Reference-Free Spectral Analysis of EM Side-Channels for Always-on Hardware Trojan Detection
Always-on hardware Trojans (HTs) pose a critical risk to trusted microelectronics, yet most side-channel detection methods rely on unavailable golden references. We present a reference-free approach that combines time-frequency EM analysis with Gaussian Mixture Models (GMMs). By applying Short-Time Fourier Transform (STFT) at multiple window sizes, we show that HT-free circuits exhibit fluctuating statistical structure, while always-on HTs leave persistent footprints with fewer, more consistent mixture components. Results on AES-128 demonstrate feasibility without requiring reference models.
💡 Research Summary
The paper addresses the pressing problem of detecting always‑on hardware Trojans (HTs) in deployed integrated circuits without relying on a golden reference chip, labeled training data, or detailed design models. Always‑on Trojans continuously inject parasitic activity (extra switching, leakage, covert modulation) and therefore leave persistent footprints in the electromagnetic (EM) side‑channel that can be captured during normal operation.
The authors propose a four‑step, reference‑free detection framework. First, passive EM emissions are recorded from the device under test while it executes a standard workload (AES‑128 encryption). No knowledge of the internal architecture or a trusted reference is required. Second, the raw EM traces are transformed into time‑frequency representations using the Short‑Time Fourier Transform (STFT). To capture both transient and persistent spectral features, STFT is performed with multiple window lengths (e.g., 120, 200, 300, 400, 500, 600 samples). For each window size, a “stability map” is derived by combining the mean and variance spectrograms, yielding a 2‑D feature matrix of frequency versus time.
Third, each stability map is vectorized into feature vectors consisting of frequency bins and their associated stability scores. These vectors are modeled with a Gaussian Mixture Model (GMM). The number of mixture components is not fixed; instead, the Bayesian Information Criterion (BIC) is used to select the model order that best balances fit and complexity. This unsupervised probabilistic modeling captures the latent statistical structure of the EM emissions without any supervision.
The detection hypothesis is that always‑on HTs generate a persistent spectral artifact that suppresses the natural variability of the EM signal across different time‑frequency resolutions. Consequently, the GMM fitted to HT‑free data exhibits a strong dependence of component count on the STFT window size—different windows reveal different operational modes (instruction phases, AES rounds, memory accesses), leading to a varying number of mixture components. In contrast, HT‑infected devices show a stable, lower number of components across all window sizes because the Trojan’s continuous activity dominates the spectrum, reducing the diversity of latent clusters.
The methodology is validated on an AES‑128 encryption engine implemented in hardware. Five hundred EM traces are collected for both a clean design and a design with an always‑on Trojan derived from the Trust‑Hub AES‑T1100 IP. The Trojan spreads key‑bit leakage over multiple clock cycles using a PRNG‑generated CDMA code, which modulates a leakage circuit composed of flip‑flops to create a covert side‑channel. Spectrograms and stability maps for the two cases are visualized (Figures 3‑4). Feature vectors are extracted for each STFT window length, and GMMs are fitted with BIC‑selected orders (Figures 5‑6).
The key result is shown in Figure 7: the median number of GMM components versus window size. The clean AES implementation shows a clear trend—larger windows yield fewer components, reflecting the capture of coarser operational modes. The Trojan‑infected implementation, however, maintains a consistently low and tightly clustered component count (around three components) across all window sizes. This cross‑scale consistency is taken as a strong indicator of an always‑on Trojan.
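The multi-window STFT pipeline described above (stability maps, vectorized bin/score features, GMM order chosen by BIC) together with the cross-scale consistency cue of Figure 7, as an added Python example that is not the authors' code. The mean/std stability formula, the quantile initialisation, the diagonal-covariance GMM, the z-scored feature layout and the synthetic tone trace are this example's assumptions, not details taken from the paper.

```python
import numpy as np

FS = 1200  # constructed sampling rate in Hz; every trace here is synthetic, not measured EM

def stability_map(trace, win):
    """Non-overlapping rectangular STFT; per-bin stability = mean / (std + eps) (assumed form)."""
    frames = trace[: len(trace) // win * win].reshape(-1, win)
    mag = np.abs(np.fft.rfft(frames, axis=1))  # shape: frames x frequency bins
    return mag.mean(0) / (mag.std(0) + 1e-9)

def feature_vectors(stab):
    """One (frequency-bin index, log stability score) row per bin, z-scored per column."""
    x = np.column_stack([np.arange(stab.size), np.log1p(stab)])
    return (x - x.mean(0)) / (x.std(0) + 1e-12)

def gmm_bic(x, k, iters=100):
    """Diagonal-covariance EM for k components from a deterministic quantile init; returns BIC."""
    n, d = x.shape
    mu = np.quantile(x, (np.arange(k) + 0.5) / k, axis=0)
    var, w = np.full((k, d), x.var(0) + 1e-6), np.full(k, 1.0 / k)
    def log_joint():  # log w_k + log N(x | mu_k, diag var_k), shape n x k
        return np.log(w)[None] - 0.5 * ((((x[:, None] - mu) ** 2) / var).sum(2)
                                        + np.log(2 * np.pi * var).sum(1))
    for _ in range(iters):
        lp = log_joint()
        r = np.exp(lp - np.logaddexp.reduce(lp, axis=1)[:, None])  # E-step: responsibilities
        nk = r.sum(0) + 1e-12                                     # M-step: weights, means, vars
        mu = r.T @ x / nk[:, None]
        var = np.maximum(np.einsum("nk,nkd->kd", r, (x[:, None] - mu) ** 2) / nk[:, None], 1e-6)
        w = nk / n
    loglik = np.logaddexp.reduce(log_joint(), axis=1).sum()
    return -2 * loglik + (2 * d * k + k - 1) * np.log(n)  # lower BIC is better

def best_order(x, kmax=6):
    """BIC-selected number of mixture components, as the paper's model-order step does."""
    return int(min(range(1, kmax + 1), key=lambda k: gmm_bic(x, k)))

def component_counts(trace, windows=(120, 240, 360, 480, 600)):
    """Selected GMM order per STFT window length (multiples of 12 keep a 100 Hz tone bin-aligned)."""
    return [best_order(feature_vectors(stability_map(trace, w))) for w in windows]

def cross_scale_spread(counts):
    """Paper's cue: a flat count across windows (small spread) points to an always-on HT."""
    return max(counts) - min(counts)

if __name__ == "__main__":  # constructed demo: a persistent 100 Hz tone plus white noise
    t = np.arange(6000) / FS
    trace = np.sin(2 * np.pi * 100 * t) + 0.05 * np.random.default_rng(0).standard_normal(t.size)
    counts = component_counts(trace)
    print("GMM order per window:", counts, "cross-scale spread:", cross_scale_spread(counts))
```

On a real device the trace would come from a probe capture; the decision threshold on the spread must be calibrated on the measurement setup, since the paper reports the trend qualitatively.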
The authors conclude that the proposed reference‑free, unsupervised approach can reliably detect always‑on HTs using only passive EM measurements. It eliminates the need for golden chips, extensive labeled datasets, or detailed simulation models, making it suitable for post‑deployment security assurance in supply‑chain‑constrained environments. Limitations noted include sensitivity to measurement setup variations (probe placement, temperature, power noise), the use of a fixed key/plaintext workload, and the Gaussian assumption inherent in GMMs. Future work may explore more robust clustering techniques, adaptation to diverse workloads, and extension to other side‑channel modalities (power, optical).
Overall, the paper contributes a novel cross‑scale statistical consistency metric for hardware Trojan detection, demonstrating that unsupervised GMM analysis of multi‑resolution EM spectrograms can serve as an effective, reference‑free security diagnostic.