbps full-aes crypto design with
a twisted-bdd s-box architecture,” in Computer Design: VLSI in
Computers and Processors, 2002. Proceedings. 2002 IEEE International
Conference on, 2002, pp. 98–103.
[2] M. Hicks, M. Finnicum, S. King, M. Martin, and J. Smith, “Over-
coming an untrusted computing base: Detecting and removing
malicious hardware automatically,” in Security and Privacy (SP),
2010 IEEE Symposium on, May 2010, pp. 159–172.
[3] J. Zhang and Q. Xu, “On hardware trojan design and implemen-
tation at register-transfer level,” in Hardware-Oriented Security and
Trust (HOST), 2013 IEEE International Symposium on, June 2013, pp.
107–112.
[4] C. Sturton, M. Hicks, D. Wagner, and S. T. King, “Defeating
uci: Building stealthy and malicious hardware,” in Proceedings
of the 2011 IEEE Symposium on Security and Privacy, ser. SP ’11.
Washington, DC, USA: IEEE Computer Society, 2011, pp. 64–77.
[5] J. Zhang, F. Yuan, L. Wei, Z. Sun, and Q. Xu, “Veritrust: Verifica-
tion for hardware trust,” in Proceedings of the 50th Annual Design
Automation Conference, ser. DAC ’13. New York, NY, USA: ACM,
2013, pp. 61:1–61:8.
[6] A. Waksman, M. Suozzo, and S. Sethumadhavan, “FANCI: Iden-
tification of stealthy malicious logic using boolean functional
analysis,” in Proceedings of the 2013 ACM SIGSAC Conference on
Computer & Communications Security, ser. CCS ’13. New York, NY,
USA: ACM, 2013, pp. 697–708.
[7] M. Tehranipoor, R. Karri, F. Koushanfar, and M. Potkonjak,
“Trusthub,” http://trust-hub.org.
[8] J. Zhang, F. Yuan, and Q. Xu, “Detrust: Defeating hardware trust
verification with stealthy implicitly-triggered hardware trojans,”
in Proceedings of the 2014 ACM SIGSAC Conference on Computer &
Communications Security, 2014, to appear.
[9] S. Bhunia, M. Hsiao, M. Banga, and S. Narasimhan, “Hardware
trojan attacks: Threat analysis and countermeasures,” Proceedings
of the IEEE, vol. 102, no. 8, pp. 1229–1247, Aug 2014.
[10] M. Bellare, K. G. Paterson, and P. Rogaway, “Security of symmetric
encryption against mass surveillance,” in International Cryptology
Conference. Springer, 2014, pp. 1–19.
[11] M. Banga and M. Hsiao, “Trusted rtl: Trojan detection methodol-
ogy in pre-silicon designs,” in Hardware-Oriented Security and Trust
(HOST), 2010 IEEE International Symposium on, June 2010, pp. 56–
59.
9[12] M. Tehranipoor and F. Koushanfar, “A survey of hardware trojan
taxonomy and detection,” Design Test of Computers, IEEE, vol. 27,
no. 1, pp. 10–25, Jan 2010.
[13] S. T. King, J. Tucek, A. Cozzie, C. Grier, W. Jiang, and Y. Zhou,
“Designing and implementing malicious hardware,” in Proceedings
of the 1st Usenix Workshop on Large-Scale Exploits and Emergent
Threats, ser. LEET’08. Berkeley, CA, USA: USENIX Association,
2008, pp. 5:1–5:8.
[14] S. Adee, “The hunt for the kill switch,” Spectrum, IEEE, vol. 45,
no. 5, pp. 34–39, May 2008.
[15] S. Skorobogatov and C. Woods, “Breakthrough silicon scanning
discovers backdoor in military chip,” in Proceedings of the 14th
International Conference on Cryptographic Hardware and Embedded
Systems, ser. CHES’12. Berlin, Heidelberg: Springer-Verlag, 2012,
pp. 23–40.
[16] Y. Liu, Y. Jin, and Y. Makris, “Hardware trojans in wireless cryp-
tographic ics: silicon demonstration & detection method evalu-
ation,” in Proceedings of the International Conference on Computer-
Aided Design. IEEE Press, 2013, pp. 399–404.
[17] T. Reece, D. Limbrick, X. Wang, B. Kiddie, and W. Robinson,
“Stealth assessment of hardware trojans in a microcontroller,” in
Computer Design (ICCD), 2012 IEEE 30th International Conference on,
Sept 2012, pp. 139–142.
[18] S. Wei, K. Li, F. Koushanfar, and M. Potkonjak, “Provably complete
hardware trojan detection using test point insertion,” in Computer-
Aided Design (ICCAD), 2012 IEEE/ACM International Conference on,
Nov 2012, pp. 569–576.
[19] R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor, “Trust-
worthy hardware: Identifying and classifying hardware trojans,”
Computer, vol. 43, no. 10, pp. 39–46, Oct 2010.
[20] S. Wei, K. Li, F. Koushanfar, and M. Potkonjak, “Hardware trojan
horse benchmark via optimal creation and placement of malicious
circuitry,” in Proceedings of the 49th Annual Design Automation
Conference, ser. DAC ’12. New York, NY, USA: ACM, 2012, pp.
90–95.
[21] R. Chakraborty and S. Bhunia, “Security against hardware trojan
through a novel application of design obfuscation,” in Computer-
Aided Design - Digest of Technical Papers, 2009. ICCAD 2009.
IEEE/ACM International Conference on, Nov 2009, pp. 113–116.
[22] S. Narasimhan, X. Wang, D. Du, R. Chakraborty, and S. Bhunia,
“Tesr: A robust temporal self-referencing approach for hardware
trojan detection,” in Hardware-Oriented Security and Trust (HOST),
2011 IEEE International Symposium on, June 2011, pp. 71–74.
[23] S. Narasimhan, D. Du, R. Chakraborty, S. Paul, F. Wolff, C. Pa-
pachristou, K. Roy, and S. Bhunia, “Hardware trojan detection
by multiple-parameter side-channel analysis,” Computers, IEEE
Transactions on, vol. 62, no. 11, pp. 2183–2195, Nov 2013.
[24] D. Forte, C. Bao, and A. Srivastava, “Temperature tracking: An
innovative run-time approach for hardware trojan detection,”
in Computer-Aided Design (ICCAD), 2013 IEEE/ACM International
Conference on, Nov 2013, pp. 532–539.
