Hardware Security and Standardization

Author: Trenton Grale PhD, Hardware Security Architect

Commentary

The complexity of modern electronic systems means that “security” is a broad concept. The
array of solutions to achieve a desired level of security is heterogeneous, and there is no “one
size fits all” solution. It requires study and understanding of the particular market vertical and its
threats and requirements. At this early stage, the standards and requirements in each market
segment are still being worked out.

Once it is built, hardware, including security hardware, is fixed. However, security threats
continue to evolve and become more sophisticated. Accordingly, as best as practical, future
potential threats must be anticipated and mitigated.

EDA tool threat modeling capabilities have recently appeared. Solutions such as Cycuity’s
Radix security verification and emulation tools are an example. In the broad picture, however,
EDA tools targeting hardware security are currently still in the early stages of development and
deployment.

Security goals include confidentiality, integrity, authentication, and attestation.

XtremeEDA’s Approach to Hardware Security

XtremeEDA, an Accenture company, takes a holistic view of the overarching problem of
hardware security. Many vendors offer point solutions, ranging from hardware IP blocks to
perform security functions to EDA tools for security verification. Our objective is to look at the
big picture and consider all aspects of security in a system as a whole. Every system is
different, with unique functional, performance, security, and cost objectives—and tradeoffs will
inevitably have to be made. Furthermore, a high-level system view is vital to ensure seamless
integration of diverse IPs and solutions, and avoid creating gaps that could be exploited by
attackers. Therefore, we are dedicating resources to become experts in all aspects of the entire
process. These include threat modeling, IP design and selection, and security verification. As a
result, we will be equipped to assist our clients with the whole picture of designing security into
their systems, as we now do in providing functional and formal design verification and physical
implementation services.

Example

Consider the security objective of confidentiality. Encrypting data preserves its confidentiality by
preventing unauthorized personnel (who don’t have the key) from reading it. The Advanced
Encryption Standard (AES) is the algorithm commonly used at present for encrypting data. The
steps of performing AES encryption on a message may be carried out in software or in
dedicated hardware. Any data processing incurs a cost in resources and, most important, time.
Dedicated hardware can be (and has been) designed to perform AES encryption, and this will
generally be faster than pure software operating on a general purpose processor. Conversely,
cost considerations for a particular deployment may preclude using specialized hardware, so
that the algorithm must be performed in software. The AES steps are complex, involving bit
substitutions, shifts, and GF(2^n) polynomial multiplication and addition on bytes. Performing
these functions in a modern RISC instruction set requires a large code base of relatively simple
instructions that consumes both memory and execution time.

The RISC-V specifications include specialized instructions for various cryptographic functions,
including those employed by AES. A RISC-V processor core can be customized by adding
these specialized instructions to assist and speed up performing the AES steps. Accordingly,
the code memory requirement can be reduced and performance increased. The performance
improvement, while still not as fast as dedicated hardware, may be sufficient for a specific
deployment without incurring the cost (design effort, IP cost, chip area) of an AES IP block.

XtremeEDA’s Concrete Steps

XtremeEDA undertook just such a modification of a Codasip 3-stage RISC-V core. We
customized the core to include four 32-bit AES instructions from the RISC-V scalar cryptography
specification. Each invocation of these instructions replaced many basic instructions that were
necessary to perform loads, table lookups, shifts, and bitwise XOR operations to carry out the
AES steps. As a result, the application code was smaller and faster.

The challenges of this project included developing proficiency with the Codasip Studio CPU
customization tool and the CodAL customization language, writing AES software to use the new
instructions correctly, and verifying the design. The design team had prior experience with
Studio, and so was able to augment its skills and build in the new functionality quickly.
Firmware and software development started with C code to implement the AES operations without
using the specialized instructions. Once this code was working, it could be used as a basis for a
functional comparison. Next, the software team incorporated the AES instructions inline in C
functions that were called to perform the specific AES substitution, shifting, and column mixing
operations. Verification was conducted methodically, starting with testing very basic functions
with a restricted set of data. Additional tests were built upon that foundation, and a complete
verification suite could fully test AES encryption and decryption.
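
The replacement of table lookups, shifts, and XORs by single instructions, and the known-answer style of verification described above, can be sketched in C. This is an added example, not XtremeEDA's or Codasip's code: the page does not name its four instructions, so the block assumes the two encryption instructions of the RISC-V scalar cryptography specification, aes32esi and aes32esmi, models them as C functions, and runs AES-128 through them. The function names and the choice of the FIPS-197 Appendix C.1 test vector are made here.

```c
#include <stdint.h>
#include <string.h>
static uint8_t sbox[256];
static uint32_t rol32(uint32_t x, unsigned n) { return n ? (x << n) | (x >> (32 - n)) : x; }
static uint8_t xt2(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0)); }
static void sbox_init(void) {              /* S-box = affine map of the GF(2^8) inverse */
    uint8_t p = 1, q = 1;
    do {
        p ^= xt2(p);                                                     /* p = p * 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        if (q & 0x80) q ^= 0x09;                                         /* q = q / 3 */
        sbox[p] = q ^ 0x63;
        for (int r = 1; r <= 4; r++) sbox[p] ^= (uint8_t)((q << r) | (q >> (8 - r)));
    } while (p != 1);
    sbox[0] = 0x63;                                              /* 0 has no inverse */
}
/* aes32esi model: S-box byte bs of rs2, rotate it into byte lane bs, XOR into rs1. */
static uint32_t aes32esi(uint32_t rs1, uint32_t rs2, unsigned bs) {
    return rs1 ^ rol32(sbox[(rs2 >> (8 * bs)) & 0xFF], 8 * bs);
}
/* aes32esmi model: same, but the byte is first expanded to its MixColumns column. */
static uint32_t aes32esmi(uint32_t rs1, uint32_t rs2, unsigned bs) {
    uint8_t s = sbox[(rs2 >> (8 * bs)) & 0xFF], d = xt2(s);
    uint32_t col = ((uint32_t)(d ^ s) << 24) | ((uint32_t)s << 16) | ((uint32_t)s << 8) | d;
    return rs1 ^ rol32(col, 8 * bs);
}
static void aes128_encrypt(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    uint32_t rk[4], t[4], u[4]; uint8_t rcon = 1;   /* round key, state, next state */
    memcpy(rk, key, 16); memcpy(t, in, 16);   /* assumes a little-endian host, like RV32 */
    for (int j = 0; j < 4; j++) t[j] ^= rk[j];
    for (int round = 1; round <= 10; round++) {
        uint32_t rot = rol32(rk[3], 24);      /* RotWord on a little-endian word */
        rk[0] ^= rcon; rcon = xt2(rcon);
        for (unsigned bs = 0; bs < 4; bs++) rk[0] = aes32esi(rk[0], rot, bs);
        for (int j = 1; j < 4; j++) rk[j] ^= rk[j - 1];
        memcpy(u, rk, 16);                    /* AddRoundKey rides in through rs1 */
        for (int j = 0; j < 4; j++)           /* four instructions per output column */
            for (unsigned bs = 0; bs < 4; bs++)
                u[j] = (round < 10 ? aes32esmi : aes32esi)(u[j], t[(j + bs) & 3], bs);
        memcpy(t, u, 16);
    }
    memcpy(out, t, 16);
}
int aes128_kat(void) {          /* FIPS-197 Appendix C.1 vector; returns 0 on match */
    uint8_t k[16], p[16], c[16];
    for (int i = 0; i < 16; i++) { k[i] = (uint8_t)i; p[i] = (uint8_t)(i * 0x11); }
    sbox_init(); aes128_encrypt(k, p, c);
    return memcmp(c, "\x69\xc4\xe0\xd8\x6a\x7b\x04\x30\xd8\xcd\xb7\x80\x70\xb4\xc5\x5a", 16);
}
int main(void) { return aes128_kat() != 0; }
```

On a core that implements the instructions, each call to the two model functions becomes one instruction, so a full round costs sixteen instructions plus the key schedule, and the same known-answer vector checks the hardware path against this software model.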

Customizing a processor to accelerate AES encryption and decryption may seem to be a
modest accomplishment. After all, AES is quite commonplace and many IPs are available off
the shelf to implement its functionality. What this project does is establish a baseline for
further development into more complex and integrated security solutions, such as a hardware
root of trust. For example, establishing a unique device identity by integrating a physically
unclonable function (PUF) IP can result in a comprehensive secure communication system.
Crypto Quantique offers a type of PUF that it calls QDID. By using QDID, a device can be
uniquely identified with an identifier that cannot be hacked or forged. This identity can be used
not only to authenticate the device, but to generate cryptographic keys for public key
cryptosystems such as RSA and ECC. Using public key technology, an edge device containing
QDID can be onboarded to a cloud application securely. Subsequently, the edge device can
securely exchange payload data, encrypted with AES, with the cloud application. As a result of
this integration of two security-related technologies—AES acceleration and a PUF—an IoT edge
device can communicate its data to the cloud securely and with minimal power and area
overhead.

XtremeEDA is an experienced partner you can trust!!
