Thank you so much for the introduction. To actually explain what we have done here in this work, I should explain some basics for all the Trojans. First of all, just consider a circuit that has malicious changes. Actually, these malicious changes mean that this chip or this IC adds some functionality or removes some functionality of the circuit. Or it can lead to changing or reducing the reliability. It means that you have your design, you have your circuit here, and you give it to the fab company to produce it for you. And then there are some changes in the design that you are not aware of. And it adds some functionality to the circuit. It leaks information. It gives a key out, for instance, or makes the crypto actually very, very simple. But you are not aware of this. This leads to some unpleasant implications for military applications, some other applications that may target many more people, or even the device that you have in your pocket. If they are Trojan-infected, it means that they have some functionality that you are not aware of. But what about the scenarios or, let's say, the potential attack vectors? Suppose that you just make a design and give it to a factory or foundry. And a malicious foundry or company can introduce a Trojan in your design. Or it can even be a malicious employee during the design process or even during the manufacturing process. Or you as a company just buy an IP core from another company or from another person, which actually fulfills all your requirements that you have. It does AES, whatever. But it has some other functionality that you are not aware of. Or even sometimes it can be requested by the government agencies. Or it can be done by the attackers. Let's say by hacker attackers, for instance. You just have a firmware in your system. You want to update the firmware.
And then if the partner that provides the firmware is not trusted, it might be trojanized, or something: a Trojan is introduced into the firmware. Or it can even be during the shipment. You just buy something from Amazon, and then on the way, while it is shipped to you, the customer, it can be changed or it can be replaced by some other device that has a Trojan inside. But actually, how do the Trojans work? Usually there are some small changes in the circuit, at particular points of the circuit, that can lead to a completely broken crypto or a weakened crypto. For instance, it can change the functionality of the system or circuit. And in particular scenarios, just leak the key out or make the circuit, or the crypto, very simple. For instance, instead of AES, you have just one round of AES. Then everything seems random and everything seems encrypted, but not necessarily. And then you have one round of AES that can be easily broken. Or it can be changes in the side-channel leakage of the circuit. For instance, it leaks the key in a particular scenario, in a particular fashion, but not easily, through a particular side channel. But how do we detect such Trojans, with functionality testing or even side-channel evaluation? First of all, what is usually considered in the hardware community is just comparing the chip with a golden chip. It means that it's a bit of a hard assumption, a strong assumption, that you have a chip and also a golden chip. It means that you have a chip that might be Trojan-infected, and another chip that you are definitely sure does not have a Trojan. And then you just compare the characteristics of these two devices. Sometimes it's hard to assume that the golden chip is accessible. Or you do functional testing. You have your chip and then you just check it with many test vectors to see whether the functionality is correct, or if the functionality was altered before. Or you do side-channel evaluations.
You go through state-of-the-art and standard side-channel evaluations to see whether the circuit is leaking through the side channel or not. Or you do netlist analysis. This means that, again, you have a device in your hand, you do reverse engineering, extract the whole netlist, and then, again, compare with your original design that you sent to the factory, to see whether it's the same or not. Actually, this has been shown to be not enough. At last year's CHES, it has been shown that even if the netlist appears to be correct, it doesn't necessarily mean that it doesn't have any Trojan inside. It might be because the delay of the circuit is altered. And so, again, it might be Trojan-infected. What we are doing here in this work, I'm just showing how to design a circuit that can pass this side-channel evaluation, meaning that the device seems completely secure and is secure. But under certain conditions, it starts leaking information through, again, the side channel. One question here is whether we are actually helping criminals by just introducing new ways of Trojans. The answer is that, yeah, it might be, but the detection and the design of the Trojans are closely related. If we don't know how the Trojans can be designed, then we cannot provide protections. We cannot provide efficient detection mechanisms. Particularly in this work, I'm showing, again, how one side-channel parametric Trojan can be inserted in the system. What does parametric mean? It means that it doesn't leak always, but in a particular scenario, in a particular condition, it leaks information. In this work, I'm dealing with a high clock frequency. The device is working absolutely fine without the leakage. And then you just increase the clock frequency and it starts leaking. And then you can exploit the leakage.
What makes our work different from the other works, the state-of-the-art side-channel parametric Trojans, is that mostly the other works or previous works either target the PRNG, because in side-channel security, in side-channel countermeasures, we usually need a source of randomness internal to the system. I mean, we have seen in the last talk about masking and Boolean masking that some source of randomness is used. And if the attacker or the Trojan is targeting the PRNG and changing the distribution of this PRNG, and the distribution is not uniform anymore, then an attack is possible. Either such previous works are targeting the PRNGs, or they are going to transistor-level manipulation, for instance, changing the dopant of the circuit, or a particular separate circuit to just leak particular or certain intermediate values, for instance. The point is that none of these schemes, or most of these schemes, cannot pass the side-channel evaluation. It means that if you want to get, for instance, a certificate for your design and send it to an evaluation lab, the evaluation lab, with state-of-the-art leakage detection schemes, can easily find it. Not that the lab can easily find that the system has a Trojan or is Trojan-infected; it can detect that the system has a leakage. Whether this leakage is exploitable or not, this is another question. But the lab cannot say, definitely, that this device doesn't have a leakage. As I said, our goal here is to see how we can add such a Trojan into a system such that the system stays secure but becomes insecure in a particular condition. To explain that, I need to go through masking in hardware a bit. After several glitch-related attacks on the masking schemes that we had in hardware, finally we had threshold implementation, in short we call it TI, which can provide provable security against first-order attacks, particularly in hardware.
And it's a mixture of Boolean masking that we have seen in the last talk and also multi-party computation. Because we have Boolean masking, and we have seen Boolean masking in the last talk, it means that you just have x and represent x by some shares, in a way that if you XOR the shares, you get the value x. And if you want to apply a linear function over this masked value, easily you just apply the linear function over each share separately and then you are done. This is simple. But the challenge, of course, is the nonlinear functions, if you want to apply nonlinear functions over some shares that are Boolean masked. This is actually the place where TI plays a role and says: I have some requirements on how to implement a masked function in hardware, to be able to provably say that it doesn't leak information through first-order side-channel analysis. Suppose you have this box, where the input is x and the output is y, and then you want to represent this box by some other functions such that when x is shared in three shares, minimum, and y also, the output of this box is also shared in three shares, each by a small function. We call them component functions. Each of them provides one output share. One of the requirements is straightforward. The trivial one is correctness. It means that if you XOR all the shares of x, you get x, and here, if you XOR all the y's, you get y. This is the trivial one, but non-completeness says that each of these component functions should be independent of one share. For instance, you can see f1 is independent of x1, f2 doesn't receive x2, and f3 doesn't receive x3. But what does it mean? It means that the leakage of f1 will be independent of x1 and then independent of x, and also the leakage of f2, and the same for f3, and then it means that the average leakage of this circuit will be independent of x, but on average. This is the meaning of the first order.
But the third property is uniformity. To understand uniformity, I should explain it. As I said, we have a PRNG usually, or a source of randomness, in the circuit. And then it provides random values to share, for instance, x. And then it should follow a uniform distribution, I mean the masks. And then the uniformity property of TI says that if the input is a uniform sharing of a particular x, for instance, then the output should also be a uniform sharing of all possible sharing values of y. It means that actually applying this f1, f2, f3 doesn't change the uniformity or the distribution of the masks. If any of these conditions, of course, non-completeness and uniformity, is not fulfilled, you cannot guarantee that the system is secure against first-order attacks. Achieving correctness is super easy, even trivial. Non-completeness can also be achieved easily, I would say, as explained in the next slide. But uniformity is a problem. We have to check a lot of things to finally find, by trial and error, whether the circuit is uniform or not. To explain that, I need to again explain one more concept, which is called direct sharing. Just to start with an example, suppose that you have this S-box with four-bit input and four-bit output. And I have just a small function here, S1, which gives us one output bit of this S-box. There are four inputs and a one-bit output, e, one of the bits of the S-box. And then suppose this is the ANF, the algebraic normal form, of the one bit of this S-box, this e, with two linear components and one quadratic component. And then you just replace a with the sharing of a, a1 XOR a2 XOR a3. The same for b, c, and d. Just write the formula and then expand it. And then finally, you have some linear components and quadratic components.
And then the idea here with direct sharing is that, if you have this, again, circuit, the point here is which part of these components will go to e1, which one to e2, and which one to e3. And I'm just separating these terms into three parts in a way that it fulfills the requirement of non-completeness. And direct sharing actually follows a particular format for the indexing. But what is easy to say is that the quadratic terms, for instance b2·c3, cannot go to e2 because it has index two. It also cannot go to e3 because it has index three. Definitely, it has to go to e1. That means that for these quadratic terms, it is clear; we don't have any other option. But the other terms, either the linear ones or the quadratic ones that have the same index, can arbitrarily go to two different functions. For instance, a2 can go to e1 and also to e3. And then they are actually not changing the functionality of the system, but they have an effect on the uniformity. It means that by changing this, by putting a2 into e1 or e3, it changes the uniformity. It means that if it's not uniform, it might become uniform, or if it's uniform, it might become non-uniform after changing. But this is not the end of the story. You can add more terms, even terms that do not exist. For instance, you add b2 to e1 and also to e3. It doesn't change the functionality, because if you XOR all of them, again, b2 is canceled, but again, it changes the uniformity. The same for some other particular quadratic terms; these are actually called correction terms. We just add them to achieve uniformity. Now, suppose that you made your circuit like this. These are all three component functions. And then one correction term, where both of them are getting the input from x2. This is the same component function, just to achieve uniformity.
Without this correction term, this circuit is not uniform. Just suppose this. And then what happens if this correction term is the last coming signal? It means that the circuit which is realizing these correction terms is actually the slowest component, on the critical path. If you have a register here at the start and a register at the output, the time at which this output, the correction term, is ready: if we intentionally make it slow, just this component function, the correction terms, this will be the result. Suppose that this is the clock, and the clock frequency is still slower, or the clock period is longer, than the critical path delay, meaning the time that is required for all of these values from x1, x2, x3 to generate y1, y2, y3. And then the circuit will be fault-free. No problem at all. The circuit works absolutely fine. And also it's uniform. It means that it should be secure against first-order attacks. You just decrease the clock frequency in a way that the critical path delay of the correction terms is violated, meaning that they are not performing correctly or they are not evaluated correctly. But the circuit becomes unstable. Sometimes it's working correctly, sometimes not, because you cannot say precisely how many nanoseconds your circuit needs. And then if you decrease the clock frequency again, it means that the delays of these two correction terms are completely violated. They are never ready or correctly evaluated. But the delays of these component functions are not violated. It means that they are evaluated correctly here. It means that the circuit will be fault-free. The circuit works as if these correction terms did not exist in this design. And then what happens? The circuit is still correct, because the XOR of them is actually correct, but it's not uniform anymore, because the correction terms are not added to the system.
And if you again decrease the clock period or increase the clock frequency, then the circuit will not work correctly, because the delay of these component functions will be violated. And this is actually the place where we want to inject this Trojan. It means that if we intentionally make this part of the circuit longer, or this circuit slower, then we have already injected the Trojan into the system. But how complicated is it? How can we make this part of the circuit slower? As a case study, we have the PRESENT S-box in threshold implementation with a minimum of three shares. This S-box is implemented in two steps, decomposed into two parts, G and F, because this S-box is a cubic function. So we decompose it into two quadratic functions. And now we target the G function, the first part of the S-box, and then put the Trojan here by just making the component of the correction terms slower than the rest of the circuit. We first target an FPGA prototype; this is a Spartan-6 on the SAKURA-G board, which is also used for side-channel evaluation in practice. One option in FPGAs to introduce delay, to make particular logic slow, is to pass the particular routing through switch boxes, because the switch boxes in FPGAs are active elements, and then just by changing the routing, they go through more active elements and then they become slower. But how can we do this? We have a video here. This is just a full view of the FPGA. You just need to select the correction term here. You just find the correct name in your design and then you see here it's selected. We turn off the other signals, and these two lines are the correction terms, actually, in the FPGA. And then you just need to select the one that you want and then un-route it. First of all, we get the delay of the signal which is already routed. You see it's 0.8 nanoseconds here; actually it's 0.99 nanoseconds.
This is the delay of this. And then you just un-route it, just some commands here: un-route. And then just select another area that you can see here. One part of the circuit will be selected here. It takes a bit of time. You just select one area which is not used. You will see, for instance here, we select one part which is not used, and ask the router to use, definitely, one of the wires which are there for the routing. For instance, we select this line. You will see now, we select one of the lines here and say the routing should pass through this particular line. And here we say: route again. By selecting this, we say: route again. You see it's routed now; we turn off all the other signals that are not necessary. And now you see the circuit is routed through this particular line that we want and then coming back. And if you get the delay of this, you get now 5.2 nanoseconds, versus the 0.9 nanoseconds you saw. And then you are done, with just changing the routing. The point here is that in the FPGA, it doesn't consume any resources. I mean resources with respect to the slices, the flip-flops and also the LUTs. Then if you compare the original design with the Trojan-infected design, there is no difference in the utilization, the resource utilization. For instance here, the original design has this many flip-flops and LUTs and slices, and then the critical path says that the maximum clock frequency is 219 megahertz. And just by changing the routing through the switch boxes, you see that the utilization stays exactly the same, by just changing the routing. And then the circuit works like this: the maximum clock frequency will be 196, but in the gray area where the circuit is unstable, 212 megahertz up to 219 megahertz. It means that if we run the circuit in this area, in the yellow one, then the circuit should actually leak information in the first order. These are the practical side-channel results.
At 168 megahertz, because we are in the green part, the circuit should be secure. This is a sample power trace. You can see how long it takes, from here to here, some microseconds. And there are 100 million traces. And then these are the results of actually the t-test, the common leakage detection scheme, fixed versus random: the first order over the number of traces, and also over the time. It doesn't leak in any of the three orders. Actually, the reason is that we have some noise generator in the system to hide higher-order leakage, because the TI that we have is only first order. And now we run the system at 216 megahertz, which actually is in the yellow part. Now, one sample power trace is shown; it's shorter. And then 100 million traces. And then it starts leaking after 20 million traces, in the first order. And this actually detects the leakage. It means that there is a leakage to exploit. Detectable leakage might be exploitable. We have some attacks also in the paper. And it shows, actually, as a proof of concept, that these leakages are exploitable. This is my last slide. There might be some rising questions about this work. For instance, how about the ASICs? This was on the FPGA. Whether it's possible on ASIC or not: yeah, it's possible by changing the transistor characteristics. For instance, you can replace the gates of the system by their high-threshold variants, meaning that the gates become slower. And then again, you can have an effect on the delay of the particular lines. We already fabricated two chips, 19 nanometer and 65 nanometer chips, with these Trojan-infected designs. They are still under evaluation. What are the possible scenarios for this Trojan? You can think about third-party IP cores and also manufacturers. That is, the malicious design's maximum frequency is 196. I mean, the device is sold with this. Or the IP core says this maximum clock frequency is 100.
Of course, you don't see the gray and the yellow parts in the specification. And then it will never be evaluated by the evaluation lab at a frequency higher than 197 megahertz, because the circuit will not function correctly. But the Trojan adversary can run it at a higher frequency, for instance, 216 megahertz, and then exploit the leakage. So this was the point, how the scenario of the attack is. The last question or last criticism is that we need control over the clock, whether control over the clock is a realistic scenario or not. In FPGAs, it is, because usually it's externally clocked. And then internally it uses a PLL or DCM to increase the frequency, multiplied by a particular value. Usually it's a realistic assumption in FPGAs. But in ASICs, the clock is commonly generated internally in the embedded systems. And then it cannot be taken into account that the attacker has control over the clock. But the same effect can be seen by lowering the power supply. It means that you just decrease the power supply voltage and then it starts being slower. But as long as the clock frequency is generated internally and has the same frequency, you have the same effect. As a last message, the overclocking, and also control over or monitoring of the power supply reduction, should be internally done, not to detect such a Trojan, but just so that, if this Trojan is inserted, we avoid it being activated. Thank you for your attention.

I'm not familiar with hardware design, but I guess that there must be some tools, some optimizer, which can detect that there are some very lengthy and unnecessary paths. So is there any way to obfuscate this kind of path?

Yeah, I can get back to this slide. I didn't play the video completely. But the thing is, the whole of this circuit is here. And then not necessarily you select a signal which is not used here, but it's part of the circuit.
And then, of course, if you do netlist analysis, you will recognize some routes that are strange in your system. But we are talking about exactly this point, that when you want to buy an IP core from someone else, then what should you look at? With that knowledge, you should look at the long wires, whether they are unnecessarily long or not. I mean, this is exactly the point that here in this work we are saying, what we should look at to be able to find such Trojans. But without knowing this, that the Trojan can be inserted by making your routing long, you would never look at the long wires in your third-party IP core.

Just a short comment. Your project is basically a kind of fault attack. And manufacturers of smart cards have implemented both overclocking and undervoltage protection on the smart card. And in addition, if the circuit is calculating cryptographic encryption, for example, you can easily avoid the fault attacks by trying to decrypt the result before you send it out. Because if you are overclocking, the result is incorrect, and if you decrypt it, you see that you don't get the same value you started with. So those are good protection mechanisms.

But the functionality is correct in this case. This is the point. Not with that overclocking. With overclocking, it will still be correct, because it should be correct. This is the point in your design, that the correction terms will cancel each other. And then, no matter whether the correction terms are there or not, the functionality of the system is correct, because you always receive the correct result if you are in that yellow area. If you are here, the system works correctly. This is the point. If you decrypt it again, you get the same plaintexts.

OK. I thought that the collection level reaches on the line.

Here it is correct. There is no problem. Here it is metastable. And here, again, the result of the function is correct. And here, again, it's just going to be faulty.
But here, the result is correct, but the side-channel leakage itself is there. That's it. Thank you.
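The three TI properties the talk lists (correctness, non-completeness, uniformity), the direct-sharing index rule, the trial-and-error search for correction terms, and the effect of the correction-term paths dropping out at a too-fast clock, as an added Python example that is not part of the talk or of the paper it presents. In place of the PRESENT G function it uses small constructed functions (the AND gate y = ab and two quadratic 3-bit maps); the function names, the share naming (a variable letter followed by a share digit) and the family of correction terms searched are the author's assumptions, not the talk's.

```python
"""Added illustration of the talk's threshold-implementation (TI) properties, not the
talk's own code: it checks correctness, non-completeness and uniformity of a 3-share
sharing given as ANF monomials, searches by trial and error for correction-term pairs
that make a direct sharing uniform, and models the Trojan effect of correction-term
paths missing the clock edge.  Share naming (letter plus share digit), function names
and the example functions are the author's constructed choices."""
from collections import Counter
from itertools import combinations, product

IDX = ("1", "2", "3")
SHARINGS = {v: [s for s in product((0, 1), repeat=3) if s[0] ^ s[1] ^ s[2] == v] for v in (0, 1)}

def eval_anf(terms, env):
    """XOR of monomials; a monomial is a tuple of share names such as ("a2", "b3")."""
    return sum(all(env[n] for n in mono) for mono in terms) & 1

def direct_sharing(anf_outputs):
    """Direct sharing: indices {i, j}, i != j, go to the third component; a single index i goes to component i-1."""
    sharing = []
    for terms in anf_outputs:
        comps = [[], [], []]
        for mono in terms:
            for idx in product(IDX, repeat=len(mono)):
                free = [c for c in range(3) if IDX[c] not in idx]
                dest = free[0] if len(free) == 1 else ((int(idx[0]) - 2) % 3 if idx else 0)
                comps[dest].append(tuple(v + i for v, i in zip(mono, idx)))
        sharing.append(comps)
    return sharing

def correct(sharing, f, inputs):
    """XOR of the output shares equals f(unmasked inputs) for every share vector."""
    names = [v + i for v in inputs for i in IDX]
    for vals in product((0, 1), repeat=len(names)):
        env = dict(zip(names, vals))
        x = [env[v + "1"] ^ env[v + "2"] ^ env[v + "3"] for v in inputs]
        if [eval_anf(o[0], env) ^ eval_anf(o[1], env) ^ eval_anf(o[2], env) for o in sharing] != f(*x):
            return False
    return True

def non_complete(sharing):
    """Component i of every output must not use any share with index i."""
    return all(IDX[i] not in {n[-1] for mono in comp for n in mono}
               for out in sharing for i, comp in enumerate(out))

def uniform(sharing, f, inputs):
    """Each valid output sharing of f(x) is hit equally often by the sharings of x."""
    for x in product((0, 1), repeat=len(inputs)):
        hits = Counter()
        for shares in product(*(SHARINGS[b] for b in x)):
            env = {v + i: s[k] for v, s in zip(inputs, shares) for k, i in enumerate(IDX)}
            hits[tuple(eval_anf(c, env) for out in sharing for c in out)] += 1
        expect = 4 ** (len(inputs) - len(sharing))      # input sharings per output sharing
        if len(hits) != 4 ** len(sharing) or any(n != expect for n in hits.values()):
            return False
    return True

def with_pairs(sharing, pairs, drop=False):
    """Add each (output, same-index monomial) to the two components not using that index
    (the copies cancel in the XOR); drop=True removes them again: the Trojan's slow paths."""
    new = [[list(c) for c in o] for o in sharing]
    for out, mono in pairs:
        (idx,) = {n[-1] for n in mono}
        for i, comp in enumerate(new[out]):
            if drop:
                new[out][i] = [m for m in comp if m != mono]
            elif IDX[i] != idx:
                comp.append(mono)
    return new

def candidate_pairs(sharing):
    """Same-index monomials (degree 1 or 2) over an output's variables that it does not yet use."""
    cands = []
    for out, comps in enumerate(sharing):
        present = {m for c in comps for m in c}
        used = sorted({n[0] for m in present for n in m})
        for vs, i in product([(v,) for v in used] + list(combinations(used, 2)), IDX):
            mono = tuple(v + i for v in vs)
            if mono not in present:
                cands.append((out, mono))
    return cands

def search_corrections(sharing, f, inputs, max_terms=2):
    """Trial and error: smallest set of correction pairs that makes the sharing uniform."""
    cands = candidate_pairs(sharing)
    for k in range(max_terms + 1):
        for pairs in combinations(cands, k):
            if uniform(with_pairs(sharing, pairs), f, inputs):
                return list(pairs)
    return None

# Constructed examples: the AND gate y = ab and two quadratic 3-bit permutations.
AND_ANF, AND_F, AND_IN = [[("a", "b")]], (lambda a, b: [a & b]), ("a", "b")
Q1_ANF, Q1_F = [[("a",)], [("b",)], [("c",), ("a", "b")]], (lambda a, b, c: [a, b, c ^ a & b])
Q2_ANF = [[("a",)], [("b",), ("a", "c")], [("b",), ("c",), ("a", "b")]]   # (a, b+ac, b+c+ab)
Q2_F, ABC = (lambda a, b, c: [a, b ^ a & c, b ^ c ^ a & b]), ("a", "b", "c")

if __name__ == "__main__":
    base = direct_sharing(Q2_ANF)
    print("direct sharing (correct, non-complete, uniform):",
          correct(base, Q2_F, ABC), non_complete(base), uniform(base, Q2_F, ABC))
    fix = search_corrections(base, Q2_F, ABC)
    print("correction pairs found:", fix)
    if fix:
        print("uniform with corrections:", uniform(with_pairs(base, fix), Q2_F, ABC))
        print("uniform when dropped (Trojan active):", uniform(with_pairs(with_pairs(base, fix), fix, True), Q2_F, ABC))
```

For y = ab the search finds no uniform 3-share placement, which agrees with the known result that the AND gate has no uniform 3-share TI; for (a, b, c+ab) the direct sharing is already uniform; for the coupled map (a, b+ac, b+c+ab) the direct sharing is correct and non-complete but not uniform, and the script reports whether a pair of correction terms from this family repairs that and what the checks say once those terms are dropped, which is the talk's yellow region: every share still XORs to the right value, but uniformity is gone.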