Journal of Hardware and Systems Security (2018) 2:225–239

https://doi.org/10.1007/s41635-018-0042-5

A Hardware Trojan Attack on FPGA-Based Cryptographic Key

Generation: Impact and Detection
Vidya Govindan1 · Rajat Subhra Chakraborty1 · Pranesh Santikellur1 · Aditya Kumar Chaudhary2

Received: 1 February 2018 / Accepted: 5 June 2018 / Published online: 20 June 2018
© Springer International Publishing AG, part of Springer Nature 2018

Abstract
True Random Number Generator (TRNG) circuits are important components of cryptographic systems. Lack of statistical
randomness in the generated bitstreams from a TRNG can result in compromised keys, leading to serious security breaches.
In this paper, we describe a Hardware Trojan Horse (HTH)-based attack on the TRNG of an FPGA-based cryptosystem,
that results in reduced entropy and increased predictability of the generated keys. The proposed HTH does not cause any
functional failure in the cryptosystem, and its impact is undetectable by analysis of the compromised bitstream using standard
statistical randomness testing software suites (NIST, two enhanced versions of NIST Dieharder, and LIL-tests), and by a
circuit-level HTH detection technique using Transition Effect Ring Oscillator (TERO). Finally, we show that the impact of
the HTH can be detected by applying Wavelet Transform on the compromised bitstream.

Keywords Field Programmable Gate Arrays (FPGA) · Hardware Trojan Horse (HTH) · Randomness tests · True Random
Number Generator (TRNG) · Wavelet transforms

1 Introduction implementation against side-channel attacks, and many

more [1]. The overall security of a cryptographic system is
Random Number Generators (RNGs) constitute an integral critically dependent on the statistical quality of the gener-
part of any modern cryptographic system. In all modern ated random numbers—if the random numbers have higher
cryptographic algorithms and secure communication pro- predictability, i.e., lower entropy, several powerful attacks
tocols, random numbers play an important part. Random exist to break the security of the cryptosystem. For any
numbers are used as cryptographic keys in both sym- cryptosystem, it is important that the cryptographic keys
metric and asymmetric encryption, initialization vectors are generated inside the system, and never leave the system
for stream ciphers, padding values in asymmetric encryp- in plaintext over an unencrypted communication channel.
tion, challenges in zero-knowledge proofs, countermeasure Hence, if the cryptosystem is implemented on a single chip,
the TRNG being used as the key generator is usually also
 Vidya Govindan implemented on-chip [1].
[email protected]
Random numbers are commonly generated via two
Rajat Subhra Chakraborty different schemes: Pseudo Random Number Generators
[email protected]
(PRNGs) and True Random Number Generators (TRNGs).
Pranesh Santikellur PRNGs use mathematical algorithms for random num-
[email protected]
ber generation and are deterministic in nature, and some-
Aditya Kumar Chaudhary times called Deterministic Random Number Generators
[email protected]
(DRNGs). Although PRNGs show good statistical proper-
1
ties and are usually simple to implement on logic devices,
Secured Embedded Architecture Laboratory (SEAL),
Department of Computer Science and Engineering,
their output sequence can be predicted exactly either by
Indian Institute of Technology Kharagpur, Kharagpur, knowledge of the algorithm behind their working or by noting
West Bengal, 721302 India down a sequence of past outputs [2]. TRNGs on the other
2 Centre for Artificial Intelligence and Robotics, DRDO hand derive their randomness from uncontrolled physi-
Complex, C. V. Raman Nagar, Bangalore, 560093 India cal phenomena such as thermal noise, atmospheric noise,
226 J Hardw Syst Secur (2018) 2:225–239

flicker noise, shot noise, radioactive disturbances, clock jit- deviation (RMSD) should be nearly negligible in value.
ter, and phase noise. In addition to the noise source, a The testing methodology declares a randomness source to
TRNG needs a noise extraction mechanism, noise digitiza- have passed the test if the obtained values of these metrics
tion mechanism, and an optional, but highly recommended calculated on the dataset are smaller than the theoretical
post-processing mechanism to improve the statistical qual- expected values.The author claims that this test is difficult to
ity of the generated bitstream. This post-processing mech- pass in general, and give examples of bitstreams generated
anism usually employs mechanisms easily implementable from several standard pseudorandom number generators
in hardware or software, ranging from simple arithmetic failing this test.
schemes such as a von Neumann Corrector [3] to eliminate Hardware Trojan Horses (HTHs) have become one of
long strings of consecutive zeros and ones, to full-fledged the prime focuses of research in the Hardware Security
encryption circuits. All of these three components have a community in the last decade [11–15]. HTHs are well-
major impact on the statistical quality of the random num- hidden, malicious modifications to circuits which are
bers produced. Most modern TRNG circuits exhibit more difficult to detect by traditional integrated circuit (IC)
or less the same high-level architecture as shown in Fig. 1, testing methods. Often, they are designed to get activated
which is recommended by the AIS-31 standard [4]. only under very rare logic conditions, and once activated, it
According to security evaluation process and require- can either cause malfunction of the circuitry, or leakage of
ments for cryptographic module guidelines, the quality of secret information. Presence of a HTH might be confused
the generated random bit stream must be validated by some with faults which occur due to manufacturing defects. As
standard statistical tests suites, as necessitated by several described in [16], a HTH consists of two main components:
security standards, e.g., FIPS 140-2 [6] or AIS 31 [4]. trigger and payload. A trigger is the activation mechanism
Two of the most widely used industry-standard test suites for a HTH, and usually consists of signals or events that
for randomness evaluation are NIST SP 800-22 [7] and are continuously monitored for specific logic conditions.
Dieharder [8]. These test suites employ series of tests based The payload comprises of malicious circuit to modify the
on a hypothesis that the tested data stream is random. The intended circuit behavior or to leak information. Once a
NIST test suite comprises of 15 tests each of which is valid trigger condition is satisfied, the HTH payload is
used to test different properties of the input data stream. In activated, which in turn alters the circuit behavior. The
each of these tests, the processed input sequence is passed impact of undetected HTHs can be disastrous at a personal
through a function to generate a “P value” which is com- or a national scale, resulting in loss of human life and/or
pared with a predefined significance level (α) to analyze the billions of dollars worth of revenue, company goodwill, or
randomness. The data to be tested passes the test under con- national infrastructure. Typically, the impact of HTH on
sideration when the obtained P value is greater than or equal cryptographic systems is in the form of attacks that help to
to α. The Dieharder test suite comprises of 26 tests which is reveal the secret key [17].
an improvement over the Diehard battery tests published by
George Marsaglia on a CD-ROM of random numbers [9]. 1.1 Our Contributions
In [10], the author has proposed the Law of Iterated
Logarithm (LIL)-based testing method for evaluating In this paper, we have demonstrated a HTH attack on an
random number generators to reduce the type-II errors in FPGA-based cryptographic system. In particular, the HTH
NIST SP800-22 test suite. According to the paper, for a reduces the entropy of the bitstream generated from the on-
generator G to be considered “good” for a sufficiently large chip TRNG, resulting in a successful collision attack [18] on
sequence, three metrics, viz., the total variation distance the generated cryptographic keys, whereby the probability
(d), Hellinger distance (H ), and the root-mean-square of key usage that has been used previously increases. We

Fig. 1 Generic architecture of a

True Random Number
Generator (TRNG) circuit used
as a cryptographic primitive [5],
as endorsed by the AIS 31
standard
J Hardw Syst Secur (2018) 2:225–239 227

have demonstrated that two industry-standard and widely testing, circuit-level FPGA-based HTH detection technique
used randomness evaluation frameworks, namely NIST and CWT. In Section 3, we describe the overall system
(original and two recently proposed enhanced versions) architecture, including details of the TRNG circuit, and
and Dieharder, and in addition the “difficult-to-pass” LIL- the randomness evaluation methodology. In Section 3.3,
tests, are unable to detect the decrease in entropy of we describe the mode of operation of the inserted HTH,
the compromised raw bitstream, which in turn implies and theoretical analysis of its impact on the security of the
that the inserted HTH remains undetected. We also system. In Section 4, we describe implementation results
demonstrate that a recently proposed FPGA-based circuit- for the system and the HTH, impact of the HTH on the
level HTH detection technique [19] is incapable of detecting randomness of the bitstream, and detection attempts of the
the proposed HTH. We have earlier proposed [20] an HTH-infected bitstream. We conclude in Section 5 with
HTH attack on FPGA-based TRNG that adversely affects future directions of research.
the entropy of the output of a TRNG, thus results in
cryptographic keys which are predictable. However, in [20],
we did not consider the presence of the post-processing 2 Background
circuitry in the TRNG. Thus, the impact of the attack was
not evaluated after the raw bitstream had been processed by 2.1 True Random Number Generators and Statistical
the post-processing module. In contrast, in this paper, we Randomness Estimation
have considered the impact on the security of the crypto-
system after the compromised bitstream is processed by a Considerably large amount of work has been done on
cryptographic post-processing module. RNGs both commercially and in academics. As mentioned
The proposed HTH-based attack also evades a recently in [24], the hardware RNGs (or TRNGs) can be decomposed
published TRNG architecture that proposes a TRNG with into four categories: (a) circuits integrated on processors
self-repair capability to increase the dependability of the and systems-on-chip (SoCs); (b) commercial RNG used
complete system. Our proposed HTH eludes this protection as “add-on” peripheral devices; (c) True Random Number
technique because the work in [21] employs only a subset Generators (TRNGs) design for FPGAs; and (d) discrete
of the tests usually employed to test entropy of TRNGs, in device-based TRNGs. Various FPGA-based TRNGs have
particular only a subset of the tests mentioned in [22]. Also, been widely studied in the recent past [25–28]. A survey on
their statistical testing using 213 bits for entropy tests and TRNG hardware IP cores suitable for FPGAs was published
20,000 bits for FIPS tests [6] is not sufficient to detect the in [29]. Many innovative ways to improve the existing
proposed HTH, since the HTH activation period is 218 bits, TRNGs have also been introduced, e.g. ,dependable TRNG
i.e., over 200,000 bits. with self-repair capabilities [21] and side-channel attack
Finally, we have implemented a methodology of ran- -resistant TRNG [30].
domness evaluation to detect the proposed HTH or sim- In general, evaluation of a generated bitstream from a
ilar threats using Continuous-time Wavelet Transform TRNG for good statistical properties, unpredictability, and
(CWT) [23]. In our scheme, the raw bitstream generated reliability is very difficult. Nevertheless, there are many
from the digital noise source is periodically sampled and widely used techniques to evaluate the randomness of a
analyzed using dedicated software being executed on a com- TRNG output. One of the most common is the NIST
puter connected with the FPGA board. If the tests fail, the statistical testing suite [7]. As discussed in [31], the current
software raises an alarm signal that is fed back to the cryp- version of NIST SP 800-22 test suite contains 15 tests
tographic hardware, where remedial options can be taken, which are divided into two categories, namely the binomial-
including temporary suspension of operations and/or inval- based tests and the chi-square-based tests. All these tests
idation of the keys generated from the TRNG waiting to be individually follow a two-level testing strategy. The testing
used, and results of the last few cryptographic operations. process involves breaking the bitstream to be tested into
The architecture of the cryptosystem considered by us is N blocks, each of which contains n bits. The hypothesis
described in detail in Section 3. Our work thus points to the testing is carried out for each data block in all the tests
insufficiency of the current widely used randomness eval- according to a predefined test metric and one “P value” is
uation frameworks, and the need to supplement them with obtained for each block. According to the obtained P values
additional test methodologies. and a significance level α, the first-level test computes a
passing ratio which should lie in the confidence interval for
1.2 Organization of the Paper it to pass. Further, once the first-level tests pass, K equal
sub-intervals in the range [0, 1] are selected and number
The rest of the paper is organized as follows. In Section 2, of P values falling under each of these sub-intervals are
we provide a brief introduction to TRNGs and statistical counted, following which a chi-square goodness-of-fit test
228 J Hardw Syst Secur (2018) 2:225–239

is performed on these K numbers, producing another P 2.2 Circuit-Level Technique for HTH Detection
value PT and another significance level αT . The second- on FPGA
level tests pass if the obtained PT ≥ αT . In the NIST
test suite, the recommended values of the above discussed The Transition Effect Ring Oscillator (TERO) circuit was
parameters are as follows: N = 1000, n = 106 , K = 10, originally introduced as a new high-entropy element for
and αT = 0.001. Recently, it has been argued in [31] that FPGA-based TRNGs [35]. A detailed stochastic model
the second-level tests for binomial testing is incomplete, for entropy estimation of a TERO-based TRNG from
and instead, binomial-based tests should be based on a the physical model including the electrical noises was
slightly modified metric termed the “Q-values”. Another presented in [36]. In our work, we have adopted the TERO
second-level NIST test proposed is [32]. implementation proposed in [19], with slight modifications,
In [33], authors have devised a method for applying the as shown in Fig. 2. In our implementation, we have 14
theory of Kolmogorov complexity to randomness testing inverters and 1 NAND gate in each TERO branch, followed
of sequences based on the Martin-Lof Test which defines by a D flip-flop. It was noted in [19] that in the presence of
a threshold value. This threshold is compared with the one or more HTH circuits in the vicinity of the TERO, the
obtained wavelet transform coefficients after application of counter values after counting for a fixed amount time differ
Discrete Wavelet Transform (DWT) on the sequence to be from that obtained from TERO designs embedded in HTH-
tested. Then, based on the comparison results, randomness free circuits. This is the basis of the application of TERO for
of the sequence is determined. However, there are major HTH detection.
differences with the treatment of the above paper with
randomness analysis of TRNG output bitstreams. Firstly, 2.3 Continuous-Time Wavelet Transform
the approach proposed in [33] is primarily based on analysis
of the compressibility of a bit sequence, and secondly, the Unlike frequency domain analysis techniques such as
authors have not presented any result after executing the Fourier Transforms, wavelet transforms have a unique
proposed test on any well-known pseudo or true random ability to localize events in both time and frequency. For
generator output. A minor difference is that the authors a square-integrable function (or sequence) f (t), the CWT
have used DWT, while we have used CWT. Hence, we with respect to a mother wavelet function ψ(t) is defined as:
think application of this test on actual RNGs would require  ∞  
1 t −b
some more investigation which can be a part of our future W (a, b) = f (t) √ ψ ∗ dt (1)
−∞ |a| a
work. There have also been other papers such as [34] which
discuss the various misinterpretations and guidelines related where a, b are real parameters, and ∗ denotes complex
to statistical tests, confidence levels, and limitations of such conjugate. The parameter a is called the scaling or
tests. dilation parameter, while b denotes the translation of
Hardware/software co-design for on-the-fly evaluation the wavelet with respect to time. In joint time-frequency
of FPGA-based TRNG was proposed in [22], where nine analysis, the parameter b corresponds to time, while a1 is
tests from the NIST test suite [7] were performed in related to the frequency selectivity of the mother wavelet
hardware. Note that studies by researchers have revealed ψ(t). Plots of |W (a, b)|2 jointly with the variation in
that the presence of embedded (on-chip) tests to evaluate the a and b parameter values are termed scalograms.
the statistical qualities of TRNGs affect the TRNG circuit The locations of peaks in scalograms throw light on
itself [5]! Hence, design and implementation of on-chip the positions and duration of events in the original
randomness evaluation circuitry that does not adversely signal [23]. Wavelet transforms have been widely employed
affect the TRNG itself is challenging. Nevertheless, the in engineering, for diverse application domains such as data
quest for an efficient, high-entropy, and less susceptible compression [23] and defect detection and localization in
TRNG is still ongoing. integrated circuits [38]. A common (and one of the simplest)

Fig. 2 TERO circuit modified from the design proposed in [19]

J Hardw Syst Secur (2018) 2:225–239 229

logic (PL) in a single device. The PL part of the device

consists of a Ring Oscillator (RO)-based TRNG core which
generates a random bitstream at the rate of 100 Mbits per
second. This raw bitstream is sent to the PC through the
UART core for statistical randomness testing. We have used
the board’s USB-UART interface to connect to the PC
which is connected to the PS part of the device. The UART
(RX and TX) pins of the PS is used in a simple GPIO mode
to allow the UART to be connected (passed through) to the
PL. The processor samples the RX signal and sends it to
the EMIO channel-0 which is connected to the RX input of
the UART RX/TX module. Similarly, our design samples
the TX output of the UART RX/TX module through another
EMIO channel-1, and sends it on the PS UART TX pin. The
bits received through UART is logged in the PC through the
Fig. 3 Haar mother wavelet function ψ(t) [37] RS232 port, using a data logger software. Test suites are run
on the data collected in the PC in this way. This randomness
testing is currently done by dedicated software on the PC
wavelet functions is the Haar Wavelet. The Haar sequence
and is not real-time. It is to be noted that high-performance
was proposed in 1909 by Alfréd Haar. The Haar scaling
implementation of randomness testing is not a contribution
function is defined as
 of this work, and a high-performance (or even real-time)
1 if 0 ≤ t < 1 implementation of randomness testing will be unable to
φ(t) = (2)
0 otherwise detect the proposed HTH, as should be clear from later parts
and the Haar mother wavelet function is defined as of the section. Based on the results of these tests, an alarm
⎧ signal is fed back to the FPGA through UART. In the event
⎨ 1 if 0 ≤ t < 2
1
of a test failure, the keys stored in the Key Management
ψ(t) = −1 if 2 ≤ t < 1
1 (3)
⎩ module are invalidated.
0 otherwise
The TRNG output is also fed to the TRIVIUM cipher
Historically, the Haar function was the original wavelet. post-processing block (details in Section 3.2), after which
This wavelet is not continuous as shown in Fig. 3 and is a the data is parallelized in blocks to generate 128-bit keys in
special case of the Daubechies wavelet [23]. It is orthogonal the Key Management module. From the Key Management
to its own translations and dilations and preserves energy module, the AES core receives the key when required for
during analysis. Wavelet transforms in general are efficient encryption and decryption. The AES core contains the logic
in detecting and localizing discontinuities in a signal which for both encryption and decryption. In order to monitor the
generally is observed by the means of concentration of die temperature and the on-chip voltage levels, XADC IP
the wavelet coefficients at the discontinuities. The HTH is instantiated which raises an alarm whenever these levels
proposed by us can be imagined as a discontinuity in a signal are outside the predefined threshold values. The XADC is
which is constructed out of the collected TRNG output the basic building block that enables analog mixed signal
bitstream. As we demonstrate later in Section 4, CWT (AMS) functionality in Xilinx-7 series FPGAs [40]. The
indeed has an ability to detect the type of HTH considered ADC conversion data is stored in dedicated registers called
by us. status registers. We utilize the temperature status register
values for activating our HTH. These registers are accessible
through a 16-bit synchronous read-and-write port called
3 System Architecture and HTH Design the Dynamic Reconfiguration Port (DRP). In addition, the
XADC optionally can also be made to read input value from
3.1 Overall Architecture a threshold register, and the user can initialize value in this
threshold register using DRP.
The complete system architecture is depicted in Fig. 4. The TERO core is also implemented in the PL part of
We have used a Xilinx Zedboard for implementation the device to study the effect of HTH on the TERO output.
which features a Xilinx Zynq XC7Z020-1CLG484 All We placed five TERO circuits across the FPGA fabric (four
Programmable SoC (AP SoC) [39]. The Zynq SoC in four quadrants and one at the center), and observed the
integrates dual or single-core ARM Cortex-A9 MPCore - effect of the proposed HTH by connecting the TERO output
based processing system (PS), and Xilinx programmable to a 16-bit counter implemented using a DSP48 hard macro
230 J Hardw Syst Secur (2018) 2:225–239

Fig. 4 System architecture

slice available on the Zynq SoC of the Xilinx Zedboard. clock results in randomness of the bitstream generated.
The counter values were obtained using Xilinx Vivado’s Note that the oscillation frequencies of each individual
Integrated Logic Analyser (ILA) IP, which was triggerd RO is also slightly different from the theoretical value of
after every 217 clock cycles of the 100 MHz system clock. f = 2nτ 1
, where n is the number of stages, and τ is
We later show that this technique is unable to detect the the average propagation delay of each inverter of the RO.
proposed HTH. Because of process variation effects, in general, no two ring
oscillators have identical oscillation frequencies. Also, there
3.2 Design and Implementation of FPGA -Based is a possibility of the oscillators getting “locked” in phase,
TRNG and active “frequency injection attack” through the power
source [41]. Since we have carefully chosen the number
We adopted the TRNG circuit described in [26] with slight of RO chains in the design according to suggestions in
enhancement, a schematic for which is shown in Fig. 5. [25], and we are using an industry-verified FPGA board,
It consists of a chain of 117 Ring Oscillators (ROs), each the possibility of ROs locking and power supply attack is
RO consisting of four inverters connected in a ring and one extremely low.
NAND gate for enabling the circuit. The output of each Finally, the generated bitstream is post-processed using
ring oscillator is sampled by a clock signal of frequency a hardware implementation of the TRIVIUM synchronous
100 MHz, using an edge-triggered D flip-flop. The outputs stream cipher [42]. TRIVIUM was chosen because of
of these D flip-flops are XOR-ed, and this XOR-ed output its relative lightweight, simplicity of implementation, and
is further sampled using the same 100 MHz clock signal. resistance to cryptanalysis attacks. TRIVIUM uses an 80-
The operation of this circuit is based on clock jitter, which bit secret key and an Initialization Vector (IV) to define
can be defined as the unpredictable short-term deviation the initial state of the cipher. With the secret key and the
of the oscillatory signals generated from the ROs, from IV, the TRIVIUM cipher performs 1152 clock cycles of
their theoretical positions [5]. The combination of the “mixing” to impose randomness on the output, and then
jitter contributed by the ROs with respect to the sampling starts generating the cipher text at the rate of 1 bit per clock
J Hardw Syst Secur (2018) 2:225–239 231

Fig. 5 The TRNG circuit used in our implementation for session key generation. The design is adapted from [26], with addition of the
cryptographic post-processing circuit

cycle. Our cipher hardware design is flexible and can be were input to a serial-to-parallel converter which created
configured to give 1/8/64 bit output rate per clock cycle. The session keys of the required length from the TRIVIUM
cipher was reseeded and re-keyed every time a valid output output bitstream. The TRIVIUM cipher and the serial-to-
is generated in order to ensure that the cipher produces an parallel converter both use the same 100 MHz system clock.
uncorrelated and almost random output. These output bits The keys are stored in a BRAM module inside the FPGA,

Fig. 6 The structure of the implanted HTH (in red), and its impact (when activated) on the infected bitstream
232 J Hardw Syst Secur (2018) 2:225–239

with one valid/invalid bit per key to show whether the key is stream cipher. In absence of the HTH, the cardinality of
valid or not. The hardware overhead for the complete TRNG the set of session keys to be randomly chosen to ensure
has been reported in Section 4. at least two identical session keys follows the Birthday
Paradox quite consistently for different session key lengths,
3.3 Inserted HTH: Mode of Operation and Impact assuming the Boolean mapping induced by TRIVIUM to
be a random mapping. However, in the presence of the
Figure 6 shows the structure of the implanted HTH, and its active
√ HTH, for a set of session keys of approximate size
impact on the infected bitstream when the HTH is activated. 1.17 M, the keys collide with 100% probability. Repetition
The HTH is triggered following the Reconfigurable Lookup of session keys is a serious security threat in practical
Table (RLUT) model described in [43], whereby the TRNG cryptosystems, including facilitating replay attacks [44]. We
module, procured as a 3rd party hardware intellectual present details of the key collision results in Section 4. As
property (3PIP) module, contains the HTH. The HTH mentioned at the beginning of this section, it should be
is triggered using a signal which is generated by the clear now that the mode-of-operation of the proposed HTH
temperature sensing circuit on board. In our case, we utilize ensures that it would be able to evade detection, even if
the value written into the temperature status register by we had a high-performance (even real-time) randomness
the XADC module, whenever the die temperature rises evaluation as part of our system.
above a specified threshold, in our case that is 42 ◦ C. This
temperature threshold to trigger the HTH was set by writing
12 hA01 (= 42) in the XADC control register. In our 4 Experimental Results
design, we have used the 9-th bit of the temperature status
register as a trigger signal for our HTH. Our trigger logic We now present the hardware resource utilization figures
thus incurs no hardware overhead. for the complete system, along with overhead caused by
Once activated, the HTH affects the raw bitstream the inserted HTH. We have also provided our observations
generated by the TRNG by injecting a 96-bit length on the TERO-based HTH detection technique, and the
fixed pattern as shown in Fig. 6 at the beginning of 100 standard statistical testing suite results in the presence and
consecutive 218 = 262144 bit-sized bitstream chunks. After absence of the inserted HTH. Finally, a signal analysis-
this, the HTH goes back to its inactive state, until again based technique based on CWT is provided as a means
woken up by the temperature rise of the on-chip sensor. to detect the proposed HTH. All circuit designs were
The HTH payload design consists of a simple state machine performed using the Xilinx Vivado (v. 2016.3) design suite.
and a CFGLUT module used as a RLUT [43], which can All logic synthesis, technology mapping, and placement and
be reconfigured on the fly to change the HTH infection bit routing were performed using the default settings in Vivado.
pattern. Also, note that currently the RLUT functionality is CWT analysis was carried out using the in-built routines
implemented in a stand-alone fashion—its integration into included in the Wavelet Transform Toolbox for Matlab (v.
one of the LUTs used in the TRIVIUM cipher design will R2015a). All experiments were performed on a 64-bit Linux
further reduce the HTH hardware footprint. work station with 3.30 GHz Processor and 8 GB of RAM.

3.4 Impact of the Inserted HTH: Collision in Key 4.1 Hardware Resource Utilization and Power
Values Dissipation

Consider a “random mapping” f : A → B . Let the Table 1 shows the resources utilized by the whole design
number of elements in the set B be M, i.e., |B | = M. with and without HTH. It was observed that the HTH incurs
Let S ⊆ A be a set composed of a random selection of 0.94, 11.70, and 20.00% overhead for the number of LUTs,
elements of A. Then, the famous Birthday Paradox implies flip-flops (FFs), and LUTRAM elements respectively. The
that Prob.[f (x) = f (y)] √≈ 0.5 for two arbitrary elements relatively large LUTRAM overhead, calculated with the
x, y ∈ S if |S | ≈ 1.17 M [18]. This result is termed a HTH-free design as baseline (which uses 5 LUTRAMs),
“paradox” (i.e., counter-intuitive) because the cardinality
√ of can be attributed to the use of one additional CFGLUT
the random subset chosen from the domain can be O( M) to introduce the periodic HTH pattern as discussed in
(instead of O(M)), and still a “collision” in values under Section 3.3 (resulting in 6 LUTRAMs in the HTH-infected
the mapping for two arbitrary elements of the subset can be design). The increase in LUTRAM count can be completely
expected with a probability about 0.5. The HTH described nullified by replacing one of the static LUTRAMs used in
above decreases the entropy of the bitstream input to the TRIVIUM cipher by a configurable CFGLUT, and then
TRIVIUM, which in turn increases the collision probability having additional control logic to reuse it during runtime to
in the generated session key values output by the TRIVIUM introduce the HTH.
J Hardw Syst Secur (2018) 2:225–239 233

Table 1 Hardware resource utilization Table 3 Session key collision results (50 runs for each key size)

Resource Without With HTH HTH insertion Key size Session Runs with Runs with
element HTH overhead (%) (k) key count collision collision
√
(bits) M = 2k , S = 1.17 2k  (HTH inactive) (HTH active)
LUT 4741 4786 0.94
LUTRAM 5 6 20.00 4 5 25 50
FF 2307 2577 11.70 8 19 24 50
BRAM 4.5 4.5 0 16 300 24 50
DSP 1 1 0 32 76678 27 50
BUFG 4 4 0 64 5.025 × 109 26 50
MMCM 1 1 0

small observed deviation and the inherent unreliability of

The total on-chip power of the design as reported the TERO circuit itself, we conclude that the TERO-based
by Vivado’s integrated power analysis tool is shown in technique is ineffective in detecting the proposed HTH.
Table 2. It is clear that the power dissipation overhead
due to HTH insertion is almost negligible. This makes it 4.4 Statistical Testing Results
almost infeasible to apply techniques that depend on power
dissipation measurements to infer the presence of HTH, in The statistical tests for randomness evaluation were
case of the proposed HTH. performed on 1 billion bits generated from each of the HTH-
free and HTH-infected TRNGs (before post-processing).
4.2 Session Key Collision Results We have presented in this section the statistical analysis
results for NIST and Dieharder test suites. Finally, we have
We considered different session key lengths, for both applied CWT-based analysis on the HTH-free and HTH-
Trojan-infected and -uninfected keys. Table 3 shows the infected bitstreams. The time required to carry out the
number of session keys chosen as suggested by the Birthday NIST and Dieharder tests was about 16 h on the previously
Paradox, and the observed number of runs in which mentioned workstation for a data size of 10 billion bits. For
collisions occurred. Fifty runs were carried out for each the CWT analysis to evaluate one block of length 3000, it
session key size, from 4-bit keys to 64-bit keys. The results took approximately 10 min to generate the plots with the
clearly demonstrate the impact of the activated HTH, and its coefficients.
serious security implications. Three different versions of testing using the NIST test
suite were carried out, all for the level of significance
4.3 TERO-Based HTH Detection set at α = 0.01. Table 4 shows the NIST test [7]
results, wherein the minimum pass rate for each statistical
As mentioned in Section 3.1 we placed five instances of test with the exception of the random excursion (variant)
TERO circuit in different quadrants of the FPGA fabric test is approximately 980 for a sample size of 1000
and observed the change in output counter values. An binary sequences, each consisting of 1 million bits. The
average difference of less than 0.1% was noticed over minimum pass rate for the Random Excursion (variant)
100 measurements in counter output values for the TERO test is approximately 614 for a sample size of 628 binary
placed nearest to the inserted HTH location, compared to the sequences. This is because for the random excursion tests
corresponding TERO in the FPGA without HTH. The other P values are calculated only if the input binary sequence
TERO values showed no deviation. However, we observed meets a particular criterion as mentioned in [7]. Therefore,
that the TERO count values for even the circuit without for these tests, the total binary sequences considered are less
the HTH were not constant over time. Hence, given the than 1000, unlike other tests. Table 4 also lists the P value
for the different second-level NIST tests as proposed in [32],
Table 2 Power consumption which when ≥ 0.01 implies the particular test passed [7].
Table 5 provides the test results for the Q value-based
Power Without HTH With HTH HTH insertion
binomial tests of the NIST test suite, as proposed in [31].
(watt) (watt) overhead (%) Similar results were obtained for the Dieharder tests (see
Dynamic 1.760 1.762 0.11 Table 6), where all tests passed for both the HTH-infected
Device static 0.160 0.160 0.00 as well as HTH-free bit patterns, except the Marsaglia
Total 1.920 1.922 0.10
and Tsang GCD Test, which failed for both the HTH-free
and HTH-infected circuit. However, this test passed with
234 J Hardw Syst Secur (2018) 2:225–239

Table 4 First- and second-level

NIST test suite resultsa Statistical test Bitstream (HTH inactive) Bitstream (HTH Infected)

1st level 2nd level 1st level 2nd level

Pass rate P value Pass rate P value

Frequency 993/1000 0.867692 994/1000 0.277082

Block frequency 990/1000 0.811080 982/1000 0.334538
Cumulative sums 992/1000 0.940080 995/1000 0.689019
Cumulative sums 994/1000 0.755819 992/1000 0.201189
Runs 991/1000 0.614226 992/1000 0.101917
Longest run 991/1000 0.118120 983/1000 0.975644
Rank 987/1000 0.104371 988/1000 0.200115
FFT 988/1000 0.064418 980/1000 0.025023
Non-overlapping template 983/1000 0.028817 984/1000 0.022149
Overlapping template 984/1000 0.812905 986/1000 0.693142
Universal 986/1000 0.262249 990/1000 0.805569
Approximate entropy 986/1000 0.522100 992/1000 0.102526
Random excursions 619/628 0.167034 594/605 0.062493
Random excursions variant 617/628 0.007820 594/605 0.082597
Serial 985/1000 0.167184 988/1000 0.595549

a For tests with more than one subtest, pass proportion shown are the smaller values

larger bitstream data files (e.g., 10 billion bits). Thus, we are depicted in the Table 7. From the table, it is clear that
conclude that both the NIST and Dieharder test suites prove since the observed values are less than the expected values
ineffective in detecting the inserted HTH. We also applied for both the HTH-free and HTH-infected bitstreams, the
the statistical tests proposed in [45] after implementing them LIL tests passed for both, and thus were unable to detect the
in software (unlike the hardware implementation of [45]), presence of the proposed HTH.
and found that all the tests comfortably passed for both Additionally, we repeated all the tests, with active and
the HTH-free and HTH-infected bitstreams of 1 billion bits inactive HTH on a data set of size of 10 billion bits, wherein
each. This again demonstrates the evasive nature of the we have obtained same results. We have also tested data
proposed HTH. files of size 10 billion and 1 billion from the TRIVIUM
We carried out the LIL tests proposed in [10] for a cipher output (after post-processing), which passed all the
sample size of 10 billion bits each generated by the HTH- tests successfully (which is expected as post-processing is
free and HTH-infected TRNGs, using the software kindly supposed to increase entropy).
shared with us by the author. The obtained and theoretically Finally, we consider the result of applying CWT on the
expected statistical distance metrics as reported by the tests golden and infected TRNG bitstreams. Figure 7 shows the
difference in the CWT coefficients calculated for: (a) a
reference “Golden” bitstream (which had passed NIST and
Table 5 Q value-based NIST statistical test results‡ Dieharder tests and for which the HTH was inactive), and
(b) an HTH-infected bitstream. The 1 billion bit dataset
Statistical Bitstream Bitstream
were first analyzed for varying lengths with the Wavelet
test (HTH inactive) (HTH infected)
toolbox and empirically we came to the conclusion that
Q value Q value
dividing the sequence into chunks of length 3000 gave
Frequency 0.969588 0.552383 the best results for detecting the proposed HTH. For the
Runs 0.310049 0.270265 data that was collected during experimentation, for all the
FFT 0.036833 0.102526 portions of the bitstream affected by the inserted HTH, the
Universal 0.270265 0.691081 proposed analysis method detected the HTH with 100%
Random excursions variant 0.042988 0.026203 pass rate. We have used the Haar Wavelet, with a scale
setting of the “power of 2” mode with power = 7, for
‡
For tests with more than one subtest, Q values shown are the smaller evaluating the input data using CWT. The blue box in
values Fig. 7b clearly shows a deviation from the golden bitstream
J Hardw Syst Secur (2018) 2:225–239 235

Table 6 Dieharder test results

Statistical test Bitstream (HTH inactive) Bitstream (HTH infected)

P value P value

Diehard Birthdays Test 0.52017885 0.94047042

Diehard OPERM5 Test 0.91139756 0.00031978
Diehard 32 × 32 Binary Rank Test 0.60825999 0.77973743
Diehard 6 × 8 Binary Rank Test 0.56224308 0.38559539
Diehard Bitstream Test 0.45018776 0.95823048
Diehard OPSO 0.66623360 0.89529106
Diehard OQSO Test 0.93220474 0.34797128
Diehard DNA Test 0.44008319 0.08326412
Diehard Count the 1s (stream) Test 0.90497912 0.46085164
Diehard Count the 1s Test (byte) 0.34022498 0.97919475
Diehard Parking Lot Test 0.95063855 0.10932071
Diehard Minimum Distance (2d circle) Test 0.41730255 0.03411971
Diehard 3d Sphere (minimum distance) Test 0.49013019 0.06259836
Diehard Squeeze Test 0.06132605 0.08176140
Diehard Sums Test 0.21864531 0.10598363
Diehard Runs Test 0.15116770 0.00605953
Diehard Craps Test 0.04951539 0.00001241
Marsaglia and Tsang GCD Test 0.00000047 0.00000001
STS Monobit Test 0.76518635 0.88224534
STS Runs Test 0.59096337 0.85284228
STS Serial Test (generalized) 0.06403045 0.11497045
RGB Bit Distribution Test 0.03480518 0.00410276
RGB Generalized Minimum Distance Test 0.40774975 0.08776353
RGB Permutations Test 0.13777670 0.35678627
RGB Lagged Sum Test 0.00415203 0.00450869
RGB Kolmogorov-Smirnov Test 0.59770839 0.61492999

(without HTH) which corresponds to the inserted HTH 4.5 Discussions

pattern. Figure 8 also shows zoomed version of the portion
of the plot in the blue box of Fig. 7, which exposes the It is slightly difficult to comment on exactly how to
inserted HTH pattern in the analyzed input signal, as well synthesize a bitstream (or to modify a given random
as in the CWT coefficient plots. We thus conclude that bitstream generated from a TRNG) that is guaranteed to
CWT is an effective technique to detect the type of HTH pass NIST and Dieharder tests, but would be detectable by
deployed in this paper. However, note that for the CWT CWT. For us, the main insight behind application of CWT
analysis to evaluate one block of length 3000, in total, it took to detect the type of infection induced by the proposed HTH
approximately 10 min (∼600 s) for data acquisition and data is the well-known and unique ability of CWT to resolve
analysis, to generate the plots with the wavelet coefficients, events simultaneously in time and frequency domains.
thereby detecting the anomaly. Hence, the proposed scheme Because of this ability, CWT is presumably able to detect
is not real-time. and localize (relatively) short-duration but extremely large

Table 7 Statistical distances

reported by the LIL tests [10] Statistical distances HTH inactive HTH infected
(10 billion bits)
Expected value Observed value Expected value Observed value

Total variation distance (d) 0.07927 0.05836 0.06944 0.05538

Hellinger distance (H ) 0.07021 0.05646 0.06192 0.05891
Root-mean-square-distance (RMSD) 0.00523 0.00356 0.00457 0.00353
236 J Hardw Syst Secur (2018) 2:225–239

a
Analyzed Signal (length = 3000)
1

0.5

0
500 1000 1500 2000 2500 3000
Time(ns)
CWT Ca,b Coefficients (Coloration mode)
128
120

64
100

32
80

16
60

8
40

4
20

Time(ns) Scale of colors from MIN to MAX

CWT Coefficients Line ( Ca,b for scale a = 16)

2

-2
500 1000 1500 2000 2500 3000
Time(ns)

b
Analyzed Signal (length = 3000)
1

0.5

0
500 1000 1500 2000 2500 3000
Time(ns)
CWT Ca,b Coefficients (Coloration mode)
128
120

64
100

32
80

16
60

8
40

4
20

Time(ns) Scale of colors from MIN to MAX

CWT Coefficients Line ( Ca,b for scale a = 16)

2

-2
500 1000 1500 2000 2500 3000
Time(ns)

Fig. 7 Plot of Haar Wavelet-based Continuous-time Wavelet Transform (CWT) coefficients for Golden and HTH-infected bitstream (before
post-processing)
J Hardw Syst Secur (2018) 2:225–239 237

Analyzed Signal (length = 3000)

1

0.5

0
80 100 120 140 160 180 200 220 240
Time (ns)
CWT Ca,b Coefficients (Coloration mode)

120
64

100

32
80

16 60

40
8

20

Time (ns) Scale of colors from MIN to MAX

CWT Coefficients Line (Ca,b for scale a = 16)

2

-2
80 100 120 140 160 180 200 220 240

Time (ns)
Fig. 8 Zoomed in plot of Haar Wavelet-based Continuous-time Wavelet Transform (CWT) coefficients for HTH-infected bitstream (before
post-processing)

time-period periodicities, embedded in random signals (i.e., cipher or stream cipher design, is a cat-and-mouse game
uninfected bits generated from the TRNG). The fact that between the designers and the adversaries, and there is cur-
such periodicities passed the Fast Fourier Transform (FFT) rently no clear winner. To the best of our knowledge, there
test included in the NIST test suite is proof of the inability of is no known TRNG that has been established to be abso-
other competing signal processing techniques in detecting lutely robust, and no current randomness testing method
the impact of the proposed HTH. Even if FFT would have can claim itself to be sacrosanct. It is very much feasible
been able to detect the presence of an embedded periodic that the enhanced randomness testing methodology pro-
signal, it does not have the ability to localize occurrence of posed in this paper is defeated by some other attack on
such periodicities. the TRNG in near future. In other words, the demonstrated
Further, one may argue that given that any random- effectiveness of CWT in this work, while encouraging,
ness testing tool is effective only until the next non- should not be interpreted as a “cure-all” solution for all
distinguishing attack is reported, is it worth enough to types of inserted HTHs. We want to emphasize that the
explore different randomness testing strategies at all? We experimental results demonstrate the effectiveness of CWT
have followed the principles laid out in [1], which says in detecting the impact of only the HTH proposed in this
that contemporary TRNG designs should have a three-fold paper—establishment of wider effectiveness of CWT for
security evaluation criteria which consists of: (a) a proof randomness testing and HTH detection requires extensive
of robustness; (b) embedded tests of randomness, and (c) a additional experimentation and analysis.
stochastic model of randomness. Our approach to a HTH Regarding the failure of the Marsaglia and Tsang GCD
design that impacts the randomness of a common TRNG test for 1 billion-sized dataset, but its success for the 10
also naturally extends to development of stronger random- billion-sized dataset, we would like to point out that in
ness evaluation techniques compared to the state-of-the-art. order to run all the Dieharder tests and to get a dependable
The art of secure TRNG design, much like secure block result (pass or fail), it is recommended that the input file
238 J Hardw Syst Secur (2018) 2:225–239

size should consist of minimum 12 megabytes (about 100 5. Fischer V (2014) Random number generators for cryptography
million) random bits as mentioned in [46]. We carried out design and evaluation. Summer School on Design and Security
of Cryptographic Algorithms and Devices, Šibenik, Croatia, June
our own testing with the in-built pseudorandom number
2014. Accessed: May 2017
generators present in the Dieharder suite, and found out that 6. National Institute of Standards and Technology (2002) FIPS PUB
all the tests start passing only after a random bit data of 140-2. Security requirements for cryptographic modules. Federal
size 1 billion (1000 million) bits. Hence, we carried out our Information Processing Standards (FIPS) publication. Accessed:
May 2017
testing on 1 billion and 10 billion bit-sized datasets. Please
7. Rukhin A et al (2010) A statistical test suite for random and
note that we do not claim that 1 billion bits are enough pseudorandom number generators for cryptographic applications.
to declare a stream random, and the choice of the dataset Accessed: May 2017
sizes is based only on our observations with the experiments 8. Brown RG, Eddelbuettel D, Bauer D (2017) Dieharder: a random
number test suite (v 3.31.1). Accessed: December 2017
that we have carried out with the available test suites and
9. Marsaglia G (1995) Diehard battery of tests of randomness.
resources. Also, in the paper [46], the originators of the Accessed: December 2017
Marsaglia and Tsang GCD test mention that it is one of 10. Wang Y (2014) On the design of LIL tests for (pseudo) random
the most difficult to pass randomness tests in the Dieharder generators and some experimental results. IACR Cryptology
suite, and is thus expected to fail sometimes. This failure ePrint Archive. 2014:31
11. Kumagai J (2000) Chip detectives [reverse engineering]. IEEE
does not necessarily mean that the source of randomness is Spectrum 37(11):43–48
of inferior quality. 12. DARPA (2007) TRUST in integrated circuits (TIC). [Online].
Available: http://www.darpa.mil/MTO/solicitations/baa07-24
13. Adee S (2008) The hunt for the kill switch. IEEE Spectrum
5 Conclusions 45(5):34–39
14. Bhunia S, Hsiao MS, Banga M, Narasimhan S (2014) Hardware
Trojan attacks: threat analysis and countermeasures. Proc IEEE
In this paper, we have demonstrated a potent attack on 102(8):1229–1247
an FPGA-based cryptographic system, through a HTH 15. Tehranipoor M, Koushanfar F (2010) A survey of hardware trojan
that affects the entropy of the keystream generated taxonomy and detection. IEEE Des Test Comput 27(1):10–25
16. Xiao K, Forte D, Jin Y, Karri R, Bhunia S, Tehranipoor M (2016)
from a TRNG. We demonstrated that the compromised Hardware trojans: lessons learned after one decade of research.
bitstream can lead to collision of generated session keys ACM Trans Des Autom Electron Syst 22(1):6:1–6:23
with much higher probability, which is a grave security 17. Ali SS, Chakraborty RS, Mukhopadhyay D, Bhunia S (2011)
concern. Through experimental results, we have shown that Multi-level attacks: an emerging security concern for crypto-
graphic hardware. In: Proceedings of design, automation & test in
the impact of this HTH on the compromised bitstream
Europe conference & exhibition (DATE 2011), pp 1–4
is undetectable by several standard randomness testing 18. Stinson D (2006) Cryptography: theory and practice, 3rd edn.
schemes. We also discussed the ineffectiveness of a TERO CRC Press/Chapman and Hall, Boca Raton
-based HTH detection technique on the proposed HTH. We 19. Kitsos P, Stefanidis K, Voyiatzis AG (2016) Tero-based detection
then demonstrated that Wavelet Transform-based analysis of hardware trojans on fpga implementation of the AES algorithm.
In: 2016 Euromicro conference on digital system design (DSD),
can detect the anomaly in the compromised bitstream. pp 678–681
Our future work will be directed towards designing and 20. Johnson AP, Patranabis S, Chakraborty RS, Mukhopadhyay D
implementing a complete FPGA-based VLSI architecture to (2016) Remote dynamic clock reconfiguration based attacks on
perform real-time on-chip randomness evaluation, including internet of things applications. In: Euromicro conference on digital
system design (DSD 2016), pp 431–438
Wavelet Transform, while minimizing impact on the TRNG. 21. Martin H, Di Natale G, Entrena L (2017) Towards a dependable
true random number generator with self-repair capabilities. IEEE
Trans Circ Syst Regul Pap PP(99):1–10
22. Yang B, Rožić V, Mentens N, Dehaene W, Verbauwhede I (2015)
References Embedded HW/SW platform for on-the-fly testing of true random
number generators. In: Proceedings of design, automation & test
1. Fischer V (2012) A closer look at security in random number in europe conference & exhibition (DATE 2015), pp 345–350
generators design. In: Schindler W, Huss SA (eds) Proceedings 23. Rao RM, Bopardikar AS (1998) Wavelet transforms: introduction
of the third international workshop on constructive side-channel to theory and applications. Prentice Hall/Chapman and Hall,
analysis and secure design (COSADE 2012). Springer, Berlin, Englewood Cliffs
pp 167–182 24. Lampert B, Wahby RS, Leonard S, Levis P (2016) Robust,
2. Massey J (1969) Shift-register synthesis and BCH decoding. IEEE low-cost, auditable random number generation for embedded
Trans Inf Theory 15(1):122–127 system security. In: Proceedings of the 14th ACM conference on
3. Von Neumann J (1951) Various techniques used in connection embedded network sensor systems CD-ROM, SenSys ’16. ACM,
with random digits. Natl Bur Stand Appl Math Ser 12:36–38 New York, pp 16–27
4. Killmann W, Schindler W (2011) A proposal for: functionality 25. Sunar B, Martin WJ, Stinson DR (2007) A provably secure true
classes for random number generators. Bundesamt für Sicherheit in random number generator with built-in tolerance to active attacks.
der Informationstechnik (BSI) publication. Accessed: May 2017 IEEE Trans Comput 56(1):109–119
J Hardw Syst Secur (2018) 2:225–239 239

26. Wold K, Tan CH (2008) Analysis and enhancement of random 35. Varchola M, Drutarovsky M (2010) New high entropy element
number generator in FPGA based on oscillator rings. In: for fpga based true random number generators. In: Mangard
Proceedings of the international conference on reconfigurable S, Standaert F-X (eds) Cryptographic hardware and embedded
computing and FPGAs (ReConFig 2008), pp 385–390 systems, CHES 2010. Berlin, Heidelberg, pp 351–365
27. Lao Y, Tang Q, Kim CH, Parhi KK (2016) Beat frequency 36. Haddad P, Fischer V, Bernard F, Nicolai J (2015) A physical
detector–based high-speed true random number generators: approach for stochastic modeling of TERO-based TRNG. In:
statistical modeling and analysis. J Emerg Technol Comput Syst Workshop on cryptographic hardware and embedded systems,
13(1):9:1–9:25 CHES 2015
28. Haddad P, Fischer V, Bernard F, Nicolai J (2015) A physical 37. (2018) Haar Wavelet. Wikipedia article on Haar Wavelet. https://
approach for stochastic modeling of tero-based trng. In: Workshop en.wikipedia.org/wiki/Haar wavelet. Accessed: May 2017
on cryptographic hardware and embedded systems, CHES 2015, 38. Bhunia S, Roy K, Segura J (2002) A novel wavelet transform
St-Malo, France based transient current analysis for fault detection and local-
29. Petura O, Mureddu U, Bochard N, Fischer V, Bossuet L ization. In: Proceedings of the IEEE/ACM design automation
(2016) A survey of ais-20/31 compliant trng cores suitable for conference (DAC’02), pp 361–366
FPGA devices. In: 2016 26th international conference on field 39. Zynq Evaluation and Development Hardware User’s Guide (2017)
programmable logic and applications (FPL), pp 1–10 Xilinx online documentation. Accessed: January 2018
30. Chari SN, Diluoffo VV, Karger PA, Palmer ER, Rabin T, Rao 40. Xilinx Zynq-2000 XADC UserGuide(UG480) (2017) Xilinx
JR, Rohotgi P, Scherzer H, Steiner M, Toll DC (2010) Designing online documentation. Accessed: December 2017
a side channel resistant random number generator. In: Smart 41. Theodore MA, Moore SW (2009) The frequency injection attack
card research and advanced application: 9th IFIP WG 8.8/11.2 on ring-oscillator-based true random number generators. In:
international conference, CARDIS 2010, Passau, Germany, April Proceedings of the 11th international workshop on cryptographic
14–16, 2010. Proceedings. Springer, Berlin, pp 49–64 hardware and embedded systems, CHES’09, pp 317–331
31. Zhu S, Ma Y, Lin J, Zhuang J, Jing J (2016) More powerful 42. De Cannière C, Preneel B TRIVIUM Specifications, 2005.
and reliable second-level statistical randomness tests for NIST SP eSTREAM submitted papers. Accessed: May 2017
800-22. In: Proceedings of advances in cryptology—ASIACRYPT 43. Roy DB, Bhasin S, Guilley S, Danger J-L, Mukhopadhyay D,
2017. Springer, pp 307–329 Ngo XT, Najm Z (2015) Reconfigurable lut: a double edged
32. Pareschi F, Rovatti R, Setti G (2007) Second-level NIST sword for security-critical applications. In: Proceedings of the
randomness tests for improving test reliability. In: Proceedings 5th international conference on security, privacy, and applied
of IEEE international symposium on circuits and systems 2017, cryptography engineering, vol 9354, SPACE 2015, pp 248–268
pp 1437–1440 44. Malladi S, Alves-Foss J, Heckendorn RB (2002) On preventing
33. Yutao F, Guiping S (2014) A new testing method of randomness for replay attacks on security protocols. DARPA technical report by
true random sequences. In: 2014 IEEE 5th international con- University of Idaho Moscow. Accessed: May 2017
ference on software engineering and service science, pp 537– 45. Yang B, Rožić V, Mentens N, Dehaene W, Verbauwhede I (2016)
540 TOTAL: TRNG on-the-fly testing for attack detection using
34. Greenland S, Senn SJ, Rothman KJ, Carlin JB, Poole C, Lightweight hardware. In: Proceedings of the design, automation
Goodman SN, Altman DG (2016) Statistical tests, p values, test in Europe conference exhibition, DATE’16, pp 127–132
confidence intervals, and power: a guide to misinterpretations. Eur 46. Marsaglia G, Tsang WW (2002) Some difficult-to-pass tests of
J Epidemiol 337–350 randomness. J Stat Softw 7(3):1–9