Security IP
As part of the OpenTitan® project lowRISC® and its partners created a number of security related IP blocks. These blocks are hardened against fault injection and side channel attacks for use in root of trust devices, and have been designed to meet the requirements of security certifications such as FIPS and Common Criteria.
All of these IP blocks except HMAC have been verified as part of the OpenTitan Earl Grey chip design, and are shipping in commercial devices. Many are also used in the open-source Caliptra root of trust from the Open Compute Project.
- Encryption/Decryption using AES-128/192/256 in multiple cipher block modes: ECB, CBC, CGB, OFB, CTR. Support for AES-192 can be removed to save area
- First-order masking of the cipher core using domain-oriented masking (DOM) to deter side-channel analysis (SCA) including formal pre-silicon SCA evaluation setup
- Automatic as well as software-initiated reseeding of internal pseudo-random number generators (PRNGs)
- On-the-fly round-key generation in parallel to the actual encryption/decryption
- This IP targets compliance with both BSI’s AIS31 recommendations for Common Criteria (CC), as well as NIST’s SP 800-90A and NIST’s SP 800-90C (Second Draft), both of which are referenced in FIPS 140-3
- Provides support for both deterministic (DRNG) and true random number generation (TRNG), when combined with a secure entropy source
- Common application interface for hardware peripherals and software applications.
- Operates at 256 bit security strength
- Support for multiple separate CSRNG instances per IP block
- Designed to work with the OpenTitan External Entropy Source and Entropy Distribution Network (EDN) modules
- Two modes: SHA-2 (256/384/512-bit keys), and HMAC based on SHA-2 (128/256/384/512/1024-bit keys)
- Support for context switching (via saving and restoring) across multiple message streams
- 32 x 32-bit message FIFO buffer
- Support for SHA3-224, 256, 384, 512, SHAKE[128, 256] and cSHAKE[128, 256]
- Support 128b, 192b, 256b, 384b, 512b of the secret key length in KMAC mode.
- 64b x 10 depth Message FIFO
- First-order masking of the Keccak core using domain-oriented masking (DOM) to deter side-channel analysis (SCA) including formal pre-silicon SCA evaluation setup
- Performance (at 100 MHz):
- SHA3-224: 2.93 B/cycle, 2.34 Gbit/s (masking disabled) – 1.19 B/cycle, 952 Mbit/s (DOM)
- SHA3-512: 1.47 B/cycle, 1.18 Gbit/s (masking disabled) – 0.59 B/cycle, 472 Mbit/s (DOM)
- Coprocessor optimized for wide integer arithmetic, especially for asymmetric cryptographic operations like RSA or Elliptic Curve Cryptography (ECC)
- 32b wide control path with 32 32b wide registers
- 256b wide data path with 32 256b wide registers
- Reduced, security-focused instruction set architecture for easier verification and the prevention of data leaks
Security IP roadmap
We are currently working on several enhancements to our Security IP to improve their performance, power and area, and to add support for new encryption standards like AES-GCM and additional post-quantum cryptography (PQC) algorithms.
Our roadmaps are based on interest from existing and potential partners. If you would like to help steer the future direction of OpenTitan, contact us.
Consultancy and support services
The OpenTitan root of trust design provides a working example of the integration of these IP blocks on a secure SoC, and incorporates further security features such as lifecycle management.
Security is a system-wide issue, and ensuring that the final design is secure requires system-level thinking and a clear threat model. lowRISC has security, hardware and verification experts who can help you design a secure SoC.
At lowRISC we also offer consultancy and technical support for secure hardware and software. If you would like us to implement new security components, modify existing ones or help you integrate them in your SoC and software stack, contact us.
Contact