“In theory, there is no difference between theory and practice. In practice there is.” – Yogi Berra
There’s theory, and then there’s practice.
In theory, nearly anyone should be able to throw a baseball at 90 MPH. In practice, very few can actually do it. In theory, Windows 3.1 was an intuitive, easy-to-use operating system GUI. In practice, people screwed up their PCs with alarming regularity. In theory, cryptography is an intensive subgenre of mathematics. In practice, it’s mostly about the sloppy analog nature of submicron electronic circuits.
The math behind cryptography is well understood. Well, understood by crypto geeks. Less so by the average engineer. But, as we’ve already discovered, the devil is in the details. Electronic circuits that implement the best of cryptographic algorithms have been hacked through the most unlikely of methods. Differential power analysis (DPA) teases out secret keys merely by monitoring a chip’s current draw. A side-channel attack (SCA) can glean information based on signal timing. And, creepiest of all, electromagnetic attacks can work at a distance, collecting useful data merely by sniffing the RF emissions of an otherwise secure system. Even audio analysis – listening to actual airborne sound waves – can sometimes reveal a system’s inner secrets. It seems that mathematical theory has been outstripped by nefarious practice.
Because of all this, Athena Group now believes that cryptography IP is no longer enough. You now have to harden your crypto blocks against all forms of side-channel attacks (Athena’s blanket term for the noninvasive analysis of unintended circuit effects). Eliminating these “tells” from your system is important. What’s the point of having crypto if someone can crack it, possibly from a distance? And if someone did crack your crypto, how would you know? How long would it be before you discovered the violation, if ever? It’s not as though most hackers crow about their exploits or publish lists of compromised systems. If the bad guys hack your set-top box or Internet-enabled vending machine, you’ll probably never learn about it.
The trick is to turn hardware IP like netlists and RTL into SCA-resistant circuitry. After all, the logical design of your crypto circuitry is already okay. The math is solid. It’s the implementation details that we need to massage, and that’s not something most IP vendors or ASIC designers are equipped to do.
So Athena now licenses almost all of its crypto IP blocks with built-in countermeasures. The exact nature of those countermeasure is – surprise! – a bit of a secret, but it does bulk up the netlist a bit. So you’ll pay a small space penalty, and possibly a minor performance penalty, for making your security features more secure. But hey, if you didn’t want your chip to be secure, what was the point?
Once you’ve made your design decisions and selected the options you want – AES or SHA? Size or speed? – Athena generates the netlist for you. You’ll never see the RTL, which makes sense. You get back spaghetti that’s already been crafted to fit the ASIC hole you’ve defined. In fact, you can give Athena your space requirements first and then have the company dial-in the amount of security that will fit in that space, by cranking up or down options like key size or bus width. It’s like buying security by the pound. Or the square micron.
The public literature says that Athena is using technology from Cryptography Research (CRI; now part of Rambus), but that’s slightly misleading. Athena designed all the IP itself, but it needed to license several CRI patents in order to make everything legal. The circuitry is all Athena’s, even if some of the underlying science is CRI’s.
Athena is remarkably frank about how it developed some of its anti-hacking countermeasures. There’s no handbook for hackers, so thwarting your own security systems requires a bit of creative thinking. At first, Athena’s engineers had a pretty good idea how to implement countermeasures. They were wrong. The first few tests showed them that their own countermeasures “leaked” enough information that, given enough time and the right equipment, they would be able to hack their own systems. Not good.
So they tried other fiendishly clever countermeasures. Still no good. In all, the group says it went through “many hundreds” of design spins before coming across SCA-resistant countermeasures that they truly couldn’t break. The company ran more than a billion traces, looking for RF emissions, sounds, power drops, heat, bus activity, or any other detail that could potentially be used to eke out some piece of significant data. In the end, they satisfied themselves that it was impossible to distinguish between a circuit using real key data and one shuttling random bits. In cryptographic terms, the information leakage is below threshold.
Just as important, the countermeasures are independent of circuit layout. Unlike with a hard-IP block, Athena’s customers are still in charge of their own layout, so Athena can’t dictate what transistor goes where. That makes subtle circuit tricks and obfuscation ploys harder to implement, yet the company believes it’s found a solution. Even if it did take a while.
Oh, and all of this is available for FPGAs as well. The crypto countermeasures have been tested on Altera, Xilinx, and even Microsemi (formerly Actel) devices.
In the IP business, vendors are really offering three things: time, talent, and insurance. First, they save circuit designers time. That’s why we license UARTs and timers and other things that we could probably create from scratch, if we felt like it.
Second, they contribute expertise. That’s why we license microprocessors and bus interfaces and cryptographic processors: because we probably can’t create these things from scratch, even if we did have the time.
And third, they provide some assurance that the IP will actually work, because it’s been used before by other licensees in other systems. So even if we had the time and the talent to design this stuff ourselves, we often don’t because we don’t want the open-ended risk of debugging it. Better to pay some money now in exchange for the guarantee that at least this part of the system won’t give us too many problems.
Cryptography IP works on all three levels. The average designer just flat-out can’t do his own cryptography. It’s not something most of us are taught or have any experience with. Even if you did attend a university course, or bought a book, or attended that one seminar, it’s likely that your first homegrown cryptography hack will suck. And worse, you probably won’t know that it sucks because… how would you? So in-house cryptography is a kind of placebo. You think it’s helping but it’s really just there for show. You may pat yourself on the back for doing it yourself and saving the company money, but how will you ever know if it’s any good? Security IP like Athena’s satisfies the first two requirements and also comes with some assurance that these guys really do know how this stuff works. Even if the bad guys have no idea.