
A Case of Double Paranoia

Athena Makes Its Crypto Blocks Harder to Hack

“In theory, there is no difference between theory and practice. In practice there is.” – Yogi Berra

There’s theory, and then there’s practice.

In theory, nearly anyone should be able to throw a baseball at 90 MPH. In practice, very few can actually do it. In theory, Windows 3.1 was an intuitive, easy-to-use operating system GUI. In practice, people screwed up their PCs with alarming regularity. In theory, cryptography is an intensive subgenre of mathematics. In practice, it’s mostly about the sloppy analog nature of submicron electronic circuits.

The math behind cryptography is well understood. Well, understood by crypto geeks. Less so by the average engineer. But, as we’ve already discovered, the devil is in the details. Electronic circuits that implement the best of cryptographic algorithms have been hacked through the most unlikely of methods. Differential power analysis (DPA) teases out secret keys merely by monitoring a chip’s current draw. A side-channel attack (SCA) can glean information based on signal timing. And, creepiest of all, electromagnetic attacks can work at a distance, collecting useful data merely by sniffing the RF emissions of an otherwise secure system. Even audio analysis – listening to actual airborne sound waves – can sometimes reveal a system’s inner secrets. It seems that mathematical theory has been outstripped by nefarious practice.

Because of all this, Athena Group now believes that cryptography IP is no longer enough. You now have to harden your crypto blocks against all forms of side-channel attacks (Athena’s blanket term for the noninvasive analysis of unintended circuit effects). Eliminating these “tells” from your system is important. What’s the point of having crypto if someone can crack it, possibly from a distance? And if someone did crack your crypto, how would you know? How long would it be before you discovered the violation, if ever? It’s not as though most hackers crow about their exploits or publish lists of compromised systems. If the bad guys hack your set-top box or Internet-enabled vending machine, you’ll probably never learn about it.

The trick is to turn hardware IP like netlists and RTL into SCA-resistant circuitry. After all, the logical design of your crypto circuitry is already okay. The math is solid. It’s the implementation details that we need to massage, and that’s not something most IP vendors or ASIC designers are equipped to do.

So Athena now licenses almost all of its crypto IP blocks with built-in countermeasures. The exact nature of those countermeasures is – surprise! – a bit of a secret, but it does bulk up the netlist a bit. So you’ll pay a small space penalty, and possibly a minor performance penalty, for making your security features more secure. But hey, if you didn’t want your chip to be secure, what was the point?

Once you’ve made your design decisions and selected the options you want – AES or SHA? Size or speed? – Athena generates the netlist for you. You’ll never see the RTL, which makes sense. You get back spaghetti that’s already been crafted to fit the ASIC hole you’ve defined. In fact, you can give Athena your space requirements first and then have the company dial in the amount of security that will fit in that space, by cranking up or down options like key size or bus width. It’s like buying security by the pound. Or the square micron.

The public literature says that Athena is using technology from Cryptography Research (CRI; now part of Rambus), but that’s slightly misleading. Athena designed all the IP itself, but it needed to license several CRI patents in order to make everything legal. The circuitry is all Athena’s, even if some of the underlying science is CRI’s.

Athena is remarkably frank about how it developed some of its anti-hacking countermeasures. There’s no handbook for hackers, so thwarting your own security systems requires a bit of creative thinking. At first, Athena’s engineers had a pretty good idea how to implement countermeasures. They were wrong. The first few tests showed them that their own countermeasures “leaked” enough information that, given enough time and the right equipment, they would be able to hack their own systems. Not good.

So they tried other fiendishly clever countermeasures. Still no good. In all, the group says it went through “many hundreds” of design spins before coming across SCA-resistant countermeasures that they truly couldn’t break. The company ran more than a billion traces, looking for RF emissions, sounds, power drops, heat, bus activity, or any other detail that could potentially be used to eke out some piece of significant data. In the end, they satisfied themselves that it was impossible to distinguish between a circuit using real key data and one shuttling random bits. In cryptographic terms, the information leakage is below threshold.
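One common way to put a number on "can't tell real key data from random bits" is a fixed-versus-random Welch t-test over captured traces. The sketch below is an added example, not Athena's method or code: the Hamming-weight leakage model, the random-mask stand-in for a countermeasure, the 4.5 pass/fail bound, and all names and sample values are assumptions made for illustration.

```python
import math
import random
from statistics import mean, variance

T_THRESHOLD = 4.5   # bound commonly used in fixed-vs-random leakage tests
SECRET = 0xE7       # constructed "real key data" byte (Hamming weight 6)
POINTS, LEAK_AT = 8, 3  # constructed trace: 8 samples, sample 3 leaks

def hamming_weight(x):
    return bin(x).count("1")

def capture(rng, data, masked, noise=1.0):
    """Simulate one power trace while the circuit handles `data`."""
    if masked:
        data ^= rng.randrange(256)      # fresh random mask per execution
    trace = [rng.gauss(0.0, noise) for _ in range(POINTS)]
    trace[LEAK_AT] += hamming_weight(data)  # data-dependent current draw
    return trace

def welch_t(a, b):
    """Welch's t-statistic for two samples with unequal variances."""
    return (mean(a) - mean(b)) / math.sqrt(
        variance(a) / len(a) + variance(b) / len(b))

def assess(masked, n=2000, seed=1):
    """Return (worst |t| over all sample points, leak_detected)."""
    rng = random.Random(seed)
    fixed = [capture(rng, SECRET, masked) for _ in range(n)]
    rand = [capture(rng, rng.randrange(256), masked) for _ in range(n)]
    worst = max(
        abs(welch_t([t[i] for t in fixed], [t[i] for t in rand]))
        for i in range(POINTS))
    return worst, worst > T_THRESHOLD

if __name__ == "__main__":
    for masked in (False, True):
        worst, leaks = assess(masked)
        label = "masked" if masked else "unprotected"
        print(f"{label:12s} max|t| = {worst:6.2f}  leak detected: {leaks}")
```

A pass at a given trace count only says that no first-order difference showed up with that many traces, which is why trace counts in real evaluations run so high.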

Just as important, the countermeasures are independent of circuit layout. Unlike with a hard-IP block, Athena’s customers are still in charge of their own layout, so Athena can’t dictate what transistor goes where. That makes subtle circuit tricks and obfuscation ploys harder to implement, yet the company believes it’s found a solution. Even if it did take a while.

Oh, and all of this is available for FPGAs as well. The crypto countermeasures have been tested on Altera, Xilinx, and even Microsemi (formerly Actel) devices.

In the IP business, vendors are really offering three things: time, talent, and insurance. First, they save circuit designers time. That’s why we license UARTs and timers and other things that we could probably create from scratch, if we felt like it.

Second, they contribute expertise. That’s why we license microprocessors and bus interfaces and cryptographic processors: because we probably can’t create these things from scratch, even if we did have the time.

And third, they provide some assurance that the IP will actually work, because it’s been used before by other licensees in other systems. So even if we had the time and the talent to design this stuff ourselves, we often don’t because we don’t want the open-ended risk of debugging it. Better to pay some money now in exchange for the guarantee that at least this part of the system won’t give us too many problems.

Cryptography IP works on all three levels. The average designer just flat-out can’t do his own cryptography. It’s not something most of us are taught or have any experience with. Even if you did attend a university course, or bought a book, or attended that one seminar, it’s likely that your first homegrown cryptography hack will suck. And worse, you probably won’t know that it sucks because… how would you? So in-house cryptography is a kind of placebo. You think it’s helping but it’s really just there for show. You may pat yourself on the back for doing it yourself and saving the company money, but how will you ever know if it’s any good? Security IP like Athena’s satisfies the first two requirements and also comes with some assurance that these guys really do know how this stuff works. Even if the bad guys have no idea. 
