EEJournal

feature article
Subscribe Now
April 22, 2015

A Case of Double Paranoia

Athena Makes Its Crypto Blocks Harder to Hack
by Jim Turley

“In theory, there is no difference between theory and practice. In practice there is.” – Yogi Berra

There’s theory, and then there’s practice.

In theory, nearly anyone should be able to throw a baseball at 90 MPH. In practice, very few can actually do it. In theory, Windows 3.1 was an intuitive, easy-to-use operating system GUI. In practice, people screwed up their PCs with alarming regularity. In theory, cryptography is an intensive subgenre of mathematics. In practice, it’s mostly about the sloppy analog nature of submicron electronic circuits.

The math behind cryptography is well understood. Well, understood by crypto geeks. Less so by the average engineer. But, as we’ve already discovered, the devil is in the details. Electronic circuits that implement the best of cryptographic algorithms have been hacked through the most unlikely of methods. Differential power analysis (DPA) teases out secret keys merely by monitoring a chip’s current draw. A side-channel attack (SCA) can glean information based on signal timing. And, creepiest of all, electromagnetic attacks can work at a distance, collecting useful data merely by sniffing the RF emissions of an otherwise secure system. Even audio analysis – listening to actual airborne sound waves – can sometimes reveal a system’s inner secrets. It seems that mathematical theory has been outstripped by nefarious practice.

Because of all this, Athena Group now believes that cryptography IP is no longer enough. You now have to harden your crypto blocks against all forms of side-channel attacks (Athena’s blanket term for the noninvasive analysis of unintended circuit effects). Eliminating these “tells” from your system is important. What’s the point of having crypto if someone can crack it, possibly from a distance? And if someone did crack your crypto, how would you know? How long would it be before you discovered the violation, if ever? It’s not as though most hackers crow about their exploits or publish lists of compromised systems. If the bad guys hack your set-top box or Internet-enabled vending machine, you’ll probably never learn about it.

The trick is to turn hardware IP like netlists and RTL into SCA-resistant circuitry. After all, the logical design of your crypto circuitry is already okay. The math is solid. It’s the implementation details that we need to massage, and that’s not something most IP vendors or ASIC designers are equipped to do.

So Athena now licenses almost all of its crypto IP blocks with built-in countermeasures. The exact nature of those countermeasure is – surprise! – a bit of a secret, but it does bulk up the netlist a bit. So you’ll pay a small space penalty, and possibly a minor performance penalty, for making your security features more secure. But hey, if you didn’t want your chip to be secure, what was the point?

Once you’ve made your design decisions and selected the options you want – AES or SHA? Size or speed? – Athena generates the netlist for you. You’ll never see the RTL, which makes sense. You get back spaghetti that’s already been crafted to fit the ASIC hole you’ve defined. In fact, you can give Athena your space requirements first and then have the company dial-in the amount of security that will fit in that space, by cranking up or down options like key size or bus width. It’s like buying security by the pound. Or the square micron.

The public literature says that Athena is using technology from Cryptography Research (CRI; now part of Rambus), but that’s slightly misleading. Athena designed all the IP itself, but it needed to license several CRI patents in order to make everything legal. The circuitry is all Athena’s, even if some of the underlying science is CRI’s.

Athena is remarkably frank about how it developed some of its anti-hacking countermeasures. There’s no handbook for hackers, so thwarting your own security systems requires a bit of creative thinking. At first, Athena’s engineers had a pretty good idea how to implement countermeasures. They were wrong. The first few tests showed them that their own countermeasures “leaked” enough information that, given enough time and the right equipment, they would be able to hack their own systems. Not good.

So they tried other fiendishly clever countermeasures. Still no good. In all, the group says it went through “many hundreds” of design spins before coming across SCA-resistant countermeasures that they truly couldn’t break. The company ran more than a billion traces, looking for RF emissions, sounds, power drops, heat, bus activity, or any other detail that could potentially be used to eke out some piece of significant data. In the end, they satisfied themselves that it was impossible to distinguish between a circuit using real key data and one shuttling random bits. In cryptographic terms, the information leakage is below threshold.

Just as important, the countermeasures are independent of circuit layout. Unlike with a hard-IP block, Athena’s customers are still in charge of their own layout, so Athena can’t dictate what transistor goes where. That makes subtle circuit tricks and obfuscation ploys harder to implement, yet the company believes it’s found a solution. Even if it did take a while.

Oh, and all of this is available for FPGAs as well. The crypto countermeasures have been tested on Altera, Xilinx, and even Microsemi (formerly Actel) devices.

In the IP business, vendors are really offering three things: time, talent, and insurance. First, they save circuit designers time. That’s why we license UARTs and timers and other things that we could probably create from scratch, if we felt like it.

Second, they contribute expertise. That’s why we license microprocessors and bus interfaces and cryptographic processors: because we probably can’t create these things from scratch, even if we did have the time.

And third, they provide some assurance that the IP will actually work, because it’s been used before by other licensees in other systems. So even if we had the time and the talent to design this stuff ourselves, we often don’t because we don’t want the open-ended risk of debugging it. Better to pay some money now in exchange for the guarantee that at least this part of the system won’t give us too many problems.

Cryptography IP works on all three levels. The average designer just flat-out can’t do his own cryptography. It’s not something most of us are taught or have any experience with. Even if you did attend a university course, or bought a book, or attended that one seminar, it’s likely that your first homegrown cryptography hack will suck. And worse, you probably won’t know that it sucks because… how would you? So in-house cryptography is a kind of placebo. You think it’s helping but it’s really just there for show. You may pat yourself on the back for doing it yourself and saving the company money, but how will you ever know if it’s any good? Security IP like Athena’s satisfies the first two requirements and also comes with some assurance that these guys really do know how this stuff works. Even if the bad guys have no idea. 

Leave a Reply

featured blogs
BoardSurfers: Data Type Conversion in Allegro SKILL Programming
Apr 19, 2024
Data type conversion is a crucial aspect of programming that helps you handle data across different data types seamlessly. The SKILL language supports several data types, including integer and floating-point numbers, character strings, arrays, and a highly flexible linked lis...
More from Cadence...
One Robotic Step Closer to Humanoid Robots in the Home
Apr 18, 2024
Are you ready for a revolution in robotic technology (as opposed to a robotic revolution, of course)?...
More from Max's Cool Beans...
Cisco Accelerates Project Schedule by 66% Using Synopsys Cloud
Apr 18, 2024
See how Cisco accelerates library characterization and chip design with our cloud EDA tools, scaling access to SoC validation solutions and compute services.The post Cisco Accelerates Project Schedule by 66% Using Synopsys Cloud appeared first on Chip Design....
More from Synopsys...

featured video

MaxLinear Integrates Analog & Digital Design in One Chip with Cadence 3D Solvers

Sponsored by Cadence Design Systems

MaxLinear has the unique capability of integrating analog and digital design on the same chip. Because of this, the team developed some interesting technology in the communication space. In the optical infrastructure domain, they created the first fully integrated 5nm CMOS PAM4 DSP. All their products solve critical communication and high-frequency analysis challenges.

Learn more about how MaxLinear is using Cadence’s Clarity 3D Solver and EMX Planar 3D Solver in their design process.

featured chalk talk

One Year of Synopsys Cloud: Adoption, Enhancements and Evolution
Sponsored by Synopsys
The adoption of the cloud in the design automation industry has encouraged innovation across the entire semiconductor lifecycle. In this episode of Chalk Talk, Amelia Dalton chats with Vikram Bhatia from Synopsys about how Synopsys is redefining EDA in the Cloud with the industry’s first complete browser-based EDA-as-a-Service cloud platform. They explore the benefits that this on-demand pay-per use, web-based portal can bring to your next design. 
Click here for more information about Synopsys Cloud
Jul 11, 2023
32,168 views