[Cryptech Tech] ASIC implementation page on wiki

Bernd Paysan bernd at net2o.de
Thu Aug 14 01:04:02 UTC 2014


On Wednesday, 13 August 2014, 14:24:29, Warren Kumari wrote:
> > * Avalanche diode noise: Depending on the process options, it might be
> > possible to have an internal avalanche diode.  This sort of diode is
> > often part of the ESD structures in IO pins, so with some knowledge of
> > the process, you just can use that.  In a power management capable
> > process, you can also include the stuff for the step-up converter
> > (excluding coils and capacitors, of course).
> 
> Yes, you might be able to, but personally I'd think that having the
> noise source outside the ASIC would make folk feel better (could
> always do both).

Yes, some people might worry about easy replacement of the diode with a
noise-free one, which is rather hard to do when the diode is on-die (not just
a simple off-the-shelf component).  An ASIC just gives you more options for
on-chip noise sources, without taking away the options for off-chip sources,
which I think is good.  And unlike software, where having many options is bad,
because it increases the attack surface, having more options here is not so
much of a concern.

> I'm not really sure if it makes *actual* sense, or more of a
> "feeling", but having the entropy source outside the die where I can
> actually look at it would make me feel less like the whole ASIC is a
> magic black box with who knows what going on inside...

Certainly, after having made a dozen or more ASICs, I don't feel it's black
magic ;-).

> Actually, as it
> is, having the ASIC feels very much black magic to me -- how do I
> audit it? Sure, I could look at the masks, but how do I know that they
> are actually the ones that were exposed?

For a rough check, optical inspection will do.  You can hide a few gates here 
and there from a quick look, but you can't hide bigger blocks.

Testing is important for ASICs; you always have defective chips in mass
production, and you have to screen them to detect all kinds of failures.  
Knowing what's in a chip by accessing it from the outside is not only 
feasible, but required.

Of course this wouldn't detect replacement chips with trigger backdoors, which 
hide themselves during test.  If you have good equipment, even many-pin ball 
grid array chips don't stop you from unsoldering them and replacing them.  But 
it certainly raises the price for doing a targeted attack, and that's all we 
can do.

> Sure, it is a nice option to have, but my spider sense is shouting
> "Here be dragons" (nothing like mixing idioms / metaphors).

"Here be dragons" is just uncharted water.  The locals already know that 
water, and don't fear the dragons.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/