CrypTech Open Source Cryptography Project

By Phil Roberts - CrypTech

2019 ARIN Community Grant Program Recipient Report

Overview

The CrypTech Project has developed an open-source hardware cryptographic engine design to meet the needs of high assurance Internet infrastructure systems that use cryptography. Our open-source hardware designs are aimed to be of general use to the broad Internet community, covering needs such as securing email, web, Domain Name System Security Extensions (DNSSEC), Public Key Infrastructure (PKI), etc.  The ARIN Community Grant enabled us to complete work on the latest release and design work on our next board revision.

All of our hardware designs are published publicly as open source under Berkeley Software Distribution (BSD) licensing. All of our software is published similarly. Those are available on the project wiki. The main applications are for DNSSEC and RPKI. These have been validated with all the standard open signing applications.

Project Results

We achieved a 10x improvement in public-key RSA signing speed with the refactoring of the RSA software. We have moved our open source hardware designs to KiCad and have updated the designs with a new FPGA (Field Programmable Gate Arrays)-based Master Key Memory.

This summer, the Cryptech Project announced that version 4 of our firmware and software package that runs on the Alpha board is now available.

Highlights from this release include:

  • New high speed ModExpNG core with CRT and RSA blinding factor support
  • Clock FPGA synchronously from FMC bus with multipliers, to eliminate clock domain crossing bottlenecks
  • New AES-keywrap core with direct connection to master key memory
  • AES performance improvements
  • SHA-2 timing fixes to support higher clock rates
  • Redesign EC cores, adding support for ECDH (P-256 & P-384) and Ed25519
  • Support for hash-based signatures
  • Various I/O speedups on FMC bus
  • Various fixes to Verilog synthesis placement and routing issues
  • Faster prime generation algorithm (RSA key generation)
  • API hardening and code cleanup in various Verilog and C modules
  • Profiling and timing code to see where the HSM is spending its time

Benefits to the Internet industry in the ARIN region

RSA signing remains the main use case (80 sigs/sec RSA-2048) since we have published our open source hardware and software. We have shipped devices through CrowdSupply to a number of users, and the open source design has been picked up by a few people in North America through what we have learned from these sales. We have completed the next phase of hardware design and hope to validate it through prototypes this fall. The technology could be usable by anyone doing RSA signing operations.

All of the design and code we generate are available to everyone (as open source) on our wiki. CrypTech thanks the ARIN community for its support!

POST WRITTEN BY:

Phil Roberts

CrypTech
Phil Roberts works with CrypTech, an international project creating an open source hardware and software cryptographic engine. He is also an independent consultant, providing consulting services on Internet technology and security, business development, and business management.
Any views, positions, statements or opinions of a guest blog post are those of the author alone and do not represent those of ARIN. ARIN does not guarantee the accuracy, completeness or validity of any claims or statements, nor shall ARIN be liable for any representations, omissions or errors contained in a guest blog post.