feature article
Subscribe Now

A Case of Double Paranoia

Athena Makes Its Crypto Blocks Harder to Hack

“In theory, there is no difference between theory and practice. In practice there is.” – Yogi Berra

There’s theory, and then there’s practice.

In theory, nearly anyone should be able to throw a baseball at 90 MPH. In practice, very few can actually do it. In theory, Windows 3.1 was an intuitive, easy-to-use operating system GUI. In practice, people screwed up their PCs with alarming regularity. In theory, cryptography is an intensive subgenre of mathematics. In practice, it’s mostly about the sloppy analog nature of submicron electronic circuits.

The math behind cryptography is well understood. Well, understood by crypto geeks. Less so by the average engineer. But, as we’ve already discovered, the devil is in the details. Electronic circuits that implement the best of cryptographic algorithms have been hacked through the most unlikely of methods. Differential power analysis (DPA) teases out secret keys merely by monitoring a chip’s current draw. A side-channel attack (SCA) can glean information based on signal timing. And, creepiest of all, electromagnetic attacks can work at a distance, collecting useful data merely by sniffing the RF emissions of an otherwise secure system. Even audio analysis – listening to actual airborne sound waves – can sometimes reveal a system’s inner secrets. It seems that mathematical theory has been outstripped by nefarious practice.

Because of all this, Athena Group now believes that cryptography IP is no longer enough. You now have to harden your crypto blocks against all forms of side-channel attacks (Athena’s blanket term for the noninvasive analysis of unintended circuit effects). Eliminating these “tells” from your system is important. What’s the point of having crypto if someone can crack it, possibly from a distance? And if someone did crack your crypto, how would you know? How long would it be before you discovered the violation, if ever? It’s not as though most hackers crow about their exploits or publish lists of compromised systems. If the bad guys hack your set-top box or Internet-enabled vending machine, you’ll probably never learn about it.

The trick is to turn hardware IP like netlists and RTL into SCA-resistant circuitry. After all, the logical design of your crypto circuitry is already okay. The math is solid. It’s the implementation details that we need to massage, and that’s not something most IP vendors or ASIC designers are equipped to do.

So Athena now licenses almost all of its crypto IP blocks with built-in countermeasures. The exact nature of those countermeasure is – surprise! – a bit of a secret, but it does bulk up the netlist a bit. So you’ll pay a small space penalty, and possibly a minor performance penalty, for making your security features more secure. But hey, if you didn’t want your chip to be secure, what was the point?

Once you’ve made your design decisions and selected the options you want – AES or SHA? Size or speed? – Athena generates the netlist for you. You’ll never see the RTL, which makes sense. You get back spaghetti that’s already been crafted to fit the ASIC hole you’ve defined. In fact, you can give Athena your space requirements first and then have the company dial-in the amount of security that will fit in that space, by cranking up or down options like key size or bus width. It’s like buying security by the pound. Or the square micron.

The public literature says that Athena is using technology from Cryptography Research (CRI; now part of Rambus), but that’s slightly misleading. Athena designed all the IP itself, but it needed to license several CRI patents in order to make everything legal. The circuitry is all Athena’s, even if some of the underlying science is CRI’s.

Athena is remarkably frank about how it developed some of its anti-hacking countermeasures. There’s no handbook for hackers, so thwarting your own security systems requires a bit of creative thinking. At first, Athena’s engineers had a pretty good idea how to implement countermeasures. They were wrong. The first few tests showed them that their own countermeasures “leaked” enough information that, given enough time and the right equipment, they would be able to hack their own systems. Not good.

So they tried other fiendishly clever countermeasures. Still no good. In all, the group says it went through “many hundreds” of design spins before coming across SCA-resistant countermeasures that they truly couldn’t break. The company ran more than a billion traces, looking for RF emissions, sounds, power drops, heat, bus activity, or any other detail that could potentially be used to eke out some piece of significant data. In the end, they satisfied themselves that it was impossible to distinguish between a circuit using real key data and one shuttling random bits. In cryptographic terms, the information leakage is below threshold.

Just as important, the countermeasures are independent of circuit layout. Unlike with a hard-IP block, Athena’s customers are still in charge of their own layout, so Athena can’t dictate what transistor goes where. That makes subtle circuit tricks and obfuscation ploys harder to implement, yet the company believes it’s found a solution. Even if it did take a while.

Oh, and all of this is available for FPGAs as well. The crypto countermeasures have been tested on Altera, Xilinx, and even Microsemi (formerly Actel) devices.

In the IP business, vendors are really offering three things: time, talent, and insurance. First, they save circuit designers time. That’s why we license UARTs and timers and other things that we could probably create from scratch, if we felt like it.

Second, they contribute expertise. That’s why we license microprocessors and bus interfaces and cryptographic processors: because we probably can’t create these things from scratch, even if we did have the time.

And third, they provide some assurance that the IP will actually work, because it’s been used before by other licensees in other systems. So even if we had the time and the talent to design this stuff ourselves, we often don’t because we don’t want the open-ended risk of debugging it. Better to pay some money now in exchange for the guarantee that at least this part of the system won’t give us too many problems.

Cryptography IP works on all three levels. The average designer just flat-out can’t do his own cryptography. It’s not something most of us are taught or have any experience with. Even if you did attend a university course, or bought a book, or attended that one seminar, it’s likely that your first homegrown cryptography hack will suck. And worse, you probably won’t know that it sucks because… how would you? So in-house cryptography is a kind of placebo. You think it’s helping but it’s really just there for show. You may pat yourself on the back for doing it yourself and saving the company money, but how will you ever know if it’s any good? Security IP like Athena’s satisfies the first two requirements and also comes with some assurance that these guys really do know how this stuff works. Even if the bad guys have no idea. 

Leave a Reply

featured blogs
Oct 26, 2020
Last week was the Linley Group's Fall Processor Conference. The conference opened, as usual, with Linley Gwenap's overview of the processor market (both silicon and IP). His opening keynote... [[ Click on the title to access the full blog on the Cadence Community s...
Oct 23, 2020
Processing a component onto a PCB used to be fairly straightforward. Through-hole products, or a single or double row surface mount with a larger centerline rarely offer unique challenges obtaining a proper solder joint. However, as electronics continue to get smaller and con...
Oct 23, 2020
[From the last episode: We noted that some inventions, like in-memory compute, aren'€™t intuitive, being driven instead by the math.] We have one more addition to add to our in-memory compute system. Remember that, when we use a regular memory, what goes in is an address '...
Oct 23, 2020
Any suggestions for a 4x4 keypad in which the keys aren'€™t wobbly and you don'€™t have to strike a key dead center for it to make contact?...

featured video

Demo: Inuitive NU4000 SoC with ARC EV Processor Running SLAM and CNN

Sponsored by Synopsys

Autonomous vehicles, robotics, augmented and virtual reality all require simultaneous localization and mapping (SLAM) to build a map of the surroundings. Combining SLAM with a neural network engine adds intelligence, allowing the system to identify objects and make decisions. In this demo, Synopsys ARC EV processor’s vision engine (VPU) accelerates KudanSLAM algorithms by up to 40% while running object detection on its CNN engine.

Click here for more information about DesignWare ARC EV Processors for Embedded Vision

featured paper

An engineer’s guide to autonomous and collaborative industrial robots

Sponsored by Texas Instruments

As robots are becoming more commonplace in factories, it is important that they become more intelligent, autonomous, safer and efficient. All of this is enabled with precise motor control, advanced sensing technologies and processing at the edge, all with robust real-time communication. In our e-book, an engineer’s guide to industrial robots, we take an in-depth look at the key technologies used in various robotic applications.

Click here to download the e-book

featured chalk talk

AC Protection & Motor Control in HVAC Systems

Sponsored by Mouser Electronics and Littelfuse

The design of HVAC systems poses unique challenges for things like motor control and circuit protection. System performance and reliability are critical, and those come in part from choosing the right components for the job. In this episode of Chalk Talk, Amelia Dalton chats with Ryan Sheahen of Littelfuse about choosing the right components for your next HVAC design.

Click here for more information about Littelfuse AC Protection & Motor Control in HVAC Solutions