Thank you for the introduction. Hello, everyone. This talk is about a design methodology for stealthy parametric Trojans and its application to bug attacks. This is joint work with Georg Becker, Daniel Holcomb, and Christof Paar.

Hardware Trojans get a lot of attention these days. There are many potential attackers, such as malicious employees, or a malicious IC design company under government pressure, or third-party IP cores. Small changes at certain points of the circuit can break or weaken crypto. For example, in 2013 Becker had a paper. They proposed a hardware Trojan methodology and they evaluated its effect on the Intel random number generator. Or in 2008, Biham and Shamir had a paper about the bug attack. They showed that when ciphertexts are decrypted on any computer that computes incorrectly for at least one pair of numbers, the attacker can use that to leak the secret keys. So these small changes can be a security disaster.

So why do we trust our chips to do the correct thing? They seem to do the right thing for a practical number of operations. For example, the floating-point division bug, which was a computer bug that affected the floating-point division unit of a former Intel processor, was an extremely rare bug and was discovered accidentally. Also, the logic gates of our chips appear correct. In this work, we will show that even if the logic gates of our chip appear correct and they do the right thing most of the time, a Trojan can still exist.

In this talk, first I introduce the work. Then I'll talk about the path delay fault. Then I'll introduce our proposed method for creating a stealthy path delay fault, which consists of two main phases, path selection and delay distribution along the selected path. Then I'll talk about the bug attack on the ECDH protocol. At the end, I conclude the work.

Why do we design Trojans? Trojan detection and Trojan design are closely related. To propose an effective Trojan detection methodology, we need to know how hardware Trojans can be built.
In this work, we examine how a stealthy parametric Trojan can be introduced in a given target circuit.

This is a motivating example. For bug attacks, assume an RSA digital signature is running on a server or an embedded device. The client sends a message to the server, and the server computes the RSA signature and then sends it back to the client. If there is a fault in a multiplication during the exponentiation of M to the power of K modulo N, the attacker can easily use this bug and leak the secret key K by using the Chinese Remainder Theorem. This bug attack was shown by Shamir and Biham in 2008, but they didn't talk about how we can implement such a multiplier. The research challenge here is low-level manipulation of an integer multiplier so that it produces correct output for almost all inputs, but slightly inaccurate results for extremely rare inputs. We focus on this challenge in this work.

The stuck-at fault model is not good for a stealthy hardware Trojan because such faults are not rare and can be easily detected. But we think that the path delay fault model is good for a stealthy hardware Trojan. We say that a circuit has a path delay fault if there is a path in the circuit from a primary input to a primary output on which the circuit is slow to propagate a transition. In this example, I want to show a path delay fault on the red path. For a delay fault, we need to propagate a transition, so we need to have two test vectors. The table shows two test vectors that create a rising transition at the input of the red path. If there is no fault on the path, at the correct output we will see a falling transition from 1 to 0. But if there is a delay fault on this path, the faulty output remains at level 1 and we cannot see a transition at the output.

Two main properties for a viable delay-based Trojan are triggerability and stealthiness. Triggerability means that for secret inputs which are known to the attacker, the Trojan results in an error with very high probability.
Stealthiness means that for randomly chosen inputs, the Trojan results in an error with extremely low probability. We try to introduce a hardware Trojan with these two properties.

Now I'm going to talk about our method for creating a stealthy path delay fault. This is the flowchart of our proposed method, which consists of two main phases. The first phase is path selection and the second one is delay distribution. In the first phase, which is path selection, we search the circuit and find a rarely sensitized path. We use controllability and observability metrics to guide our path selection algorithm, and we use a SAT-based check to ensure the triggerability of our selected rare path. In the second phase, which is delay distribution, we decide where on the rare path we should add the delay. We need to be careful at this step because adding delay may cause errors on other paths. We use a genetic algorithm to smartly distribute the delay over the gates of the selected rare path.

First, I talk about the first phase, which is finding a rarely sensitized path. First, we initialize the path with a hard-to-trigger node. Then we extend this path backward until reaching a primary input. Then we go forward until reaching a primary output. At each step, we use the SAT check to ensure the triggerability of the selected rare path. Also, the SAT check returns us an input pair, which is the poison input and can be used as a trigger for the fault later by the attacker.

Here is an example for our path selection algorithm. We consider a subset of a 3-bit Wallace tree multiplier. The table reports the controllability and observability of all nodes of this sub-circuit. First, we need to find a hard-to-trigger node to initialize our rare path. So node 12 is added to the rare path with a falling transition as an initial point. Then we go backward until reaching a primary input. To extend node 12, we have two options, node 9 and node 11. We choose node 11 based on criteria for difficulty of justification and transition that we introduce in the paper. Then between 6 and 8, node 6 is chosen, then node 3 and then node 1. Note that at each step, the SAT check is used to ensure the triggerability of the selected rare path. The next step is going forward until reaching a primary output. The only option we have at this step is node 13. Then between node 14 and 15, node 14 is selected. But at this step, when we use the SAT check, it returns unsatisfiable, which means that our selected path is not triggerable. So we go back and select another option, which is node 15. So node 15 is added to the rare path with a rising transition. And this is our selected rare path.

To evaluate our path selection algorithm, we compare the stealthiness of our selected rare path with 750 random paths of a 32-bit Wallace tree multiplier. The figure reports the error rate of all these paths. If we zoom in, we can see the error rate of our selected rare path. So our path selection algorithm finds a path that is much higher than the random search.

I explained the first phase. Now I'm going to explain the second phase, which is delay distribution. In delay distribution, the delay of the selected rare path is increased so that it exceeds the clock period and causes an error when the path is triggered. But the question is where on the path to increase the delay. We need to be careful at this step because of the stealthiness problem. Adding a delay on the rare path may cause errors on other paths that are intersecting or overlapping with our rare path. In our work, we want to minimize this problem. We use a genetic algorithm to smartly distribute the delay over the selected rare path so that a path delay fault occurs and is triggered with the poison inputs, but is not triggered with random inputs. The fitness function of the genetic algorithm is the empirical probability, from a simulation, of causing an error when random inputs are applied to the circuit. Here is a simple example for our delay distribution method.
Assume we want to distribute a delay of 30 units on the rare path. If we don't use the genetic algorithm, one solution can be like this. After fault simulation with random test vectors, the error probability is 0.022. But if we use our delay distribution method based on the genetic algorithm, the probability of error detection is 0.016.

To evaluate our delay distribution method, we apply this method on the rare path and other best random paths in a 32-bit Wallace tree multiplier. We distribute 2,276 picoseconds on all these paths. The green bar reports the error rate when we uniformly distribute the delay over these paths, and the orange bar reports the error rate when we use our delay distribution method. As you can see, for all these paths, the genetic algorithm reduced the error rate about 3.5 times. As you can see, the genetic algorithm reduced the number of faults while not affecting triggerability. It means our rare path is still triggerable by the poison inputs.

This is our overall evaluation. Here, we distribute a delay of 2,530 picoseconds on the selected rare path and we count how many times the circuit exceeds the critical path delay, which is 2,520. First, we distribute the delay uniformly over the selected rare path and then we use our delay distribution algorithm. When we use uniform delay distribution, the error probability is through 10,000, but when we use our delay distribution method, the error probability is less than 2 to the power of minus 2,6. We obtain zero fault detection out of 260 million random test vectors.

A clock period is usually significantly longer than the critical path delay. In the next experiment, we consider a different clock period. In this experiment, we want to show that if the delay of the rare path exceeds the critical path delay, again errors are very rare. This figure reports the error rate when the delay of the rare path is increasing, for different clock periods.
The second table reports the result when the clock period is 2,800 and the delay of the rare path is 2,150. In this case, the error probability is 2 to the power of minus 25, and as you can see, the error is still very rare. So we have a stealthy triggerable fault for the bug attack.

And now I'm talking about the bug attack on the ECDH protocol. This is the ECDH algorithm. As you can see, first client C and server S select their secret keys, then they compute the public keys and exchange them, and then they compute the joint key. The main idea of the bug attack is that the attacker sends a poisonous point QC to the server so that an error occurs if the most significant unknown bit is 0 or 1. The attacker learns one key bit per message. But the problem is that the handshake of the ECDH protocol needs to be completed to detect the error. Also, the point QC cannot be chosen randomly. Therefore, in terms of attack complexity, it is very hard to find a good point for QC. To solve this problem, we target the Montgomery ladder step and we introduce a one-time-only pre-computation step. In this step, we pre-compute the good points for QC, because we know what the poison inputs are from our path selection algorithm and from our SAT check. So, we can compute good points for QC. So, based on this pre-computation step, the attack complexity becomes very good.

This is the attack complexity. We target 256-bit ECDH with Montgomery ladder scalar multiplication. The table reports the pre-computation complexity, storage requirement, and attack complexity for three different failure probabilities.

And this is the conclusion of the work. We introduce a new type of parametric hardware Trojan based on rarely sensitized path delay faults. We present a SAT-based algorithm to search the circuit for an extremely rare path and we present a delay distribution method using a genetic algorithm.
We modify a 32-bit multiplier so that it produces slightly faulty output for extremely rare inputs, and we talk about a bug attack against an ECDH implementation. Thank you. Thank you very much.