Temperature-Based Hardware Trojan For Ring-Oscillator-Based TRNGs
This work addresses security vulnerabilities in cryptographic hardware for applications like encryption and authentication, but it is incremental as it builds on existing TRNG architectures.
The authors tackled the problem of designing a stealthy hardware Trojan for ring-oscillator-based true random number generators (TRNGs) by exploiting temperature sensitivity, resulting in predictable non-random outputs when triggered, without requiring additional logic.
True random number generators (TRNGs) are essential components of cryptographic designs, which are used to generate private keys for encryption and authentication, and are used in masking countermeasures. In this work, we present a mechanism to design a stealthy parametric hardware Trojan for a ring oscillator based TRNG architecture proposed by Yang et al. at ISSCC 2014. Once the Trojan is triggered the malicious TRNG generates predictable non-random outputs. Such a Trojan does not require any additional logic (even a single gate) and is purely based on subtle manipulations on the sub-transistor level. The underlying concept is to disable the entropy source at high temperature to trigger the Trojan, while ensuring that Trojan-infected TRNG works correctly under normal conditions. We show how an attack can be performed with the Trojan-infected TRNG design in which the attacker uses a stochastic Markov Chain model to predict its reduced-entropy outputs.