side-channel. The proposed logic family is synthesizable; thus, it can be ported to Application-Specific Integrated Circuits (ASIC) with minimal effort.
To summarize, this paper proposes a logic family which does not exhibit idle states (thus, it is always active and evades the first detection method), makes the power consumption independent of the processed data and/or operations (thus, it conceals the power consumption and evades the second detection method), and can readily be implemented with FPGA primitives. The contributions of this paper are as follows.
• Logic family with Frequency Modulation (FM), which does not exhibit idle states, thus being able to escape detection schemes based on unused-circuit identification.
• Trojan FM logic circuit augmentation to evade detection schemes based on power consumption.
• Payload which communicates in a controlled fashion through a power consumption side-channel.
• Detection approaches for hardware Trojans built in the proposed logic family with frequency modulation.
II. BACKGROUND
... Look-Up Table (LUT) to implement bit-level logic functions, carry logic to support arithmetic operations such as binary / ternary adders [17], dedicated multiplexors, and Flip-Flops (FF).
Software support includes macros and primitives, such as CARRY4, which concatenates four LUTs to build a 4-bit binary / ternary adder, MUXF7 and MUXF8, which instantiate 2-to-1 multiplexors, and BRLSHFT4 and BRLSHFT8, which instantiate 4-bit and 8-bit barrel shifters. The DSP units are part of the coarse-grained fabric and implement large two's-complement multipliers and accumulators. The configurable interconnection network connects these modules together to implement digital circuits.
Modern FPGAs also integrate Block Random Access Memories (BRAM) on chip. For example, the BRAM in the Virtex-7 family [18] can operate as either one 36 Kb dual-port RAM or two independent 18 Kb dual-port RAMs.
These BRAMs can be used as large storage areas or large LUTs with multiple outputs to implement logic functions.
Modern FPGAs offer a large number of flip-flops of different types along with their software primitives [19] . The LUT6 primitive refers to a 6-input, 1-output look-up table (LUT) that can either act as an asynchronous 64-bit ROM (that is, with a 6-bit address bus) or implement an arbitrary 6-input logic function. LUTs and flip-flops are the most basic logic building blocks in FPGA circuitry. They will be used in implementing the Trojan logic with frequency modulation.
III. HARDWARE TROJANS
A hardware Trojan is characterized by its activation mechanism, which is referred to as a trigger, and the malicious function that it implements, which is referred to as a payload [5], [20]. The activation of a Trojan is a statistically rare event, such that the end users or the standard verification tests during manufacturing will very likely not trigger it. In this respect, a hardware Trojan is a stealthy circuit [3].
Based on their trigger mechanism, malicious circuits are classified as follows. Condition-based Trojans are inactive until a specific condition is met (for example, the attacker provides a special input or a particular value occurs on the data bus). Always-on Trojans operate continuously, but they are inserted on nodes which are rarely exercised [15] .
The payload can take many forms. In one scenario, sensitive data (such as an encryption key) can be sent to the attacker through an output port, which normally transmits plain text. In another scenario it is possible to send the sensitive data to the attacker through side channels in which power consumption or some electromagnetic radiation originating from the chip can be modulated with the encryption key. The payload can also compromise the operation of the circuit, or it can even physically destroy the chip.
As mentioned, there are three major detection methods. The first method, Malicious Circuit Activation (MCA), is based on applying stimuli at the circuit's inputs to determine under which conditions the malicious hardware is activated [5]. Since hardware Trojans are stealthy circuits, this method can be very time consuming; thus, it is ineffective at consistently detecting trigger states. The Unused Circuit Identification (UCI) method proposed by Hicks et al. is complementary to MCA [9]. It flags as suspicious those circuits that are not activated under normal operating conditions or by design verification tests [9]. Waksman, Suozzo, and Sethumadhavan proposed a UCI-class analysis for nearly-unused circuit identification [21], which aims to find gates and their inputs that very rarely impact the outputs of a logic circuit. In the same class of unused circuit identification methods, VeriTrust, which was proposed by Zhang et al., performs a logic analysis to identify the unused inputs of a logic circuit [22].
Malicious hardware designs able to evade the UCI analysis are discussed next.
Sturton et al. proposed to create a circuit in which no pair of dependent signals are always equal under the non-trigger condition [23]. This is equivalent to saying that the logic circuitry spanned by these signals is not idle.
In their work the authors do not mention whether it is always possible to generate such a circuit, nor with what design effort. Circuits with frequency modulation are always active; therefore, there are no circuit existence concerns in the proposed logic.
Zhang and Xu [24] and later Zhang, Yuan, and Xu [25] have proposed implementations to evade Trojan detection through tests in the UCI class. Rather than implementing a very rare global trigger condition, which is not activated during standard verification but can be captured by UCI and deemed suspicious, the authors propose to implement sub-trigger conditions that can each be covered by standard verification. This way, the sub-trigger conditions will not be labeled as suspicious. Then, these sub-trigger conditions are integrated using logic operators. However, the global trigger condition output is idle until the condition is activated. This is one weakness of this technique. A second weakness, which is acknowledged by the authors, is that it is nearly impossible to sensitize all non-trigger conditions, which in turn could cause the Trojans to be detected by UCI techniques. To evade the UCI techniques without exercising all non-trigger conditions, the trigger condition needs to be carefully partitioned such that the probability of each sub-trigger condition is increased. This requirement is in contradiction with the need for an as-controllable-as-possible Trojan payload, making the design and implementation of a hardware Trojan very challenging [24]. The proposed logic family with frequency modulation can escape the UCI tests while ensuring the flexibility of controlling the payload.
April 6, 2020 DRAFT
Krieg, Wolf, and Jantsch have proposed an RTL-level Trojan [26] . Their malicious circuit is triggered under the control of the software tool at the time when the FPGA bitstream is generated; therefore, any test performed at the RTL level will not raise suspicion. The described logic family with frequency modulation allows the implementation of hardware Trojans at the RTL level but without the help of any software tool, which will allow the distribution of the IP in RTL form.
A second major detection method of malicious circuits is based on side-channel analysis, in which circuit parameters, such as propagation delay or power consumption, are estimated or measured to determine the Trojan contribution [10] , [12] . Hiding (or concealing) countermeasures maintain a constant power consumption; thus, the hardware Trojan is stealthy. This is a problem related to attack and defense of cryptosystems based on power consumption [27] - [29] .
In the third major detection method of malicious circuits, monitoring architectures can be deployed on chip to indicate whether the original physical placement or layout of the integrated circuit design has been changed.
Examples in this class include the use of ring oscillators [12], [13]. Recall that the hardware Trojan logic family is designed to infect synthesizable IPs for FPGAs, for which an original physical placement does not yet exist. This makes the monitoring architectures immaterial for this paper.
IV. LOGIC FAMILY WITH FREQUENCY MODULATION
Similar to the Illinois Malicious Processor, which includes a state machine that looks for a special sequence of bytes on the data bus to activate the Trojan's payload [30] , the proposed hardware Trojan is activated by a specific (long) string of processor operation codes. Since each operation code is part of the processor architecture, it will be sensitized during functional testing and, therefore, will escape a UCI-class analysis. It will be understood that a Trojan's activation based on a string of operation codes is given in this paper by way of example and not by limitation. Other (long) strings of events can be conceived to trigger the proposed Trojan.
In order to evade a UCI-class analysis the output of any gate implementing the trigger circuit must not be idle. Synthesizable Trojans mapped onto FPGAs would require that gates and circuits with continuous activity be implemented with standard primitives, which are abundant in the reconfigurable fabric. This is achieved by a logic family with frequency modulation described below.
In standard logic, the information is encoded into the amplitude of the signal, where Logic '1' is encoded as a large amplitude signal, V_DD, and Logic '0' is encoded as a small amplitude signal, GND. In the proposed logic the information is encoded into the frequency of a periodic signal, where Logic '1' is encoded as a high frequency signal, f_1, and Logic '0' is encoded as a low frequency signal, f_0. The signal modulation in frequency
Figure 4 summarizes the operation of the FM OR gate. The standard logic values are combined in Stage 4, and the result will be stored in Stage 5 in the output shift register. It is apparent that the latency of the FM gate is 8 stage delays, which is needed for the result to make a complete turn in the circular shift register.
... be observed that the LUT output will never stay at a constant level; thus, it will evade a UCI analysis.
If an FM logic gate with more than five inputs is to be implemented, then multiple LUTs are needed. In this case it must be ensured that none of the LUT outputs will stay at a constant level. For example, two LUTs are needed to implement the following seven-input function F:
[Table: Signals | Logic States in each Stage]
To avoid a constant value, which is detectable through a UCI analysis, F needs to be implemented with two FM gates, which guarantees activity at each FM gate output.
As mentioned, a lack of activity can be detected through UCI techniques. Only the clock should exhibit a very high level of activity; any other function that exhibits such a high level of activity will be suspicious. In FM logic, the shortest length of the circular shift register is 4, in which case the activity is 25% for FM Logic '0' and 50% for FM Logic '1'. Figure 1 shows circular shift registers with eight stages, which means that the activity is 12.5% for FM Logic '0' and 25% for FM Logic '1'. By increasing the length of the circular shift registers the activity level decreases, serving the purpose of hiding the Trojan. An additional benefit of longer circular shift registers is that they allow for the implementation of multi-level logic. For example, in a circular shift register of length 8, extra information can be encoded into Stages 2 and 6.
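The activity figures above, and the reason a UCI-style check never flags an FM net, can be checked with a small behavioural model. The following Python is an added example, not code from the paper; it assumes (as Figure 1 and the activity percentages imply) that FM Logic '0' is one '1' circulating in an N-stage circular shift register and FM Logic '1' is two '1's spaced N/2 apart, and it adds a defender's activity-threshold check alongside the plain UCI idle-net criterion. The net names and the `demo` function are constructed for illustration.

```python
"""Behavioural model of FM-logic circular shift registers (CSRs), with a
UCI-style idle-net check and the activity heuristic from the text.
Added example; the CSR encoding below is an assumption drawn from the
paper's activity figures, not a reproduction of its circuits."""
from typing import Dict, List


def csr_initial_state(bit: int, n: int) -> List[int]:
    """Initial CSR contents encoding FM Logic `bit` in `n` stages
    (assumed: '0' = one pulse per period, '1' = two pulses per period)."""
    if n % 2 or n < 4:
        raise ValueError("CSR length must be even and at least 4")
    ones = [0, n // 2] if bit else [0]          # stage indices holding a '1'
    return [1 if i in ones else 0 for i in range(n)]


def csr_output_trace(bit: int, n: int, cycles: int) -> List[int]:
    """Output of the last stage over `cycles` clock cycles as the CSR rotates."""
    state = csr_initial_state(bit, n)
    trace = []
    for _ in range(cycles):
        trace.append(state[-1])                 # tap the last stage
        state = [state[-1]] + state[:-1]        # rotate right by one stage
    return trace


def activity(trace: List[int]) -> float:
    """Fraction of cycles in which the net is high."""
    return sum(trace) / len(trace)


def uci_idle_nets(nets: Dict[str, List[int]]) -> List[str]:
    """Plain UCI criterion: a net that never changes during the tests is suspicious."""
    return sorted(name for name, t in nets.items() if len(set(t)) == 1)


def high_activity_nets(nets: Dict[str, List[int]], threshold: float, clock_name: str) -> List[str]:
    """Activity heuristic from the text: only the clock may be this active."""
    return sorted(name for name, t in nets.items()
                  if name != clock_name and activity(t) >= threshold)


def demo(n: int = 8, cycles: int = 64) -> Dict[str, object]:
    # Constructed test bench: a clock, an idle standard-logic trigger net,
    # and one FM net per logic value, all observed for `cycles` clock cycles.
    nets = {
        "clk": [i % 2 for i in range(cycles)],
        "stuck_trigger": [0] * cycles,
        "fm_zero": csr_output_trace(0, n, cycles),
        "fm_one": csr_output_trace(1, n, cycles),
    }
    return {
        "uci_flagged": uci_idle_nets(nets),              # only the idle trigger
        "activity_fm_zero": activity(nets["fm_zero"]),   # 1/N
        "activity_fm_one": activity(nets["fm_one"]),     # 2/N
        "suspicious_at_50pct": high_activity_nets(nets, 0.5, "clk"),
        "suspicious_at_12pct": high_activity_nets(nets, 0.12, "clk"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last two entries make the defender's dilemma concrete: a threshold high enough to leave ordinary logic alone (50%) misses both FM nets, while one low enough to catch them (12%) would also catch any ordinary net that toggles at least every eighth cycle, and lengthening the CSR pushes the FM activity below any fixed threshold.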
Let a string of four consecutive events α, β, γ, and δ be the very rare combination that triggers the hardware Trojan.
These events can correspond, for example, to four specific operation codes issued in an attacked processor. Figure 5 presents an event synchronization circuit, which forces the signals A, B, C, and D to be simultaneously '1' when those four operations are issued in the order α − β − γ − δ. This activates the function F_∆(A, B, C, D), which in turn triggers the hardware Trojan. According to Figure 1, it is apparent that the Trojan's activation is captured into F_∆(A, B, C, D) only if signal F(A, B, C, D) switches to '1' synchronously with signal SYNC. There are no provisions in Figure 5 to ensure such a synchronization. One possible solution is to program the processor to read the state of the SYNC signal and issue the operation codes just in time to achieve the synchronization. A second solution is to issue the triggering string of operation codes a number of times at different time intervals, such that the synchronization is statistically achieved.
In Figure 1 it is also apparent that the Trojan's activation signal, F_∆, remains active for eight clock cycles. If this activation needs to be locked, then the locking circuit shown in Figure 6 can be used.
Fig. 6: Locking AND gate with frequency modulation.
The proposed logic family supports the implementation of locking gates. As an example, a two-input locking AND gate with frequency modulation is shown in Figure 6.
... Trojan that includes only a 16-bit counter, an 8-bit sequential comparator, and a 3-bit combinational comparator is large enough to consume the power necessary for its detection [31]. These findings are in line with Potkonjak et al., who have shown that gate-level characterization based on timing and power consumption measurements can help with the detection of hardware Trojans [32]. It has also been reported that a network of Ring Oscillators, which are similar to those used in the proposed logic family with frequency modulation, can provide sufficient sensitivity to detect changes in power consumption generated by malicious circuitry [12]. In addition, field-programmable gate arrays are notable for their large power consumption. As a consequence, reconfigurable implementations are even more vulnerable than ASICs to side-channel analysis [33], [34].
Given the above-mentioned considerations it is apparent that building a stealthy hardware Trojan requires the elimination of the relationships between data and power consumption, and between operations and power consumption.
There are two ways to achieve this [29]: (i) hiding (also called concealing), which makes the power consumption independent of the processed data and/or operations, and (ii) masking, which randomizes the power consumption. In this paper, only the hiding technique is used in securing the hardware Trojan.
Recall that the CMOS power consumption has two components: (i) dynamic and (ii) static (also referred to as leakage). In order for a hardware Trojan to be stealthy, it must be robust enough to evade analyses based on each and every power consumption component. A common approach is to use Dual-Rail Logic (DRL) [29] , which balances the dynamic power consumption into a constant value through differential encoding in which the information is encoded with direct and complementary signals. DRL operates in two alternating phases: precharge, during which both the direct and complementary signals are set to a common Low value, and evaluation, during which either the direct signal (which encodes logic '1') or the complementary signal (which encodes logic '0') will perform a transition to a High value. This way, exactly one High-to-Low transition during the precharge phase and one Low-to-High transition during the evaluation phase occur in this two-phase operation irrespective of the logic state ('0' or '1') being encoded. The consequence is a constant dynamic power consumption.
Measures to increase robustness against analyses based on static power consumption have also been proposed [6]. The main idea in concealing the leakage is to ensure that the number of states in logic '0' is always equal to the number of states in logic '1'. Since the circuit exhibits symmetry, the leakage power consumption is constant. The power consumption concealment is achieved through hardware replication. Figure 7 shows that the circular shift register is replicated such that for each CSR storing FM Logic '0' (a) there is a dual CSR storing FM Logic '1' (b). The CSRs (a) and (b) are replicated into (c) and (d) such that the number of states in standard logic '0' equals the number of states in standard logic '1'. This conceals the leakage power consumption. By providing the dual FM logic, the number of standard transitions 0-to-1 is always 6, and the number of standard transitions 1-to-0 is always 6. This conceals the dynamic power consumption. Also, both frequencies (f_CLK/4 and f_CLK/8) will always be present in the side-channel spectrum, which will defuse attacks based on spectrum analysis.
The proposed implementation is significantly simpler than the dual-rail logic since it lacks the precharge and the evaluation phases. This is possible since the FM logic is based on circular shift registers, which exhibit repetitive switching behavior. Since the standard logic gate and the multiplexor, which are both dark grayed in Figure 1, can be implemented in a single LUT, their power consumption can be easily concealed by implementing the dual function in the dual LUT.
After the hardware Trojan is activated, the concealment of the power consumption is no longer needed. The replicas used in protecting the Trojan can now be used to implement the payload. In a first scenario, replicas 7-(b), 7-(c), and 7-(d) can be disabled upon the activation of the Trojan. This will make power consumption dependent on the data and operations implemented with frequency-modulated logic, which in turn will allow the attacker to retrieve secret information through this side channel. In a second scenario, replicas 7-(c) and 7-(d) are disabled, but both replicas 7-(a) and 7-(b) hold the same FM logic value. This will double the dependence of the power consumption on data and operations, with beneficial effects in implementing the payload.
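The transition and state counts claimed for Figure 7, and what happens to them under the two payload scenarios just described, can be checked cycle by cycle with a model of the four replicas. The Python below is an added example, not the paper's code. It assumes, as my reading of the Figure 7 description, that replica (a) holds the FM value, (b) holds the other FM value (its dual), and (c) and (d) are the standard-logic complements of (a) and (b); the `enabled` and `b_holds_same` parameters are constructed knobs for the two payload scenarios.

```python
"""Cycle-level model of the replicated CSRs of Figure 7 (added example).
Counts 0-to-1 and 1-to-0 transitions on each replica's output over one
period, plus the number of stages at '1', for FM value x = 0 and x = 1.
Assumed structure: (a) = x, (b) = dual of x, (c) = NOT (a), (d) = NOT (b)."""
from typing import Dict, List

N = 8   # CSR length; FM '0' = 1 pulse per 8 cycles, FM '1' = 2 pulses (Figure 1)


def csr_initial_state(bit: int, n: int = N) -> List[int]:
    """CSR contents encoding FM `bit` (assumed pulse patterns, see above)."""
    ones = [0, n // 2] if bit else [0]
    return [1 if i in ones else 0 for i in range(n)]


def rotate(state: List[int]) -> List[int]:
    return [state[-1]] + state[:-1]


def output_trace(state: List[int], cycles: int = N) -> List[int]:
    """Last-stage output of a CSR over `cycles` clock cycles."""
    out = []
    for _ in range(cycles):
        out.append(state[-1])
        state = rotate(state)
    return out


def replica_set(x: int, enabled=("a", "b", "c", "d"), b_holds_same: bool = False) -> Dict[str, List[int]]:
    """CSR contents of one FM gate's replicas. `enabled` selects which
    replicas exist; `b_holds_same=True` models the second payload scenario,
    in which (a) and (b) hold the same FM value."""
    a = csr_initial_state(x)
    b = csr_initial_state(x if b_holds_same else 1 - x)
    regs = {"a": a, "b": b, "c": [1 - v for v in a], "d": [1 - v for v in b]}
    return {k: v for k, v in regs.items() if k in enabled}


def side_channel_profile(x: int, **kw) -> Dict[str, int]:
    """Rising and falling edges on the enabled replicas' outputs over one
    N-cycle period (dynamic power proxy) and the number of stages at '1'
    (leakage proxy; rotation never changes a CSR's popcount)."""
    regs = replica_set(x, **kw)
    rising = falling = 0
    for state in regs.values():
        t = output_trace(state)
        rising += sum(t[i - 1] == 0 and t[i] == 1 for i in range(N))   # circular
        falling += sum(t[i - 1] == 1 and t[i] == 0 for i in range(N))
    ones = sum(sum(s) for s in regs.values())
    return {"rising": rising, "falling": falling, "ones": ones}


def leakage_depends_on_data(**kw) -> bool:
    """True if the profile differs between FM '0' and FM '1' (i.e. leaks)."""
    return side_channel_profile(0, **kw) != side_channel_profile(1, **kw)


if __name__ == "__main__":
    for label, kw in [("hiding (a,b,c,d)", {}),
                      ("payload scenario 1: only (a)", {"enabled": ("a",)}),
                      ("payload scenario 2: (a),(b) same value",
                       {"enabled": ("a", "b"), "b_holds_same": True})]:
        print(label, side_channel_profile(0, **kw), side_channel_profile(1, **kw),
              "leaks" if leakage_depends_on_data(**kw) else "constant")
```

With all four replicas the profile is 6 rising edges, 6 falling edges and 16 of 32 stages at '1' for either value, which is the constant the text states. Disabling (b), (c) and (d) leaves 1 or 2 edges depending on the value; keeping (a) and (b) at the same value gives 2 or 4, i.e. twice the difference, which is the "doubled dependence" of the second scenario. From a defender's viewpoint this is also the signature worth looking for after activation: a power trace whose data dependence appears only once the replicas go quiet.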
VI. DETECTING HARDWARE TROJANS BUILT WITH FREQUENCY-MODULATED LOGIC
It has been shown that the hardware Trojans built with frequency-modulated logic are robust to tests based on unused-circuit identification and side-channel analysis. A natural question at this point is how such Trojans can be detected and/or neutralized given their new behavior.
The logic with Frequency Modulation (FM) requires a large number of circular shift registers, since a standard logic gate (or a LUT), a 2:1 multiplexer, and a circular shift register are needed for each FM gate. This pattern, which can be regarded as a signature of this type of logic, can be the subject of detection attempted at the RTL level. However, if the HDL code is encrypted, the detection can only be based on side-channel analyses.
It should be observed that the robustness of dual-rail logic circuits mapped onto FPGAs might not be very good, since the routing imbalance in reconfigurable arrays lowers the effectiveness of this type of logic [7]. This observation suggests that the hardware Trojans with frequency modulation should be implemented with FPGA primitives (LUT6, FDRE, FDSE, MUXF7, and MUXF8) rather than behavioral HDL code, and the placement should be controlled with location attributes and constraints. If the resulting Trojan is robust to side-channel analysis, it is legitimate to investigate other opportunities in defending the circuit.
If the Trojan's triggering circuitry cannot be detected, then the only chance to defend the circuit is by neutralizing the Trojan's payload. This can be achieved, for example, through a Counter-Trojan deployed on the FPGA by the defender. The Counter-Trojan will perform a spectral analysis to determine if oscillations with frequencies that are large fractions of f CLK exist. Then it will trigger its own oscillations on the same frequencies to jam the original payload, so that the attacker is no longer able to communicate with the Trojan. Other proposed techniques are also worth investigating [8] .
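The analysis stage of such a Counter-Trojan, deciding whether lines at large fractions of f_CLK are present in a side-channel trace, can be prototyped offline before committing it to the fabric. The Python below is an added example and not the paper's design: the "trace" is a constructed per-cycle count of net transitions (a crude power proxy) built from modelled CSR outputs plus seeded random switching standing in for unrelated logic, the FM pulse patterns are assumed from Figure 1 (f_CLK/8 for '0', f_CLK/4 for '1'), and the detection threshold (`factor` times the median bin magnitude) is my choice. The jamming step is not modelled.

```python
"""Spectral test for FM-logic oscillations in a side-channel trace
(added example modelling the Counter-Trojan's analysis stage only).
Assumed: FM '0' = one pulse per 8 cycles, FM '1' = one pulse per 4 cycles."""
import cmath
import random
from typing import List, Sequence

L = 256                       # trace length in clock cycles (DFT size)


def csr_output(bit: int, n: int = 8, cycles: int = L) -> List[int]:
    """Output tap of an n-stage circular shift register holding FM `bit`."""
    state = [1 if i in ([0, n // 2] if bit else [0]) else 0 for i in range(n)]
    out = []
    for _ in range(cycles):
        out.append(state[-1])
        state = [state[-1]] + state[:-1]
    return out


def transition_trace(nets: Sequence[Sequence[int]]) -> List[int]:
    """Power proxy: how many of the given nets toggle in each clock cycle."""
    return [sum(net[t] != net[t - 1] for net in nets) for t in range(L)]


def dft_magnitudes(x: Sequence[int]) -> List[float]:
    """|X[k]| for k = 0..L/2 (plain O(L^2) DFT, no numpy needed at this size)."""
    mags = []
    for k in range(L // 2 + 1):
        acc = sum(x[t] * cmath.exp(-2j * cmath.pi * k * t / L) for t in range(L))
        mags.append(abs(acc))
    return mags


def fm_frequencies_present(trace: Sequence[int], candidates=(4, 8), factor: float = 4.0) -> List[int]:
    """Divisors m for which the line at f_CLK/m stands `factor` times above
    the median non-DC bin magnitude (the noise floor estimate)."""
    mags = dft_magnitudes(trace)
    inner = sorted(mags[1:-1])                     # DC and Nyquist excluded
    floor = inner[len(inner) // 2]
    return [m for m in candidates if L % m == 0 and mags[L // m] > factor * floor]


def random_nets(count: int, seed: int = 7) -> List[List[int]]:
    """Constructed background switching from unrelated standard logic."""
    rng = random.Random(seed)
    return [[rng.randint(0, 1) for _ in range(L)] for _ in range(count)]


def scenario(fm_bits: Sequence[int], with_duals: bool) -> List[int]:
    """Trace = 2 random nets + one FM gate per bit, with or without the
    Figure 7 replicas (b), (c), (d); returns the detected FM lines."""
    nets = list(random_nets(2))
    for b in fm_bits:
        a = csr_output(b)
        nets.append(a)
        if with_duals:
            d = csr_output(1 - b)
            nets += [d, [1 - v for v in a], [1 - v for v in d]]
    return fm_frequencies_present(transition_trace(nets))


if __name__ == "__main__":
    print("hiding replicas, value 0:", scenario([0], True))    # both lines
    print("no replicas, value 1:   ", scenario([1], False))    # f_CLK/4 only
    print("no FM logic:            ", scenario([], False))     # nothing
```

With the replicas of Figure 7 present, both f_CLK/4 and f_CLK/8 show up whatever value the gate holds, which is exactly what the hiding countermeasure promises and what the Counter-Trojan keys on; without them the spectrum reveals the stored value, so the same test also flags the post-activation state in which the replicas have been disabled for the payload.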
VII. CONCLUSION
Defense measures at the RTL, side-channel analysis, and Counter-Trojan levels have been described to mitigate the risk of a novel security vulnerability disclosure.
