2850 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 68, NO.

8, AUGUST 2021

SAT-Based Integrated Hardware Trojan Detection

and Localization Approach Through
Path-Delay Analysis
Mohammad Sabri, Ahmad Shabani , and Bijan Alizadeh , Senior Member, IEEE

Abstract—With the rapid growth in IC outsourcing in the
semiconductors industry, concerns have increased about the
weakening ICs security against hardware Trojan attacks. In this
brief, an integrated hardware Trojan detection and localization
methodology is presented by employing the proposed SAT-based
test pattern generation scheme and the MUX-based debugging
technique. The experimental results show that our methodology
can effectively detect timing anomalies in the path-delays caused
by hardware Trojans with node coverage around 97% as well as
localizing all Trojan’s gates with a localization resolution around
99.6%. Moreover, all timing error sites are successfully identified
with zero False Negative and 0.56% False Positive rates.
Index Terms—Hardware Trojan, boolean satisfiability, Trojan
detection, hardware security, delay analysis, SAT.
I. I NTRODUCTION
ITH the rapid growth in globalization of Integrated
W Circuits (ICs) design and fabrication processes, ICs are
becoming more vulnerable to malicious activities introduced
by Hardware Trojans (HTs) [1]. Trojans are potent yet stealthy
attacks that are inserted by the untrusted entities to change
the genuine functionality, degrade performance, or steal vital
information of the chip. In recent years, there has been a sig-
nificant effort in detecting various models of hardware Trojans
by either employing logic testing [2] or side channel-based
analysis approaches [2]–[5]. The side channel-based analysis
approaches are focusing on the anomaly in the circuit parame-
ters (e.g., delay, power, and temperature) introduced by Trojans
to separate infected ICs from the golden ones [3]. The alter-
native defensive approach is to modify the original circuit to
facilitate the post-silicon detection [2], [4]–[6]. Considering
the path-delay analysis, authors of [3] introduced a clock-
sweeping technique to measure path-delays so that it can
generate signatures for each IC to distinguish Trojan-infected
circuits. They leveraged statistical approach which has been
proved to be highly effective in identifying Trojan infected
Manuscript received February 4, 2021; revised March 17, 2021; accepted
April 13, 2021. Date of publication April 20, 2021; date of current version
July 30, 2021. This work was supported in part by the Iran National Science
Foundation (INSF) under Grant 98006098. This brief was recommended by
Associate Editor X. Li. (Mohammad Sabri and Ahmad Shabani contributed
equally to this work.) (Corresponding author: Bijan Alizadeh.)
The authors are with the Design, Verification, and Debugging of Embedded
Systems Laboratory, School of Electrical and Computer Engineering, College
of Engineering, University of Tehran, Tehran 14395-515, Iran (e-mail:
sabri@ut.ac.ir; ah.shabani@ut.ac.ir; b.alizadeh@ut.ac.ir).
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TCSII.2021.3074549.
Digital Object Identifier 10.1109/TCSII.2021.3074549
1549-7747 
c 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
ICs in the presence of process variations [7]. Recently, authors
of [8] proposed an automated test pattern generation scheme
to generate test vectors that are likely to activate trigger
condition, and change critical paths. However, this method
is solely able to detect timing anomaly of trigger-activated
Trojans, which is not always possible, especially for hard-to-
detect Trojans. Authors of [9] developed a learning assisted
delay-based analysis methodology to detect HTs by train-
ing a neural network for correlating the static timing data to
delay information obtained from clock sweeping [3]. Although
various hardware Trojan defensive approaches have recently
been introduced, the localization problem has been paid much
less attention than it deserves. Authors of [10] developed
a solution for detection and localization of Trojans by analyz-
ing the power consumption characteristics. Nevertheless, this
approach is only able to estimate the Trojan-infected section,
resulting in a low localization resolution.
In this brief, an integrated methodology for Trojan
DEtection and Localization through Path-delay Analysis called
DELPA is presented by means of the proposed Satisfiability-
based (SAT-based) test pattern generation and Multiplexer-
based (MUX-based) debugging technique. To the best of our
knowledge, this is one of the first attempt to integrate both
Trojan detection and localization through path-delay analysis.
The main contributions of this work are as follows:
1) Presenting a new methodology for localizing Trojan’s
gates inserted by an untrusted foundry using MUX-
based debugging technique so that the problem is
adapted to a SAT instance and the MUXs selected by
SAT engine would select which nodes are likely to be
the possible Trojan location.
2) Developing an automated SAT-based test generation
scheme through path-delay analysis alongside the clock-
sweeping technique for measuring the genuine path-
delays [3].
3) Scaling up the proposed methodology to diagnosis
multiple timing error sites caused by different parts of
Trojan circuit.
The rest of this brief is organized as follows. The basic back-
ground and DELPA methodology is introduced in Section II.
The detection and localization phases will be further discussed
in Sections III and IV. Finally, the experimental results and
conclusion are provided in Sections V and VI.
II. PATH -D ELAY T ESTING AND
M EASUREMENT T ECHNIQUE
In order to inspect anomaly in path-delays, generally two-
vector sequences <V1 , V2 > are employed. By applying the

thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
 SABRI et al.: SAT-BASED INTEGRATED HARDWARE TROJAN DETECTION AND LOCALIZATION APPROACH THROUGH PATH-DELAY ANALYSIS 2851

Fig. 2. Proposed stuck at ‘1’ and ‘0’ models to generate test pairs <V1 , V2 >.

Algorithm 1: SAT-Based Test Patterns Generation

Input: Circuit netlist
Output: Test pattern pairs (TP)
1: for each gate in circuit netlist do
2: if Gate.Type ∈ {‘nand’, ‘and’, ‘or’, ‘nor’} then
Fig. 1. The proposed DELPA methodology. 3: Generate Stuck at ‘1’ & ‘0’ models
4: for each oi ∈ O do // O is a set of circuit outputs
5: Assign oi ← 1// ← assign operator
6: Run SAT solver
initialization vector (V1 ) to the launch flip-flips at time 7: if SAT solver returns UNSAT then
t0 , the circuit is allowed to be stabilized under vector V1 . 8: Remove constraint of oi ← 1
Next, the propagation vector (V2 ) is applied at time t1 , and 9: Continue
the outputs are sampled at t2 time from capture flip-flops. 10: else
11: Extract (V1 , V2 ) from SAT solver results
To measure the path-delays with high resolution, two tech-
12: Update TP with (V1 , V2 )
niques including single-clock and dual-clock schemes are 13: Break
mainly employed [11]. In the first scheme, the test pattern 14: end
pairs <V1 , V2 > are repeatedly applied to the circuit under 15: end
test (CUT). For each pair, the frequency of clock C1 is iter- 16: end
atively increased so that the launch and capture edges are 17: end
closed together. This process will continue until the capture
flip-flops capture the faulty output. Finally, the estimated path
delay is calculated as 1/Fs, where Fs represents the stop
point frequency at which faulty output is captured by capture embedded structures to circuit to obtain the genuine tim-
flip-flops. The second scheme, dual-clock, requires repeated ing fingerprints [12]. The final step in detection phase is
application of test pattern pairs with the difference that the to compare the suspected ICs’ fingerprints with the golden
phase of the capture clock C2 is decremented by a small t one to distinguish Trojan-infected ICs. If the presence of
relative to C1. Trojan is confirmed, the two-vector sequences by which the
timing anomaly is manifested are considered as counter exam-
ples (CXs). Otherwise, the circuit is considered as Trojan-free.
In localization phase, the main goal is to determine the
III. P ROPOSED I NTEGRATED M ETHODOLOGY (DELPA)
possible Trojan locations (PTLs) with high resolution.
In this brief, the Trojan threat model can be any malicious
modification on the main circuit, which is mounted by an
untrusted foundry. This includes any tampering resulting in an A. SAT-Based Test Pattern Generation (Pre-Silicon Stage)
added capacitance to a path, which either could be an added Unlike the clock-sweeping technique where the target test
payload to some paths or Trigger unit incorporating internal pattern are selected randomly from ATPG tool, our determin-
nets of the circuit. Fig. 1 shows the integrated flow of the istic SAT-based test pattern can efficiently target only the most
proposed DELPA methodology. The proposed methodology vulnerable nets which are more likely to be selected by a care-
mainly consists of two phases of detection and localization ful attacker. To create a distinct transition on each circuit net,
in which each phase includes some routines in both pre- two-vector sequence is generated by sequentially sticking each
silicon and post-silicon stages. In pre-silicon stage, the goal net at ‘1’ and ‘0’ values. Algorithm 1 describes the proposed
is to generate the test pattern pairs in such a way that all SAT-Based test patterns generation scheme. The algorithm is
the circuit paths are activated to expose any malicious timing fed with the circuit netlist, and its output is the test pattern
variations. By applying the generated test pattern pairs to the pairs (TP) by which the circuit paths are sensitized. To reduce
golden IC in post-silicon stage, the genuine functionality and the number of test patterns, it is avoided to generate test pat-
timing specifications are obtained in the presence of process terns for transparent gates. The transparent gate refer to the
variation. The golden ICs can be derived by either exhaus- gate whose transitions on its inputs will directly propagate to
tive testing approaches on a limited samples of fabricated ICs its output such as NOT, BUF, and XOR gates. This action
or destructive reverse engineering-based methods [6]. Instead, decreases the number of candidate nets, as only one net for
one can leverage reference-free approaches by adding some each transparent gate is required for test pattern generation.

thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
 2852 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 68, NO. 8, AUGUST 2021
Fig. 3. (a) Trojan-infected circuit, (b) Timing characteristics of Trojan-free
and Trojan-infected circuits.
First of all, stuck at ‘1’ and ‘0’ models are generated for each
target net (Line 3) by duplicating the circuit, and imposing cor-
responding ‘1’ and ‘0’ values on target net of the faulty circuit,
and eventually XORing outputs of duplicated circuit with those
of faulty outputs. An example of stuck at ‘1’ and ‘0’ models is
shown in Fig. 2. By adjusting circuit outputs (i.e., XOR gates)
iteratively to logic ‘1’ (Lines 4-5), and running SAT Solver
(Line 6), the gates located on the sensitized path are limited
to their controlling values allowing the generated transition
to be propagated toward adjusted output. If the SAT solver
returns a truth assignment (i.e., SAT), the test pattern pair
<V1 , V2 > extracted from the SAT solver is added to TP list
(Lines 10-12). Otherwise, it implies that the transition cannot
be propagated to adjusted output, thus another circuit out-
put should be selected (Lines 7-9). According to the example
shown in Fig. 2, setting O2_0 and O2_1 will generate a solu-
tion as <V1 , V2 > = <[0, 0, 1, 0, 0, 1], [0, 0, 1, 0, 1, 1]>. The
number of SAT calls for Algorithm 1 in the worst case is
O(N × K), where N is the total number of compacted circuit
nets and K represents the total number of circuit outputs. One
effective way to lower the complexity of Algorithm 1 is to
skip the nets with high transition probability or nets located
on the very long or very short paths since there is a less
delay variation in shorter paths. In fact, a careful attacker
would select the trigger’s inputs or payload of Trojan from the
most vulnerable nets, where they belong to the longest path
of the shortest paths [6]. Note that unlike the clock-sweeping
method, to allow applying two consecutive test patterns to
sequential circuits, we used a design for test (DFT) structure,
known as the enhanced scan test, where the conventional scan
circuit is enhanced by inserting hold latches and additional
hold signal [13].
B. Distinguishing Trojan-Infected ICs (Post-Silicon Stage)
We first obtain the genuine delay model of final post-place
and route stage during physical design. Then, the proposed test
pattern pairs are applied to the delay model. We leverage the
clock-sweeping technique [3] to measure genuine Delay (GD)
in the presence of process variations. The same test pattern
pairs are also applied to the suspected IC, and the outputs are
sampled at the end of GD, and compared with the original
output values. If the sampled outputs and the original ones
are not logically matched, the CUT is set as Trojan-infected,
and the test pattern pairs exposing the timing anomaly are
specified as CXs. Fig. 3(a) shows the same circuit example
of Fig. 2 tampered with a simple Trojan’s payload (i.e., XOR
gate). After applying the generated V1 and V2 sequentially to
the circuit, the faulty value (i.e., logic ‘1’) is manifested at
faulty output N11 at the sampling time (time step 5).
thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
Algorithm 2: Trojan Localization Procedure
Input: Circuit netlist, Extracted CXs (CX)
Output: Possible Trojan location (PTL)
1: Convert circuit netlist to untimed model
2: foreach Cxj ∈ CX
3: Add Cxj constraints to untimed circuit
4: End
5: Add localization cardinality constraint to untimed circuit
6: Set NL ← 1 : NL is the number of timing error sites
7: Translate circuit into CNF formula
8: While (1) do
9: Run SAT solver
10: if SAT solver returns UNSAT then
11: if PTL = {} then
12: Increment NL
13: else
14: Break
15: end
16: else
17: Sse ← Find MUXs are selected by SAT solver
18: Add  Sse to PTL list
19: Add i={Sse } Si constraint to CNF formula
20: end
21: End
IV. P ROPOSED MUX-BASED T ROJAN L OCALIZATION
In this section, we introduce the proposed SAT-based
approach to localize the trace of inserted Trojans using the
MUX-based debugging technique. The key idea behind the
localization approach is that the faulty output not only depends
on the propagation vector, but also on the initialization vec-
tor. Therefore, the PTLs are those nets that cause the faulty
output at the sampling time if they are just fed with the initial-
ization vector. The localization phase consists of three main
steps: 1) converting circuit to untimed model, 2) appending
localization constraints to CNF, and 3) SAT-based multiplexer
selection. In the first step, all the gates with a delay larger than
one-unit are replaced by a gate with one-unit delay and sur-
plus delay is compensated by adding extra buffers. For a wire
with a non-zero delay, the number of added buffers is pro-
portional to the wire delay. In order to adapt the localization
problem to SAT instance, two localization constraints: 1) CX
constraint and 2) localization cardinality constraint (LCC) are
added in the next step in the form of conjunctive normal
form (CNF) such that the circuit netlist is updated by adding
new hardware associated with each constraint. The first local-
ization constraint models the timing error constraints for each
Cxj = <v1 , v2 >, 1 ≤ j ≤ k, where k is the total number of
CXs. To represent potential timing error sites, extra multiplex-
ers (MUXs) are added to the circuit as shown in Fig. 4. To do
so, the untimed circuit model is duplicated for each Cxj . Then,
one of the duplicated circuit (i.e., delayed circuit) are supplied
with v1 , and the MUXs are added to every gate’s output of
the other duplicated circuit, where its primary inputs are fed
with v2 of the same Cxj . Finally, the constraints related to v1 ,
v2 and the faulty output are appended to CNF by adding new
unit clauses. The second constraint (i.e., LCC) encodes lim-
itation on the cardinality of timing errors. A new hardware
is utilized for LCC as shown in Fig. 4. The number of tim-
ing error sites for which the localization is to be repeated is
a user-specified parameter NL called localization cardinality.
 SABRI et al.: SAT-BASED INTEGRATED HARDWARE TROJAN DETECTION AND LOCALIZATION APPROACH THROUGH PATH-DELAY ANALYSIS
Fig. 4. Applying CX constraint and LCC to the netlist under test.
The reason behind selection of NL is that the different parts of
Trojan circuit might cause different timing deviations. Since
the designer is not aware of Trojan model, the proposed local-
ization algorithm usually starts with NL = 1, and then its value
increases if it fails to return any solutions. We impose LCC
to implicitly enumerate subsets of NL select lines of MUXs
which may simultaneously be activated [14]. The proposed
localization procedure is described in Algorithm 2. The first
step is to convert a given circuit netlist into untimed model.
Next, the localization constraints are imposed on circuit netlist
which later are translated into CNF formula. The SAT solver
is utilized as a decision engine in such a way that if returns
a solution (i.e., active MUX’s select lines), the selected sites
in each iteration are considered as PTLs (Lines 17-18). The
found MUXs in each iteration of Algorithm
 2 should not be
found again in the next iterations. Thus, i={Sse } Si is used to
express above constraint indicating that none of si that belong
to the {Sse } set should simultaneously be selected in the next
iterations (Line 19). After deactivation, the procedure will be
continued until the SAT solver fails to return any other solu-
tion (Line 10). Otherwise if the SAT solver fails and the list
of PTLs is empty, NL increments (Line 10-12). The number
of SAT calls in the localization procedure is C(N, NL ), where
C(N, NL ) represents the number of combinations of NL timing
error sites extracted from the total circuit net N. For typical
circuit benchmarks, the number of SAT calls can be estimated
as N NL /NL ! as N  NL .
V. E XPERIMENTAL R ESULTS
We have implemented the proposed methodology using C++
language, and applied it to a subset of ISCAS-85, ISCAS-89,
Trust-hub benchmarks and ITC-99 benchmark benchmarks.
The sequential circuits were implemented in the full scan
mode. Since the conventional scan-based design does not
allow applying two successive uncorrelated vectors, we used
enhanced-full scan mode including additional hold latches
to address this issue as suggested by [13]. All the cir-
cuits were synthesized by Synopsys Design Complier using
TSMC-90 nm technology, and the post-place and route accom-
plished using Cadence SOC-Encounter. Moreover, the maxi-
mum frequency, the functional frequency, and the step size of
clock-sweeping in our simulations are 1.5 GHz, 700 MHz, and
10 ps, respectively. To obtain the delay model, we used timing
thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
2853
TABLE I
T EST PATTERN G ENERATION R ESULTS OF D IFFERENT
B ENCHMARK C IRCUITS
information of final physical design included in the standard
delay format (SDF). We have randomly selected Trojans with
different number of injected timing error sites (i.e., NL ) from
the most vulnerable nets. To find the vulnerable nets, the short-
est path passing the net is found and selected. Then, we sort the
selected paths and find the longest one which includes the most
vulnerable nets. The efficiency of the test pattern generation
is evaluated by node coverage metric which is the percentage
of circuit nodes whose delay variations are observable through
path-delay analysis. Also, we introduce localization resolution
(LR) metric according to (1), where N is the total circuit nets,
LMax is the maximum circuit logic depth, NPTL represents the
total number of PTLs, and LPTL Max defines the maximum point-
to-point distance in terms of logic depth between PTLs and
GTLs. The localization results are evaluated, on average, for
Trojans with different number of affected nets NL = 1, 2, 3,
where all locations are randomly selected 10 times from the
most vulnerable nets.
NPTL × LPTL
Max
LR = 1 − (1)
N × LMax
We apply the proposed methodology to different benchmark
circuits and measure node coverage metric as listed in Table I.
The first column report the number of gates whose input
and output transitions are not transparent (NCandidate ). Then,
the circuit nets that have overlap in transition are excluded
from NCandidate , resulting in a compact list of nets (NCompact ).
Also, NUNSAT shows the number of nets for which the SAT
solver did not return any solution. Here, the node coverage
is defined as the percentage of compact nets that SAT solver
can generate corresponding test pattern pairs. From Table I,
the proposed test generation scheme achieves the node cover-
age around 97%, in average, which is high enough to detect
almost any timing variations caused by Trojan circuits. The
False Positive Rate (FPR) is the percentage of genuine cir-
cuit nets, which are wrongly selected as Trojan’s gates. The
False Negative Rate (FNR) is the percentage of Trojan gates
that are not included in our detected list of PTL. The local-
ization process detects all the true timing error sites caused
by Trojan by providing a suspected list. As a result, the FNR
for all the circuit benchmarks is zero. Table II reports the
localization results of different benchmark circuits in terms of
LR metric in the case of NL = 1 and #CX = 3. Results of
 2854 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 68, NO. 8, AUGUST 2021
Fig. 5. Effect of number of CXs on the number of identified PTLs.
TABLE II
L OCALIZATION R ESOLUTION R ESULTS (#CX = 3 & NL = 1)
TABLE III
L OCALIZATION R ESOLUTION R ESULTS (NL = 2)
Table II show that the LR metric of the proposed approach is
about 99.97%, and the FPR is about 0.08%, on average. From
the evidence, the reduction in the number of PTLs (NPTL ) is
achieved by extracting more CXs during the detection phase,
which makes the identified possible locations get closer to
the GTL, as shown in Fig. 5. We also inspect the effects of
multiple timing errors on localization accuracy. According to
Tables III and IV, as the number of timing error sites (NL )
increases, so does the number of PTLs, resulting in reduc-
tion in localization resolution. The average number of PTLs
(NPTL ) is 30 and 41 for NL = 2 and NL = 3, respectively.
Also, the average LR is about 99.78% and 99.14% for NL = 2
and NL = 3, respectively.
VI. C ONCLUSION
In this brief, an integrated methodology called
DELPA incorporating both delay-based hardware Trojan
detection and localization approaches was proposed. The
SAT-based test pattern generation scheme alongside the
MUX-based debugging technique was proposed. From the
experimental results, the following conclusions can be drawn.
1) It localizes Trojan’s gates with zero FNR, and 0.55% FPR,
thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
TABLE IV
L OCALIZATION R ESOLUTION R ESULTS (NL = 3)
on average, and 2) It can simply be upgraded to localize
multiple timing error sites caused by different parts of Trojan.
R EFERENCES
[1] M. Tehranipoor and F. Koushanfar, “A survey of hardware Trojan tax-
onomy and detection,” IEEE Design Test Comput., vol. 27, no. 1,
pp. 10–25, Jan./Feb. 2010, doi: 10.1109/MDT.2010.7.
[2] A. Shabani and B. Alizadeh, “PMTP: A MAX-SAT-based approach to
detect hardware Trojan using propagation of maximum transition prob-
ability,” IEEE Trans. Comput. Des. Integr. Circuits Syst., vol. 39, no. 1,
pp. 25–33, Jan. 2020, doi: 10.1109/TCAD.2018.2889663.
[3] K. Xiao, X. Zhang, and M. Tehranipoor, “A clock sweep-
ing technique for detecting hardware Trojans impacting circuits
delay,” IEEE Desig Test, vol. 30, no. 2, pp. 26–34, Apr. 2013,
doi: 10.1109/MDAT.2013.2249555.
[4] A. Shabani and B. Alizadeh, “Enhancing hardware trojan detec-
tion sensitivity using partition-based shuffling scheme,” IEEE Trans.
Circuits Syst. II, Exp. Briefs, vol. 68, no. 1, pp. 266–270, Jan. 2021,
doi: 10.1109/tcsii.2020.3001263.
[5] A. Shabani and B. Alizadeh, “PODEM: A low-cost property-based
design modification for detecting hardware Trojans in resource-
constraint IoT devices,” J. Netw. Comput. Appl., vol. 167, Oct. 2020,
Art. no. 102713, doi: 10.1016/j.jnca.2020.102713.
[6] A. Nejat, D. Hely, and V. Beroulle, “ESCALATION: Leveraging
logic masking to facilitate path-delay-based hardware Trojan detec-
tion methods,” J. Hardw. Syst. Security, vol. 2, pp. 83–96, Feb. 2018,
doi: 10.1007/s41635-018-0033-6.
[7] Y. Jin and Y. Makris, “Hardware Trojan detection using path delay fin-
gerprint,” in Proc. IEEE Int. Workshop Hardw. Oriented Security Trust,
2008, pp. 51–57, doi: 10.1109/HST.2008.4559049.
[8] Y. Lyu and P. Mishra, “Automated test generation for Trojan detection
using delay-based side channel analysis,” in Proc. Design Autom. Test
Europe Conf. Exhibition (DATE), 2020, pp. 1031–1036.
[9] A. Vakil, F. Behnia, A. Mirzaeian, H. Homayoun, N. Karimi,
and A. Sasan, “LASCA: Learning assisted side channel delay
analysis for hardware Trojan detection,” 2020. [Online]. Available:
arXiv2001.06476.
[10] S. Wei and M. Potkonjak, “Scalable consistency-based hardware Trojan
detection and diagnosis,” Proc. 5th Int. Conf. Netw. Syst. Security, 2011,
pp. 176–183, doi: 10.1109/ICNSS.2011.6059998.
[11] S. Bhunia and M. M. Tehranipoor, The Hardware Trojan War: Attacks,
Myths, and Defenses. Cham, Switzerland: Springer, 2017.
[12] T. Hoque, S. Narasimhan, X. Wang, S. Mal-Sarkar, and S. Bhunia,
“Golden-free hardware trojan detection with high sensitivity under pro-
cess noise,” J. Electron. Test., vol. 33, no. 1, pp. 107–124, 2017,
doi: 10.1007/s10836-016-5632-y.
[13] L. Bushnell and V. D. Agrawal, Essentials of Electronic Testing for
Digital, Memory, and Mixed-Signal VLSI Circuits. New York, NY, USA:
Kluwer Academic Publishers, 2002.
[14] B. Alizadeh and M. Shakeri, “QBF-Based post-silicon debug of
speed-paths under timing variations,” IEEE Trans. Circuits Syst.
I, Reg. Papers, vol. 65, no. 12, pp. 4326–4335, Dec. 2018,
doi: 10.1109/TCSI.2018.2858291.