
A Case of Double Paranoia

Athena Makes Its Crypto Blocks Harder to Hack

“In theory, there is no difference between theory and practice. In practice there is.” – Yogi Berra

There’s theory, and then there’s practice.

In theory, nearly anyone should be able to throw a baseball at 90 MPH. In practice, very few can actually do it. In theory, Windows 3.1 was an intuitive, easy-to-use operating system GUI. In practice, people screwed up their PCs with alarming regularity. In theory, cryptography is an intensive subgenre of mathematics. In practice, it’s mostly about the sloppy analog nature of submicron electronic circuits.

The math behind cryptography is well understood. Well, understood by crypto geeks. Less so by the average engineer. But, as we’ve already discovered, the devil is in the details. Electronic circuits that implement the best of cryptographic algorithms have been hacked through the most unlikely of methods. Differential power analysis (DPA) teases out secret keys merely by monitoring a chip’s current draw. A side-channel attack (SCA) can glean information based on signal timing. And, creepiest of all, electromagnetic attacks can work at a distance, collecting useful data merely by sniffing the RF emissions of an otherwise secure system. Even audio analysis – listening to actual airborne sound waves – can sometimes reveal a system’s inner secrets. It seems that mathematical theory has been outstripped by nefarious practice.

Because of all this, Athena Group now believes that cryptography IP is no longer enough. You now have to harden your crypto blocks against all forms of side-channel attacks (Athena’s blanket term for the noninvasive analysis of unintended circuit effects). Eliminating these “tells” from your system is important. What’s the point of having crypto if someone can crack it, possibly from a distance? And if someone did crack your crypto, how would you know? How long would it be before you discovered the violation, if ever? It’s not as though most hackers crow about their exploits or publish lists of compromised systems. If the bad guys hack your set-top box or Internet-enabled vending machine, you’ll probably never learn about it.

The trick is to turn hardware IP like netlists and RTL into SCA-resistant circuitry. After all, the logical design of your crypto circuitry is already okay. The math is solid. It’s the implementation details that we need to massage, and that’s not something most IP vendors or ASIC designers are equipped to do.

So Athena now licenses almost all of its crypto IP blocks with built-in countermeasures. The exact nature of those countermeasures is – surprise! – a bit of a secret, but it does bulk up the netlist a bit. So you’ll pay a small space penalty, and possibly a minor performance penalty, for making your security features more secure. But hey, if you didn’t want your chip to be secure, what was the point?

Once you’ve made your design decisions and selected the options you want – AES or SHA? Size or speed? – Athena generates the netlist for you. You’ll never see the RTL, which makes sense. You get back spaghetti that’s already been crafted to fit the ASIC hole you’ve defined. In fact, you can give Athena your space requirements first and then have the company dial in the amount of security that will fit in that space, by cranking up or down options like key size or bus width. It’s like buying security by the pound. Or the square micron.

The public literature says that Athena is using technology from Cryptography Research (CRI; now part of Rambus), but that’s slightly misleading. Athena designed all the IP itself, but it needed to license several CRI patents in order to make everything legal. The circuitry is all Athena’s, even if some of the underlying science is CRI’s.

Athena is remarkably frank about how it developed some of its anti-hacking countermeasures. There’s no handbook for hackers, so thwarting your own security systems requires a bit of creative thinking. At first, Athena’s engineers had a pretty good idea how to implement countermeasures. They were wrong. The first few tests showed them that their own countermeasures “leaked” enough information that, given enough time and the right equipment, they would be able to hack their own systems. Not good.

So they tried other fiendishly clever countermeasures. Still no good. In all, the group says it went through “many hundreds” of design spins before coming across SCA-resistant countermeasures that they truly couldn’t break. The company ran more than a billion traces, looking for RF emissions, sounds, power drops, heat, bus activity, or any other detail that could potentially be used to eke out some piece of significant data. In the end, they satisfied themselves that it was impossible to distinguish between a circuit using real key data and one shuttling random bits. In cryptographic terms, the information leakage is below threshold.
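The fixed-versus-random comparison described above can be expressed as a Welch t-test over simulated traces. This is an added example, not Athena's test procedure or code; the Hamming-weight leakage model, the random-mask countermeasure (a stand-in, since the article says the real ones are secret), the 4.5 threshold and all constants are assumptions chosen for illustration.

```python
import random
from statistics import fmean, variance

THRESHOLD = 4.5      # commonly used pass/fail bound on |t| (assumption, not from the article)
LEAK_AT = 3          # sample index where the simulated device handles the key-dependent byte
KEY = 0x3C           # constructed secret key byte
FIXED_INPUT = 0xC3   # constructed input used for every trace in the "fixed" set

def capture(data, masked, rng, samples=8, sigma=2.0):
    """Simulate one power trace: Gaussian noise plus Hamming-weight leakage at LEAK_AT."""
    value = data ^ KEY
    if masked:
        value ^= rng.getrandbits(8)      # fresh random mask per trace hides the intermediate
    trace = [rng.gauss(0.0, sigma) for _ in range(samples)]
    trace[LEAK_AT] += bin(value).count("1")
    return trace

def welch_t(a, b):
    """Welch's t-statistic for two samples with unequal variances."""
    return (fmean(a) - fmean(b)) / (variance(a) / len(a) + variance(b) / len(b)) ** 0.5

def assess(masked, n=2000, seed=1):
    """Return |t| at each sample point between fixed-input and random-input trace sets."""
    rng = random.Random(seed)
    fixed = [capture(FIXED_INPUT, masked, rng) for _ in range(n)]
    rand = [capture(rng.getrandbits(8), masked, rng) for _ in range(n)]
    # zip(*traces) turns a list of traces into one column per sample point
    return [abs(welch_t(f, r)) for f, r in zip(zip(*fixed), zip(*rand))]

def leaks(t_values):
    """A design fails the assessment if any sample point exceeds the threshold."""
    return max(t_values) > THRESHOLD

if __name__ == "__main__":
    for name, masked in (("unprotected", False), ("masked", True)):
        t = assess(masked)
        print(f"{name:12s} max|t| = {max(t):6.2f}  leak detected: {leaks(t)}")
```

A pass here only says the two trace sets are statistically indistinguishable under this model and trace count; it is why an evaluation like the one in the article needs very large numbers of real measurements.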

Just as important, the countermeasures are independent of circuit layout. Unlike with a hard-IP block, Athena’s customers are still in charge of their own layout, so Athena can’t dictate what transistor goes where. That makes subtle circuit tricks and obfuscation ploys harder to implement, yet the company believes it’s found a solution. Even if it did take a while.

Oh, and all of this is available for FPGAs as well. The crypto countermeasures have been tested on Altera, Xilinx, and even Microsemi (formerly Actel) devices.

In the IP business, vendors are really offering three things: time, talent, and insurance. First, they save circuit designers time. That’s why we license UARTs and timers and other things that we could probably create from scratch, if we felt like it.

Second, they contribute expertise. That’s why we license microprocessors and bus interfaces and cryptographic processors: because we probably can’t create these things from scratch, even if we did have the time.

And third, they provide some assurance that the IP will actually work, because it’s been used before by other licensees in other systems. So even if we had the time and the talent to design this stuff ourselves, we often don’t because we don’t want the open-ended risk of debugging it. Better to pay some money now in exchange for the guarantee that at least this part of the system won’t give us too many problems.

Cryptography IP works on all three levels. The average designer just flat-out can’t do his own cryptography. It’s not something most of us are taught or have any experience with. Even if you did attend a university course, or bought a book, or attended that one seminar, it’s likely that your first homegrown cryptography hack will suck. And worse, you probably won’t know that it sucks because… how would you? So in-house cryptography is a kind of placebo. You think it’s helping but it’s really just there for show. You may pat yourself on the back for doing it yourself and saving the company money, but how will you ever know if it’s any good? Security IP like Athena’s satisfies the first two requirements and also comes with some assurance that these guys really do know how this stuff works. Even if the bad guys have no idea. 
