Crypto to defend chip IP: snake oil or good idea?

Anne & Lynn Wheeler lynn at garlic.com
Sat Jul 29 00:36:58 EDT 2006


Thor Lancelot Simon wrote:
> As Perry said, chip fabs have plenty of diagnostic equipment that
> would extract an RSA private key every bit as easily as it would
> extract a private serial number, which means that the additional cost
> of 20-40 gates, plus IP licensing, plus... for a cryptographic engine
> is strictly wasted.  I am a happy Certicom customer but I certainly
> wouldn't buy _this_ product from them.

fab has plenty of equipment ... at some point there needs to be a little
trust ... the fab could also create copy chips with back doors that
would enable attackers with the appropriate knowledge to extract all
private keys from all manufactured chips .... w/o even requiring
diagnostic equipment. there are audit processes that are designed to
preclude both the backdoor design scenario as well as the private key
extraction scenario.

my claim is that whether it is 20-40 gates or 20k-40k gates would both
be equivalently trivial ... or at least unable to differentiate the
difference if you are talking about a 100 million circuit chip.

my assertion is that there is incremental benefit of asymmetric key
operation over straight static serial number. in the scenario where the
asymmetric key operation is being used as countermeasure to copy chips
... there may even be incentive for the fab to not compromise their own
chips.

there are also some interesting processes in fabs around the
poweron/test situation to narrow the vulnerability of possible private
key extraction (after the key may be generated) ... unless you are
talking about physical invasive techniques that damage the chip
(negating the purpose of using the digital signature from the private
key for proof of a valid, undamaged, working chip).

my assertion is that the cost of the additional gates can be more than
offset by improving/eliminating other chip processing related processes
... resulting in a net economic benefit .... this is improved by
aggressive cost reduction of the additional gates .... so it might need
to save more than a dollar or two in other chip processes for a net
economic benefit (i.e. it may be able to accomplish asymmetric key
circuits for pennies)

you seem to be asserting that the complexity of asymmetric key circuits
would require savings on the order of possibly hundreds of dollars (per
chip) to show any net economic benefit.

somewhat related is that there are lots of current chip activity where
they have an excess of circuits that they are somewhat desperately
looking for applications for. if they can front load some incremental
purpose that uses the excess circuits ... the design costs are front
loaded and then amortized across hundreds of millions of chips ...
effectively driving the actual circuit related cost (for the incremental
feature) to zero. if it doesn't actually increase any post fab per chip
processing cost ... and can decrease any post fab per chip processing
cost ... then it actually takes extremely little savings to show a net
economic infrastructure benefit.

in my scenario ... it takes relatively trivial copy chip countermeasure
incremental benefit to justify fabs adding the feature to their chips.

---------------------------------------------------------------------
The Cryptography Mailing List
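
The contrast the post draws between a static serial number and an asymmetric key operation as a copy-chip countermeasure, as an added example that is not part of the original message. It assumes the private key never leaves the genuine chip; the toy RSA parameters, class names and serial value are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy RSA key built from two Mersenne primes (constructed; insecure size).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the chip

def digest(serial: str, nonce: bytes) -> int:
    """Hash the serial and the verifier's nonce into an integer below N."""
    data = serial.encode() + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

class GenuineChip:
    def __init__(self, serial):
        self.serial = serial

    def respond(self, nonce):
        return pow(digest(self.serial, nonce), D, N)   # sign the challenge

class CopyChip:
    """Copy that carries the same serial and one recorded genuine response."""
    def __init__(self, serial, recorded_signature):
        self.serial = serial
        self._recorded = recorded_signature

    def respond(self, nonce):
        return self._recorded      # no private key, so it can only replay

def check_serial_only(chip, known_serials):
    return chip.serial in known_serials

def check_challenge_response(chip, known_serials):
    if chip.serial not in known_serials:
        return False
    nonce = secrets.token_bytes(16)            # fresh for every check
    return pow(chip.respond(nonce), E, N) == digest(chip.serial, nonce)

def demo():
    serial = "SN-0001"                         # constructed sample value
    genuine = GenuineChip(serial)
    recorded = genuine.respond(b"old-nonce")   # an earlier, observed exchange
    clone = CopyChip(serial, recorded)
    known = {serial}
    return {
        "serial_only": (check_serial_only(genuine, known),
                        check_serial_only(clone, known)),
        "challenge_response": (check_challenge_response(genuine, known),
                               check_challenge_response(clone, known)),
    }
```

`demo()` returns the (genuine, copy) result for each check: the serial-only check accepts both chips, while the signed fresh challenge accepts only the chip holding the private key.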