Hardware Trojans have drawn the attention of academia, industry, and government agencies. Effective detection mechanisms and countermeasures against such malicious designs can only be developed when there is a deep understanding of how hardware Trojans can be built in practice, in particular, Trojans specifically designed to avoid detection. In this article, we present a mechanism to introduce an extremely stealthy hardware Trojan into cryptographic primitives equipped with provably-secure first-order side-channel countermeasures. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage, leading to successful key recovery attacks. Generally, such a Trojan requires neither addition nor removal of any logic which makes it extremely hard to detect. On ASICs, it can be inserted by subtle manipulations at the subtransistor level and on FPGAs by changing the routing of particular signals, leading to zero logic overhead. The underlying concept is based on modifying a securely masked hardware implementation in such a way that running the device at a particular clock frequency violates one of its essential properties, leading to exploitable leakage. We apply our technique to a threshold implementation of the PRESENT block cipher realized in two different CMOS technologies and show that triggering the Trojan makes the ASIC prototypes vulnerable.

中文翻译：

---

用于可证明安全的 SCA 保护实施的旁道硬件木马

硬件木马已引起学术界、工业界和政府机构的注意。只有深入了解如何在实践中构建硬件木马，特别是专门为避免检测而设计的木马，才能开发针对此类恶意设计的有效检测机制和对策。在本文中，我们提出了一种机制，可将极其隐蔽的硬件木马引入配备可证明安全的一阶侧信道对策的加密原语中。一旦木马被触发，恶意设计就会表现出可利用的侧信道泄漏，从而导致成功的密钥恢复攻击。一般来说，这种木马既不需要添加也不需要删除任何使其极难检测的逻辑。在 ASIC 上，它可以通过子晶体管级和 FPGA 上的微妙操作插入，通过改变特定信号的路由，导致零逻辑开销。基本概念基于修改安全屏蔽的硬件实现，以特定时钟频率运行设备违反其基本属性之一，从而导致可利用的泄漏。我们将我们的技术应用于在两种不同 CMOS 技术中实现的 PRESENT 块密码的阈值实现，并表明触发木马会使 ASIC 原型易受攻击。基本概念基于修改安全屏蔽的硬件实现，以特定时钟频率运行设备违反其基本属性之一，从而导致可利用的泄漏。我们将我们的技术应用于在两种不同 CMOS 技术中实现的 PRESENT 块密码的阈值实现，并表明触发木马会使 ASIC 原型易受攻击。基本概念基于修改安全屏蔽的硬件实现，以特定时钟频率运行设备违反其基本属性之一，从而导致可利用的泄漏。我们将我们的技术应用于在两种不同 CMOS 技术中实现的 PRESENT 块密码的阈值实现，并表明触发木马会使 ASIC 原型易受攻击。