Circuits that perform cryptographic operations are susceptible to side-channel attacks, in which an attacker may obtain sensitive data as the cryptographic operation is performed. One type of side-channel attack is Differential Power Analysis (DPA), in which an attacker who seeks to obtain a secret key used in a cryptographic operation studies the differences in power consumption of an integrated circuit as the cryptographic operation is performed. By analyzing power consumption measurements of the integrated circuit over a period of time, an unauthorized entity may recover the secret key information associated with the cryptographic operation. So, in order to secure cryptographic operations, random material (such as masks, nonces, an initialization vector (IV), key-wrapping keys, etc.) can be combined with the input data being processed by the cryptographic operation to obfuscate the computation or otherwise conceal the secret key information. The random material can be generated from an entropy source. Entropy is a measurement of uncertainty, disorder, or unpredictability in a system: the higher the entropy, the higher the uncertainty found in a result. An entropy source can be any type of unpredictable noise source, such as hardware sources like variance in fan noise, mouse movements, or other randomness generators. A circuit can collect or measure the randomness of the noise source and generate a random number (entropy output) based on that randomness. Random number generators (RNGs) are hardware devices that take non-deterministic inputs from the noise source and generate unpredictable numbers as their outputs. The higher the entropy of the RNG, the less certainty (i.e., the higher the unpredictability) found in the result.
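The masking countermeasure mentioned above can be sketched as follows. This is a simplified software illustration only, not the disclosed circuit; the function names and the first-order XOR (Boolean) masking scheme are assumptions chosen for clarity.

```python
import secrets

def mask_value(plaintext_word: int, width: int = 32) -> tuple[int, int]:
    """Split a sensitive word into a random mask and a masked share.

    XORing the two shares recovers the original word, but neither
    share alone is correlated with it, which is the idea behind a
    first-order DPA masking countermeasure.
    """
    mask = secrets.randbits(width)   # fresh random material from an entropy source
    masked = plaintext_word ^ mask   # masked share processed by the operation
    return mask, masked

def unmask_value(mask: int, masked: int) -> int:
    """Recombine the shares to recover the original word."""
    return mask ^ masked

secret_word = 0xDEADBEEF
mask, masked = mask_value(secret_word)
assert unmask_value(mask, masked) == secret_word
```

Because a fresh mask is drawn for every invocation, the power profile of processing the masked share is decorrelated from the secret value, which is why the demand for random material scales with the number of protected operations.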
Modern systems may require multiple secure cryptographic operations. Scaling the number of cryptographic operations performed increases the demand for random numbers, which can exceed the rate at which random numbers can be generated and distributed by an RNG. In particular, an RNG takes some period of time to produce and deliver a random number for a single request. When multiple requests are submitted to a centralized random number generation block for servicing, the overall time required to service all the requests grows with the number of requests. This interval can grow to the point where the requests are stalled beyond an acceptable period of time or possibly produce an incorrect result.
The present disclosure is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings.
The following description sets forth numerous specific details, such as examples of specific systems, components, methods, and so forth, in order to provide a good understanding of several embodiments of the present disclosure. It will be apparent to one skilled in the art, however, that at least some embodiments of the present disclosure may be practiced without these specific details. In other instances, well-known components or methods are not described in detail or presented in simple block diagram format to avoid obscuring the present disclosure unnecessarily. Thus, the specific details set forth are merely exemplary. Particular implementations may vary from these exemplary details and still be contemplated to be within the scope of the present disclosure.
The RNG 100 is a centralized RNG that is operatively coupled with a plurality of consumers. In this implementation, the RNG 100 receives requests over direct connections with the consumers. The RNG 100 can receive requests over a common connection in other implementations, as illustrated in
As described above, scaling the number of cryptographic operations performed increases the demand for random numbers, which can exceed a rate at which random numbers can be generated and distributed by the RNG 100 or RNG 150. A circuit can be designed to include additional RNGs to accommodate the increase in the number of cryptographic operations expected. However, the additional RNGs are expensive in chip area and increase design complexity. Also, the demand can increase beyond the rate at which the additional RNGs can generate and distribute the random numbers.
Aspects of the present disclosure can overcome the challenges described above, and others, by providing cryptographic circuits that can be selectively operated to use a same random number. Aspects of the present disclosure can decouple the demand for random numbers from the number of cryptographic operations being performed. Aspects of the present disclosure can provide a centralized generation scheme to support multiple consumers of random material, while achieving an area savings over a distributed generation scheme. Aspects of the present disclosure can achieve scalable generation and distribution of random material (e.g., masks, nonces, key-wrapping keys, etc.) by replicating and re-using the random material. Aspects of the present disclosure can reduce the overall time required to service all the requests as the number of requests increases, because at least some of the random numbers generated can be shared among multiple cryptographic operations. Aspects of the present disclosure can thereby reduce or prevent requests from being stalled beyond the acceptable period of time or producing an incorrect result.
The RNG 200 receives a first request 201 from a first consumer 202. The first consumer 202 can be a first cryptographic circuit (e.g., a processing circuit configured to perform a cryptographic operation) performing a first cryptographic operation. The entropy distribution logic 210 can determine that the first request 201 is for a shared random number. The RNG 200 generates a first random number 203 and provides the first random number 203 to the first consumer 202 in response to the first request 201.
The RNG 200 can also receive a second request 205 from a second consumer 204. The second consumer 204 can be a second cryptographic circuit (e.g., a processing circuit configured to perform a cryptographic operation) different from the first cryptographic circuit performing a second cryptographic operation different from the first cryptographic operation. The entropy distribution logic 210 can determine that the second request 205 is for a shared random number. So, instead of generating a second random number for the second request 205, the RNG 200 provides the first random number 203 to the second consumer 204 in response to the second request 205.
The RNG 200 can also receive a third request 209 from a third consumer 206. The third consumer 206 can be a third cryptographic circuit (e.g., a processing circuit configured to perform a cryptographic operation) different from the other cryptographic circuits performing a third cryptographic operation different from the other cryptographic operations. The entropy distribution logic 210 can determine that the third request 209 is for a shared random number. So, instead of generating a third random number for the third request 209, the RNG 200 provides the first random number 203 to the third consumer 206 in response to the third request 209.
The RNG 200 can also receive a fourth request 213 from a fourth consumer 208. The fourth consumer 208 can be a fourth cryptographic circuit (e.g., a processing circuit configured to perform a cryptographic operation) different from the other cryptographic circuits performing a fourth cryptographic operation different from the other cryptographic operations. The entropy distribution logic 210 can determine that the fourth request 213 is for a non-shared random number. So, the RNG 200 generates a second random number 215 and provides the second random number 215 to the fourth consumer 208 in response to the fourth request 213.
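The request handling described above can be sketched in software as follows. This is a hedged illustration only: the class name `EntropyDistributionLogic` and its methods are assumptions made for the sketch, and the disclosed entropy distribution logic is a hardware block rather than Python code.

```python
import secrets

class EntropyDistributionLogic:
    """Sketch of shared vs. non-shared random number distribution.

    A request marked shareable is served with a cached random number
    that may also be delivered to other shareable requests; a
    non-shared request always triggers fresh generation.
    """

    def __init__(self, width_bits: int = 128):
        self.width_bits = width_bits
        self.shared_number = None  # last random number issued for sharing

    def _generate(self) -> int:
        # Stand-in for the entropy source / accumulator output.
        return secrets.randbits(self.width_bits)

    def handle_request(self, shareable: bool) -> int:
        if shareable:
            if self.shared_number is None:
                self.shared_number = self._generate()
            return self.shared_number   # re-used across consumers
        return self._generate()         # unique per request

edl = EntropyDistributionLogic()
r1 = edl.handle_request(shareable=True)    # first consumer: number generated
r2 = edl.handle_request(shareable=True)    # second consumer: same number re-used
r3 = edl.handle_request(shareable=True)    # third consumer: same number re-used
r4 = edl.handle_request(shareable=False)   # fourth consumer: fresh number
assert r1 == r2 == r3
```

In this sketch only one generation is needed for the first three requests, which is the mechanism by which the demand for random numbers is decoupled from the number of requesting consumers.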
In this embodiment, the RNG 200 is a centralized RNG that receives requests over direct (e.g., point to point) connections with the consumers it is operatively coupled with. An RNG can receive requests over a common connection (e.g., point to multi-point) in other embodiments, such as illustrated in
In another embodiment, the entropy distribution logic 310 can receive one or more requests 303 (illustrated as dashed lines) from one or more cryptographic circuits or cryptographic operations. The one or more requests 303 can be for shared random numbers or non-shared random numbers as described herein. The entropy distribution logic 310 can determine whether multiple requests 303 from different cryptographic circuits or operations can use the same random number. For example, the entropy distribution logic can be configured to operate such that it allows random numbers to be shared as long as the different cryptographic circuits are performing different cryptographic algorithms. The entropy distribution logic 310 can determine whether one or more requests 303 are for unique random numbers that are not shareable. In at least one embodiment, the entropy distribution logic 310 can send one of the incoming requests to the control block 308 to receive a single random number from the control block 308 and distribute the single random number as a shared random number 305 to the requesting cryptographic circuits or operations where the same random number can be used. The entropy distribution logic 310 can receive a non-shared random number from the control block 308 for each requesting cryptographic circuit or operation where the non-shared random number is not shareable and can distribute a non-shared random number 307 to the respective cryptographic circuit or operation. Based upon the amount of sharing allowed, the entropy distribution logic 310 can provide centralized generation and distribution of random numbers and decouple the demand for random numbers in the requests 303 from a number of requesting cryptographic circuits or operations.
In another embodiment, the accumulator 306 could take the output of the digitizer 304 (Entropy output) and eventually generate a random number. This could be delivered to the entropy distribution logic 310 in response to a request from the entropy distribution logic 310 based upon the incoming requests without the control block 308. In another embodiment, when the control block 308 is present, the control block 308 can interact with the accumulator 306 to retrieve a random number and deliver the random number and the distribution information to the entropy distribution logic 310.
In another embodiment, the functionality of the entropy distribution logic 310 can be integrated into the control block 308 as illustrated in the dashed box of control block 308. In this embodiment, the control block 308 receives the multiple requests 303 from different cryptographic circuits or operations and provides either a shared random number 305 or a non-shared random number 307 based on whether the cryptographic circuit or operation can share the random number.
In another embodiment, the entropy distribution logic 410 is similar to the entropy distribution logic 310. The entropy distribution logic 410 receives multiple requests 403 (illustrated as dashed lines) and provides either a shared random number 405 or a non-shared random number 407 based on whether the cryptographic circuit or operation can share the random number. Based upon the amount of sharing allowed, the entropy distribution logic 410 can provide centralized generation and distribution of random numbers and decouple the demand for random numbers in the requests 403 from a number of requesting cryptographic circuits or operations.
In another embodiment, the functionality of the entropy distribution logic 410 can be integrated into the control block 408 as illustrated in the dashed box of control block 408. In this embodiment, the control block 408 receives the multiple requests 403 from different cryptographic circuits or operations and provides either a shared random number 405 or a non-shared random number 407 based on whether the cryptographic circuit or operation can share the random number. In another embodiment, the RNG 400 can operate without the control block 408 and the functionality of the control block 408 can be implemented with the entropy distribution logic 410 as described above.
In the illustrated embodiment, the entropy source 502 is coupled to a second cryptographic circuit 504(2) via the shared connection 512. In this embodiment, the second cryptographic circuit 504(2) is only coupled to the entropy source 502 via the shared connection 512. In other embodiments, the second cryptographic circuit 504(2) can be coupled to the entropy source 502 via a dedicated connection. The second cryptographic circuit 504(2) implements a second cryptographic algorithm that can use a shared random number. The entropy source 502 can provide the shared random number to the second cryptographic circuit 504(2) over the shared connection 512 for the second cryptographic operation.
In the illustrated embodiment, the entropy source 502 is coupled to additional cryptographic circuits, including an Nth cryptographic circuit 504(N) via the shared connection 512 and an Nth dedicated connection 508, where N is a positive integer greater than two. The Nth dedicated connection 508 can be a dedicated communication path. In this embodiment, the Nth cryptographic circuit 504(N) is coupled to the entropy source 502 via both the shared connection 512 and the Nth dedicated connection 508. The Nth cryptographic circuit 504(N) implements an Nth cryptographic algorithm that needs a non-shared random number (e.g., a unique random number) in a first instance. The entropy source 502 can provide a non-shared random number to the Nth cryptographic circuit 504(N) over the Nth dedicated connection 508 for the Nth cryptographic operation. The Nth cryptographic circuit 504(N), at a second instance, can implement the Nth cryptographic operation (or another cryptographic operation) for which a shared random number can be used. The entropy source 502 can provide the shared random number to the Nth cryptographic circuit 504(N) over the shared connection 512 for the Nth cryptographic operation (or the other cryptographic operation).
In at least one embodiment, the entropy distribution logic 210 can determine whether a request is for a non-shared unique random number or a shared random number based on the type of connection from which the request was received. For example, a request for a non-shared random number for the first cryptographic circuit 504(1) can come over the first dedicated connection 506, and a request for a shared random number can come over the shared connection 512. In another embodiment, the entropy distribution logic 210 can receive a request that specifies the requirement of a non-shared random number or a shared random number. In another embodiment, the entropy distribution logic 210 can receive an indication of the requirement in a side-band communication, a stored profile, or from a specified type of cryptographic operation being performed by the requesting cryptographic circuit.
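The connection-based determination described above can be sketched as a simple classifier. The port identifiers below are hypothetical names invented for the sketch; the disclosure only requires that dedicated connections map to non-shared requests and the shared connection maps to shared requests.

```python
from enum import Enum

class RequestKind(Enum):
    NON_SHARED = "non_shared"
    SHARED = "shared"

# Hypothetical port identifiers: dedicated connections carry requests
# for non-shared random numbers; the shared connection carries requests
# for shared random numbers.
DEDICATED_PORTS = {"dedicated_1", "dedicated_2", "dedicated_n"}
SHARED_PORT = "shared_bus"

def classify_request(arrival_port: str) -> RequestKind:
    """Infer the request type from the connection it arrived on."""
    if arrival_port in DEDICATED_PORTS:
        return RequestKind.NON_SHARED
    if arrival_port == SHARED_PORT:
        return RequestKind.SHARED
    raise ValueError(f"unknown port: {arrival_port}")

assert classify_request("dedicated_1") is RequestKind.NON_SHARED
assert classify_request("shared_bus") is RequestKind.SHARED
```

A design choice worth noting: inferring the request type from the arrival connection needs no extra request fields, whereas the alternative embodiments (an explicit requirement in the request, a side-band communication, or a stored profile) trade extra signaling for routing flexibility.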
In at least one embodiment, any of the N cryptographic circuits 504(1)-(N) can have both a dedicated connection and a shared connection. In at least one embodiment, any of the N cryptographic circuits 504(1)-(N) can have only a dedicated connection or a shared connection. In other embodiments, any of the N cryptographic circuits 504(1)-(N) can implement more than one cryptographic operation.
Referring to
In at least one embodiment, the first random number is at least one of a mask, a nonce, a seed value, an IV, or a key-wrapping key. The first cryptographic circuit and the second cryptographic circuit can use the first random number in connection with DPA protection of cryptographic operations.
In a further embodiment, the processing logic receives, at the first time, a third request for a random number from a third cryptographic circuit. The processing logic determines that the third request is for a non-shared random number. The processing logic generates a second random number. The processing logic provides the second random number to the third cryptographic circuit in response to the third request.
In a further embodiment, the processing logic receives, at a second time, a third request for a non-shared random number from the first cryptographic circuit. The processing logic receives, at the second time, a fourth request for a non-shared random number from the second cryptographic circuit. The processing logic generates a second random number and a third random number. The processing logic provides the second random number to the first cryptographic circuit in response to the third request and provides the third random number to the second cryptographic circuit in response to the fourth request.
In a further embodiment, the processing logic receives, at a second time, a third request for a random number from the first cryptographic circuit over a direct connection between the entropy source and the first cryptographic circuit. The processing logic generates a second random number. The processing logic provides the second random number to the first cryptographic circuit only in response to the third request.
In a further embodiment, the processing logic receives, at a second time, a third request for a random number from the first cryptographic circuit over a direct connection between the entropy source and the first cryptographic circuit. The processing logic generates a second random number, and the processing logic only provides the second random number to the first cryptographic circuit in response to the third request.
Referring to
In another embodiment, additional requests that do not require a non-shared random number can be received at the first time. The processing logic provides the first random number to the corresponding cryptographic circuits as well. Similarly, additional requests that require a non-shared random number can be received at the first time. The processing logic can generate a non-shared random number for each of these requests and provides the respective non-shared random number to only the corresponding cryptographic circuit.
In another embodiment, the processing logic receives a fourth request from the first cryptographic circuit that requires a non-shared random number at a second time. In this case, the processing logic generates a non-shared random number and provides it to the first cryptographic circuit in response to the fourth request. Similarly, the processing logic can receive, at the second time or at a third time, a fifth request from the third cryptographic circuit that does not require a non-shared random number. In this case, the processing logic generates a shared random number to provide to the third cryptographic circuit or provides a shared random number that has already been generated for other cryptographic circuits that can share the random number.
In some embodiments, when performing some operations, it can be necessary to use one or more arguments (e.g., key-wrapping keys, masks, entropy, IVs) that have a limited viable lifespan (e.g., a time or usage-count limit). This can be problematic when there is a real-time or high-throughput requirement on such operations. In such scenarios, a timely delivery mechanism is required to guarantee the delivery and usage of valid arguments.
Typically, such “fragile” data is delivered sequentially from the data source to each of its destinations. The transfer can include transmitting or delivering the data from the source to a single destination and waiting for an acknowledgment. Once the acknowledgment has been received, the source then commences the delivery of data to the next destination. The time required to complete all the transfers can potentially exceed the lifespan of the delivered data if there are many destinations or there is a delay in reception for one or more transfer acknowledgments. This has traditionally been addressed by introducing multiple timeout/retry timers and complicated scheduling logic to ensure timely completion of all the transfers and identify anomalous behavior.
In at least one embodiment, the situation can be improved by broadcasting the data to all the destinations at once, similar to a multi-cast transmission in Ethernet. This can decouple the data delivery and acknowledgment so that the delivery of data is not delayed by a previous destination's delivery acknowledgment. This approach can provide the following benefits, as well as others. Broadcasting the data to all destinations at once can remove any limit on the number of destinations that can be supported. The control logic can be simplified. For example, there can be a single timer to track the lifespan of the data and a single register to track delivery acknowledgment reception. In one embodiment, an incomplete delivery is simply indicated by the register not being fully populated by 1's (or 0's if the convention is reversed) at the end of the data timeout period.
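The broadcast scheme with a single acknowledgment register can be sketched as follows. This is an illustrative model under assumed names (`BroadcastDelivery`, `ack_register`); the disclosed implementation is hardware, and the timeout timer is omitted for brevity.

```python
class BroadcastDelivery:
    """Sketch of broadcast delivery with one acknowledgment register.

    Each destination owns one bit in the register; receiving that
    destination's acknowledgment sets the bit. Delivery is complete
    when the register is all 1's before the data lifespan expires.
    """

    def __init__(self, num_destinations: int):
        self.num_destinations = num_destinations
        self.ack_register = 0  # one bit per destination

    def broadcast(self, data: bytes) -> None:
        # In hardware this would drive the shared connection to all
        # destinations at once; here we just start a new transfer by
        # clearing the acknowledgment register.
        self.ack_register = 0

    def acknowledge(self, destination_index: int) -> None:
        """Record the acknowledgment from one destination."""
        self.ack_register |= 1 << destination_index

    def delivery_complete(self) -> bool:
        full_mask = (1 << self.num_destinations) - 1
        return self.ack_register == full_mask

bd = BroadcastDelivery(num_destinations=4)
bd.broadcast(b"fragile-data")
for dest in (0, 1, 3):
    bd.acknowledge(dest)
assert not bd.delivery_complete()   # destination 2 has not acknowledged
bd.acknowledge(2)
assert bd.delivery_complete()
```

Because acknowledgments arrive independently and set independent bits, no per-destination timer or sequential scheduling is needed: a single check of the register at the end of the timeout period identifies any incomplete delivery.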
It is to be understood that the above description is intended to be illustrative and not restrictive. Many other implementations will be apparent to those of skill in the art upon reading and understanding the above description. Therefore, the disclosure scope should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
In the above description, numerous details are set forth. It will be apparent, however, to one skilled in the art that the aspects of the present disclosure may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form rather than in detail to avoid obscuring the present disclosure.
Some portions of the detailed descriptions above are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to the desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
However, it should be borne in mind that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise, as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “receiving,” “determining,” “selecting,” “storing,” “setting,” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system’s registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.
The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer-readable storage medium, such as, but not limited to, any type of disk, including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatuses to perform the required method steps. The required structure for a variety of these systems will appear as set forth in the description. In addition, aspects of the present disclosure are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the present disclosure as described herein.
Aspects of the present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any procedure for storing or transmitting information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium (e.g., read-only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc.).
This application claims the benefit of U.S. Provisional Application No. 63/282,134, filed Nov. 22, 2021, the entire contents of which are incorporated by reference.