Crypto to defend chip IP: snake oil or good idea?

Thor Lancelot Simon wrote:
> As Perry said, chip fabs have plenty of diagnostic
equipment that
> would extract an RSA private key every bit as easily as
it would
> extract a private serial number, which means that the
additional cost
> of 20-40 gates, plus IP licensing, plus... for a
cryptographic engine
> is strictly wasted.  I am a happy Certicom customer but
I certainly
> wouldn't buy _this_ product from them.

fab has plenty of equipment ... at some point there needs to
be a little
trust ... the fab could also create copy chips with back
doors that
would enable attackers with the appropriate knowledge to
extract all
private keys from all manufactured chips .... w/o even
requiring
diagnostic equipment. there are audit processes that are
designed to
preclude both the backdoor design scenario as well as the
private key
extraction scenario.

my claim is that whether it is 20-40 gates or 20k-40k gates
would both
be equivalently trivial ... or at least unable to
differentiate the
difference if you are talking about 100 million circuit
chip.

my assertion is that there is incremental benefit of
asymmetric key
operation over straight static serial number. in the
scenario where the
asymmetric key operation is being used as countermeasure to
copy chips
... there may even be incentive for the fab to not
compromise their own
chips.

there are also some interesting processes in fabs around the
poweron/test situation to narrow the vulnerability of
possible private
key extraction (after the key may be generated) ... unless
you are
talking about physical invasive techniques that damage the
chip
(negating the purpose have using the digital signature from
the private
key for proof of a valid, undamaged, working chip).

my assertion is that the cost of the additional gates can be
more than
offset by improving/eliminating other chip processing
related processes
... resulting in a net economic benefit .... this is
improved by
aggresive cost reduction of the additional gates .... so it
might need
to save more than dollar or two in other chip processes for
a net
economic benefit (i.e. it may be able to accomplish
asymmetric key
circuits for pennies)

you seem to be asserting that the complexity of asymmetric
key circuits
would require savings on the order of possibly hundreds of
dollars (per
chip) to show any net economic benefit.

somewhat related is that there are lots of current chip
activity where
they ahve an excess of circuits that they are somewhat
desperately
looking for applications for. if they can front load some
incremental
purpose that uses the excess circuits ... the design costs
are front
loaded and then amortized across hundreds of millions of
chips ...
effectively driving the actual circuit related cost (for the
incremental
feature) to zero. if it doesn't actually increase any post
fab per chip
processing cost ... and can decrease any post fab per chip
processing
cost ... then it actually takes extremely little savings to
show a net
economic infrastructure benefit.

in my scenario ... it takes relatively trivial copy chip
countermeasure
incremental benefit to justify fabs adding the feature to
their chips.

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe
cryptography" to majordomometzdowd.com

from long ago and far away ....


From: lynn
Date: Wed, 17 Nov 1999 14:13:42 -0800
Subject: Re: a smartcard of a different color

The USB chip is starting to come up higher on peoples'
radar ... bunch
of discussion was kicked off by this posting.

the NACHA announcement talks about not absolutely requiring
chip for
the signing ... however that means that they can't tell
whether it was
chipped signed or not.

Within the AADS infrastructure, it can be a stand-alone AADS
chip
(possibly in as few as 20,000 circuits compared to several
hundred
thousand to tens of million circuits for the smartbrick
chips).

Not only can the AADS chip definition be used for ubiquitous
authentication purposes ... but it is trivial to include
such a small
chip in almost any kind of package ... either as a seperate
chip (say
in a card, USB housing or corner of a PDA or cellphone) ...
or in the
corner of a more complex chip (pentium, k7, strongarm, etc).

In principle, it is technical possible for the same AADS
function/chip
to be used for digital signing (and authenticating) multiple
X9.59
debit&credit accounts, ISP internet login, corporate
intranet login,
webserver access, and business process access.


------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe
cryptography" to majordomometzdowd.com