A new technical paper titled “Calibration and Performance Evaluation of a Superconducting Quantum Processor in an HPC Center” was published by researchers at Leibniz Supercomputing Centre, IQM Quantum Computers, and Technical University of Munich.

Abstract

“As quantum computers mature, they migrate from laboratory environments to HPC centers. This movement enables large-scale deployments, greater access to the technology, and deep integration into HPC in the form of quantum acceleration. In laboratory environments, specialists directly control the systems’ environments and operations at any time with hands-on access, while HPC centers require remote and autonomous operations with minimal physical contact. The requirement for automation of the calibration process needed by all current quantum systems relies on maximizing their coherence times and fidelities and, with that, their best performance. It is, therefore, of great significance to establish a standardized and automatic calibration process alongside unified evaluation standards for quantum computing performance to evaluate the success of the calibration and operation of the system. In this work, we characterize our in-house superconducting quantum computer, establish an automatic calibration process, and evaluate its performance through quantum volume and an application-specific algorithm. We also analyze readout errors and improve the readout fidelity, leaning on error mitigation.”

Find the technical paper here. Published May 2024.

X. Deng, S. Pogorzalek, F. Vigneau, P. Yang, M. Schulz and L. Schulz, “Calibration and Performance Evaluation of a Superconducting Quantum Processor in an HPC Center,” ISC High Performance 2024 Research Paper Proceedings (39th International Conference), Hamburg, Germany, 2024, pp. 1-9, doi: 10.23919/ISC.2024.10528924.

The post Characterizing and Evaluating A Quantum Processor Unit In A HPC Center appeared first on Semiconductor Engineering.

A new technical paper titled “Vertical-Stack Nanowire Structure of MOS Inverter and TFET Inverter in Low-temperature Application” was published by researchers at National Tsing Hua University and National United University in Taiwan.

Abstract
“Tunneling field effect transistors (TFET) have emerged as promising candidates for integrated circuits beyond conventional metal oxide semiconductor field effect transistors (MOSFET) and could overcome the physical limit, which results in the subthreshold swing (SS) < 60mV/dec at room temperature. In this study, we compare the complementary TFET (CTFET) with complementary metal oxide semiconductor (CMOS) at low temperatures (70K) by using the Gate-All-Around (GAA) architecture. The experiment result clearly shows that the CTEFT inverter has better characteristics than the CMOS inverter in various temperatures. While operating at a fixed temperature, the CMOS inverter performs an excellent on/off ratio and SS, etc. However, when a CMOS inverter operates at varying temperatures, CMOS performs worse than CTFET. This is attributed to the influence of lattice scattering, leading to the instability of CMOS characteristics. Therefore, the CTFET inverter is suitable for operation in environments with varying temperatures, exhibiting high stability, which can be applied in space technology. The simulation tool TCAD has been used to investigate the characteristics of CMOS and CTFET at low temperatures.”

Find the technical paper here. Published June 2024.

C. -C. Tien and Y. -H. Lin, “Vertical-Stack Nanowire Structure of MOS Inverter and TFET Inverter in Low-temperature Application,” in IEEE Access, doi: 10.1109/ACCESS.2024.3410677.

The post Device Characteristics of GAA-Structured CMOS and CTFET Under Varying Temperatures appeared first on Semiconductor Engineering.

A new technical paper titled “xTern: Energy-Efficient Ternary Neural Network Inference on RISC-V-Based Edge Systems” was published by researchers at ETH Zurich and Universita di Bologna.

Abstract
“Ternary neural networks (TNNs) offer a superior accuracy-energy trade-off compared to binary neural networks. However, until now, they have required specialized accelerators to realize their efficiency potential, which has hindered widespread adoption. To address this, we present xTern, a lightweight extension of the RISC-V instruction set architecture (ISA) targeted at accelerating TNN inference on general-purpose cores. To complement the ISA extension, we developed a set of optimized kernels leveraging xTern, achieving 67% higher throughput than their 2-bit equivalents. Power consumption is only marginally increased by 5.2%, resulting in an energy efficiency improvement by 57.1%. We demonstrate that the proposed xTern extension, integrated into an octa-core compute cluster, incurs a minimal silicon area overhead of 0.9% with no impact on timing. In end-to-end benchmarks, we demonstrate that xTern enables the deployment of TNNs achieving up to 1.6 percentage points higher CIFAR-10 classification accuracy than 2-bit networks at equal inference latency. Our results show that xTern enables RISC-V-based ultra-low-power edge AI platforms to benefit from the efficiency potential of TNNs.”

Find the technical paper here. Published May 2024.

Rutishauser, Georg, Joan Mihali, Moritz Scherer, and Luca Benini. “xTern: Energy-Efficient Ternary Neural Network Inference on RISC-V-Based Edge Systems.” arXiv preprint arXiv:2405.19065 (2024).

The post Efficient TNN Inference on RISC-V Processing Cores With Minimal HW Overhead appeared first on Semiconductor Engineering.

A technical paper titled “Chiplets on Wheels: Review Paper on Holistic Chiplet Solutions for Autonomous Vehicles” was published by researchers at the Indian Institute of Technology, Madras.

Abstract
“On the advent of the slow death of Moore’s law, the silicon industry is moving towards a new era of chiplets. The automotive industry is experiencing a profound transformation towards software-defined vehicles, fueled by the surging demand for automotive compute chips, expected to reach 20-22 billion by 2030. High-performance compute (HPC) chips become instrumental in meeting the soaring demand for computational power. Various strategies, including centralized electrical and electronic architecture and the innovative Chiplet Systems, are under exploration. The latter, breaking down System-on-Chips (SoCs) into functional units, offers unparalleled customization and integration possibilities. The research accentuates the crucial open Chiplet ecosystem, fostering collaboration and enhancing supply chain resilience. In this paper, we address the unique challenges that arise when attempting to leverage chiplet-based architecture to design a holistic silicon solution for the automotive industry. We propose a throughput-oriented micro-architecture for ADAS and infotainment systems alongside a novel methodology to evaluate chiplet architectures. Further, we develop in-house simulation tools leveraging the gem5 framework to simulate latency and throughput. Finally, we perform an extensive design of thermally-aware chiplet placement and develop a micro-fluids-based cooling design.”

Find the technical paper here. Published May 2024.

Narashiman, Swathi, Divyaratna Joshi, Deepak Sridhar, Harish Rajesh, Sanjay Sattva, and Varun Manjunath. “Chiplets on Wheels: Review Paper on Holistic Chiplet Solutions for Autonomous Vehicles.” arXiv preprint arXiv:2406.00182 (2024).

The post Adoption of Chiplet Technology in the Automotive Industry appeared first on Semiconductor Engineering.

One of the big challenges for IC test is making sense of mountains of data, a direct result of more features being packed onto a single die, or multiple chiplets being assembled into an advanced package. Collecting all that data through various agents and building models on the tester no longer makes sense for a couple reasons — there is too much data, and there are multiple customers using the same equipment. Steve Zamek, director of product management at PDF Solutions, and Eli Roth, product manager at Teradyne, explain how to optimize testing around different data sources, how to partition that data between the edge and the cloud, and how to ensure it remains secure.

The post Making Adaptive Test Work Better appeared first on Semiconductor Engineering.

Back in March, I wrote up an article here that looked at how a proxy circuit could be used to measure variations in circuit performance as conditions changed in the operating environment. There were a couple of recent presentations on margin sensors at two of the big EDA vendors’ customer engineering forums that we’ll look at as well as another product with an upcoming presentation at DAC. Margin sensors have applications for silicon health and performance monitoring for SoCs, characterization, yield, reliability, safety, power, and performance. How they are configured, though, determines their best suited tasks.

The first presentation was given at Synopsys’ SNUG Silicon Valley on March 20, 2024, titled “Diagnosis of Timing Margin on Silicon with PMM (Path Margin Monitor)”, by Gurnrack Moon, Principal Engineer at Samsung. One of the key aspects of the PMM that Samsung appreciated was the closer correlation between the PMM and the actual paths versus, say, using a Ring Oscillator approach.

Fig. 1: Synopsys Path Margin Monitor diagram. (Source: Synopsys)

My previous article described how the “Monitor Logic” portion of the PMM diagram shown above in figure 1 would conceptually work. Taps taken along the synthetic circuit of buffers could be compared to see how far the signal made it down the path and thus determine how much margin is available. A strength of this approach is that it allows one PMM to be used on multiple paths. It does have a disadvantage, though, of introducing additional control overhead and adding additional delay components in to the monitor path.

The PMMs on the chip are connected in a daisy-chain fashion which reduces the number of signals needed to send information from the PMMs to the Path Margin Monitor Controller. This also reduces the number of signals for communication. This setup efficiently uses chip area to provide information about the state of the silicon. Typically, one might expect this type of capability to be exercised in a “diagnostic” mode where data would be captured, analyzed, and then used to determine appropriate voltage and frequency settings as opposed to a more dynamic or adaptive approach.

Samsung appreciated being able to “determine if there are problems or what is different from what is designed, and what needs to be improved. In addition, PMM data fed to the Synopsys Silicon.da analytics platform provides rich analytics, shortening the debug/analysis time.” This was used on production silicon. Synopsys also has other blog articles here and here for the interested reader.

The second presentation was given at CadenceLIVE Silicon Valley, April 17, 2024, titled “Challenges in Datacenters: Search for Advanced Power Management Mechanisms”, and presented by Ziv Paz, Vice President of Business Development at proteanTecs. His presentation focused on proteanTecs’ Margin Agents and noted how these sensors were sensitive to process, aging, workload stress, latent defects, operating conditions, DC IR drops, and local Vdroops.

Fig. 2: Reducing voltage while staying within margin. (Source: proteanTecs, CadenceLIVE)

Figure 2 shows how designers must handle “worst-case” scenarios and often do so by creating enough margin to operate under those conditions. In the diagram shown here, that margin shows up as a higher operating V_DD. If the normal operating mode is 650mV with an allowance for a -10% change in V_DD then the design is implemented to run at 585mV (90% * 650mV). Most of the time though, the circuitry will operate properly below 650mV so that running at 650mV is just wasting energy.

proteanTecs then presented a case study that was designed using TSMC’s 5nm technology. The chip incorporated 448 margin agents consisting of buffers with a unit delay of 7ps.

Fig. 3: Example margin agents and corresponding voltage. (Source: proteanTecs, CadenceLIVE)

Figure 3 above shows the margin agents (all 448) on the left side with the thicker black line showing the worst case for all 448. The right side shows the voltage. It also demonstrates that when the threshold is lowered the voltage will now drop to 614mV and the design continues to operate properly.

Fig. 4: Example margin agents with droop and corresponding voltage. (Source: proteanTecs, CadenceLIVE)

Figure 4 shows that as the voltage on the right drops that the worst-case margin agent values also drop and once they cross the yellow(-ish) line the voltage is signaled to return to the pre-AVS voltage of 650mV. The margin agent values then improve and the AVS voltage of 614mV will kick back in. By reacting when the margin agents cross the yellow line, it allows time for the voltage to increase and adjust before the voltage hits the red (585mV) line, thus always keeping it in the proper operating zone.

For this case, proteanTecs saw a 10.77% power saving and said that they’ve typically seen savings in the 9%-14% range. For this data center-oriented customer, this was important because of a limited power budget per rack, cooling limitations, carbon neutrality requirements (PUE), and a high CAPEX. Other benefits are a higher MTTF, lower maintenance costs, and a prolonged system lifetime. proteanTecs claimed a minimal impact on area and that currently most of their designs are in 7nm, 5nm, and below.

The third vendor announced their Aeonic Insight product line including a droop detector on November 14, 2023. Movellus’ Michael Durr, Director of Application Engineering is scheduled to give a talk at DAC on Wednesday, June 26, 2024, titled “Droop! There it is!” Movellus has been long known for their digital clock generation IP and, as one might guess, their design uses a synthetic circuit for detecting changes in the operating environment. Leveraging their clock generation expertise, they are initially targeting an adaptive frequency (or clock) scaling (AFS) approach that also leverages their digital clock generation IP.

The post Margin Sensors In The Wild appeared first on Semiconductor Engineering.

New technical papers added to Semiconductor Engineering’s library this week.

More Reading
Technical Paper Library home

The post Chip Industry Technical Paper Roundup: June 10 appeared first on Semiconductor Engineering.

Rapidus and IBM are jointly developing mass production capabilities for chiplet-based advanced packages. The collaboration builds on an existing agreement to develop 2nm process technology.

Vanguard and NXP will jointly establish VisionPower Semiconductor Manufacturing Company (VSMC) in Singapore to build a $7.8 billion, 12-inch wafer plant. This is part of a global supply chain shift “Out of China, Out of Taiwan,” according to TrendForce.

Alphawave joined forces with Arm to develop an advanced chiplet based on Arm’s Neoverse Compute Subystems for AI/ML. The chiplet contains the Neoverse N3 CPU core cluster and Arm Coherent Mesh Network, and will be targeted at HPC in data centers, AI/ML applications, and 5G/6G infrastructure.

ElevATE Semiconductor and GlobalFoundries will partner for high-voltage chips to be produced at GF’s facility in Essex Junction, Vermont, which GF bought from IBM. The chips are essential for semiconductor testing equipment, aerospace, and defense systems.

NVIDIA, OpenAI, and Microsoft are under investigation by the U.S. Federal Trade Commission and Justice Department for violation of antitrust laws in the generative AI industry, according to the New York Times.

Quick links to more news:

Market Reports
Global
In-Depth
Education and Training
Security
Product News
Research
Events and Further Reading

Global

Apollo Global Management will invest $11 billion in Intel’s Fab 34 in Ireland, thereby acquiring a 49% stake in Intel’s Irish manufacturing operations.

imec and ASML opened their jointly run High-NA EUV Lithography Lab in Veldhoven, the Netherlands. The lab will be used to prepare  the next-generation litho for high-volume manufacturing, expected to begin in 2025 or 2026.

Expedera opened a new semiconductor IP design center in India. The location, the sixth of its kind for the company, is aimed at helping to make up for a shortfall in trained technicians, researchers, and engineers in the semiconductor sector.

Foxconn will build an advanced computing center in Taiwan with NVIDIA’s Blackwell platform at its core. The site will feature GB200 servers, which consist of 64 racks and 4,608 GPUs, and will be completed by 2026.

Intel and its 14 partner companies in Japan will use Sharp‘s LCD plants to research semiconductor production technology, a cost reduction move that should also produce income for Sharp, according to Nikkei Asia.

Japan is considering legislation to support the commercial production of advanced semiconductors, per Reuters.

Saudi Arabia aims to establish at least 50 semiconductor design companies as part of a new National Semiconductor Hub, funded with over $266 million.

Air Liquide is opening a new industrial gas production facility in Idaho, which will produce ultra-pure nitrogen and other gases for Micron’s new fab.

Microsoft will invest 33.7 billion Swedish crowns ($3.2 billion) to expand its cloud and AI infrastructure in Sweden over a two-year period, reports Bloomberg. The company also will invest $1 billion to establish a new data center in northwest Indiana.

AI data centers could consume as much as 9.1% of the electricity generated in the U.S. by 2030, according to a white paper published by the Electric Power Research Institute. That would more than double the electricity currently consumed by data centers, though EPRI notes this is a worst case scenario and advances in efficiency could be a mitigating factor.

Markets and Money

The Semiconductor Industry Association (SIA) announced global semiconductor sales increased 15.8% year-over-year in April, and the group projected a market growth of 16% in 2024. Conversely, global semiconductor equipment billings contracted 2% year-over-year to US$26.4 billion in Q1 2024, while quarter-over-quarter billings dropped 6% during the same period, according to SEMI‘s Worldwide Semiconductor Equipment Market Statistics (WWSEMS) Report.

Cadence completed its acquisition of BETA CAE Systems International, a provider of multi-domain, engineering simulation solutions.

Cisco‘s investment arm launched a $1 billion fund to aid AI startups as part of its AI innovation strategy. Nearly $200 million has already been earmarked.

The power and RF GaN markets will grow beyond US$2.45 billion and US$1.9 billion in 2029, respectively, according to Yole, which is offering a webinar on the topic.

The micro LED chip market is predicted to reach $580 million by 2028, driven by head-mounted devices and automotive applications, according to TrendForce. The cost of Micro LED chips may eventually come down due to size miniaturization.

In-Depth

Semiconductor Engineering published its Automotive, Security, and Pervasive Computing newsletter this week, featuring these top stories:

• The Uncertainty Of Certifying AI For Automotive
• Why It’s So Hard To Secure AI Chips
• Toward A Software-Defined Hardware World

More reporting this week:

• Chip Design Digs Deeper Into AI
• Why IC Design Safety Nets Have Limits
• Opportunities Grow For GPU Acceleration

Security

Scott Best, Rambus senior director of Silicon Security Products, delivered a keynote at the Hardwear.io conference this week (below), detailing a $60 billion reverse engineering threat for hardware in just three markets — $30 billion for printer consumables, $20 billion for rechargeable batteries with some type of authentication, and $10 billion for medical devices such as sonogram probes.

Photo source: Ed Sperling/Semiconductor Engineering

wolfSSL debuted wolfHSM for automotive hardware security modules, with its cryptographic library ported to run in automotive HSMs like Infineon’s Aurix Tricore TC3XX.

Cisco integrated AMD Pensando data processing units (DPUs) with its Hypershield security architecture for defending AI-scale data centers.

OMNIVISION released an intelligent CMOS image sensor for human presence detection, infrared facial authentication, and always-on technology with a single sensing camera. And two new image sensors for industrial and consumer security surveillance cameras.

Digital Catapult announced a new cohort of companies will join Digital Security by Design’s Technology Access Program, gaining access to an Arm Morello prototype evaluation hardware kit based on Capability Hardware Enhanced RISC Instructions (CHERI), to find applications across critical UK sectors.

University of Southampton researchers used formal verification to evaluate the hardware reliability of a RISC-V ibex core in the presence of soft errors.

Several institutions published their students’ master’s and PhD work:

• Virginia Tech published a dissertation proposing sPACtre, a defense mechanism that aims to prevent Spectre control-flow attacks on existing hardware.
• Wright State University published a thesis proposing an approach that uses various machine learning models to bring an improvement in hardware Trojan identification with power signal side channel analysis
• Wright State University published a thesis examining the effect of aging on the reliability of SRAM PUFs used for secure and trusted microelectronics IC applications.
• Nanyang Technological University published a Final Year Project proposing a novel SAT-based circuit preprocessing attack based on the concept of logic cones to enhance the efficacy of SAT attacks on complex circuits like multipliers.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a number of alerts/advisories.

Education and Training

Renesas and the Indian Institute of Technology Hyderabad (IIT Hyderabad) signed a three-year MoU to collaborate on VLSI and embedded semiconductor systems, with a focus on R&D and academic interactions to advance the “Make in India” strategy.

Charlie Parker, senior machine learning engineer at Tignis, presented a talk on “Why Every Fab Should Be Using AI.”

Penn State and the National Sun Yat-Sen University (NSYSU) in Taiwan partnered to develop educational and research programs focused on semiconductors and photonics.

Rapidus and Hokkaido University partnered on education and research to enhance Japan’s scientific and technological capabilities and develop human resources for the semiconductor industry.

The University of Minnesota named Steve Koester its first “Chief Semiconductor Officer,” and launched a website devoted to semiconductor and microelectronics research and education.

The state of Michigan invested $10 million toward semiconductor workforce development.

Product News

Siemens reported breakthroughs in high-level C++ verification that will be used in conjunction with its Catapult software. Designers will be able to use formal property checking via the Catapult Formal Assert software and reachability coverage analysis through Catapult Formal CoverCheck.

Infineon released several products:

• 600 V CoolMOS 8 high voltage superjunction (SJ) MOSFET product family.
• CoolGaN bidirectional switch (BDS) and CoolGaN Smart Sense device.
• New CoolSiC MOSFET discretes 650 V, with two product families housed in the Thin-TOLL 8×8 and TOLT packages to increase system power density.

Augmental, an MIT Media Lab spinoff, released a tongue-based computer controller, dubbed the MouthPad.

NVIDIA revealed a new line of products that will form the basis of next-gen AI data centers. Along with partners ASRock Rack, ASUS, GIGABYTE, Ingrasys, and others, the NVIDIA GPUs and networking tech will offer cloud, on-premises, embedded, and edge AI systems. NVIDIA founder and CEO Jensen Huang showed off the company’s upcoming Rubin platform, which will succeed its current Blackwell platform. The new system will feature new GPUs, an Arm-based CPU and advanced networking with NVLink 6, CX9 SuperNIC and X1600 converged InfiniBand/Ethernet switch.

Intel showed off its Xeon 6 processors at Computex 2024. The company also unveiled architectural details for its Lunar Lake client computing processor, which will use 40% less SoC power, as well as a new NPU, and X2 graphic processing unit cores for gaming.

Research

imec released a roadmap for superconducting digital technology to revolutionize AI/ML.

CEA-Leti reported breakthroughs in three projects it considers key to the next generation of CMOS image sensors. The projects involved embedding AI in the CIS and stacking multiple dies to create 3D architectures.

Researchers from MIT’s Computer Science & Artificial Intelligence Laboratory (MIT-CSAIL) used a type of generative AI, known as diffusion models, to train multi-purpose robots, and designed the Grasping Neural Process for more intelligent robotic grasping.

IBM and Pasqal partnered to develop a common approach to quantum-centric supercomputing and to promote application research in chemistry and materials science.

Stanford University and Q-NEXT researchers investigated diamond to find the source of its temperamental nature when it comes to emitting quantum signals.

TU Wien researchers investigated how AI categorizes images.

In Canada:

• Simon Fraser University received funding of over $80 million from various sources to upgrade the supercomputing facility at the Cedar National Host Site.
• The Digital Research Alliance of Canada announced $10.28 million to renew the University of Victoria’s Arbutus cloud infrastructure.
• The Canadian government invested $18.4 million in quantum research at the University of Waterloo.

Events and Further Reading

Find upcoming chip industry events here, including:

Upcoming webinars are here.

Semiconductor Engineering’s latest newsletters:

Automotive, Security and Pervasive Computing
Systems and Design
Low Power-High Performance
Test, Measurement and Analytics
Manufacturing, Packaging and Materials

The post Chip Industry Week In Review appeared first on Semiconductor Engineering.

You’ve probably been hearing a lot lately about the quantum-computing threat to cryptography. If so, you probably also have a lot of questions about what this “quantum threat” is and how it will impact your cryptographic solutions. Let’s take a look at some of the most common questions about quantum computing and its impact on cryptography.

What is a quantum computer?

A quantum computer is not a very fast general-purpose supercomputer, nor can it magically operate in a massively parallel manner. Instead, it efficiently executes unique quantum algorithms. These algorithms can in theory perform certain very specific computations much more efficiently than any traditional computer could.

However, the development of a meaningful quantum computer, i.e., one that can in practice outperform a modern traditional computer, is exceptionally difficult. Quantum computing technology has been in development since the 1980s, with gradually improving operational quantum computers since the 2010s. However, even extrapolating the current state of the art into the future, and assuming an exponential improvement equivalent to Moore’s law for traditional computers, experts estimate that it will still take at least 15 to 20 years for a meaningful quantum computer to become a reality. ^{1, 2}

What is the quantum threat to cryptography?

In the 1990s, it was discovered that some quantum algorithms can impact the security of certain traditional cryptographic techniques. Two quantum algorithms have raised concern:

• Shor’s algorithm, invented in 1994 by Peter Shor, is an efficient quantum algorithm for factoring large integers, and for solving a few related number-theoretical problems. Currently, there are no known efficient-factoring algorithms for traditional computers, a fact that provides the basis of security for several classic public-key cryptographic techniques.
• Grover’s algorithm, invented in 1996 by Lov Grover, is a quantum algorithm that can search for the inverse of a generic function quadratically faster than a traditional computer can. In cryptographic terms, searching for inverses is equivalent to a brute-force attack (e.g., on an unknown secret key value). The difficulty of such attacks forms the basis of security for most symmetric cryptography primitives.

These quantum algorithms, if they can be executed on a meaningful quantum computer, will impact the security of current cryptographic techniques.

What is the impact on public-key cryptography solutions?

By far the most important and most widely used public-key primitives today are based on RSA, discrete-logarithm, or elliptic curve cryptography. When meaningful quantum computers become operational, all of these can be efficiently solved by Shor’s algorithm. This will make virtually all public-key cryptography in current use insecure.

For the affected public-key encryption and key exchange primitives, this threat is already real today. An attacker capturing and storing encrypted messages exchanged now (or in the past), could decrypt them in the future when meaningful quantum computers are operational. So, highly sensitive and/or long-term secrets communicated up to today are already at risk.

If you use the affected signing primitives in short-term commitments of less than 15 years, the problem is less urgent. However, if meaningful quantum computers become available, the value of any signature will be voided from that point. So, you shouldn’t use the affected primitives for signing long-term commitments that still need to be verifiable in 15-20 years or more. This is already an issue for some use cases, e.g., for the security of secure boot and update solutions of embedded systems with a long lifetime.

Over the last decade, the cryptographic community has designed new public-key primitives that are based on mathematical problems that cannot be solved by Shor’s algorithm (or any other known efficient algorithm, quantum or otherwise). These algorithms are generally referred to as postquantum cryptography. NIST’s announcement on a selection of these algorithms for standardization¹, after years of public scrutiny, is the latest culmination of that field-wide exercise. For protecting the firmware of embedded systems in the short term, the NSA recommends the use of existing post-quantum secure hash-based signature schemes¹².

What is the impact on my symmetric cryptography solutions?

The security level of a well-designed symmetric key primitive is equivalent to the effort needed for brute-forcing the secret key. On a traditional computer, the effort of brute-forcing a secret key is directly exponential in the key’s length. When a meaningful quantum computer can be used, Grover’s algorithm can speed up the brute-force attack quadratically. The needed effort remains exponential, though only in half of the key’s length. So, Grover’s algorithm could be said to reduce the security of any given-length algorithm by 50%.

However, there are some important things to keep in mind:

• Grover’s algorithm is an optimal brute-force strategy (quantum or otherwise),⁴so the quadratic speed-up is the worst-case security impact.
• There are strong indications that it is not possible to meaningfully parallelize the execution of Grover’s algorithm.^2,5,6,7In a traditional brute-force attack, doubling the number of computers used will cut the computation time in half. Such a scaling is not possible for Grover’s algorithm on a quantum computer, which makes its use in a brute-force attack very impractical.
• Before Grover’s algorithm can be used to perform real-world brute-force attacks on 128-bit keys, the performance of quantum computers must improve tremendously. Very modern traditional supercomputers can barely perform computations with a complexity exponential in 128/2=64 bits in a practically feasible time (several months). Based on their current state and rate of progress, it will be much, much more than 20 years before quantum computers could be at that same level ⁶.

The practical impact of quantum computers on symmetric cryptography is, for the moment, very limited. Worst-case, the security strength of currently used primitives is reduced by 50% (of their key length), but due to the limitations of Grover’s algorithm, that is an overly pessimistic assumption for the near future. Doubling the length of symmetric keys to withstand quantum brute-force attacks is a very broad blanket measure that will certainly solve the problem, but is too conservative. Today, there are no mandated requirement for quantum-hardening symmetric-key cryptography, and 128-bit security strength primitives like AES-128 or SHA-256 are considered safe to use now. For the long-term, moving from 128-bit to 256-bit security strength algorithms is guaranteed to solve any foreseeable issues. ¹²

Is there an impact on information-theoretical security?

Information-theoretically secure methods (also called unconditional or perfect security) are algorithmic techniques for which security claims are mathematically proven. Some important information-theoretically secure constructions and primitives include the Vernam cipher, Shamir’s secret sharing, quantum key distribution⁸ (not to be confused with post-quantum cryptography), entropy sources and physical unclonable functions (PUFs), and fuzzy commitment schemes⁹.

Because an information-theoretical proof demonstrates that an adversary does not have sufficient information to break the security claim, regardless of its computing power – quantum or otherwise – information-theoretically secure constructions are not impacted by the quantum threat.

PUFs: An antidote for post-quantum security uncertainty

SRAM PUFs

The core technology underpinning all Synopsys products is an SRAM PUF. Like other PUFs, an SRAM PUF generates device-unique responses that stem from unpredictable variations originating in the production process of silicon chips. The operation of an SRAM PUF is based on a conventional SRAM circuit readily available in virtually all digital chips.

Based on years of continuous measurements and analysis, Synopsys has developed stochastic models that describe the behavior of its SRAM PUFs very accurately¹⁰. Using these models, we can determine tight bounds on the unpredictability of SRAM PUFs. These unpredictability bounds are expressed in terms of entropy, and are fundamental in nature, and cannot be overcome by any amount of computation, quantum or otherwise.

Synopsys PUF IP

Synopsys PUF IP is a security solution based on SRAM PUF technology. The central component of Synopsys PUF IP is a fuzzy commitment scheme⁹ that protects a root key with an SRAM PUF response and produces public helper data. It is information-theoretically proven that the helper data discloses zero information on the root key, so the fact that the helper data is public has no impact on the root key’s security.

Fig. 1: High-level architecture of Synopsys PUF IP.

This no-leakage proof – kept intact over years of field deployment on hundreds of millions of devices – relies on the PUF employed by the system to be an entropy source, as expressed by its stochastic model. Synopsys PUF IP uses its entropy source to initialize its root key for the very first time, which is subsequently protected by the fuzzy commitment scheme.

In addition to the fuzzy commitment scheme and the entropy source, Synopsys PUF IP also implements cryptographic operations based on certified standard-compliant constructions making use of standard symmetric crypto primitives, particularly AES and SHA-256¹¹. These operations include:

• a key derivation function (KDF) that uses the root key protected by the fuzzy commitment scheme as a key derivation key.
• a deterministic random bit generator (DRBG) that is initially seeded by a high-entropy seed coming from the entropy source.
• key wrapping functionality, essentially a form of authenticated encryption, for the protection of externally provided application keys using a key-wrapping key derived from the root key protected by the fuzzy commitment scheme.

Conclusion

The security architecture of Synopsys PUF IP is based on information-theoretically secure components for the generation and protection of a root key, and on established symmetric cryptography for other cryptographic functions. Information-theoretically secure constructions are impervious to quantum attacks. The impact of the quantum threat on symmetric cryptography is very limited and does not require any remediation now or in the foreseeable future. Importantly, Synopsys PUF IP does not deploy any quantum-vulnerable public-key cryptographic primitives.

All variants of Synopsys PUF IP are quantum-secure and in accordance with recommended post-quantum guidelines. The use of the 256-bit security strength variant of Synopsys PUF IP will offer strong quantum resistance, even in a distant future, but also the 128-bit variant is considered perfectly safe to use now and in the foreseeable time to come.

References

1. “Report on Post-Quantum Cryptography”, NIST Information Technology Laboratory, NISTIR 8105, April 2016,
2. “2021 Quantum Threat Timeline Report”, Global Risk Institute (GRI), M. Mosca and M. Piani, January, 2022,
3. “PQC Standardization Process: Announcing Four Candidates to be Standardized, Plus Fourth Round Candidates”, NIST Information Technology Laboratory, July 5, 2022,
4. “Grover’s quantum searching algorithm is optimal”, C. Zalka, Phys. Rev. A 60, 2746, October 1, 1999, https://journals.aps.org/pra/abstract/10.1103/PhysRevA.60.2746
5. “Reassessing Grover’s Algorithm”, S. Fluhrer, IACR ePrint 2017/811,
6. “NIST’s pleasant post-quantum surprise”, Bas Westerbaan, CloudFlare, July 8, 2022,
7. “Post-Quantum Cryptography – FAQs: To protect against the threat of quantum computers, should we double the key length for AES now? (added 11/18/18)”, NIST Information Technology Laboratory,
8. “Quantum cryptography: Public key distribution and coin tossing”, C. H. Bennett and G. Brassard, Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, December, 1984,
9. “A fuzzy commitment scheme”, A. Juels and M. Wattenberg, Proceedings of the 6th ACM conference on Computer and Communications Security, November, 1999,
10. “An Accurate Probabilistic Reliability Model for Silicon PUFs”, R. Maes, Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems, 2013,
11. NIST Information Technology Laboratory, Cryptographic Algorithm Validation Program CAVP, validation #A2516, https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?validation=35127
12. “Announcing the Commercial National Security Algorithm Suite 2.0”, National Security Agency, Cybersecurity Advisory https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF

The post Addressing Quantum Computing Threats With SRAM PUFs appeared first on Semiconductor Engineering.

As systems-on-chips (SoCs) become increasingly complex, security functions must grow accordingly to protect the semiconductor devices themselves and the sensitive information residing on or passing through them. While a Root of Trust security solution built into the SoCs can protect the chip and data resident therein (data at rest), many other threats exist which target interception, theft or tampering with the valuable information in off-chip memory (data in use).

Many isolation technologies exist for memory protection, however, with the discovery of the Meltdown and Spectre vulnerabilities in 2018, and attacks like row hammer targeting DRAM, security architects realize there are practical threats that can bypass these isolation technologies.

One of the techniques to prevent data being accessed across different guests/domains/zones/realms is memory encryption. With memory encryption in place, even if any of the isolation techniques have been compromised, the data being accessed is still protected by cryptography. To ensure the confidentiality of data, each user has their own protected key. Memory encryption can also prevent physical attacks like hardware bus probing on the DRAM bus interface. It can also prevent tampering with control plane information like the MPU/MMU control bits in DRAM and prevent the unauthorized movement of protected data within the DRAM.

Memory encryption technology must ensure confidentiality of the data. If a “lightweight” algorithm is used, there are no guarantees the data will be protected from mathematic cryptanalysts given that the amount of data used in memory encryption is typically huge. Well known, proven algorithms are either the NIST approved AES or OSCAA approved SM4 algorithms.

The recommended key length is also an important aspect defining the security strength. AES offers 128, 192 or 256-bit security, and SM4 offers 128-bit security. Advanced memory encryption technologies also involve integrity and protocol level anti-replay techniques for high-end use-cases. Proven hash algorithms like SHA-2, SHA-3, SM3 or (AES-)GHASH can be used for integrity protection purposes.

Once one or more of the cipher algorithms are selected, the choice of secure modes of operation must be made. Block Cipher algorithms need to be used in certain specific modes to encrypt bulk data larger than a single block of just 128 bits.

XTS mode, which stands for “XEX (Xor-Encrypt-Xor) with tweak and CTS (Cipher Text Stealing)” mode has been widely adopted for disk encryption. CTS is a clever technique which ensures the number of bytes in the encrypted payload is the same as the number of bytes in the plaintext payload. This is particularly important in storage to ensure the encrypted payload can fit in the same location as would the unencrypted version.

XTS/XEX uses two keys, one key for block encryption, and another key to process a “tweak.” The tweak ensures every block of memory is encrypted differently. Any changes in the plaintext result in a complete change of the ciphertext, preventing an attacker from obtaining any information about the plaintext.

While memory encryption is a critical aspect of security, there are many challenges to designing and implementing a secure memory encryption solution. Rambus is a leading provider of both memory and security technologies and understands the challenges from both the memory and security viewpoints. Rambus provides state-of-the-art Inline Memory Encryption (IME) IP that enables chip designers to build high-performance, secure, and scalable memory encryption solutions.

Additional information:

• Rambus Inline Memory Encryption Engines
• Inline Memory Encryption (IME) to Enable Confidential Computing for Data Center Designs

The post The Importance Of Memory Encryption For Protecting Data In Use appeared first on Semiconductor Engineering.