On-Chip Fingerprinting of IC Topology for Integrity Verification

Maxime Lecomte, Jacques Jean-Alain Fournier, Philippe Maurine

To cite this version:

HAL Id: lirmm-01269856
https://hal-lirmm.ccsd.cnrs.fr/lirmm-01269856
Submitted on 28 Jan 2022

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
On-chip fingerprinting of IC topology for integrity verification

Maxime Lecomte  
CEA-Tech  
Gardanne, France  
Email: maxime.lecomte@cea.fr

Jacques J.A. Fournier  
CEA-Tech  
Gardanne, France  
Email: jacques.fournier@cea.fr

Philippe Maurine  
LIRMM  
Montpellier, France  
Email: philippe.maurine@lirmm.fr

Abstract—The integrity of integrated circuits (ICs), in particular for detecting malicious add-ons like Hardware Trojans (HTs), have been studied in several recent research papers. The main limit of the proposed techniques so far is that the bias induced by the process variations restrict their efficiency and practicality. Most of those techniques compare two ICs’ signatures while trying to get rid of the process variations. In this paper we propose a novel approach which in practice eliminates this limit. We first make the assumption that IC infection is done at a lot level, which is more realistic than models where infections are done on individual circuits. We introduce a variation model for the performance of CMOS structures in real designs which are different from test chips dedicated to the measure of process variations. This model is used to create signatures of lots which are independent of the process variations and is used as a base to define methods allowing to detect HTs and counterfeits in a straightforward way. The model and the methods are validated experimentally on 30 FPGA boards.

I. INTRODUCTION

Due to the recent trend of outsourcing integrated circuit (IC) manufacturing and design, structural integrity verification of ICs has become a hot topic. From the specification step to that of packaging, and especially during the design step, a circuit can be corrupted by a malicious adversary. This malicious alteration of the IC structure is called a Hardware Trojan (HT) insertion and its effects can range from performance degradation (e.g. denial of service) up to more sophisticated functionalities (memory dumping etc) [1]. Similarly with the multiplication of fountires and IC vendors, counterfeits are spreading rapidly, ranging from simple copies to a complete replacement of an given IC by one of lower quality.

A HT is composed of two parts: the trigger and the payload. The trigger is the mechanism that scans some signals within the IC until a specific condition is met. When this condition is met, the payload is activated. The trigger can either be generated externally (external signals or physicals condition) or internally (a special internal state, data, etc). Moreover the trigger can either be combinational (result of a logical operation) or sequential (related to a succession of states). The payload is the ‘malicious’ effect of the HT. It can either be explicit where signals are directly added, removed or deactivated. It can also be implicit where the effect cannot be directly observed like, for example, adding side-channel information in the power consumption. The detection of a HT before its activation is a difficult task and it still remains a challenging problem even after its activation when the payload is implicit.

The probability of triggering a HT during functional tests is low and testing is an expensive approach to that end. Moreover, inspecting the circuit through reverse engineering is an expensive process in terms of cost and time and can be destructive. This solution can therefore be applied to only few devices, even though the latest imaging based methods have proven to offer a simpler and faster alternatives [2].

Several non destructive methods for HT detection have been recently proposed. The first proposed approaches analyze, using statistical techniques, the overall consumption of an IC to detect the impact of the HT. For example, in [3], a detection technique based on the Karhunen-Loève theorem is proposed in order to detect the power consumption of the HT within process variations and noise. However, this paper only reports validations obtained by simulations, omitting things like the measurement noise. Moreover, the technique may not scale to complex Systems on Chip (SoC).

Hence, in order to enhance the detection capabilities, techniques have been proposed in [4] to analyze locally the propagation delays of logical paths with embedded monitors. However, once again, only simulation results are provided. Another method has been proposed in [5] to integrate a hardware system allowing the monitoring of IC’s net. However, little information is given in this paper about the efficiency of the proposed technique. In parallel to this approach, a test solution was also proposed in [6] in order to trigger easily a HT or at least to increase their electrical activity.

In [7], a first attempt to suppress process variations has been proposed based on the strong correlation between the maximum operating frequency of ICs, $F_{\text{max}}$, and their dynamic power consumption. This approach however faces the difficult problem of measuring $F_{\text{max}}$ on SoCs [8].

Then in 2011, the use of Ring Oscillators (RO) has been proposed to detect HTs. For example, in [9] the authors propose an analysis of RO sensitivity to the presence of HT but conclude that it seems difficult to detect really small HT. In parallel [10] proposes the use of an array of RO, used in conjunction with a Principal Component Analysis (PCA) [11], to distinguish infected ICs from genuine ones. This proposal has been experimentally validated on an FPGA using a Digital Sampling Oscilloscope (DSO) (thus off-chip) to measure the oscillating frequency of ROs. This idea has then be applied to design an ASIC in 2012 [12] where the initial results were only partly validated. This could be due to the use of an embedded 8-bit counter as RO, which reduces the accuracy.
of the measured frequencies.

Later in 2013, the authors in [13] propose to cluster, during the design step, the power grid in several voltage islands embedding each a dedicated sensor to enhance the detection capability. However, no experimental results are given in this paper, neither on the improvements obtained nor on the cost in terms of Silicon area. In 2014, [14] describes a method based on the use of near field electromagnetic cartography. Yet, the authors conclude that it seems difficult to detect all the HT. However, in [15], a more efficient technique is used to interpret the EM traces. As a result, authors conclude it is possible to detect really small HTs but with a special care to control the temperature during measurements. Finally, in [16] the authors analyze EM emanations from FPGAs and succeed to differentiate a genuine population from an infected one.

Based on those results, the on-chip monitoring solutions seem relevant in term of efficiency since the obtained detections rates are higher than for off-chip methods. Furthermore, these solutions seem industrially viable since the cost of the equipment, dedicated to the data acquisition, is reduced as the tests can easily be done in parallel. For those reasons, the work presented here is based on on-chip methods.

In this paper, we consider that the infection of a single device is not realistic based on the current life cycle of ICs (mainly linked to production and distribution constraints). That is why the HT detection methodology proposed in this paper does not aim at establishing if an IC is infected but aims at checking the integrity of a whole production lot. Moreover, this approach also determines if a given IC is a counterfeit (apart from the case of a really high quality copy). The principle of the proposed methodology is to detect, thanks to a embedded sensor network, an alteration in the design’s structure induced by the presence of a HT, or by a modification in its place and route or in its floor-plan. These alterations modify the IC power distribution and in particular the static voltage drops [17] in the glue logic and hence that in the sensor array. This method is based on a novel variation model of the performance of CMOS structures in real designs (not in test chips dedicated to the fine measurement of the intra and inter die variations), model which is introduced and validated in this paper.

The paper is organized as follows. First, section II describes the threats to IC integrity and specifies which ones are covered in this paper. Then section III introduces the proposed variation model and defines the basic principle of our detection methods. Section IV details the HT and counterfeit detection methodology and section V describes the experimental results which validate the proposed approach and the proposed variation model on a set of 30 FPGAs. Finally, the wide range of perspectives generated by our approach is discussed, as a conclusion, in section VI.

II. THREATS AND CHARACTERISTICS OF INFECTED DEVICES AND COUNTERFEITS

First, this section recalls briefly the main threats to IC integrity. Second, the HT and counterfeit detection method is described specifying which threats it covers.

A. Threats to IC integrity

Fig. 1 summarizes the different steps, from design to exploitation, for manufacturing an IC and the associated threats.

The first vulnerabilities are at the design stage. A corrupted piece of hardware IP can be introduced into the product (Threat (1) in Fig. 1) or a compromised employee from the design center can introduce a HT into the HDL description (Threat (2) in Fig. 1). It is difficult to protect against such threats, but some solutions based on ad-hoc design and verification methods have been proposed [18], [19].

The second vulnerable stage is the manufacturing (Threat (3) in Fig. 1). For example, filler cells can be substituted by logic gates, inducing a denial of service or more complex functionalities, or a fuse can be disabled etc. A last threat is that of counterfeits. A taxonomy of counterfeit types is given in [20]. It consists in selling second hand products, lower quality devices or functional copies directly onto the market causing financial losses (Threat (4) in Fig. 1). Some can even be almost perfect copies which are difficult to detect.

B. Features of infected circuits or counterfeits

Many methods have been proposed to detect HTs. Among them, a large majority aims at detecting the parasitic electrical activity (additional power consumption) generated by the HT’s trigger. However, this parasitic electrical activity is not the only measurable trace left by the HTs. Another one is the alteration of the inner structure of the IC. For example, the HT insertion modifies the local and global capacitance and resistance of the power and ground nets. This modification induces a different current flow in the IC, and thus a different static or dynamic voltage distribution (static or dynamic voltages drops).

Based on the taxonomy given in [20] the considering counterfeits are specific case of recycled or remarked components. These counterfeits are characterized by a different physical structures, and therefore by a different repartition of the voltage across the IC’s surface.

III. PRINCIPLE OF HT AND COUNTERFEIT DETECTION

Our detection method is based upon a simple principle: a fingerprinting of the supply voltage on the surface of IC at rest (i.e. just powered on with the clock active). In order to do this, a network of sensors is uniformly spread over the whole IC surface to get a cartography of the inner supply voltage. Any sensor sensitive to the supply voltage, $V_{dd}$ can be used. In the experiments reported in section V, Ring Oscillators (RO)
are used. Given that the frequency $f$ of a RO is sensitive to the local $Vdd$ value, the distribution of measured values for $f$ above the IC surface, in the absence of any process variation ($P$), is a direct picture of the $Vdd$ distribution. Hence in our approach, we have to get rid of the effect of intra-die and inter-die process variations. With this approach, we shall be able to mitigate risks linked to the introduction of HT at the manufacturing stage.

A. Process variation model and performance variation model of CMOS structures

Given $p$, an inherent parameter of the IC fabrication technology, the impact of the manufacturing process variations, the so-called process variations, are generally described as follows:

$$p = \bar{p} + \Delta p_{\text{inter}} + \Delta p_{\text{intra}}$$  \hspace{1cm} (1)

with $\bar{p}$ being the mean (or typical) value of the parameter on a whole lot of a production, $\Delta p_{\text{inter}} \sim N(0, \sigma^2_{\text{inter}})$ the effect of the inter-die variations assumed normal and $\Delta p_{\text{intra}} \sim N(0, \sigma^2_{\text{intra}})$ the impact of variations within a die, i.e. the intra-die process variations also assumed normal.

This process variation model is well known and widely adopted to simulate the effect of process variations on the parameter $p$ of an IC (a transistor, a resistance, a pn junction, etc.). However, the extraction of the standard deviation values ($\sigma$) (case 2). Hence for our case, we shall use the following variation model for the output value $T(x_i, y_i)$ of a sensor $i$ located at $(x_i, y_i)$ on the IC’s surface:

$$T(x_i, y_i) = \bar{T} + \Delta T_{\text{inter}} + \Delta T_{\text{intra}} + \Delta T(x_i, y_i)$$  \hspace{1cm} (2)

where $\Delta T(x, y)$ is a deterministic value which depends on the sensor’s position over the IC, and which models the impact of the IC’s structure on the performance of the sensor. To ease the reading, $T(x_i, y_i)$ and $\Delta T(x_i, y_i)$ shall be noted $T_i$ and $\Delta T_i$, respectively, showing that the variation model considered in this paper is a spatial model.

B. Fingerprinting the IC’s structure

Considering the model given by equation (2), fingerprinting the structure of a design featuring a network of $q$ sensors regularly spread on its surface is relatively simple for a same manufacturing lot of ICs. The $q$ values of $\Delta T_i$ are calculated by averaging the impact of the process variations on $m_{\text{lot}}$ devices of the same lot:

$$\Delta T_i = \frac{1}{m_{\text{lot}}} \cdot \sum_{j=1}^{m_{\text{lot}}} T^j_i - \bar{T} = \frac{1}{m_{\text{lot}}} \cdot \sum_{j=1}^{m_{\text{lot}}} \Delta T^j_i$$  \hspace{1cm} (3)

$$\sigma_{\Delta T_i} = \sqrt{\frac{1}{m_{\text{lot}}} \cdot \sum_{j=1}^{m_{\text{lot}}} (\Delta T^j_i - \bar{\Delta T}_i)^2}$$  \hspace{1cm} (4)

where:

$$\bar{T} = \frac{1}{m_{\text{lot}} \cdot q} \cdot \sum_{j=1}^{m_{\text{lot}}} \sum_{i=1}^{q} T^j_i$$  \hspace{1cm} (5)

$T^j_i$ is the measurement of the output of the sensor $i$ of the device $j \in \{1, \ldots, m_{\text{lot}}\}$ of the considered lot.

With these notations, the vector $S_{\text{Design}} = [s_{\text{Design}}^1, \ldots, s_{\text{Design}}^q]$ can be defined as follows:

$$S_{\text{Design}} = [\Delta T_1, \ldots, \Delta T_q, \sigma_{\Delta T_1}, \ldots, \sigma_{\Delta T_q}]$$  \hspace{1cm} (6)

$S_{\text{Design}}$ represents the fingerprint of the physical structure of an IC called ‘Design’ and is by construction independent of the process variations. This fingerprint is the base of the HT and counterfeit detection methods proposed in section IV.

IV. DETECTION METHODOLOGY

The starting point of our methodology is the addition of a network of sensors sensitive to the supply voltage. Those sensors are placed so as to cover most of the IC’s surface. The granularity, i.e. the distance between two sensors, is chosen by the IC designer depending on the trade-off between detection capability and cost.

When the first run or the test run (which are less likely to be infected, as this run is dedicated to the characterisation which allows HT detection) is received, the integrity of some devices is verified to qualify the whole lot. This could be done by applying reverse engineering methods or by using optical based methods [23]. Once the first production lot is qualified, the signature (see eq. (6)) of the design is calculated using equations (3) and (4). This fingerprint constitutes the reference fingerprint for the considered design.

The designer will then usually order other runs (“production runs”) from the same foundry or from another one which offers the same technology node. Once those new production lots are received, their corresponding fingerprints are calculated and are ‘compared’ with the reference one in order to verify that the newly received lots have not been corrupted. Ageing techniques could be applied to this reference lot to derive fingerprints of the design at different ages.

In the same way, at some (later) point in time, the designer can have ‘field returns’ which could contain counterfeits. With the reference fingerprint, the origin of these devices can be verified without application of expensive, complex and destructive methods. In order to do that, the designer extracts the fingerprint of the suspected device and compares it with the reference fingerprint to finally get a probability that the device is a genuine one. If the probability is too low, complementary analyses (like reverse engineering) can be applied.

The above procedures require the comparison of the reference fingerprint with that of a new production lot in order to detect the eventual presence of an HT (case 1). The procedures also require the comparison of the reference fingerprint $S_{\text{REF}}$ with the fingerprint of a single device in order to detect counterfeits (case 2).

A. Case 1: HT detection

When the integrity of a new lot of devices has to be checked, the first step is to calculate its fingerprint $S_{\text{New Run}}$.
Since this signature shall be, in practice, calculated using a high number of devices (> 100), the estimate of means can be considered as reliable. It is therefore possible to apply distinguishers or a statistical tools working on the means, like the Difference of Means (DoM) or the T-test (and more precisely the Welch’s test). This implies using the $\Delta T_i$s of the signatures (eq. (6)) and to analyze the values

$$\hat{\Delta S_i} = S_i^{\text{Ref}} - S_i^{\text{NewRun}}$$

for $i = \{1, \ldots, q\}$, or that of

$$T_{\text{Stat}} = \sqrt{\frac{(S_i^{\text{Ref}})^2 - (S_i^{\text{NewRun}})^2 j}{\sqrt{m_{\text{lot}}}}}$$

It is also possible to use other statistical tools such as the Kolmogorov-Smirnov test (KS) to determine if the distributions for all $j \in \{1, \ldots, m_{\text{lot}}\}$ of $(T_i^j - \hat{T})$ for the reference lot and for the new one are drawn from the same distribution law, i.e. if the devices embed the same design or not.

With the same idea of comparing centered populations of $(T_i^j - \hat{T})$, clustering solutions can be used such as the k-means (with $k = 2$) or using simply the median. To do this, the populations $(T_i^j - \hat{T})$ of the reference lot and of the new lot are merged within the same set. Then, the k-means is applied on the resulting population (or the median is calculated) so that to split it into two clusters. Finally, the number of devices in each cluster coming from the reference lot and from the new one are counted. If the tested ICs are genuine, the two resulting clusters have the same number of elements from the reference lot and that of the new lot. More precisely, if the cardinals of the reference lot and that of the new lot are equal, 50% of the devices from the reference lot and 50% of the devices from the new lot have to constitute each cluster. If this is not the case, the new lot can be considered as different from the reference one.

**B. Case 2: counterfeit detection**

The case of the suspected ‘field return’ is more difficult to treat as the fingerprint as described so far for HT detection cannot be calculated on one single device: we only have the $T_i^{\text{Suspected}}$ of the considered device. In this case, we first “recenter” all the values using the value $T_i^{\text{Suspected}}$ of the suspected IC (i.e. calculate $T_i^{\text{Suspected}} - \hat{T}^{\text{Suspected}}$) and then calculate the probabilities that each $T_i^{\text{Suspected}}$ values comes from the normal distribution:

$$N(0, (\sigma_i^{\text{Suspected}})^2) = N(0, \sigma_i^{\Delta T}^2)$$

$$\sigma_i^{\Delta T}$$ is indeed the standard deviation of the sensor $i$, value estimated with the ICs from the reference lot. The probabilities for all sensors are then combined (and more precisely a multi-normal distribution is defined with all $\sigma_i^{\Delta T}$) to obtain the probability that the considered device is a genuine one.

**V. EXPERIMENTAL RESULTS**

The HT detection methodology has been experimentally tested on a set of 30 FPGA boards featuring a Xilinx Spartan3E-1600. 15 boards have been used as genuine ICs and 15 have been used in order to emulate an infected lot.

or counterfeited devices. Validation of our methodology using FPGAs is a first step before entering the long and costly process of designing an ASIC.

**A. Experimental protocol**

On each Spartan-3E-1600 FPGA, a 128-bit-key AES, an RS232 communication block and a Finite State Machine (FSM) have been placed and routed. An array of 60 ROs has been added to the design. Each RO is coupled with a clock divider by two so as to be able to observe and measure precisely the 60 frequencies on an I/O pad through a multiplexer. The area overhead incurred by the addition of our on-chip detection hardware is about 3.2% of the FPGA resources. The frequency measurements are performed with an oscilloscope from Lecroy featuring a 4GHz bandwidth and a 40GS/s sampling rate.

In order to obtain accurate measurements (accuracy of ±0.025ps), each frequency estimation is done by measuring the duration equivalent to 100 periods and by repeating this experiment 100 times to obtain a mean value of the period of each RO: $T_i^j$. During these measurements, the IC is kept inactive, i.e. just powered on and with the clock running. The time spent to measure the 60 values $T_i^j$ on a board is lower than 2min which is short enough to consider the temperature as constant in a laboratory environment. In order to guarantee a good stability of the supply voltage, the FPGA is powered by a stabilized dc supply source with an accuracy of 0.05%.

To emulate the effect of a HT, a 64-bit LFSR is used. It occupies an area of 48 slices which represents 0.32% of the FPGA’s surface (see the rightmost picture of Fig.2). Note that the AES alone is mapped onto 1778 slices. The LFSR is clocked at 50MHz by taking the clock input of a D Flip-Flop of the AES. This HT can therefore be considered as a sequential HT.

To emulate counterfeits, several constrained place and route steps of the design are performed. Fig. 2 gives 3 different floorplans of the same HDL code (three leftmost pictures). One of them (Design 1) is considered as the original / genuine design, the two others as counterfeits.

**B. Estimations of $\sigma_{\text{inter}}^2$ and $\sigma_{\text{intra}}^2$**

Before evaluating the relevance of the proposed methodology and thus the relevance of the proposed variation model of CMOS structures, the impact of the inter and intra-die variations have been estimated on the 30 FPGA boards. Fig. 3(a) gives the histogram of the periods ($T_i^j$) for the 60 ROs on ten boards, i.e. ten different devices. One can observe that the mean period for each device varies from 13.5ns to 14.5ns. The
impact of inter-die variations is therefore of the order of several hundreds ps. Hence, using data from 30 boards, we estimate that the inter-die impact can be modelled by the following normal distribution $N(0, \sigma_{\text{inter}}^2)$ with $\sigma_{\text{inter}}^2 = 460$ ps.

Fig. 3(b) shows the histograms for the measured periods (centred for each board) for the 60 ROs values and this for the same ten boards. On can observe that the intra-die variations have an impact of the order of a hundred ps. Based on those assumptions, the intra-die variations can be considered to follow a zero-mean normal distribution and can be modeled by $N(0, \sigma_{\text{intra}}^2)$ with $\sigma_{\text{intra}} = 130$ ps.

C. Validation of our variation model and Counterfeit detection

In section III, we introduced a variation model for the performance of CMOS structures and for that of sensors. This model is novel as it introduces a deterministic term which expresses the impact of the design structure on the sensor and particularly the impact of the power distribution. This novel model being the base of the proposed detection method, we start by evaluating its relevance.

In order to do that, the frequency of the 60 ROs from the 3 leftmost designs shown in Fig. 2 have been measured on 15 boards. Then, the first half of their fingerprints $S_{\text{Design}}$ (i.e. the $\Delta T_i$s) have been compared. Fig. 4(a) shows $S_{\text{Design}1}$ (dark curve) and the unique fingerprints (dotted curves) for each of the 15 devices used to compute $S_{\text{Design}1}$. Fig. 4(b) shows the three fingerprints obtained from the three designs. One can observe they are significantly different despite the use of the same 15 boards. One can also observe that the designs 2 and 3 have significantly different fingerprints (which are in turn different from that of design 1) even though the two floorplans are relatively similar. Note that in Fig. 6(a) (dotted curve), we see that the signatures corresponding to the same design obtained from two different lots of 15 FPGA are the same.

For these designs 2 and 3, the sensors 30 to 45, located in the neighborhood or in the AES (see Fig. 2), are characterized by high $s_i = \Delta T_i$ values. For the design 1, the AES is around sensors 1 to 10 (see Fig. 4(b)). This reinforces the hypothesis that the floorplan influences the sensors by modifying locally the distribution of supply voltage even when the IC does not compute anything.

At this point, we see that our variation model of CMOS structures is valid and allows to distinguish different floorplans of a same HDL code. To show that our method can determine whether a suspected IC is a counterfeit (compared to a reference lot), we shall refer to Fig. 5 which shows the complete fingerprint (calculated from 15 samples) of the design 1 (dark curve), i.e. the values of $\Delta T_i \pm \sigma_{\Delta T_i}$, and the fingerprint of a suspected device (dotted line). In this case, there are visually no doubt that the considered device is a counterfeit. For example, the ROs 30, 39 and 40 are out of the $\pm 3 \cdot \sigma_{\Delta T_i}$ measured on the reference lot.

D. HT detection

The detection method of an infected lot is similar to that of a counterfeit lot, although the alteration of the physical structure is expected to be significantly smaller and localized. Fig. 6 shows the results obtained by applying the DoM (upper picture) and the T-test (lower picture) in order to verify the integrity of the 15 infected and 15 genuine ICs with the 15 reference ICs. 30 boards are used. To emulate the infection (the presence of a sequential HT), a 64-bit LFSR (48 slices) has been added to the design 1. Both the DoM and the T-test allow to detect an anomaly located around RO 33 which
is effectively close to the LFSR. Moreover, the DoM stays low between the reference and the genuine lots. In this case, the absolute T-values ($| T_{Stat} |$) does not exceed 1.22 for $i \in \{1, \ldots, 60\}$. Genuine lots are therefore recognized as uninfected lots. Similar results have been obtained with the k-means and the median. These results validate the proposed detection methodology and above all the proposed variation model of the performance of a CMOS structure in a real design which strongly depends on the power distribution in advanced CMOS technologies.

VI. CONCLUSION AND PERSPECTIVES

This paper introduces an efficient and practical approach for detecting Hardware Trojans in ICs and counterfeits based on a new variation model for the performance of CMOS structures. This model gets rid of the process variation issues usually met when doing HT detection in practice. The model is actually built from measurements made on ‘real circuits’ and not designs usually dedicated to the monitoring of process variations, the latter being much more uniform and regular in terms of physical structure and content. This approach is based on the assumption that IC infection is more likely to be done on a lot level than on individual isolated ICs.

A reference signature is first derived from a trusted lot (which could correspond in practice to a first run usually done for characterisation purposes). Then the same signatures will be calculated on subsequent (suspected) lots and compared with the reference one, using the different statistical methods described in this paper. For counterfeit detection, we propose a way of calculating this IC fingerprint and comparing it with the reference signature. The model and the methods have been successfully experimented on a set of 30 FPGA boards as an initial validation strategy.

The next steps will be to implement the on-chip sensor structures on an ASIC design and validate the method on large set of ICs. Moreover, other factors like the size of the HT, the density of sensors to used or the positioning of those sensors shall be investigated.