Randomness is Secure with SiFive Shield HCA

Building a secure foundation using the concept of randomness seems, on the surface, counter-intuitive.

As an aspect of entropy, randomness enables the generation of cryptographic methods to protect data, chips, and systems. By harnessing the nature of randomness as the basis of a secure system, it is possible to enhance the security of computer systems and protect vital information.

In July, SiFive introduced the SiFive Shield hardware cryptographic accelerator (HCA), as part of the improvements contained in the SiFive 20G1 release. The SiFive Shield HCA block consists of the necessary elements to accelerate cryptography to securely boot an SoC, protect communications, and restrict access to the debug interface.

I’m pleased to share with you that the SiFive HCA IP block includes a 100% digital true random number generator (TRNG) that has successfully passed a conformance evaluation against the stringent NIST SP-800-90B recommendation for entropy sources used for random bit generation.

The SiFive HCA TRNG is a fully-digital IP block that offers customization options for the entropy source, including customization of the entropy rate. SiFive’s selected independent partner, Penumbra Security, Inc. (Penumbra) is a NVLAP-accredited Cryptographic and Security Testing laboratory under the Cryptographic Module Validation Program (CMVP) at National Institute of Standards and Technology (NIST).

Happily, Penumbra asserts that SiFive’s method of customizing the entropy rate is effective, and demonstrated targeted entropy rates between 64.9% entropy and 92.4% entropy with the predicted entropy rates aligning with the actual entropy rates. Once integrated, the TRNG can be evaluated and certified against NIST SP-800-90C standard since through an additional SP-800-90A conditioning step enabled via SiFive software library that leverages the SiFive HCA hardware SHA/AES.

The SiFive HCA block can be added into SiFive RISC-V processor cores, alongside other SiFive Shield components such as SiFive WorldGuard. SiFive WorldGuard enables true multi-domain security with multiple hardware enforced domains available for securely processing data across the whole SoC, even in multi-core designs with many primary bus controllers. SiFive Shield is portable and scalable with broad process technology support to ensure consistency over time.

The SiFive 20G1 release with SiFive HCA block is available now. You can read more about the SiFive 20G1 release in our blog, here.