IP Catalog > Security IP > Root of Trust IP > Programmable Root of Trust Family With DPA & Quantum Safe Cryptography

Programmable Root of Trust Family With DPA & Quantum Safe Cryptography

Overview

The RT-65x Root of Trust IP are fully programmable, FIPS 140-3 compliant hardware security anti-tamper cores offering security by design for government and mission-critical applications. The RT-650 protects against a wide range of hardware and software attacks with state-of-the-art anti-tamper security techniques. Government hardware require the highest security protections due to sensitive information being stored and processed. The RT-650 is a security co-processor, built on a custom-designed 32-bit RISC-V architecture, along with dedicated secure memories.

The RT-650 offers superior anti-tamper attack protection through the implementation of Differential Power Analysis (DPA) countermeasures. The RT-650 implements DPA protected AES, RSA, and ECC cryptographic accelerator cores. The RT-650 provides hardware implementations of a NIST SP800-90a/b/c compliant TRNG (true random number generator), Public Key Engine (RSA up to 8192 bits and ECC up to 521 bits), AES (all modes), HMAC and SHA-2/-3 crypto accelerators.

The RT-651 adds the OSCCA SM2/3/4 Chinese cryptographic accelerators. The RT-654 takes the robust feature set of the RT-650 and adds a Quantum Safe Engine with FIPS 203 ML-KEM (CRYSTALS-Kyber) and FIPS 204 ML-DSA (CRYSTALS-Dilithium), as well as XMSS and LMS stateful hash acceleration, to safeguard against quantum computer attacks. 

The RT-65x Root of Trust IP are the ideal choice for chip and system architects designing FPGA and ASIC solutions for applications requiring the highest level of security.

How the Root of Trust Works

While built upon a RISC-V architecture, the RT-650 RISC-V CPU is a custom implementation designed specifically for security use cases. Rambus employed over 20 years of device security experience to build a co-processor providing the highest levels of siloed and layered security. The RT-650 is designed for integration into government ASICs and FPGAs, offering secure execution of authenticated user applications, tamper detection and protection, and secure storage and handling of keys and security assets.

The Root of Trust offers a siloed approach to security. While located on the same silicon as the main processor, the secure processing core is physically separated. A layered security approach enforces access to crypto modules, memory ranges, I/O pins, and other resources, and assures critical keys are available through hardware only with no access by software. The Rambus Root of Trust RT-650 supports all commonly deployed host SoC processor architectures, including ARM, RISC-V, x86 and others.

The Rambus Root of Trust supports multi-tenant deployments by offering true multiple root of trust capabilities. Each individual Secure Application can be assigned its own unique keys, meaning permissions and access levels are set completely independent of others. Secure Applications are siloed from each other, ensuring the best approach to security. OEMs can determine access levels and permissions for each and all processes operating within the secure processor.

Secure Applications

Included with the RT-65x Hardware Root of Trust IP are a series of standard secure applications (“containers”) to speed development, including secure boot, identity management, HSM reference, and others. A container development kit (CSDK) is also included to allow the development of custom containers for specific use cases.

Rambus can optionally offer dedicated FIPS 140-3 support packages to its licensees that provide FIPS 140-3 related certification documentation, FIPS test scripts, and dedicated FIPS support.

Deep Anti-Tamper Experience

As the inventor and pioneer of DPA and an acknowledged leader in device security, Rambus is uniquely qualified to provide anti-tamper solutions for the most stringent requirements. Rambus technologies protect more than 9 billion chips per year, and as a US-based, independent company, Rambus has the experience and pedigree to be the solution provider of choice. Rambus has for more than 20 years supplied solutions for government and defense applications, including anti-tamper cores, software libraries, and testing workstations.

Key Features

  • Superior Security
    • Hardware Root of Trust employing a custom 32-bit RISC-V processor
    • Multi-layered security model provides protection of all components in the core
    • NIST CAVP and CMVP compliant for FIPS 140-3 validation
    • State-of-the-art anti tamper techniques
    • DPA-resistant cryptographic accelerators
    • Caliptra Root of Trust for Measurement with DICE and X.509 support
    • TRNG and PUF entropy sources
    • Quantum Safe Engine (QSE)
    • Secure lifecycle management
    • Secure provisioning with Rambus CryptoManager Root Server (CMRS)
  • Enhanced Flexibility
    • 3rd-party applications run securely within trusted boundary, each with its own assigned security permissions
    • Complete development environment allows OEMs and users to easily develop secure applications (”containers”); standard use case application containers provided
    • Support for secure provisioning of keys and firmware at manufacturing or in the field
    • Support for multiple roots of trust within a single secure core
    • Secure applications can be assigned unique keys, allowing independent permissions and access levels
  • Security Models
    • Hierarchical privilege
    • Secure key management policy
    • Hardware-enforced isolation/access control/protection
    • Error management policy
  • Cryptographic Accelerators
    • RT-650: NIST CAVP hardware cryptographic accelerators, including AES (all modes), HMAC, SHA-2/3 (all modes), RSA up to 4096 or 8192 bits, ECC up to 521 bits, a NIST SP 800-90a/b/c Random Bit Generator, LMS and XMSS hash-based signature schemes, and SHAKE XOF
    • RT-651: As per RT-650 + Chinese Encryption with OSCCA SM2/3/4
    • RT-654: As per RT-650+ Quantum Safe Engine with CRYSTALS-Kyber and CRYSTALS-Dilithium
  • Security Modules
    • Canary logic for protection against glitching and overclocking
    • Secure key derivation and key transport
    • Life cycle management
    • Secure test and debug
    • Feature management

Block Diagram

Programmable Root of Trust Family With DPA & Quantum Safe Cryptography Block Diagram

Applications

  • Government

Deliverables

  • Complete Documentation
    • Integration guides
    • Reference manuals
    • Programming guides
  • RTL and FW Package
    • Verilog RTL for synthesis and simulation
    • Standard EDA tool flow scripts and support files
    • Verification test bench and test vectors
    • Boot loaders and secure RTOS and security monitor firmware
    • HLOS APIs for accessing RT-65x capabilities
  • SW SDK Package
    • SDK including the development environment, complete emulation with debugging capabilities of the RISC-V and crypto cores on QEMU
    • One-step install emulation with multiple samples and reference code to help customers kickstart their secure application development
  • FIPS 140-3 Support Package (Optional)
    • FIPS 140-3 test scripts
    • FIPS 140-3 related certification documentation
    • FIPS 140-3 support

Technical Specifications

Foundry, Node
Any
Maturity
In production
Availability
Now
Request Info

Related IPs

×
Semiconductor IP