A new design method for hardware Trojans based on path delay is proposed, in which the Trojan trigger exploits the meta-stability of flip-flops. Unlike a traditional hardware Trojan, a path delay Trojan does not change the circuit function and can therefore evade function-equivalence detection, which gives it very high concealment. A path delay Trojan was inserted into an AES (Advanced Encryption Standard) circuit and the key was successfully recovered with a frequency attack. By analyzing the key leakage probability under different working frequencies and different delay structures, an effective method for controlling the trigger rate of the path delay Trojan was obtained.
Introduction
The design and manufacture of modern very large scale integrated circuits form a huge industrial chain whose production stages are distributed all over the world. The design process relies heavily on third-party IP (Intellectual Property), and an untrusted third-party vendor may add malicious functions to its IP. A manufacturer can likewise add malicious functions beyond the original circuit specification. Circuitry added in this malicious way is called a hardware Trojan.
The failure of Syria's real-time early-warning radar during the Israeli bombing of its nuclear facilities, the sudden failure of the Iraqi air defense system in the Gulf War, and the Meltdown and Spectre attacks on Intel CPUs recently exposed by hackers have raised public concern about the safety of hardware. Reference [1] designs a Memory Access Trojan that tampers with user privileges and a Shadow Mode Trojan that executes backdoor programs and obtains user passwords. Reference [2] presents the triggering methods and behavior of several hardware Trojans in embedded systems. Reference [3] inserts a hardware Trojan into the common FIFO (First In First Out) queue. Reference [4] designs two kinds of hardware Trojan that leak the encryption key. Reference [5] designs a Trojan for side-channel attack.
However, most of the hardware Trojans designed in the above literature are triggered by low-toggle events, such as a specified input sequence or a counter [6]. They are easily detected by UCI (Unused Circuit Identification) detection [7] and low-toggle-rate detection, and the designs of [8] [9] [10] cannot evade function-equivalence detection. Because a traditional Trojan changes the function set of the circuit, it may be triggered accidentally during simulation, prototype verification and chip test, which increases the risk of the Trojan design.
This paper first describes a hardware Trojan design idea based on path delay, which differs from traditional hardware Trojan designs based on combinational logic and state machines and can effectively evade function-equivalence detection. We then design the Trojan, insert it into an AES circuit, and successfully leak the key on an FPGA development board. Finally, we analyze the path delay hardware Trojan.
Design of Path Delay Trojan Trigger Mechanism
The design principle of digital circuits is to meet the timing budget. When timing is violated, flip-flop meta-stability appears and the circuit produces unpredictable results. Based on this property of flip-flops, the trigger of the path delay Trojan is designed as shown in Figure 1. In Figure 1, A and B are two independent signals and O is the output. The state transition/output table of the circuit is given in Table 1. As the table shows, signals Q1 and Q2 can never both be 1 at the same time when the circuit works normally, so O is always 0 and the Trojan payload is never triggered. When the circuit works at a higher frequency and a timing violation occurs in the Trojan, a flip-flop may latch a wrong bit or enter meta-stability. O then randomly becomes 1, which triggers the Trojan.
The Boolean satisfiability problem is NP-complete. Although the output of this Trojan trigger is always 0, most synthesis tools do not optimize it away. Naturally, more complex versions of this trigger can be built from unsatisfiable conditions of Boolean functions.
Design of Path Delay Trojan
According to the trigger mechanism based on path delay, the hardware Trojan is designed as shown in Figure 2. In Figure 2, the path delay Trojan consists of Delay, Trigger and Payload modules. The Delay takes signals T of the original circuit as input, and its output drives the Trigger. The Payload is a selector: when the Trigger output is 0, O is C; when it is 1, O is S. C is the original output of the circuit and S is the sensitive signal. The Delay module adds path delay to the flip-flops of the Trigger, making that path the critical path. XOR gates are used in the Delay because they not only have a larger delay than other gates but also do not change the toggle rate of the signals.
Assume the highest working frequency of the original circuit is F0max and the highest working frequency after inserting the Trojan is F1max; obviously F1max < F0max. When F < F1max, every path in the circuit meets timing, the Trigger output is 0 and the Trojan never fires. When F1max < F < F0max, the original circuit still works normally but the path to the Trigger violates timing, so the Trigger output becomes 1 with some probability and leaks the sensitive information. When F > F0max, both the Trojan and the original circuit malfunction.
Experimental Setup and Result

Experimental Setup
AES is a symmetric encryption algorithm widely used in encryption chips. We implemented the AES circuit shown in Figure 3; its maximum working frequency is F0max = 240MHz. After inserting the path delay Trojan of Figure 2, the maximum working frequency drops to F1max = 225MHz. The AES plaintext input is generated by a 128-bit LFSR (Linear Feedback Shift Register), and the AES key is 128'hAABB_CCDD_EEFF_0011_2233_4455_6677_8899. The trigger signal of the Trojan is taken from the SubBytes module of the AES, which has a higher toggle rate and a longer path delay. The experiment runs on an Altera EP4CE6F17C8 FPGA. The AES ciphertext output is sampled under different frequencies and different Delay structures, and the data is then analyzed.
Figure 4. Probability distribution of the highest 8 bits of the ciphertext.
Experimental Result
We divide the 128-bit AES key into groups of 8 bits. Every group of the key leaks in the same way, so for the analysis we focus only on the highest 8 bits, 0xAA. The occurrence probability distribution of the highest 8 bits of the ciphertext is shown in Figure 5. The peak of the distribution shows that the path delay Trojan successfully leaked the AES key.
When the circuit works at 225MHz, every ciphertext value occurs with the same probability of 0.004 (1/256) and there is no peak. When the circuit works at 240MHz, the original AES circuit works normally while the Trojan circuit suffers timing violations, which leaks the AES key byte 0xAA and forms the peak. When the circuit works at 250MHz, both the original AES and the Trojan violate timing, the whole circuit loses its normal function, and multiple peaks appear.
Triggering of the path delay Trojan depends mainly on the delay characteristics of the path, so we designed different structures for the Delay module, shown in Figure 5, to study the characteristics of this kind of Trojan. In the same way, the ciphertext output of each Delay module is sampled at different frequencies, and the occurrence probability of the key byte 0xAA is shown in Figure 6. Compared with Delay1, Delay2 and Delay3 have larger delay, so the occurrence probability of 0xAA is greater. Compared with Delay1 and Delay2, Delay3 is more asymmetric, so the two flip-flops of the Trigger take abnormal values more often and the occurrence probability of 0xAA is greater still.
Therefore, at the same frequency, increasing the delay of the Delay module and using an asymmetric structure effectively increase the trigger probability of the Trojan. For the same Delay design, the higher the frequency, the greater the trigger probability of the Trojan.
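The peak test used above to tell a uniform ciphertext distribution (225MHz) from a single leaked key byte (240MHz) and from a timing-broken circuit (250MHz) can be automated as a detection check; the following is an added example, not the paper's own analysis code. The ciphertext byte samples are constructed with a seeded generator standing in for the FPGA captures, and the 5-sigma peak threshold is an assumption.

```python
"""Detect key leakage in the highest ciphertext byte by looking for probability peaks
against the uniform expectation of 1/256 (added example; sample data is constructed)."""
import random
from collections import Counter
from math import sqrt

UNIFORM = 1 / 256  # expected probability of each byte value when nothing leaks


def byte_distribution(samples):
    """Empirical occurrence probability of each 8-bit value in the sampled byte."""
    counts = Counter(samples)
    n = len(samples)
    return {v: counts.get(v, 0) / n for v in range(256)}


def find_peaks(samples, sigmas=5.0):
    """Byte values whose count exceeds the uniform expectation by `sigmas` standard
    deviations (binomial approximation, threshold is an assumption). A healthy circuit
    yields no peaks, a leaking path delay Trojan a single peak at the key byte, and a
    circuit driven past F0max several peaks."""
    n = len(samples)
    expected = n * UNIFORM
    threshold = expected + sigmas * sqrt(expected * (1 - UNIFORM))
    return sorted(v for v, c in Counter(samples).items() if c > threshold)


def classify(samples):
    """Map the peak pattern onto the three regimes described in the experiment."""
    peaks = find_peaks(samples)
    if not peaks:
        return "no leak"
    if len(peaks) == 1:
        return "single peak: key byte 0x%02X" % peaks[0]
    return "multiple peaks: timing failure"


def constructed_ciphertext_bytes(trigger_rate, key_byte=0xAA, n=25600, seed=1):
    """Constructed stand-in for FPGA captures: with probability `trigger_rate` the
    Payload selector passes the key byte, otherwise the byte is uniformly random."""
    rng = random.Random(seed)
    return [key_byte if rng.random() < trigger_rate else rng.randrange(256)
            for _ in range(n)]


if __name__ == "__main__":
    for rate in (0.0, 0.1):
        print("trigger rate %.2f -> %s" % (rate, classify(constructed_ciphertext_bytes(rate))))
```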
Summary
In this paper, a new kind of hardware Trojan based on path delay is proposed. Compared with traditional combinational-logic and state-machine Trojans, the path delay Trojan has a novel trigger mechanism and strong concealment. We successfully recovered the key of an AES circuit carrying the path delay Trojan by a frequency attack. Analysis of the path delay Trojan shows that changing the path delay and the symmetry of the Delay module controls the trigger probability of the Trojan. The path delay Trojan also offers a new perspective for integrated circuit optimization and hardware Trojan detection technology.
