Silicon Echoes: Non-Invasive Trojan and Tamper Detection using Frequency-Selective Impedance Analysis

. The threat of chip-level tampering and its detection is a widely researched field. Hardware Trojan insertions are prominent examples of such tamper events. Altering the placement and routing of a design or removing a part of a circuit for side-channel leakage/fault sensitivity amplification are other instances of such attacks. While semi- and fully-invasive physical verification methods can confidently detect such stealthy tamper events, they are costly, time-consuming, and destructive. On the other hand, virtually all proposed non-invasive side-channel methods suffer from noise and, therefore, have low confidence. Moreover, they require activating the tampered part of the circuit (e.g., the Trojan trigger) to compare and detect the modification. In this work, we introduce a general non-invasive post-silicon tamper detection technique applicable to all sorts of tamper events at the chip level without requiring the activation of the malicious circuit. Our method relies on the fact that all classes of physical modifications (regardless of their physical, activation, or action characteristics) alter the impedance of the chip. Hence, characterizing the impedance can lead to the detection of the tamper events. To sense the changes in the impedance, we deploy known RF tools, namely, scattering parameters, in which we inject sine wave signals with high frequencies to the power distribution network (PDN) of the system and measure the “echo” of the signal. The reflected signals in various frequency bands reveal different tamper events based on their impact size on the die. To validate our claims, we performed extensive measurements on several proof-of-concept tampered hardware implementations realized on an FPGA manufactured with a 28 nm technology. Based on these groundbreaking results, we demonstrate that stealthy hardware Trojans, as well as sophisticated modifications of P&R, can be detected with high confidence.


Introduction
Malicious modifications to the designs of application-specific integrated circuits (ASICs) and field programmable gate arrays (FPGAs) endanger the security of several applications. Tampering with the design can be carried out at different phases of the Intellectual Property (IP) design, IP integration, or fabrication, depending on the target platform. FPGAs are vulnerable to tampering even after fabrication and testing due to their reconfigurable natures. These tamper events are often referred to as hardware Trojans (HTs). However, there are other tamper events, which cannot necessarily be classified as hardware Trojans,  Trojans, one should move to very high frequencies (GHz bands) to detect them.
To demonstrate the effectiveness of our approach, we performed extensive measurements on several proof-of-concept hardware Trojan benchmarks and tamper events realized on AMD/Xilinx Artix-7 FPGAs manufactured with 28 nm technology. Based on the acquired results, we show one can set different detection thresholds for different frequency bands to detect the stealthy hardware Trojans as well as sophisticated small tamper events confidently, without the use of any advanced signal processing or machine learning tools.

Technical Background
In this section, we provide theoretical and technical backgrounds for the proposed tamper detection methodology. We explain the contributing features to the chip's impedance behavior and discuss how such an impedance can be characterized using scattering parameters.

Power distribution network (PDN)
The PDN consists of electronic components and interconnects from the voltage regulator module (VRM) to the power rails on the chip. Each component plays a role in delivering low noise and constant voltage supply to the power rails on the die. Figure 1a shows the equivalent circuit model of the system's PDN. The PDN covers not only the off-chip components (e.g., bulk capacitors, PCB routing, ceramic capacitors, PCB planes, and vias) but also the on-chip components such as package bumps, on-chip power planes, and transistors' capacitance. The impedance contribution of these components to the overall PDN's impedance is different at various frequency bands. While the equivalent impedance of the PDN at lower frequencies is dominated by the voltage regulator's and off-chip components' impedance, the on-chip components contribute mostly to the impedance at higher frequencies [ZAB + 18], see Figure 1b. The parasitic inductance that already exists on each capacitor is the primary cause of this impedance behavior. An ideal capacitor can be modeled as a short circuit at high frequencies. However, the existing parasitic inductance on the capacitor's metals causes a resonance at a particular frequency depending on its capacitance and inductance values. In this case, the capacitor becomes an open circuit at very high frequencies due to its impedance increase at frequencies greater than its resonance frequency. Due to their reduced physical size and lower parasitic inductance, smaller capacitors resonate at higher frequencies. As a result, as the frequency increases, all sets of capacitors, from the large to the small ones, become open circuits and have less of an impact on the PDN impedance. As depicted in Figure 1b, the PDN impedance in higher frequencies are dominated by the on-chip structures due to their smaller dimensions.
The dashed blue region in Figure 1a shows the equivalent RC model of the on-chip capacitance. The wideband on-chip behavior of the circuit can be approximated as N

Sources of On-die Impedance
Several regions of an integrated circuit (IC) contribute to the on-die impedance. As discussed in the previous subsection, the impacts of the impedance of an IC package and its die on the PDN are revealed in high frequencies (see Figure 1b). The ranges of such frequency bands are determined based on the chip's technology and size. On-die capacitance C die and resistance R die are the dominant features of the on-chip impedance in these frequency bands [SSS + 11]. Here, we explain the sources of on-die capacitance using the physical structure of a CMOS inverter. Figure 3 shows the cross-sectional view of an inverter, metal power grid layers, and the locations of the corresponding on-die capacitors. An inverter consists of an NMOS and a PMOS transistor whose drain contacts are connected, as shown in Figure 3. A transistor is nothing more than a switch with an infinite off-resistance and a finite on-resistance. A PMOS transistor consists of an n-well, which is the positively doped source, the drain, and the gate regions. The metal layers grid network, the non-switching gate, and p-n diode junction diffusion are the fundamental contributors to C die [SSS + 11]. There also exist sources of R die , which include the power net resistance, transistor channel resistance, transistor gate resistance, and resistance of contacts of n-well and P-substrate [MWK17].
In Figure 3, the colors show the location of each contributing capacitance. The metal capacitance (black color), C m , is the capacitance associated with the on-die power/ground metallization grid network. The size of these capacitors depends on the density of the grid network, the distance and width of the metal layers, and the permittivity of the materials. To be more specific, in the upper metal layers, C m is usually larger due to the density of the power and ground meshes. In the lower metal layers, C m tends to be Tahoura Mosavirik, Saleh Khalaj Monfared, Maryam Saadat Safa, and Shahin Tajik 5 slightly smaller because the power traces are sparser and thinner. The diffusion capacitance (blue color), C d , is associated with the p-n diode junctions. It should be noted that C d and C m contribute to a small portion of the total C die , and the main contributor is the non-switching gate capacitance, C g . All non-switching and powered-on circuits contribute to C g in the chip's PDN. This is because a powered-on transistor has a channel under the gate and contributes to C die , while a powered-off transistor has an inactive channel and does not significantly contribute to the on-die capacitance. When the device is not powered-on, the gates' decoupling capacitance effect is unrecognizable, but as the device gets turned on, the channels start forming, and consequently, C g dominates C die . When the chip's design is modified, different parts of C die (especially, C g ) would change based on the size, location, and nature of the tamper event, and this changes the equivalent circuit of the on-chip PDN, thus impacting the measured signatures from the chip.

Impedance Characterization using Scattering Parameters
To characterize the impedance of the PDN in different frequencies, S (Scattering) or Z (Impedance) parameters are deployed [Bog10,Pup20]. Every circuit/electronic component can be represented as a one/two-port network, as depicted in Fig. 4a. S parameters are spectrally measured over the frequency domain and are typically used in RF/microwave engineering to obtain the reflection/transmission properties of the circuit to the applied electromagnetic field [Poz11]. In frequency domain analysis, waveforms are represented by sine waves. Frequency, amplitude, and phase are the three terms that can fully characterize a sine wave. Therefore, we leverage both the amplitude and phase response in the frequency domain to accurately characterize the chip at each frequency point. A Vector Network Analyzer (VNA) is an instrument that can measure the transmitted and/or reflected power of a signal going into and coming back from a component. We use a VNA to inject sine waves into the chip at every frequency sample and record the signal's reflection response from the chip's PDN.
The impedance profile can be easily derived from the reflection coefficient. Equation 1 expresses the relationship between the input impedance of the device under test (DUT) and the reflection coefficient: where S 11 is the reflection coefficient, Z 0 represents the reference impedance of the VNA which is 50 Ω, and Z DU T corresponds to the impedance obtained from S 11 . Depending on the measurement conditions, it might be more convenient to use one of the Z or S parameters and then convert it to the other one. We only deploy S 11 in our proposed 6 Silicon Echoes: Non-Invasive Trojan and Tamper Detection using Frequency-Selective Impedance Analysis method as the VNA can directly measure it from the chip. However, based on Equation 1, it is observable that the reflection coefficient is another representation of the impedance.

Tamper Detection using Scattering Parameters
We explain the changes that occur to the injected voltage wave by the VNA into the chip by analyzing the ideal transmission line model. This model is the backbone of more complex circuits, and understanding its theoretical foundation clarifies our methodology's mechanism. Figure 4b illustrates an ideal transmission line model where there is a change in the characteristic impedance and propagation constant of medium 2 that are represented by η and γ, respectively. For simplicity, we assume that medium 1 and medium 3 are lossless, thus giving a characteristic impedance of η 0 and a corresponding propagation constant of γ 0 = jβ 0 . We consider medium 2 a non-magnetic (µ r = 1) medium with a relative permittivity of ε r . Considering β 0 = ω √ ε 0 µ 0 , we can rewrite the second medium's propagation constant as γ = jβ 0 √ ε r . Considering η 0 = µ 0 /ε 0 , we can rewrite the characteristic impedance of medium 2 as η = 1/ε r η 0 . ε 0 and µ 0 are the permittivity and permeability of the free space, respectively, and β 0 denotes the free space wave number. The VNA injects a voltage wave with the known amplitude of V + 1 in medium 1, and the reflected voltage wave has an amplitude of V − 1 . After V + 1 is injected, multiple reflections and transmissions occur in the lines. Based on the model in Figure 4b, the lines' voltages can be written as [AHM + 13, CON + 04, Poz11]: where V + i and V − i (i = 1, 2, 3) are forward and backward voltage waves through/from the medium i; however, we assume that there exists no backward voltage wave in medium 3, for simplicity. V + 1 is a known parameter (injected by VNA), whereas V − 1 , V + 2 , V − 2 , and V + 3 are unknown values. By enforcing the boundary conditions on the voltage wave components at the interfaces of the media, all these four unknowns can be found. We are interested in obtaining the S 11 in medium 1 which can be derived as where L is the length of the path that the injected wave voltage travels. From Equation 5, it can be concluded that the reflection coefficient depends on three parameters: the frequency band of interest, the relative permittivity of the sample, and the length of the wave's traveling path. On the other hand, the dependence of S 11 on the frequency has another aspect: frequency and wavelength are inversely proportional to each other. This explains why we can detect smaller size changes in the chip's configuration at higher frequencies.
When different chip configurations with different sizes and P&R are exposed to the incident wave injected from the VNA, the changes occurring in Equation 5 parameters will result in a change in the S 11 profile at distinct frequencies. For example, when the P&R of the circuit is altered, L is changed, and this would cause the chip's reflection response to be different for different P&Rs. If a part of the chip's package or its heat sink is removed, there would be a change in the dielectric properties, and consequently, this variation in the ε r would result in the reflection coefficient change (see section 6.2). Tamper events would change the on-chip impedance and this change can also be explained by Figure  demonstrates how the on-chip impedance changes when a tamper event, such as the change in the routing of the design, occurs. When the injected signal from the VNA travels through a different routing path, the binary values saved in SRAM cell are changed (from the left-side to the right, in Figure 5). This would alter the equivalent circuit of the on-chip impedance. The change is shown by changing from R 2 and C 2 to R 3 and C 3 , as an example for better clarification.

Statistical Analysis
Temperature variations could affect the measurements, leading to noisy traces. In this case, measurement repetition at each frequency point can result in higher signal-to-noise ratio (SNR) for reflection response values. The number of measurement repetitions for frequency f i is represented by N m . We can define S 11 Gen i and S 11 T amp i as random variables corresponding to the reflection coefficient of the chip at the frequency f i for the genuine (untouched) and tampered cases, respectively. We use the mean difference (MD) of N m measurements for each f i as our statistical measure to differentiate between genuine and tampered chips. The difference in means is a standard statistical metric that measures the absolute difference between the mean values for S 11 Gen i and S 11 T amp i and can be expressed as follows, where, µ(.) is the mean function. This value can be calculated separately for both amplitude (|S 11i |) and phase of (∠S 11i ): Note that the phase responses (∠S 11i values at each frequency point) are constrained between −π and π and show a periodic behavior over frequency. To calculate the M D of the phase values, we should perform the unwrapping process for each phase point.

Threat Model
In our threat model, we make the following assumptions. We assume that the adversary can tamper with the internal design of an ASIC or FPGA prior to the verification. Tampering includes adding/removing logic gates to/from the design, modifying the P&R of the design without any logic addition/removal, or both. The goal of tampering could be to disrupt a system's specific or entire functionality, weaken cryptographic implementation's security, or directly leak confidential information. We further assume that the verifier possesses a golden sample to compare its scattering signature with the suspicious chip's signature.
The verifier needs to have neither control over parts of the design nor specific internal support test circuitry for verification. However, we assume that the verifier can halt the clock signal and freeze the chip in a specific state for frequency response measurements.

Experimental Setup
This section presents our experimental setup and the experiments we designed to replicate different chip-level tamper events.

Device Under Test
For our experiments, we chose NewAE CW305 boards (NAE-CW305-04-7A35-0.10-X) [CW3] containing an AMD/Xilinx Artix-7 FPGA (XC7A100T), built with a 28 nm technology, see Figure 6. The direct access to the FPGA's PDN on CW305 boards was the primary reason for the selection of these kits. These boards have multiple power domains, namely, a 1 V domain supplying the core (V CCIN T ) of FPGA, a 3.3 V domain supplying the FPGA I/O banks (V CCO ), and a 1.8 V domain as the auxiliary supply voltage (V CCAU X ). In this paper, we perform our measurements on V CCIN T power domain. CW305 has three SMA connectors providing access to both the high and low sides of a shunt resistor, as well as a 20 dB low noise amplified low side signal. We chose the SMA port on the low side of the shunt resistor, which gives us direct access to the PDN of the FPGA. We deployed the CW305 version, which does not have any decoupling capacitors on V CCIN T power rail.

Measurement Setup
We utilized a Keysight N5227B PNA, which is a microwave VNA capable of operating within 10 MHz -67 GHz bandwidth. We used N4697J characterization cables [Ope], [N52], which are shielded cables for the same frequency range, see Figure 6. The used VNA has an internal capacitor to filter out the DC voltage on the V CCIN T , and therefore, no Bias Tee is needed. We conducted systematic experiments using various implementations on the AMD/Xilinx Artix-7 FPGA to assess the performance of the proposed tamper detection technique. The experiments can be described as follows: first, the bitstream of the reference (golden) configuration is loaded into the FPGA. The measurements are carried out automatically using a MATLAB script which sends commands to the VNA and reads back the reflection responses. We use this script to load the desired bitstream into the FPGA using JTAG  and save the reflection response data on a computer for analysis. We performed the measurements in different frequency bands (the results and details of different bands will be explained in Sect. 5). Within each frequency band, we configured the VNA to measure equally-spaced 100,000 frequency points to ensure the maximum spectral resolution. Before performing the measurements, we precisely calibrated the setup using Keysight's N4694A electronic calibration module. We carried out the calibration until the end of the measurement cable for every frequency band. Then, VNA connects to the computer via WiFi through a TCP/IP link and starts to capture the 1-port reflection response traces of the loaded configuration. Thereafter, the same procedure is performed for the suspicious (possibly modified) configuration, and the reflection responses are saved by the computer in the desired frequency band for further analysis. Please note that all the experiments are performed when the circuit is in its idle state (i.e., no clock signal was provided), and hence, no switching activity exists on the chip.

Results
This section presents our measured S 11 results for various classes of hardware Trojans and tamper events. Unlimited malicious tamper events occur to a design; naturally, we cannot cover all of them. However, we select a few tamper events, which can represent various tamper categories to show our frequency-selective method capability in covering different threats. We prioritize our experiments based on the change in the size of the modified circuit, from the maximum to the minimum change in size. Furthermore, we investigated the effect of different placement and routing of the same implementation on the chip's S 11 response. For Trojan and tamper experiments, we perform the measurements after the completion of the FPGA configuration. To compare two signatures, both golden and tampered circuits should be in identical states. Hence, we provide no clock signals to the implementation after the completion of the configuration and perform the measurements in state 0. One of the important considerations in the process of developing our tamper detection technique is to achieve a high SNR. Typically, the SNR of a VNA, which operates in the frequency domain, is constant over its entire frequency range. In our method, to increase the SNR, and consequently, reduce the effect of thermal noise and environmental changes, we took three actions: first, we set the VNA power to 10 dBm for all of the experiments to ensure a strong reflection signal. Second, we performed an external integration during the measurements using the measurement setup, shown in Figure 6, by measuring each reflection response 100 times at each frequency sample over the desired bandwidth and taking an average of responses at each frequency point. Based on the intra-genuine mean  difference results (the difference in means between two genuine chip measurements at different trials), we defined an experimentally-tuned threshold for the amplitude and phase response at each sensitive band of interest. Finally, we used the difference in means (see Sect.3.2) of these 100 measurements to compare the reference and tampered chip signatures using the corresponding threshold in every frequency band.

Finding the Frequency Bands of Interest
Localizing the frequency bands of interest is of great significance since performing measurements in narrower bandwidths increases the SNR. The frequency bands of interest are those in which the impedance is sensitive to any logic addition/removal and P&R changes. Hence, we designed a set of experiments and performed several wideband |S 11 | measurements within 100 MHz to 2 GHz to discover the frequency bands of interest. For this end, we first performed two separate measurements for the case where the FPGA is powered on but not configured. The |S 11 | difference of chip signatures for these two experiments are shown in Figure 7a in black color. It should be noted that as there is no configuration loaded into the FPGA in these experiments, the FPGA is in its idle state, meaning there is no switching activity on the chip. Then, we performed another |S 11 | measurement for the case that the FPGA is being configured by a bitstream containing an AES-128 IP. The |S 11 | difference profile of the experiment in which the FPGA is during configuration and the one with no configuration is calculated and given in Figure 7a in red color. The comparison of |S 11 | difference profiles in Figure 7a guides us to where we should conduct narrowband experiments to detect the chip-level tamper events with high confidence. The baseline of this approach is the fact that transistors can be modeled as switches, and when the chip is being configured, the input of transistors would shift to a high state (from 0 to 1), connecting a number of switches to prepare the chip for establishing the configuration. These newly created connections would modulate the injected incident voltage wave by VNA, and the comparison between these two experiments' reflection responses would reveal the sensitive ranges of the spectrum. Based on this analysis, we found three frequency bands where we can perform our systematic experiments. The first band is found to be within 315 MHz -355 MHz, the second band is between 560 MHz -650 MHz, and the third band falls within 1.65 GHz -1.7 GHz. These are the spectral ranges where we have the highest sensitivity and SNR for the reflection response experiments, as we can observe a high peak in the |S 11 | difference profiles in the aforementioned bands in Figure 7a. Figure 7b demonstrates the original |S 11 | profile for the case study where the FPGA is powered on but not configured. Please note that the response shown in Figure 7b is intended to illustrate the significant frequency bands.

Case Studies
We designed three categories of experiments to demonstrate the effectiveness of our approach. In the first category, we start with simple experiments where the entire FPGA die is involved, e.g., comparing the powered-off and powered-on FPGA, as well as configured vs. unconfigured FPGA. In the second group, we continue with tampering experiments, in which we compare the scattering signatures of masked AES DOM implementations with different security orders. Moreover, we change the P&R of the same AES design to observe whether it affects the impedance of the system. In the last category of experiments, we conduct experiments on three HT benchmarks from Trust-Hub, namely AES-T1100, AES-T1600, and AES-T1800.

Changes in the Overall FPGA State
Our first set of experiments involved the state of the entire FPGA. We started with a case study to compare the impedance of the FPGA in the powered-on and powered-off states. In the powered-on case, the FPGA is powered on using V CCIN T without any bitstream configurations. The first portion of the spectrum where we observe a change in the scattering signature is the 315 MHz -355 MHz band. This band is where the global resonance frequency of the circuit takes place around 338 MHz, see Figure 7b. The mean of the reflection response of the chip (for 100 measurements) in case of powering on and off the FPGA is shown in Figure 8. The mean difference profiles of 100 measured S 11 signatures for this case are given in Figure 9. Second, we compare the scattering signature of the case where the FPGA is in the unconfigured powered-on state with the case where the FPGA is configured with a bitstream containing an AES-128 circuit. The mean difference profiles of 100 measured S 11 signatures for the configuration mode experiments are shown in Figure 11. The reference (golden) configuration is the case that chip was powered on (with no configuration), and experiments using this implementation are performed in different trials to obtain the intra-distance between the golden configuration signatures (the graphs shown in black color in Figures  and 11). The mean of the reflection response of the chip for the configuration mode of the FPGA is shown in Figure 10. The mean of S 11 signatures are given in Figures 8 and 10 for the first two experiments to show the S 11 signatures' magnitude and unwrapped phase response before the subtraction is performed in Figures 9 and 11. When the FPGA is powered off, the portion of the FPGA's equivalent RLC model responsible for creating connections to power the chip is not connected to the PDN. When the chip is powered on, this portion of the circuit is present, and this is the main reason for the detected changes shown in Figures. 9 and 11. The paralleled on-die capacitance and package inductance are dominant features within the PDN within the 50 MHz to 500 MHz frequency band [MWK17,SSS + 11]. This can be clearly seen in Figures 8 and 10 with the resonances created around 338 MHz. It can also be seen that the reflection response profiles are less noisy in 315 MHz -355 MHz band than the ones in higher frequencies. As mentioned in Sect. 3.2, we unwrapped the phase responses in both experiments to make the distribution of phase continuous and be able to compare the corresponding points to each other. We can set an experimentally-tuned threshold of 0.05 dB and 0.5 deg for the amplitude and phase responses based on the mean differences for this lower portion of the spectrum in Figures 9 and 11.

Tampering with Security Order and P&R of a Cipher
In the next round of experiments, we intended to verify the efficacy of our proposed tamper detection method for cases where the impact size of tampering is significantly smaller than our previous case studies, where the entire FPGA die was involved (see Sect. 5.2.1). First, we implemented domain-oriented masked (DOM) AES with first and second-order protection. DOM is a generic masking scheme, introduced in [GMK16], that enables hardware designs to have arbitrary protection orders. The primary reason for this experiment is to see what would happen if an attacker tampers with a side-channel protected implementation and reduces its protection order. We performed our experiments to see in which frequency band we could distinguish between different orders of protection with more confidence. The designs of AES DOM circuits with different protection orders are given in Figure 12. Moving from first to second-order protection would increase the size of the circuit 55.31% compared to the first-order AES DOM. It should be noted that for these two implementations, we let the EDA tool perform the placement and routing and we did not fix the design location, as one of the goals of this experiment was to assess our method's effectiveness in detecting the change in the logic elements and placement and routing of the circuit. The S 11 mean difference profiles of the chip for these two experiments are shown in Figure 13.
For the next case study, we considered a tamper event, which alters the P&R of the design. For example, in [EGMP17], it has been shown that a Trojan could be realized by only changing the P&R of the configuration. Therefore, in the next set of experiments, we keep the size of the circuit and logic elements unchanged and intend to alter the circuit's placement and routing to assess our method's efficacy in detecting these types of modifications. We implemented an AES-128 circuit and let Vivado compile, place, and route the design in two different trials. The implementations of the AES circuit with Tahoura Mosavirik, Saleh Khalaj Monfared, Maryam Saadat Safa, and Shahin Tajik 15  different placement and routing are given in Figure 14. We performed the experiments for these two circuits, and the results are reported in Figure 15. Based on the mean differences for this portion of the spectrum, we set an experimentally-tuned threshold of 0.005 and 0.05 for the amplitude and phase profiles, respectively. In FPGAs, signals are routed using switch points whose structure is shown in Figure 5. Different configurations result in different signal routings when the bitstream values are set to 0 or 1. This would lead to a change in the on-chip capacitance, and subsequently, the characteristic impedance and reflection response of the chip in this bandwidth. We also can consider the chip interconnects as transmission lines. When the stimulus signal is injected by the VNA into these two designs, it will experience different lengths through the transmission line when the voltage wave is traveling through different routes (see section 3.1).

Hardware Trojans
We performed another set of experiments to assess the effectiveness of the proposed detection method for detecting small and inactive alterations, and the best examples of such alterations are dormant HTs. In principle, as discussed in section 3.1, we should rely on higher frequencies for detecting smaller circuit alterations since the increase in frequency would decrease the detection wavelength. We implemented three HT circuits to differentiate between HT-free and HT-infected circuits by measuring the reflection response from the chip. It should be noted that the HT is not activated, and the circuit is in its idle state in all experiments to generalize the method's applicability to dormant HTs, which are highly challenging to detect due to their stealthy nature. We utilized the AES-T1100, AES-T1600, and AES-T1800 benchmarks (register-transfer level (RTL) level HTs) from Trust-Hub [Tru]. In these HT implementations, the original HT-free design is an AES-128 cryptographic IP, which uses an 11-stage pipeline to perform the ten stages of AES encryption on the 128-bit block. We chose these three HTs as independent case studies because they show different trigger and payload mechanisms. However, the applicability of our method extends to other HT benchmarks as well. It is worth mentioning that these three HTs are physically realized through the addition of transistors or gates.
In implementing the HT-included circuits, if the modified bitstream is subjected to the default compilation, placement, and routing, the addition of the HT causes the EDA tool to change the placement and routing of most logic elements in the overall circuit, and this extensive change makes the alteration easier to detect regardless of the Trojan's size and activity. To make the HT more stealthy, we let Vivado compile, place, and route the HT-included circuit, and we fixed all the cells and logical elements in their location. We then directly remove the HT circuit logic elements and their connections. This way, the HT-free circuit is created while leaving the placement of logic elements unchanged. To illustrate this process, the HT-free and the HT-included circuit implementations are shown in Figure 16 for one of the HT case studies (AES-T1100). In Figure 16b, the logic elements Silicon Echoes: Non-Invasive Trojan and Tamper Detection using Frequency-Selective Impedance Analysis  shown in blue color demonstrate the genuine (HT-free) AES circuit. The area in orange color is the HT circuit consisting of the trigger and payload, whose size is 2.9% of the AES circuit. The payload of AES-T1100 modulates its activity using a spread-spectrum technique to create a power consumption pattern that leaks the AES key. The trigger is a sequential circuit that looks for a predefined sequence of values at the input of the AES circuit to activate the payload. The other two HT circuits are implemented similarly, but their implementations are not shown for the sake of brevity. AES-T1600 is structured in such a way that its payload modulates an unused pin to generate an RF signal on the chip. This signal can be used to transmit the AES key bits. The HT's triggering circuit consists of sequential logic elements for activating the payload when a predefined sequence of values is detected at the input of the AES circuit. The measured reflection response mean differences for AES-T1100 and AES-T1600 are given in Figures 17 and 18, respectively. It should be mentioned that the size of the HT circuit is 2% of the entire AES circuit in AES-T1600.
The last design is HT T1800, whose payload is a shift register that continuously rotates after the Trojan activation phase is complete, thus resulting in an increase in the on-chip power consumption and a decrease in its expected lifetime. The measured reflection response mean differences for AES-T1800 are given in Figure 19. The size of AES-T1800 is 1.8% of the AES circuit. Based on the mean differences for this portion of the spectrum, we set an experimentally-tuned threshold of 0.005 and 0.05 for the amplitude and phase

Tamper Area Overhead vs. Frequency Bands
Overall, the analysis of the scattering signatures at different frequency bands shows that the changes in amplitude of the reflection response are lower than the changes in the phase values, and in higher frequencies, the phase signature suffers from less noise than the amplitude of S 11 . Please note that we chose the thresholds for each frequency band differently because the size of the circuit and the nature of tamper events are different in the three spectral ranges of interest. We did not use the wideband measurements for all tamper events discussed in this work because, in that case, the SNR would be greatly impacted by noise and environmental variation. We offered the frequency selection approach to increase the resolution (the number of sampled points) in each band. Random errors can arise from the uncertainty of the VNA measurement. Since the uncertainty of measurement is inherent, this error source can be reduced by repeating the measurements and averaging the extracted signatures. We find each experiment's most sensitive bandwidth so that we can carry out highresolution measurements in those bands. We calculated the ratio of the maximum difference in means of tampered |S 11 | to the maximum difference in means of genuine |S 11 | for different experiments and reported the results in Table 1. One experiment from each tampering group is selected to perform the analysis. We can see that for the tamper events with larger circuit sizes, the ratio is higher in lower frequencies, and as we go to higher frequencies, we can detect tamper events with smaller sizes with more confidence. For the first case study, where we power off and power on the FPGA, the size of the circuit, which is added to the circuit after powering on the chip, is greater (ratio = 82.23) than in other case studies. Therefore, it highly impacts the first frequency band and resonates around 338 MHz. For the next experiment with an AES circuit with different protection orders, we see its effect at around 596 MHz as the size of the added circuit is 35.6% of the entire circuit. Finally, in case of the addition of an inactive HT, the size of the added circuit is 2.9% of the entire circuit; hence, Trojan can be detected at GHz band at around 1.66 GHz. Table 2 compares the proposed scattering-based tamper detection method in this work with other sensing methods in the literature in terms of system compatibility, invasiveness, cost, measurement time, and HT activation. The proposed method in this work is compatible with legacy systems as it only needs a connection to the PDN of the system. Moreover, it is non-invasive, and the required measurement setup is a VNA, which is available in many test and characterization labs. Besides, as it directly characterizes the impedance, it does not require any HT triggering or active circuits for the detection of tampering. Finally, the proposed method can capture S parameters in the order of a few milliseconds to seconds, depending on the configured frequency resolution on the VNA.

Sensing External Changes to the Chip Environment
Out of curiosity and to understand whether the proposed approach is also applicable to the IC package, we designed another experiment. In this case, we investigated the effect of changes to the chip's environment beyond its die by placing an object on the chip's package surface and recording the chip's scattering response. Detecting such tampering is of great importance since adversary might have tampered with the chip's package to prepare it for SCA or FI attacks, but the modification to the package might not be visible to the verifier during the verification.
We first performed two measurements for the normal case where no object is placed on the chip (see Figure 20a). The |S 11 | and ∠S 11 differences between these two experiments are shown in Figure 21a and 21b, respectively (black graphs). Then, we performed another experiment where we placed a heat sink on the chip during the measurement (see Figure 20b). The S 11 difference of chip signatures for the experiments, with and Tahoura Mosavirik, Saleh Khalaj Monfared, Maryam Saadat Safa, and Shahin Tajik 19  without heat sink is shown in Figure 21 in red color. It should be noted that in all these experiments, the chip is powered on, but no operation is being performed on the chip. Please note that the heat sink is taken from another Xilinx FPGA family, and therefore, the marking on the heat sink shown in Figure 20b does not show the model of our DUT. It is clearly observable that the heat sink's placement on the chip's surface is detectable at high frequencies with more confidence. The observable effect can be explained by the dependency of S 11 parameter to the dielectric property (permittivity). When the heat sink is directly placed on the chip, there would be a change in the dielectric properties of the overall signal which is being reflected, and consequently, this variation in the ε r would result in the reflection coefficient change (see section 3). On the other hand, the permittivity is itself a function of frequency (ε r (f ) = ε r ′ (f )jε r ′′ (f )); hence, the addition of the heat sink would show its effect at higher frequencies due to the higher dielectric losses (dissipation factor (f) = ε r ′′ (f )/ε r ′ (f )) at the GHz regime [Poz11].

Conclusion
In this work, we presented a frequency-selective chip-level tamper detection method based on the reflected scattering parameter analysis of the chip. We demonstrated that the impedance of the chip's PDN could be used as a reliable feature to detect configuration modifications, including the change in the logic elements, placement, and routing. We deployed the scattering signatures in high frequencies to directly probe the chip's die and 20 Silicon Echoes: Non-Invasive Trojan and Tamper Detection using Frequency-Selective Impedance Analysis obtain its frequency response. The reflection response of the chip's die in various frequency bands reveals different tamper events based on their impact size on the die. We performed extensive experiments on several tamper events on various FPGA implementations. We demonstrated that the effect of even small and dormant hardware Trojans and modifications of P&R on the impedance could be observed. By employing a straightforward statistical metric, namely difference in means (MD), we showed that these tamper events could be detected with high confidence. We further showed that we could detect even external tamper events to the package, such as placing a heat sink on the surface of the chip. However, such package tampering deserves a separate thorough study and is beyond the scope of this work.