A post quantum chip with hardware trojans

Hacker attacks on industrial plants are no longer fiction. Attackers can steal information about production processes or paralyze entire factories. To prevent this, chips in individual plant components already communicate with each other in encrypted form. However, many encryption algorithms will soon no longer offer protection: While today's computers cannot crack established procedures, quantum computers would certainly be able to do so. This is particularly critical for long-lived devices such as industrial plants.

For this reason, security experts around the world are busy developing technical standards for "post-quantum cryptography". One of the challenges here is the high computational requirements of these encryption methods. A team led by Georg Sigl, Professor of Security in Information Technology at TUM, has now designed and had manufactured a chip that implements post-quantum cryptography particularly effectively.

Fast and flexible through combination of hardware and software

Sigl and his team rely on hardware-software co-design. Here, specialized components and control software complement each other. "Our chip is the first to consistently rely on a hardware-software co-design for post-quantum cryptography," says Prof. Sigl.

"This allows him to use encryption with Kyber - one of the most promising candidates for post-quantum cryptography - about ten times as fast as chips that rely on software-only solutions, consumes about eight times less energy and is almost as flexible."

Based on open source standard

The chip is a so-called "application-specific integrated circuit", or ASIC for short. Such specialized microcontrollers are often manufactured in large numbers according to the specifications of companies. The TUM team modified an open-source chip design based on the open-source RISC-V standard. This standard is being used by more and more chip manufacturers and could replace proprietary approaches by large companies in many areas. The chip is made post-quantum cryptography-capable by modifying the computer core and special instructions that accelerate the necessary computing operations.

Secondly, the design has been expanded to include a hardware accelerator developed in-house. This not only enables the chip to use so-called lattice-based post-quantum cryptography algorithms such as Kyber, but could also work with the SIKE algorithm. This involves significantly more computational effort. According to the team, the chip developed at TUM can implement it around 21 times faster than chips that rely only on software for encryption. SIKE is seen as a promising alternative should grid-based approaches prove to be no longer secure at some point. Such safeguards make sense wherever chips are used over a long period of time.

Hardware Trojans Subvert Post-Quantum Cryptography

In addition to the number of conventional hacker attacks, the threat from so-called hardware Trojans is also increasing. Computer chips are usually manufactured to the specifications of companies in specialized factories. If attackers manage to sneak Trojan circuitry into the chip design before or during manufacturing, the consequences could be severe. Just as with a hacker attack from outside, factories could be paralyzed or production secrets stolen. What's more, if the Trojan is already built into the hardware, post-quantum cryptography can also be subverted.

"So far, we know very little about how hardware Trojans are used by real attackers," explains Georg Sigl. "In order to develop protective measures, we have to put ourselves in the shoes of attackers, so to speak, and develop and hide Trojans ourselves. In our post-quantum chip, we have therefore built in four Trojans that we have developed and that work quite differently."

Chip is tested and then disassembled

In the coming months, Sigl and his team will intensively test the chip's cryptographic capabilities and the function and detectability of the hardware Trojans. The chip will then be destroyed - for research purposes. In a complex process, the conductor paths will be ground down layer by layer, and each individual layer will be photographed. The aim is to test new AI methods developed at the chair of Prof. Sigl, which can be used to reconstruct the exact functioning of chips, even if no documentation is available.

"Such reconstructions can help identify components of a chip whose function has nothing to do with its actual tasks and which may have been smuggled in," says Georg Sigl. "Such methods could one day become standard for random sampling in large chip orders. Together with effective post-quantum cryptography, we can thus make hardware in industrial plants but also in cars, for example, more secure."

Source: TU Munich