Author: Trenton Grale PhD, Hardware Security Architect
The complexity of modern electronic systems means that “security” is a broad concept. The
array of solutions to achieve a desired level of security is heterogeneous, and there is no “one
size fits all” solution. It requires study and understanding of the particular market vertical and its
threats and requirements. At this early stage, the standards and requirements in each market
segment are still being worked out.
Once it is built, hardware, including security hardware, is fixed. However, security threats
continue to evolve and become more sophisticated. Accordingly, as best as practical, future
potential threats must be anticipated and mitigated.
EDA tool threat modeling capabilities have recently appeared. Solutions such as Cycuity’s
Radix security verification and emulation tools are an example. In the broad picture, however,
EDA tools targeting hardware security are currently still in the early stages of development and
Security goals include confidentiality, integrity, authentication, attestation.
XtremeEDA’s Approach to Hardware Security
XtremeEDA, an Accenture company, takes a holistic view of the overarching problem of
hardware security. Many vendors offer point solutions, ranging from hardware IP blocks to
perform security functions to EDA tools for security verification. Our objective is to look at the
big picture and consider all aspects of security in a system as a whole. Every system is
different, with unique functional, performance, security, and cost objectives—and tradeoffs will
inevitably have to be made. Furthermore, a high-level system view is vital to ensure seamless
integration of diverse IPs and solutions, and avoid creating gaps that could be exploited by
attackers. Therefore, we are dedicating resources to become experts in all aspects of the entire
process. These include threat modeling, IP design and selection, and security verification. As a
result, we will be equipped to assist our clients with the whole picture of designing security into
their systems, as we now do in providing functional and formal design verification and physical
Consider the security objective of confidentiality. Encrypting data preserves its confidentiality by
preventing unauthorized personnel (who don’t have the key) from reading it. The Advanced
Encryption Standard (AES) is the algorithm commonly used at present for encrypting data. The
steps of performing AES encryption on a message may be carried out in software or in
dedicated hardware. Any data processing incurs a cost in resources and, most important, time.
Dedicated hardware can be (and has been) designed to perform AES encryption, and this will
generally be faster than pure software operating on a general purpose processor. Conversely,
cost considerations for a particular deployment may preclude using specialized hardware, so
that the algorithm must be performed in software. The AES steps are complex, involving bit
substitutions, shifts, and GF(2^n) polynomial multiplication and addition on bytes. Performing
these functions in a modern RISC instruction set requires a large code base of relatively simple
instructions that consumes both memory and execution time.
The RISC-V specifications include specialized instructions for various cryptographic functions,
including those employed by AES. A RISC-V processor core can be customized by adding
these specialized instructions to assist and speed up performing the AES steps. Accordingly,
the code memory requirement can be reduced and performance increased. The performance
improvement, while still not as fast as dedicated hardware, may be sufficient for a specific
deployment without incurring the cost (design effort, IP cost, chip area) of an AES IP block.
XtremeEDA’s Concrete Steps
XtremeEDA undertook just such a modification of a Codasip 3-stage RISC-V core. We
customized the core to include four 32-bit AES instructions from the RISC-V scalar cryptography
specification. Each invocation of these instructions replaced many basic instructions that were
necessary to perform loads, table lookups, shifts, and bitwise XOR operations to carry out the
AES steps. As a result, the application code was smaller and faster.
The challenges of this project included developing proficiency with the Codasip Studio CPU
customization tool and the CodAL customization language, writing AES software to use the new
instructions correctly, and verifying the design. The design team had prior experience with
Studio, and so was able to augment its skills quickly and build in the new functionality.
Firmware and software initially started with C code to implement the AES operations without
using the specialized instructions. Once this code was working, it could be used as a basis for a
functional comparison. Next, the software team incorporated the AES instructions inline in C
functions that were called to perform the specific AES substitution, shifting, and column mixing
operations. Verification was conducted methodically, starting with testing very basic functions
with a restricted set of data. Additional tests were built upon that foundation, and a complete
verification suite could fully test AES encryption and decryption.
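
The functional comparison described above, as an added example (not XtremeEDA's or Codasip's code): a C software model of aes32esmi, one of the 32-bit AES instructions in the RISC-V scalar cryptography specification, checked against a byte-wise reference round. The page does not name the four instructions used, so the choice of aes32esmi, the helper names and the little-endian column packing are assumptions; the sample state and round key are the FIPS-197 Appendix B round-1 values.

```c
/* Added example: software model of the RV32 aes32esmi instruction vs. a reference AES round. */
#include <stdint.h>
#include <stdio.h>
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }
static uint8_t gmul(uint8_t a, uint8_t b) {            /* multiply in GF(2^8) */
    uint8_t p = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) p ^= a;
    return p;
}
static uint8_t sbox(uint8_t x) {                       /* computed, no lookup table */
    uint8_t inv = 1, r;
    for (int i = 0; i < 254; i++) inv = gmul(inv, x);  /* x^254 is the inverse; 0 maps to 0 */
    r = inv;
    for (int i = 1; i <= 4; i++) r ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
    return r ^ 0x63;
}
static uint32_t rol32(uint32_t v, unsigned n) { return n ? (v << n) | (v >> (32 - n)) : v; }
/* aes32esmi: S-box byte bs of rs2, expand to its MixColumns column, rotate, XOR into rs1 */
uint32_t aes32esmi(uint32_t rs1, uint32_t rs2, unsigned bs) {
    uint8_t so = sbox((uint8_t)(rs2 >> (8 * bs)));
    uint32_t mixed = ((uint32_t)gmul(so, 3) << 24) | ((uint32_t)so << 16) |
                     ((uint32_t)so << 8) | xtime(so);
    return rs1 ^ rol32(mixed, 8 * bs);
}
/* Column c of a middle round via the modelled instruction: four issues per column */
uint32_t col_insn(const uint32_t s[4], uint32_t rk, unsigned c) {
    for (unsigned r = 0; r < 4; r++) rk = aes32esmi(rk, s[(c + r) & 3], r);
    return rk;
}
/* Reference column: SubBytes + ShiftRows, then MixColumns and AddRoundKey, byte by byte */
uint32_t col_ref(const uint32_t s[4], uint32_t rk, unsigned c) {
    uint8_t a[4];
    for (unsigned r = 0; r < 4; r++) a[r] = sbox((uint8_t)(s[(c + r) & 3] >> (8 * r)));
    for (unsigned r = 0; r < 4; r++) {
        uint8_t m = gmul(a[r], 2) ^ gmul(a[(r + 1) & 3], 3) ^ a[(r + 2) & 3] ^ a[(r + 3) & 3];
        rk ^= (uint32_t)m << (8 * r);
    }
    return rk;
}
/* Sample input: FIPS-197 Appendix B state entering round 1 and round key 1, one column per word */
static const uint32_t SAMPLE_STATE[4] = {0xbee33d19, 0x2be2f4a0, 0x2a8dc69a, 0x0848f8e9};
static const uint32_t SAMPLE_RK[4]    = {0x17fefaa0, 0xb12c5488, 0x3939a323, 0x05766c2a};
int main(void) {
    for (unsigned c = 0; c < 4; c++)
        printf("col %u: insn %08x ref %08x\n", c, (unsigned)col_insn(SAMPLE_STATE, SAMPLE_RK[c], c),
               (unsigned)col_ref(SAMPLE_STATE, SAMPLE_RK[c], c));
    return 0;
}
```

Sixteen issues of the modelled instruction cover a full middle round, which is the work the table lookups, shifts and XORs did in the plain C version.
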
Customizing a processor to accelerate AES encryption and decryption may seem to be a
modest accomplishment. After all, AES is quite commonplace and many IPs are available off
the shelf to implement its functionality. What this project does is establish a baseline for
further development into more complex and integrated security solutions, such as a hardware
root of trust. For example, establishing unique device identity by integrating a physically
unclonable function (PUF) IP can result in a comprehensive secure communication system.
Crypto Quantique offers a type of PUF they term QDID. By using QDID, a device can be
uniquely identified with an identifier that cannot be hacked or forged. This identity can be used
not only to authenticate the device, but to generate cryptographic keys for public key
cryptosystems such as RSA and ECC. Using public key technology, an edge device containing
QDID can be onboarded to a cloud application securely. Subsequently, the edge device can
securely exchange payload data, encrypted with AES, with the cloud application. As a result of
this integration of two security-related technologies—AES acceleration and a PUF—an IoT edge
device can communicate its data to the cloud securely and with minimal power and area