It seems as if everything we buy today, from refrigerators to toothbrushes, are "smart" devices that are connected to an app and the internet. So how can we add security to these devices that have considerably less processing power than traditional computers? The most widely used algorithm for symmetric encryption is AES, and it's been the NIST standard since it replaced DES in 2001. However, AES is a general purpose encryption algorithm that sometimes struggles to meet the power and latency requirements of resource-constrained applications. For chip designers, this problem is manifesting as the need to secure the communication channel to external flash.

As we target process nodes smaller than 28nm, designers are forced to contend with complex problems arising from smaller geometries, from well proximity, poly spacing, and other layout-dependent effects to determining the appropriate FinFET width. One security-relevant limitation is the difficulty of building floating gates to support embedded flash in smaller geometries. Without any viable options for on-chip multi-time programmable (MTP) non-volatile memory (NVM) below 28nm, designs are transitioning to external flash:

Unfortunately, this allows an adversary to observe and modify the data stored in external flash, and also makes launching more advanced side-channel and fault injection attacks much easier. It’s hardly a trivial problem, as we need a solution that simultaneously:

  • protects the confidentiality and integrity of data stored in external flash,
  • provides protection against advanced side-channel and fault injection attacks,
  • is able to support read/write speeds of 100MB/s for QSPI flash, and finally
  • doesn’t result in a substantial power and area overhead for the product.

A natural first approach would be to leverage the existing AES engine to protect the data. Encryption alone, however, does not prevent an adversary from modifying the data. For that, we need to use the cipher in an authenticated encryption mode, such as the GCM mode of operation. Unfortunately, AES-GCM has trouble meeting the final requirement of attack resistance. AES was not originally designed to be resistant to side-channel or fault attacks, and modifications to the algorithm that would provide that level of protection result in a substantial area and power penalty.

For a solution that meets all of our desired characteristics, we need to look to the emerging field of lightweight cryptography.

Lightweight Cryptography

Applications necessitating resource-constrained devices have been rapidly expanding, in areas such as the internet of things (IoT), automotive, and medical sensors. In order to provide security where power and area are at a premium, the focus has shifted from general-purpose encryption algorithms like AES to explicitly lightweight designs.

 Importantly, security is not sacrificed in lightweight cryptographic algorithms: key lengths are still required to be at least 128-bits, matching up with AES-128. Instead, lightweight cryptographic algorithms are designed to work within the resource limitations common in embedded devices, for example by requiring fewer registers and less RAM than their general-purpose counterparts. Importantly, all of the lightweight candidates for standardization are designed to be resistant to both side-channel and fault attacks.

But what about the high throughput requirement for communicating with external flash? Despite being targeted for resource-constrained devices, lightweight algorithms can frequently outperform general-purpose algorithms like AES. As part of NIST’s efforts to standardize a set of lightweight algorithms, their performance against AES was evaluated on a Cortex-M4F processor. Many of the candidate lightweight algorithms were able to outperform AES.

Each of the candidate lightweight algorithms for standardization was evaluated against AES by varying both message and associated data lengths. Blue squares indicate that the lightweight algorithm outperformed AES by processing the data faster, while red squares indicate that AES was faster.

From the plot below, we can see that many of the lightweight encryption algorithms under consideration for standardization are able to outperform AES, despite being designed for resource-constrained environments.

The finalists for NIST’s lightweight cryptography standardization effort were announced in early 2021, and the final standard will be released sometime in 2022.

For resource-constrained products, the new class of lightweight encryption algorithms provide significant power and area savings over more traditional, general-purpose algorithms such as AES. Despite being designed for resource-constrained environments, many lightweight encryption algorithms are faster than AES. As our products target process nodes below 28nm, the lack of embedded multi-time programmable non-volatile memory introduces an attack surface between the chip and external flash. Lightweight encryption algorithms are one candidate solution for securing the data between the chip and external flash.

Anonymous