Contributed by Rahul Vittal; University of Florida


This trojan is derived from AES-T1300. AES-T1300 had a flaw when it came to synthesizing it. The synthesis tool would remove the trojan circuitry as it didn’t have a primary output. As a workaround, we have synthesized the trojan circuitry separately and fused it with the regular AES circuit (aes_synth_opt.v). We also created another workaround solution by adding a dummy output to the trojan circuitry before synthesizing it(aes_synth.v). This prevented the synthesis tool from removing the trojan circuitry. The idea of this trojan is to artificially introduce leaking intermediate states in the key schedule that depend on known input bits and key bits, but that naturally would not occur during regular processing of the cipher. The Trojan leaks one byte of the AES round key for each round of the key schedule. The leakage circuit (LC) is a 16-bit shift register and loaded it with an initial alternating sequence of zeros and ones. The shift register is only enabled in case the input to the leakage circuit is one, which results in an additional dynamic power consumption.