**Linley Spring Processor Conference 2019**

*April 10 - 11, 2019*

Hyatt Regency, Santa Clara, CA

Hyatt Regency, Santa Clara, CA

SecureRF Locks Up the Keys

New Cryptography IP Thwarts Attacks From Quantum Computers

*By Mike Demler*

Within a decade, quantum computers may be able to factor much larger numbers than conventional computers can handle, a feat that could break the cryptographic protocols that secure today’s Internet communications. To prevent that disaster, SecureRF has developed a new family of licensable cryptographic intellectual property (IP). Using methods drawn from the fields of group-theoretic cryptography (GTC) and infinite-number theory, it offers a quantum-resistant public-key system.

The company’s techniques apply to any computing platform, but they’re particularly well suited to addressing vulnerabilities in low-power IoT devices. SecureRF delivers its IP as synthesizable RTL, as well as in a software tool kit that supports commercially available processors. The IP and software tools can run in embedded devices ranging from 8- to 64-bit CPUs. Customers can implement the algorithms using SDKs built for Android, Linux, and Windows operating systems.

SecureRF includes Arm among its industry partners, and the cryptography IP works as a complement to Arm’s TrustZone. Other industry partners include CPU-IP suppliers Andes and Synopsys along with MCU vendors Microsemi, Renesas, STMicroelectronics, and Texas Instruments. The company has won designs with two undisclosed processor manufacturers (one in the U.S. and the other in Europe), and it expects devices from those companies to begin production in 1H18. The SecureRF solutions work with RISC-V processors, too, and the company collaborated with Intel to develop a security tool kit for its low-end Cyclone V FPGAs. To enable customers to build a complete platform based on devices using its IP, SecureRF also offers its own cloud-based public-key infrastructure (PKI) called Veridify.

The company began operations in 2004. Cryptographer and mathematician Iris Anshel is a cofounder as well as coinventor of the GTC algorithms that underlie all the SecureRF protocols. The company initially designed its cryptography solution to run on the limited compute resources available in RFID chips, but it’s now targeting similarly resource-constrained IoT end points based on ASICs, FPGAs, and MCUs.

Keeping Secrets

Common cryptographic methods for computer systems break down into two categories: symmetric private-key systems and asymmetric public-key systems. Private-key methods include the Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple DES (also called 3DES). They’re symmetric because they use the same key to encrypt and decrypt data. Symmetric protocols are good for protecting locally stored data, but using them to protect communications between multiple users is challenging, since it requires distributing the key database and securing it on each authorized system. If all users employ the same keys, hacking one system is the same as hacking them all.

Asymmetric cryptography differs from symmetric because each party uses two keys: a private key that it keeps secret and the public key that it shares. The most popular asymmetric methods are elliptic-curve cryptography (ECC) and RSA (named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman). The Secure Sockets Layer (SSL) protocol is based on RSA. ECC is often used for digital-signature-based authentication employing so-called Diffie-Hellman key exchanges, as Figure 1 shows. In such protocols, the sending device first passes its message through a hash function. It then creates a digital signature by combining the hash result and its private key in the digital-signature algorithm.

**Figure 1. A digital-signature method using asymmetric cryptography.** Sending systems employ private keys to create encrypted digital signatures. A shared public key enables creation of a unique session key for encrypting messages. Recipients evaluate the hash value for the decrypted message, comparing it with the digital signature to authenticate the message.

The math underlying digital-signature generation varies by method. In RSA, the hash is encrypted using the private key, but in other methods, the signature is mathematically generated using the private key. A receiver employing RSA uses the public key to decrypt the signature and then passes the message through the same hash function, comparing the output against the decryption. Other methods pass the hash output to a verification function, along with the signature and public key, and the function determines if the signature is valid and the communication is authentic.

Besides being more quantum resistant than other public-key schemes, SecureRF’s algorithms are more compute efficient than the prevailing encryption methods. Whereas ECC and RSA require calculating 256- to 4,096-bit numbers, the company’s IP uses only 8-bit calculations. It can thus run on 8-bit 8051 MCUs, which are incapable of running ECC.

For the prevailing methods, the compute time to create a key increases quadratically with the key length. This situation is problematic because longer keys are more secure. By comparison, SecureRF’s GTC technique has a linear compute-time characteristic, so doubling the key length only doubles the compute time rather than quadrupling it. In an example test, the company used an 8-bit Microchip (Atmel) AVR MCU; its algorithms ran 100x faster than ECC and required less than half the ROM.

Throwing In a Few Twists

The foundation of all the SecureRF algorithms is a mathematical operation the company calls E-multiplication. Whereas cryptography methods such as RSA use primes, the E-multiplier uses matrix algebra to calculate braid groups. A braid comprises a set of operations performed on strands, where each strand can be a sequence of signed integers. Strands encode the braid group when they cross over or under another strand. The value of the integer designates the strand it crosses, and the sign bit designates an over or under crossing, as Figure 2 shows.

**Figure 2. Encoding with a braid group.** Each braid comprises a sequence of signed integers. The integer values represent the position to which a strand crosses, and the sign represents an over (positive) or under (negative) crossing. For example, in the first interval, a strand crosses over to the lowest row (value=zero), and in the last interval, a strand crosses under to the lowest row (value=zero bar).

The E-multiplier imparts properties that distinguish the company’s cryptography from other public-key systems. For example, systems such as ECC are finite and cyclic, meaning the codes they generate eventually repeat. In comparison, SecureRF’s E-multiplication technique is infinite and noncyclic, so the code sequences it generates are unique. Braids are infinitely extensible by creating additional “twists” or crossings. In addition, unlike other protocols, the company’s algorithms are noncommutative: the product *a*b* doesn’t equal *b*a*. E-multiplication is therefore a secure one-way function, so it’s easy to compute for any input but difficult to invert.

A Secure Family

The synthesizable SecureRF IP products comprise a set of elements based on its GTC algorithms. The base function is the Ironwood Key Agreement Protocol (KAP) core, which enables two end points to establish a secure communications channel. Ironwood is asymmetric—the two end points run different computations. For one end point, it uses E-multiplication to generate two matrices: a private-key matrix that must be kept secure and the related public-key matrix for sharing with the second end point.

In the second end point, Ironwood installs two private matrices and two private braids, and it uses E-multiplication to produce a public matrix that the end point can share. Once the matrices are shared, the second end point uses E-multiplication and vector math to compute the shared secret and a public vector to send to the first device, which uses matrix and vector math to compute the same shared secret. The certification authority in the PKI signs the public key to designate its authenticity.

The company’s proprietary Walnut Digital Signature Algorithm (WalnutDSA) core works with Ironwood to accelerate the generation and validation of signed secure messages transmitted between devices. In Walnut, signature verification is faster than signature generation, enabling a PKI to distribute certificates that even a tiny 8-bit processor can validate. Walnut includes a novel cloaking mechanism that hides the braid structure. It adds elements that disappear during E-multiplication, rendering the process difficult to reverse. Signatures are variable length with an average of 650 bytes.

WalnutDSA delivers a huge performance boost compared with ECC signature verification. On a Cortex-M3-based processor running algorithms for a 128-bit security level, which is equivalent to 256-bit ECC P256 and 3,072-bit RSA, Walnut runs 40x faster and consumes roughly half of the RAM as well as 40% of the ROM. To perform this test, SecureRF ran its algorithms in C, comparing them with ECC running in more-efficient assembly language. The performance difference would be even greater if both ran in assembly and larger still if WalnutDSA ran on the company’s accelerator core.

In an Intel (Altera) Cyclone V SE FPGA, the Ironwood and Walnut cores together use 8,403 adaptive logic modules (ALMs), comprising roughly 20% of the logic resources in that dual-Cortex-A9 device (see *MPR 10/31/11,* “Altera’s Answer to Zynq”). As Figure 3 shows, the SecureRF cores communicate with the Cortex-A9 CPUs through an AXI-Lite bus.

**Figure 3. SecureRF IP cores in an FPGA.** Designers can install the Ironwood KAP and WalnutDSA in the FPGA fabric. The IP consumes roughly 20% of a Cyclone V SE’s adaptive logic modules.

The company’s other IP products include the Mahogany KAP core, which implements a low-power authentication protocol based on key exchanges for Microsemi SmartFusion2 FPGAs (see *MPR 10/5/15,* “Microsemi Assembles FPGA Security”). Its quantum-resistant Hickory hash function uses the same elements as Ironwood and WalnutDSA, but it has a smaller footprint. SecureRF also offers a set of logic blocks for customers employing AES, ECC, and SHA functions.

Leading the Quantum Resistance

SecureRF’s cryptographic technology provides critical functions that many processor-IP vendors lack. For example, although Arm supplies its Platform Security Architecture (PSA) as a solution for client-to-cloud IoT security, that collection of IP and architecture specifications focuses only on securing the processor; it omits components needed to secure the connection between devices (see *MPR 11/6/17,* “Arm Cooks Up Recipe for IoT Security”). To secure wireless links, designers of PSA-compliant devices must employ third-party tools for the Transport Layer Security (TLS) protocol, which encrypts the link between client and server. TLS uses public-key exchange (typically RSA) to authenticate identities, but most low-power sensor nodes lack the compute resources for such protocols.

A competing IP provider is Inside Secure, which supplies a variety of secure-communications SDKs comprising C routines, including a TLS package that provides ECC and RSA functions in its crypto library. The company’s Guard TLS-TK package targets 32-bit ARM and MIPS CPUs. It also offers a tiny version for 8-bit CPUs, but that version is limited to a preshared-key (PSK) cipher suite. VaultIP is the company’s silicon-IP offering; it includes a comprehensive crypto-acceleration package in the VaultIP-130 (see *MPR 12/21/15,* “VaultIP Secures All Things”). The 130 works in application processors as well as MCUs, and it can run on bare-metal software without a kernel-based operating system. Inside Secure hasn’t announced any quantum-resistant IP.

Key Size Matters

SecureRF’s Ironwood and Walnut IP gives users a solution that works in the smallest processors and is future proof against quantum attacks. One such threat comes from Shor’s algorithm, which breaks the ECC and RSA public-key methods, which assume that factoring large numbers (or solving the discrete-log problem in the case of ECC) is computationally intractable. But Shor’s algorithm exponentially increases factoring speed relative to conventional computers, threatening that assumption (see *MPR 12/11/17,* “Quantum Computing Now Available”).

IBM and others have demonstrated Shor-based factoring of small numbers on experimental quantum computers, which within the next decade are likely to be capable of factoring the large numbers that ECC and RSA codes employ. That threat may be over the horizon today, but many IoT devices will remain in the field long enough to become vulnerable. Whereas Shor’s algorithm depends on the commutative, cyclic, and finite properties of current public-key methods, SecureRF’s methods are immune to such attacks—a fact the algorithm’s author (Peter Shor) has confirmed. Yet building barriers against hackers is a never-ending battle, and there’s always a possibility new attacks will emerge that break the company’s approach.

The company has submitted its methods and proofs to the National Institute of Standards and Technology (NIST) and the NSA in hopes they will garner adoption as industry standards. Many other post-quantum algorithms are vying for attention, but all use key and signature sizes that are much larger than SecureRF’s, presenting a barrier to practical implementation. For example, the Gunesyu, Lyubashevsky, and Poppelmann (GLP) signature requires 1,800-byte public keys compared to just 80 bytes for Walnut DSA. For 128-bit security, another alternative is NTRU encryption, but it uses a 6,130-byte public key. These large keys may be acceptable for computers and smartphones, but most IoT devices have far fewer resources.

To further promote its technology, SecureRF has wisely established alliances with some of the industry’s leading processor and IP vendors. The mathematics behind the SecureRF cryptology may be heavy, but the implementation is light. The company’s cryptographic technology fills a critical gap in platforms such as Arm’s PSA. Regardless of the quantum threat, SecureRF’s IP can run on the tiniest CPUs, making it attractive for low-power IoT processors.

Price and Availability

SecureRF withheld pricing for its IP products. All of the products are available for licensing now. For more information, access *www.securerf.com/products*.

Events

Hyatt Regency, Santa Clara, CA

Hyatt Regency, Santa Clara, CA

Newsletter

Press