**2. Relevant Work**

Wireless power transfer technology relies on the principle of electromagnetic induction, which falls into two categories, near field and far field. Near-field techniques utilize inductive coupling between coils of wire or capacitive coupling between metal electrodes [1–3]. Inductive coupling for power transfer over a short distance through magnetic fields is one of the most widely used wireless powering technologies. Considering the conversion efficiency and the safety criteria, radiative wireless power transfer is the most popular far-field technique to remotely power mobile devices over a long distance for low-power devices [4–6] and wireless sensor networks (WSNs) [7]. Nondirective antennas can be used to energize sensors, but the efficiency is low. On the other hand, directive transmitting antennas are more efficient to increase the maximum distances that can be remotely powered [8]. Many radiative wireless power transfer techniques have been discussed with different operation frequencies, average chargeable distances, beamforming techniques, and overall system complexity. Depending on different transfer schemes, specific wireless power transfer patterns can be adopted to charge the devices without interrupting the operations. For instance, the electric vehicles can be dynamically charged as they ride on the wireless power lane [9]. Hence, the wireless power source is becoming a new shared input to the devices and vehicles as they are all connected on the wireless charging platform, so the data activities are exposed to the energy source. Especially when the devices and vehicles with hardware trojans need to be recharged, its battery can be very low and the existing security functions may not work intermittently, which raises critical concerns of safety and security. However, the security vulnerabilities for pervasive devices accessing the shared wireless charging platform have not been addressed.

#### *2.1. Survey of Hardware Trojans*

Much attention has been focused on hardware trojan taxonomy, development, and detection in the past two decades, especially since the Defense Science Board of US Department of Defense released a report in 2005 on the security of the supply of highperformance integrated circuits (ICs) which highlighted the need for "secure and authentic hardware" [10]. The resulting research produced numerous publications [11–27] which not only provide insight into existing hardware trojans, but also develop a general framework of hardware trojan understanding. This section will first briefly review hardware trojan taxonomy and detection methods, point out the lack of literature related to analog trojan development, taxonomy, and detection, and then present a number of trojans scenarios that can be possible in the analog/RF domain, specifically attacking a Class-E amplifier in the later sections.

#### 2.1.1. Hardware Trojan Taxonomy and Insertion

Hardware trojans defined by [12] are an intentional and malicious modification of a circuit that is designed to alter the circuit's behavior in order to accomplish a specific objective. It also makes a distinction between such trojans and design bugs and defects by defining such a bug as "an unintentional problem (i.e., error) that is unknowingly introduced into the circuit during its design and development phases" and a defect as "unintentional physical phenomenon (e.g., imperfection) that occurs during the circuit's fabrication, assembly, and testing phases". Trojans, as they are malicious, seek to tamper with the function of the integrated circuit and avoid detection, whereas flaws and bugs are generally discoverable via conventional models of testing and verification.

Reference [11] provides an excellent description of a general view of hardware trojan taxonomy. Furthermore, it details the supply chain and hardware development layout for ASICs and FPGAs. Other resources, such as reference [12], also provide excellent insight into the taxonomy of hardware trojans and the section of the design process into which hardware trojans can be inserted. Hence, it is clear from the various literature that the number of trojans, their triggers, payloads, and development can be inserted in numerous areas of the design phase. These publications indicate not only the type of trojan trigger and payload, but also the potential points at which the trojan can be inserted [1,4,17] which all developed trojans that can be inserted by an untrusted foundry, or which insert the trojan post-fabrication [11,12].

However, while a number of papers indicate hardware trojans, most focus on the digital domain, even while utilizing "analog" trojans. A search of literature generally yields results in which papers such as [15,18] developed "analog" trojans. However, the in these papers, the circuits they are trying to attack generally are in the realm of digital integrated circuits. In [12] the authors indicate there are at least four types of trojans, side channel, semiconductor, analog, and digital, and includes a catch-all category of other for those that do not directly fall into those other categories. Side-channel attacks generally leak information out of an analog channel [12,14]. Semiconductor trojans generally tamper with the dopant polarity [17], analog trojans seek to insert some sort of analog device or additional circuit that will affect some sort of change in the operation of the circuit, either immediate or over time [14,20–23], such as the capacitor trojan threat identified in [18]. Digital trojans generally try to cause issues with the finite state machines (FSM) [12] to cause the overall FSM to end up in a "don't-care" state, if available, that would contain a trojan payload.

Whilst there is a grea<sup>t</sup> deal of literature seeking to define hardware trojans, all of them, however, seek to attack circuits that remain in the digital domain. All the literature mentioned above, even those considered "analog" or even "semiconductor" trojans, seek to attack either microprocessors, digital circuits, etc. Additionally, some developed trojans for "RF applications", but their trojans generally remain in the realm of different transmitter input termination [20], and do not cover the full spectrum of possible hardware trojan attack vectors in the RF domain. Hence, we seek to contribute not only to this prior research, but also to provide some initial steps at the lack of research into trojans that can occur in the analog domain.

#### 2.1.2. Analog Circuit Trojans

Hence, after noting the expansive literature focusing much needed attention on hardware trojans in the digital circuit design domain, the following papers attempt to address trojans in the analog circuit design domain. Quite a few indicate the noticeable lack of research in this field [23,25]. These trojans are more difficult to obfuscate or deceptively insert than larger, more topographically complex digital circuits that can feasibly hide a trojan, digital, analog or semiconductor, these trojans can still exist [25]. The class of power/area/architecture and signature transparent (PAAST) trojans impact the fundamental operation of analog circuits, such as amplifiers, but do not require extra components, area, or semiconductor changes [24]. The study states that by changing the high side supply bus to an amplifier or oscillator circuit, it is possible to cause the circuit to go into a trojan state without adding extra components. It also proves that even without having to physically change the circuit, hardware trojans within analog IC development exist. The research into PAAST trojans has generally focused on the determination of the possible trojan states [26].

Other trojans in the analog/RF front-end domain have also been detected such as changing the termination to the entrance of the power amplifier (PA) [20], or inserting a trojan on a mm-wave RF PA matching network to leak information [27]. Hence, while hardware trojans are possible, there has been little focus on detecting and defending the RF front end from inserted hardware trojans.

#### *2.2. Hardware Trojan Detection*

Hardware trojan detection methods are broadly categorized as destructive and nondestructive [11,12]. Destructive methods can be applied on a smaller scale, but also provide a way to find and form golden models for verification [12]. Nondestructive methods include techniques such as side-channel analysis, formal verification, simulation, and logic testing. Many nondestructive methods require a golden model, and thus, together, these nondestructive and destructive methods form a complementary approach to hardware trojan detection. Other recently studied methods include an optical analysis of various ICs [28].
