Towards digital sovereignty by open source (hardware ... · CHISEL PYTHON GTK-Wave Executable / Debug-Output ASIC-Layout Lattice Bit-File Legacy Code Legacy Code C!ASH MYHDL Debug-Output

ZY

X

W

VU

TS

RQ

PO

N

ML

K J I HG

FE

DC

BA

98

76

5

43

210

C4T

S

PV

6O

0E

KJ

5

Z2

I 1 H RD

8Q

GY

9U

3F

AM

7

NB

WLX

TOWARDS DIGITAL SOVEREIGNTY BYOPEN SOURCE (HARDWARE)2nd Free Silicon Conference, Sorbonne Université, Paris

March 14, 2019

Steffen [email protected]

Theoretische InformatikStudienbereich Angewandte InformatikHochschule RheinMain

THE REAL WORLD

The Real World (Some) Security for Cars The World Is Not Enough Open Source Hardware The Future

WELCOME TO THE DESERT OF THE REAL

Smart City Vulnerability: Experts warn against attack-ing smart cities. Recently, it hit the stormwarning sys-tem in Dallas, which howled abruptly during the night.(Heise, 20.04.2017)

Audi TT: Airbags can be secretly deactivated by soft-ware.(Heise, 27.10.2015)

Fiat Chrysler: Recall of 1.4 million cars to fix remotehack(Slashdot, 24.7.2015)

Attacks on heaters - Hackers freeze Finns: In theeast of Finland unknown people have shut down sev-eral blocks of flats.(Spiegel, 8.11.2016)

3


NEVER TELL ME THE ODDS

Root-shell at hospital: Infusion pump with telnet-security flaw.(Heise, 05.05.2015)

Security researchers: Cars can be hacked via digitalradio(Heise, 26.7.2015)

Security flaw in the pacemaker: A firmware-upgradeshould protect patients with pacemaker against beinghacked. It is not clear whether the devices will be safeafter the update.(Heise, 11.2.2017)

Clearly, we have to fix Soft- and Hardware together (onall levels) to improve the situation!Idea: Clone the success (security!) of BSD & Linux

4


(SOME) REASONS FOR THE SUCCESS OF LINUX & BSD

→ The UNIX became closed source (by AT&T) → Stallmanstarted the GNU-Project (demand)

→ Free and flexible tooling, e.g. the GNU Compilercollection (GCC) (easy to use, expandable, fixable)

→ Fun makes developers successful: ”I’m doing a (free)operating system (just a hobby, won’t be big andprofessional like gnu) for 386(486) AT clones.” (Torvalds)

→ Linux is/was used for research & teaching → theknowledge is transfered from university to industry

→ Broad sharing of costs (cf. Google, Amazon, Facebook,etc.)

We need attractive, portable and productive tooling foryoung developers, a CPU-core and cryptographic sugar.Bad examples (selected): (System-)Verilog, VHDL, Xilinx,Cadence and ARM!

5


SOMEONE HAS TO PAY

Question: Where is Germany successful?

→ renewable energy (claimed)→ mechanical engineering→ chemical industry→ automotive industry (still) / IoT

Idea: Use old concepts, new technology and bettersoftware to build invisible, cheap and "unattractive"hardware for the IoT / automotive market to overcome ourproblems.

Goal: Improve our digital sovereignty by learning andcreating own hardware for our privacy!Claim: On the long run it is possible to use the ideas fromopen source to build open cryptographic hardware.

6

(SOME) SECURITY FOR CARS


I HAD A BAD FEELING ABOUT THAT . . .

A modern car has to solve a lot of critical tasks:

→ ABS / ESP / Airbag / X by Wire→ Engine control unit / Immobilizer→ Odometer (cf. §22b StVG)→ Multimedia / Entertainment

New(er) applications:

→ Car2X→ Charging of electric vehicles→ and even worse: Smart / Autonomous cars

Especially the last topic will cause a huge demand for methodsof IT-security and cryptography!

8


COMPLICATIONS AROSE,

Current asymmetric crypto (cf. digital signatures, certificates,digital cash, etc.) is mainly based on two computationalproblems:

PROBLEM: FACTORINGINPUT: Integer nOUTPUT: Primes p1, . . . ,pl such that p1 · . . . · pl = n

PROBLEM: DLOG(G)INPUT: A generator g of a large cyclic subgroup of G,

b = ga

OUTPUT: Exponent a

It is believed that both problems cannot be solved efficiently,but

9


ENSUED,

capable quantum computers can solve FACTORING andDLOG(G) efficiently (Shor’s Algorithm)!

⇒ we lose nearly all asymmetric algorithms like RSA,Diffie-Hellman key exchange, ElGamal and Elliptic Curvecryptography and all related business models.The following schedule seems realistic:

AtomicQuantumClock

QuantumSensor

IntercityQuantum

Link

QuantumSimulator

QuantumInternet

UniversalQuantumComputer

2015 2035

We need crypto for (classical) embedded systems whichwithstands attacks by quantum computers!

10


WERE OVERCOME

Due to lengthy development time, the automotive industryis in real trouble (also here ;-) and has to find answers!

Maybe we have found an industry with (huge) demand!

We have various methods from post-quantum cryptography:

→ Code-based PQC→ Lattice-based PQC→ Hash-based PQC→ Multivariate PQC→ Supersingular Elliptic-curve Isogeny PQC

Make them work for embedded systems!11


NO SECRETS

Kerckhoffs's principle is fully accepted in cryptography(except for a few fools):

→ Cryptographic algorithms and→ Software and→ applications are created having Kerckhoffs's principle

in mind!

But (cryptographic) hardware is created in a closedprocess.

We have to change this!Everybody should say this again and again, because thecurrent situation is ridiculous!

12

THE WORLD IS NOT ENOUGH


AN OVERSIMPLIFIED IT-SUPPLYCHAIN

Hardware description

(e.g. Verilog, VHDL)

EDA tools(synthesis, place &

route)

Preproduction(e.g. exposure mask)

Manufacturing(semiconductor fab)

Workstation

Embedded system

Hardware Development Hardware Production

Software DevelopmentUser

Applicationprogram

Chip

s

Tapeout

System redesign

Compiler & otherdevelopment tools

Operating System

Any stage of this chain can be attacked!

14


CAPTAIN, YOU ALMOST MAKE ME BELIEVE IN LUCK

Symmetric methods use secret keys:

→ Secure non-volatile on chip memory is needed→ We need secure random numbers→ Nice to have: PUFs (Physically uncloneable functions)

Asymmetric methods (often) need arithmetic with largenatural numbers:

→ powerful (much more than for Elliptic Curves!) µCs oracceleration-units are needed

Hence we really need really cheap hardware (mass-market!)based post-quantum crypto for automotive, the energysector, medical engineering, automation technology, . . .

15

OPEN SOURCE HARDWARE


SOME OPEN-SOURCE TOOLING FOR HARDWARE

We have a surprisingly large number of options:

Hard

war

ePl

ace

& Ro

ute

Synt

hesis

Test

fram

e-w

ork

Sim

ulat

ion

Test

benc

h

Met

a HD

L

Visu

alis

atio

n

Sim

ulat

ion

Debug-Output

YOSYS

SPINAL HDL

ICESTORM

ARACHNE / NEXT PNR

QFLOW

GHDL ICARUS VERILOGVERILATOR

COCOTB

CHISEL PYTHON

GTK-Wave

Executable / Debug-O

utput

AS

IC-Layout

Lattice Bit-File

Legacy Code

Legacy Code

C�ASHMYHDL

Debug-Output

SpinalSim

VHDL

Verilog

PYTHON

17


A NEW HOPE

A project for one semester (computer science) by Lars Müller,Jens Nazarenus, Daniel Schultz and Marius Sternberger led toa VexRISCV derivate with hardware acceleration for thestream cipher ChaCha.The design is completely based on SpinalHDL, VexRISCV,VexRiscv-CCOPI1 (hosted on github):

→ 277 MHz clock→ speed-up (hardware acceleration) ≈ 3→ 1950 LUTs on an Artix-7 FPGA (without acceleration 1670

LUTs)→ modified gcc (intrinsics for ChaCha)

1https://github.com/jens-na/VexRiscv-CCOPI.git18

https://github.com/jens-na/VexRiscv-CCOPI.git


A NEW HOPE (II)

The project delivered an ASIC (simulation at the moment) too:

→ 50 MHz clock→ 35000 Gates / 350 nm→ 2 kB ROM / 4 kB RAM→ 8.9 mm2

Price (Europractice): 8402e for 40 pieces.

→ JTAG needs to befixed!

→ Next project: Port thisdesign to 180nm (moreRAM).

Open Source can build complex crypto-hardware!19


TO BE AND NOT TO BE, THAT IS THE QUANTUM QUESTION

Using VexRISCV Ingo Braun implemented hash-basedpost-quantum algorithms (XMMS2).Use the Murax Soc VexRISCV-variant with mul/div and BarrelShifter (2044 LUTs / 1448 FF) on an Artix7:

→ Keccak-1600: 6110 LUTs, 3115 FF 3115 and FMax 105MHz. One hash-step needes 31 cycles.

→ SHA2-512: 4131 LUTs, 3052 FF and FMax 106 Mhz. Onehash-step needes 71 cycles.

→ Haraka512: 6046 LUTs, 2535 FF and FMax 105 Mhz. Onehash-step needs 17 cycles.

We can build post-quantum enhanced CPUs now!2https://eprint.iacr.org/2011/484.pdf and RFC 8391

20

https://eprint.iacr.org/2011/484.pdf


TOWARDS A LOW-COST SENSOR FOR IOT APPLICATIONS

Reimplementation3 of the J1-CPU from James Bowman(cf. Harris RTX 2010) using the Meta-HDL SpinalHDL (total:1233 LoC) gives:

→ 120 MHz clock (1 cycle per instruction) on a Xilinx Artix7→ Forth-System in 5KB RAM (max. 8KB RAM)→ Resources: approx. 317 LUTs (293 Logic / 24 Memory), 2

BRAMs, total system: 931 LUTs 1.5% of a XilinxArtix7-100)

→ Port to Lattice ICE40HX8K (IcoBoard) 2031 LUTs (max.7680 LUTs), 18 BRAMs (max. 32 BRAMs), 42 MHz clock

→ FORTH-implementation of AES-128 (Encrypt) does 3.2kB/sec@ 100Mhz

3https://github.com/SteffenReith/J1Sc21

https://github.com/SteffenReith/J1Sc

THE FUTURE


DIFFICULT TO SEE. ALWAYS IN MOTION THE FUTURE IS!

Possible ways to improve the (desperate) situation:

→ We need a broad discussion about the fact that wenearly lost control (CPUs / Fabs / KnowHow) onEuropean level. Interestingly China (and Russia) has anown microprocessor family and EDA tooling (why?).

→ We need open, certified (special laws?) and provencomponents to push the local industry (startups!).Prototypes (publicly funded?) of production readyHardware-Security Modules.

→ Back to the roots! Much more computer engineering atuniversity level (bachelor/master/PhD). We don’t haveenough engineers for semiconductor design.

23


WHAT ELSE TO DO

→ Improve the open tooling for making and proving chips(costs are prohibitive for startups / small companies) →new ideas from small groups.

→ Fund (true) startups (established companies have shownthat they cannot improve the situation), create alternativesfor young engineers.

→ A modern and accessible Fab (public infrastructure?).Otherwise we have no control (prize / know-how /hardware trojans). Maybe similar to the idea of PCB-Pool.

→ We need laws that demand to use open hardware forcritical applications → strong impact (cf. RoHS and CE)and equal costs for competitors on the market.

→ Work together! The advantage of the other regions ishuge. One (big) company / university cannot do this alone.

24


FURTHER READING

SECURITY, SAFETY AND FAIR MARKET ACCESS BY OPENNESS AND CONTROL OF THE SUPPLY CHAIN

SOVEREIGNTY IN INFORMATION TECHNOLOGY

WHITE PAPER V1.0, MARCH 2018

Arnd WeberSteffen ReithMichael KasperDirk KuhlmannJean-Pierre SeifertChristoph Krauß

http://www.itas.kit.edu/pub/v/2018/weua18a.pdf25

http://www.itas.kit.edu/pub/v/2018/weua18a.pdf


Thank You!

26

The Real World(Some) Security for CarsThe World Is Not EnoughOpen Source HardwareThe Future

Documents

Towards digital sovereignty by open source (hardware ... · CHISEL PYTHON GTK-Wave Executable / Debug-Output ASIC-Layout Lattice Bit-File Legacy Code Legacy Code C!ASH MYHDL Debug-Output