Secure Chips Agreement: Enforcing Trust
- Secure Chips Agreement is a concept that encompasses diverse methods—such as physical-layer key agreement, optical PUFs, and interposer-based strategies—to establish chip authenticity and provenance.
- Key approaches include polar coding for secret communication, unit-level optical authentication using surface microstructures, and distributed validation in zero-trust chiplet environments.
- Emerging frameworks integrate blockchain provenance and formal hardware-software contracts to delineate leakage budgets and enforce security contracts across multifarious semiconductor supply chains.
Searching arXiv for papers relevant to secure chip authentication, provenance, chiplet trust, and key agreement. “Secure Chips Agreement” denotes a class of technical and governance arrangements by which semiconductor devices, chiplets, or other hardware units establish authenticity, provenance, communication trust, or shared secret state under explicit threat models. In the literature represented here, the term does not identify a single standardized protocol. Rather, it spans several partially overlapping problem settings: physical-layer secret transmission and key agreement over degraded or time-varying channels; unit-level authentication of packaged chips through intrinsic physical features; distributed authentication of chiplets in zero-trust System-in-Package environments; supply-chain provenance tracking across heterogeneous consortiums; and hardware-software security contracts that formalize what a processor may leak and what software must guarantee. The common theme is that trust is made explicit and is enforced either by coding, intrinsic physical signatures, distributed validation, trusted packaging substrates, or formal contracts (Koyluoglu et al., 2010, Liu et al., 2024, Tashdid et al., 13 May 2025).
1. Physical-layer secure agreement and its scope
A foundational interpretation of secure agreement is information-theoretic secret communication or key agreement over a channel whose asymmetries favor the legitimate parties over an eavesdropper. In “Polar Coding for Secure Transmission and Key Agreement” (Koyluoglu et al., 2010), the communication model begins with Wyner’s degraded wiretap setting. The transmitter sends a secret message over channel uses while requiring, for any , a codebook such that for sufficiently large ,
The main channel is , and the eavesdropper channel is a degraded version,
with . For a binary-input degraded wiretap channel, the paper states that the perfect secrecy rate is achieved by polar coding, while the proof in Section IV establishes vanishing normalized leakage,
For symmetric main and eavesdropper channels, the result becomes secrecy-capacity achieving: 0 The practical significance is that secrecy is obtained with polar encoding and decoding complexity 1, rather than through random coding existence arguments (Koyluoglu et al., 2010).
The same paper treats a second setting that is closer to “agreement” than one-way transmission: secret key agreement over fading erasure wiretap channels when only the statistics of Eve’s channel state information are known. Users communicate over 2 super-blocks, each containing 3 fading blocks of 4 channel uses, and exploit random channel variation to accumulate common randomness. The formal theorem sets
5
then applies a universal hash 6 to obtain a key 7 with
8
This is strong secrecy for the final key. A plausible implication is that secure agreement can be grounded in channel reciprocity or channel variability even when instantaneous leakage conditions are unknown, provided the adversary is passive and the model assumptions hold (Koyluoglu et al., 2010).
A more radical physical-layer approach appears in “Perfectly Secure Key Agreement Over a Full Duplex Wireless Channel” (Wunder et al., 2024). There, two authenticated devices use full-duplex communication, reciprocal channel response, and a bisparse blind deconvolution problem rather than traditional channel-entropy extraction or Diffie–Hellman. Alice and Bob choose sparse local signals 9, map them through a public codebook 0, transmit simultaneously, and recover structured products involving the reciprocal channel. The common secret is
1
and the paper proves information-theoretic secrecy under a passive eavesdropper model with balanced superposition at Eve. This suggests a distinct secure-agreement paradigm: the shared secret is created by reciprocal physical coupling and locally chosen randomness, not primarily by computational hardness or channel entropy (Wunder et al., 2024).
These physical-layer results are narrow in scope. They do not provide authentication against active man-in-the-middle attack, do not address general side-channel models, and rely on strong assumptions such as degradedness, reciprocity, or sparse blind deconvolution structure. They are best understood as rigorous foundations for one class of secure agreement, not as complete secure-chip protocols (Koyluoglu et al., 2010, Wunder et al., 2024).
2. Intrinsic device authentication and unit-level trust
A different meaning of secure agreement arises when the problem is not shared-key generation but agreement on the identity of a specific chip unit. “Surface-Based Authentication System for Integrated Circuit Chips” (Liu et al., 2024) proposes using the epoxy package surface of each IC chip as an optical physically unclonable function. The method is explicitly motivated by counterfeit-IC risk in semiconductor supply chains and by the limitations of electronic PUFs, which require powered chips and are sensitive to environmental variation.
The paper first shows that consumer imaging devices capture meaningful package-surface microstructure. In a scanner-versus-confocal comparison, scanner-derived norm maps correlate with confocal-derived norm maps on the same chip at around 0.53–0.54, versus 0.03–0.04 across different chips. It then develops a lightweight video-based verification method based on specular-reflection features. For each test-reference video pair, the system samples ten frames from each video, yielding 2 frame pairs; identifies the 3 brightest pixels in the chip-background region; and computes a robust matching score
4
From the 5 scores 6, it forms
7
and the zero-score ratio
8
then defines the final robust score as
9
with 0. Under the reported conditions, the final specular-reflection-based method achieves equal error rate 1, with a Gaussian-fit estimate of 2 also reported; baseline diffuse features perform worse, including 0.12 EER for the 3-component norm map, 0.02 for the 4-component, 5 and 6 for a sixth height-map subband under Laplace and Gaussian assumptions, and 7 for raw intensity images (Liu et al., 2024).
The engineering meaning of secure agreement here is unit-level authenticity agreement between an enrolled reference and a probe sample. The paper emphasizes that the method authenticates the packaged unit surface, not necessarily the internal silicon provenance. It also does not evaluate print, screen, or 3-D spoof attacks; does not provide robustness results for long-term aging, contamination, or arbitrary uncontrolled imaging conditions; and is naturally a one-to-one verification scheme rather than a one-to-many identification system (Liu et al., 2024). Thus, the result is best interpreted as a non-electrical, package-level trust anchor for incoming inspection, acceptance testing, and anti-counterfeit workflows.
3. Chiplet authentication in zero-trust System-in-Package environments
In heterogeneous chiplet systems, secure agreement becomes a distributed authentication problem among vendors, integrators, and assembled components. “SAFE-SiP: Secure Authentication Framework for System-in-Package Using Multi-party Computation” (Tashdid et al., 13 May 2025) and “AuthenTree: A Scalable MPC-Based Distributed Trust Architecture for Chiplet-based Heterogeneous Systems” (Tashdid et al., 18 Aug 2025) address this problem under explicit zero-trust assumptions.
SAFE-SiP embeds, in each chiplet, a signature or watermark generation circuit, a garbling circuit, a SHA-256 unit, and access to a TRNG. For each bit 8 of a 9-bit signature 0, the garbling construction uses
1
and maps
2
The aggregate authentication computation is summarized as
3
Chiplets are sourced by the integrator, assembled by a potentially untrusted foundry, then authenticated through DfT infrastructure using WBR and WIR. Verified outputs are hashed and stored in OTP memory for future secure boots; at later secure boot cycles, the system reauthenticates chiplets by comparing newly generated hashes with stored values, and any mismatch disables the compromised chiplet. The paper reports an average area overhead of 3.05%, a computational complexity expression
4
and latency figures of 96 cc, 160 cc, and 192 cc for 5, respectively. Area and power overheads vary substantially by design; for example, at 6, CVA6 incurs 7.92% cell-area overhead and 34.08% power overhead, whereas OR1200 incurs 1.84% and 4.12% (Tashdid et al., 13 May 2025).
AuthenTree removes the assumption of a trusted integrator by distributing trust across multiple integrator chiplets in a tree-based MPC-style architecture. Each chiplet carries a unique signature, ideally PUF-based; each hashes its signature through SHA-256; integrator chiplets first cross-authenticate one another; then they collaboratively authenticate the rest of the system. The paper does not specify a concrete secret-sharing algorithm or threshold equation, but repeatedly states that authentication requires consensus from a threshold number of integrator chiplets and that all sensitive signature material is partitioned so that no single party can reconstruct or manipulate the complete authentication result alone. Quantitatively, the evaluation reports area as low as 0.48% and 7,000.50 7 on Ariane, power under 0.5% in the abstract with per-benchmark overheads ranging from 0.13% to 1.83%, and authentication latency below 1 8, implemented with a SHA-256 core requiring 96 cycles at 9 (Tashdid et al., 18 Aug 2025).
These two frameworks converge on a common definition of secure agreement: authenticity is established without disclosure of raw chiplet identity material, and the ability of any single supply-chain actor to impersonate, clone, or substitute a component is reduced. The main difference is architectural. SAFE-SiP relies on chiplet-local garbling and secure-boot reauthentication (Tashdid et al., 13 May 2025). AuthenTree distributes validation authority among multiple integrator chiplets and frames the problem explicitly as federated trust in a zero-trust SiP (Tashdid et al., 18 Aug 2025). In both cases, the papers are strongest on provenance and authenticity and weaker on formal interoperability details, revocation, and comprehensive Trojan detection.
4. Trusted substrates, fabrication partitioning, and physical roots of trust
A further class of secure-chips agreements relocates the trust anchor away from the commodity chiplet and into packaging or fabrication structure. “An Interposer-Based Root of Trust: Seize the Opportunity for Secure System-Level Integration of Untrusted Chiplets” (Nabeel et al., 2019) argues that the interposer can serve as the mandatory communication backbone and therefore as a system root of trust. The proposed ISEA architecture places AHB interfaces, policy storage, and transaction monitors on a trusted active interposer. Each TRANSMON contains an Address Protection Unit, a Data Protection Unit, and a Slave Access Filter. The APU policy fields are Master ID, address, address mask, and permission; permissions use "01" for read-only, "10" for write-only, "11" for read/write, with "00" reserved. Unauthorized transactions are blocked by default, and the interposer returns an error response. The DPU constrains writes of particular data values to protected address ranges. In the demonstrated ARM-based system, four core chiplets and four memory chiplets are integrated into a 64-core shared-memory system, with all system-level communication mediated through the interposer (Nabeel et al., 2019).
The same theme is extended in the perspective paper “2.5D Root of Trust: Securing the Chiplet Ecosystem” (Williams et al., 20 Jun 2026), which explicitly treats the interposer as the trusted computing base in multi-vendor 2.5D systems. The paper distinguishes interconnect attacks, cache-coherence exploits, and microarchitectural side-channel threats. Runtime enforcement is provided by TRANSMONs and by Coherence Message Checkers located at physical ingress links and memory-controller boundaries. The CMC-1 pipeline uses one pipeline stage to analyze flit fields and a subsequent pipeline stage to look up permissions. CMC-2 adds an additional pipeline stage to filter broadcast requests and can convert an unauthorized broadcast into a targeted negative acknowledgment or unicast response. The paper reports system-level implementation effects including 73.7% reduction in maximum IR drop, 18.5% reduction in total system silicon footprint, 2.68% active interposer utilization, 3.2% reduction in total system power, and approximately 4% average performance loss for CMC-1 on single-core SPEC 2006 workloads (Williams et al., 20 Jun 2026).
A fabrication-centric approach appears in “Securing Digital Systems via Split-Chip Obfuscation” (Sweeney et al., 2020). There, a system is partitioned across a trusted legacy-node chip and an untrusted advanced-node chip. The Split-Chip Partitioning tool characterizes each module in four candidate configurations—trusted IC, untrusted IC, untrusted IC with Key Logic, and untrusted IC with FSM Obfuscation—and optimizes a vulnerability measure based on exposure and criticality, subject to user-defined constraints on frequency, power, bandwidth, latency, area, and placement. The security guarantee comes from withholding the trusted chip netlist from the untrusted foundry; vulnerability itself is explicitly described as a ranking metric rather than a security guarantee (Sweeney et al., 2020).
These works recast secure agreement as an agreement about where trust physically resides. A plausible implication is that multi-vendor secure-chip governance can be made more enforceable when identity binding, routing, access control, or sensitive control logic are moved into a trusted substrate—active interposer, trusted legacy die, or similarly isolated fabric—rather than left inside untrusted chiplets (Nabeel et al., 2019, Williams et al., 20 Jun 2026, Sweeney et al., 2020).
5. Provenance, accountability, and distributed trust across organizations
Secure agreement also has a supply-chain meaning: participants agree not only on device identity, but on the authenticated history of a device and the accountability of each actor who handled it. “Reward-based Blockchain Infrastructure for 3D IC Supply Chain Provenance” (Valapu et al., 2024) addresses this through a dual-layer architecture. The lower layer records provenance events on permissioned blockchain infrastructure; the upper layer computes reputation across multiple consortiums.
The provenance layer supports device-type registration by manufacturers through 0 and 1, individual device registration using hashes of unique physical identifiers such as ECID or PUF-derived IDs, transfer initiation via
2
and delivery confirmation through
3
Verification uses 4, which checks whether the hash of the physically extracted device ID appears in the blockchain. The supply chain is modeled as a provenance DAG, and because organizations may belong to different consortium blockchains, the paper introduces meta-entities such as 5 to represent trust-boundary crossings between an untrusted blockchain 6 and a trusted blockchain 7 (Valapu et al., 2024).
The reputation layer is based on “purchase equals endorsement” and additive-increase, multiplicative-decrease. On successful verification, the seller’s reputation is updated by
8
On validated defect reports, the manufacturer is penalized by
9
while other sellers on the provenance path use
0
The discount parameter 1 depends on trust zone: 2 in an untrusted blockchain, whereas 3 may be greater than 4 in a trusted blockchain, so blame decays less in untrusted zones. The paper also defines normalized reputation by comparing actual reputation 5 to ideal reputation 6: 7 This gives a practical way to distinguish complete provenance from complete trust: a part may be fully traceable yet still associated with lower-reputation actors or high-risk cross-zone transfers (Valapu et al., 2024).
In a secure-chips-agreement interpretation, this architecture supports clauses on provenance attestation, supplier accountability, chain-of-custody confirmation, and risk-weighted acceptance of parts from heterogeneous administrative domains. The framework does not solve buyer tampering, wash trading, or governance disputes over Trusted Authority decisions, but it formalizes how digital provenance and trust-zone-sensitive reputation can coexist (Valapu et al., 2024).
6. Formal security contracts and constrained-chip enforcement
Another use of the agreement concept is neither authentication nor key exchange, but a formal contract specifying what the hardware may leak and what the software must prevent. “Hardware-Software Contracts for Secure Speculation” (Guarnieri et al., 2020) introduces contracts for speculative processors as labeled ISA-level semantics. A hardware platform satisfies a contract 8 if, for all programs 9 and initial states 0,
1
The paper defines contracts such as 2, 3, 4, and a speculative-PC/sequential-CT intermediate form, then proves that different secure-speculation mechanisms satisfy different contracts. For example, disabling speculation satisfies 5, while load delay and speculative taint tracking satisfy 6 and a weaker speculative-PC contract but not 7 (Guarnieri et al., 2020).
The software side is expressed through noninterference with respect to a contract: 8 If 9 and 0, then 1. The paper uses this to unify constant-time programming and sandboxing under the same contract framework and shows how properties such as SNI and wSNI can be checked using Spectector on x86 code (Guarnieri et al., 2020).
“Contract-Aware Secure Compilation” (Guarnieri et al., 2020) generalizes the same idea to compilation against microarchitectural contracts. A contract 2 provides contract states, labels, and a labeled transition system producing contract traces 3. Hardware satisfies the contract if
4
for programs 5 differing only in data. A compiler is secure for all contracts in a family 6 if
7
for all 8. The main theorem composes compiler correctness with hardware compliance, yielding hardware-level indistinguishability from source-level architectural indistinguishability (Guarnieri et al., 2020).
This literature suggests a precise but narrow meaning of secure chips agreement: a formal leakage budget. Hardware vendors promise a contract; compilers and software are verified against that contract; end-to-end security follows only within that declared budget. The agreement is therefore not “the chip is secure” in an absolute sense, but “the chip leaks no more than this contract exposes, and software is constructed accordingly” (Guarnieri et al., 2020, Guarnieri et al., 2020).
7. Limits, divergences, and the absence of a single canonical model
The surveyed works do not converge on one canonical secure-chips agreement. They instead define several incompatible but complementary notions.
Physical-layer works focus on passive eavesdroppers, degraded or reciprocal channels, and asymptotic secrecy (Koyluoglu et al., 2010, Wunder et al., 2024). Unit-authentication work focuses on counterfeit detection through package-surface uniqueness, not on communication secrecy or die-level provenance (Liu et al., 2024). Chiplet-authentication frameworks focus on provenance and identity without fully addressing arbitrary Trojan functionality (Tashdid et al., 13 May 2025, Tashdid et al., 18 Aug 2025). Interposer and split-chip architectures move the trust anchor into packaging or fabrication choices rather than into cryptographic exchange (Nabeel et al., 2019, Williams et al., 20 Jun 2026, Sweeney et al., 2020). Blockchain provenance frameworks treat secure agreement as an auditable chain-of-custody problem, not a cryptographic mutual-authentication protocol (Valapu et al., 2024). Contract-based processor papers use “agreement” in a formal semantics sense, specifying leakage obligations across the hardware-software boundary (Guarnieri et al., 2020, Guarnieri et al., 2020).
Several common misconceptions therefore require qualification. First, authentication is not equivalent to secrecy: a chip can be authenticated by an optical PUF or by SAFE-SiP without providing confidential communication (Liu et al., 2024, Tashdid et al., 13 May 2025). Second, provenance is not equivalent to functional trust: blockchain records or secure boot hashes do not guarantee absence of all malicious logic (Valapu et al., 2024, Tashdid et al., 13 May 2025). Third, information-theoretic key agreement does not solve active adversary problems unless authentication assumptions are added (Koyluoglu et al., 2010, Wunder et al., 2024). Fourth, a trusted interposer or split-fabrication strategy does not by itself define revocation, lifecycle management, or broad interoperability rules (Nabeel et al., 2019, Sweeney et al., 2020, Williams et al., 20 Jun 2026).
A plausible synthesis is that “Secure Chips Agreement” is best treated as an umbrella term for enforceable trust arrangements at the semiconductor boundary. Depending on the threat model, the relevant agreement may concern: shared secret extraction from channel asymmetry; verification of chip-unit authenticity; zero-trust chiplet validation; interposer-mediated system control; provenance and reputation across supply chains; or formal leakage contracts between processors and software. The surveyed literature provides strong building blocks for each of these functions, but no single paper supplies a complete, universally applicable secure-chip agreement stack.