Prior to spinning out of Galois, engineers from Niobium Microsystems completed work on the 21st Century Cryptography (21CC) DARPA project. This project developed a proof-of-concept ASIC containing high-performance, low-energy, side-channel resistant implementations of the AES-256 cryptographic primitive. These implementations were developed in a correct-by-construction fashion, by directly translating formal models of the cryptographic constructs into a hardware implementation language, and were realized using asynchronous design, which enabled a novel side-channel resistance technique in addition to providing performance and energy benefits.
The resulting ASIC, fabricated in the GlobalFoundries 12 nm FinFET process (12LP), includes multiple synchronous and asynchronous cryptographic blocks implementing the AES-256 cryptographic primitive, as well as a RISC-V core for control and testing of the cryptographic blocks. It incorporates a new side-channel resistance approach called island-based random dynamic voltage scaling (iRDVS), which supplies different parts of the circuit with multiple, independently randomized voltages to hide data-dependent power consumption. This technique was developed and implemented in silicon for the first time during this project.
We used asynchronous design techniques to reduce vulnerability to power side-channels, in addition to optimizing the balance among power, performance, and energy utilization. In contrast to their synchronous counterparts, asynchronous circuits tend to have a much smoother distribution of power consumption and are therefore less susceptible to power monitoring attacks. They also have no global clock frequency and automatically adapt to changes in supply voltage, which enables the use of random dynamic voltage scaling (and in particular iRDVS) to distort the observed relationship between power consumption and computational activity. In addition, although we focused on power side-channel attacks in this project, dynamic voltage scaling also adds randomness to the circuits' timing and can make them more resilient to timing attacks as well.
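As an added illustration (not code from the project), the following toy analytical model shows the amplitude effect described above: with a constant supply, the power an external probe sees tracks the data being processed closely; with per-island random voltages, that relationship is blurred. The model assumes CMOS dynamic power proportional to the Hamming weight of the data times V^2, a 32-bit word split over four voltage islands, and a per-island supply drawn uniformly from 0.5 V to 1.0 V; these parameters are constructed for the example and are not the chip's actual figures.

```python
import random
import statistics

# Toy model of iRDVS (assumption: dynamic power ~ C_eff * V^2, with C_eff
# proportional to the Hamming weight of the data an island is processing).
ISLANDS = 4            # one byte of a 32-bit word per voltage island (constructed)
V_FIXED = 0.8          # constant supply, matching the 0.8 V measurement on the page
V_RANGE = (0.5, 1.0)   # per-island random supply range (assumed, not the real range)
NOISE_SIGMA = 0.5      # measurement noise in arbitrary power units (assumed)

def hamming_weight(x: int) -> int:
    return bin(x).count("1")

def observed_power(word: int, voltages, rng) -> float:
    """Power an external probe sees: sum over islands of hw * V^2, plus noise."""
    total = 0.0
    for i, v in enumerate(voltages):
        byte = (word >> (8 * i)) & 0xFF
        total += hamming_weight(byte) * v * v
    return total + rng.gauss(0.0, NOISE_SIGMA)

def pearson(xs, ys) -> float:
    """Pearson correlation coefficient between two equal-length samples."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5

def leakage_correlation(irdvs: bool, n: int = 4000, seed: int = 1) -> float:
    """Correlation between the data's total Hamming weight and observed power.
    A value near 1 means the power trace reveals the data almost directly."""
    rng = random.Random(seed)
    weights, powers = [], []
    for _ in range(n):
        word = rng.getrandbits(8 * ISLANDS)
        if irdvs:
            # each island gets its own fresh random supply voltage
            voltages = [rng.uniform(*V_RANGE) for _ in range(ISLANDS)]
        else:
            voltages = [V_FIXED] * ISLANDS
        weights.append(hamming_weight(word))
        powers.append(observed_power(word, voltages, rng))
    return pearson(weights, powers)

if __name__ == "__main__":
    print(f"constant 0.8 V supply: r = {leakage_correlation(False):.3f}")
    print(f"iRDVS (per-island):    r = {leakage_correlation(True):.3f}")
```

The model captures only the amplitude-scaling effect; the timing randomization that asynchronous logic adds under varying voltage is a separate effect not represented here.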
The fabricated ASIC, called Galois G1, runs at 1 GHz and provides AES-256 streaming-encryption throughput of 20 Gbps while consuming 22 mW of power with a constant 0.8 V power supply, and 12 Gbps while consuming 14 mW of power with full iRDVS side-channel resistance enabled. We also made several advances during the project with respect to high-level synthesis from mathematical specifications, analytical models of the iRDVS side-channel resistance technique, and formal correctness proofs for key aspects of our asynchronous design techniques. Our next step in advancing the 21CC side-channel resistant cryptographic engines will be to develop a complete solution with higher throughput and fully integrated voltage regulators.
Finally, many existing and legacy designs could benefit from our approach. With additional automation, it can be generalized to partition an arbitrary circuit so as to maximize the protection provided by the iRDVS flow we have already developed.
This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under Contract No. HR0011-19-C-0070. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA).