(Design-Reuse) Crypto Quantique, a specialist in quantum-driven cybersecurity for the internet of things (IoT), has announced independent verification that its CMOS semiconductor IP for second-generation, physically unclonable functions (PUFs) is immune to side-channel attacks when used to create unique, immutable and unforgeable fingerprints for CMOS chips. A 3-month study was conducted by eShard, an independent cybersecurity testing house. “Our security analyst probed near-field electromagnetic emissions over the Crypto Quantique test chip and concluded that with respect to the QDID analog IP, the product shows resistance to high attack potential required for EAL4+ certification”, eShard’s CEO, Hugues Thiebeauld, stated. Evaluation Assurance Level (EAL) is assigned to a product or system after a Common Criteria security evaluation.
Crypto Quantique’s CEO, Shahram Mossayebi, said, “Side-channel attacks on device identities and cryptography keys are the biggest threat to the security of IoT edge devices. This evaluation has demonstrated independently that the semiconductors at the heart of IoT devices can be designed to achieve EAL4+ security easily and at low cost by using quantum-driven entropy to generate secure identities and cryptographic keys. All of these truly random numbers are generated on demand and do not need to be stored, eliminating a significant security weakness of key injection.”
The company’s PUF, called QDID, measures minute quantum tunnelling currents making it more robust than other chip security technologies, many of which are susceptible to side-channel attacks.
Side-channel attacks exploit key-dependent variables to extract bit values. For example, if a cell consumes more power when settling at a 1 state than at a 0, measuring the difference can reveal identity and cryptographic key secrets within the semiconductor. Technologies exist to mitigate this problem, but they can be prohibitively expensive to deploy. QDID eliminates the problem, offering semiconductor manufacturers a simpler, lower-cost route to meeting the most demanding IoT device security requirements and enabling them to achieve EAL4+ security for their devices without expensive additional measures.
QDID fingerprints are random numbers, or seeds, that are used to produce device identities and cryptographic keys on demand. The identities and keys together form a hardware root-of-trust (RoT) for the chip or device in which it is used, which is a cornerstone of IoT device security.
QDID IP produces 64 x 64 arrays of cells, each cell consisting of two transistors. The technology then exploits the quantum tunnelling that occurs through the CMOS oxide layer. Electrons propagate through this layer to varying degrees, depending on its thickness and the atomic structure at particular points. Variations in these physical characteristics are completely random and unavoidable in manufacturing. The currents involved are in the order of femtoamps (10-15 amps), or a few tens of electrons. QDID accurately measures these electron flows to generate random 1s or 0s based on readings of adjacent cells.