Can We Use Analog Circuits for Cryptography?

In some recent posts, we have touched on the subject of cryptography; in particular the inclusion of cryptographic engines in SoC (System on Chip) designs for smart metering. (See: SoC Is Hot for Smart Metering and Smart Grid Needs Smart Meter SoC, Part 2.) In those contexts, the focus was on integrating analog sections like analog front ends, ADCs, and signal conditioning with digital sections, including the cryptographic engine and microprocessors. The convergence of ubiquitous communication technologies with demand for industrial sensing and analysis has heightened awareness of security issues. Security now permeates discussions in traditional industrial monitoring as well as new areas like smart energy and the Internet of Things.

For example, this site's parent, UBM, devotes significant coverage to information security under the Light Reading brand, as well as the entire focus of Dark Reading. The parent company also operates conferences like the International Fire and Security Exhibition and Conference (IFSEC), which includes such far ranging categories as access control and biometrics, IP security, and intelligent buildings.

For additional background on growing needs in security for smart grid and industrial applications, see this white paper from Maxim Integrated. (Maxim is a Planet Analog site sponsor.) To quote the paper, “Cyber attacks, theft of IP, disruption to productivity — all these threats are rising in both smart grid and industrial-control systems.”

Many electronics designers are aware of security needs and encryption methods. Most designers probably view encryption as a digital problem in that it requires manipulation of numbers via the running of algorithms, and thus processing power. In most of our Internet-enabled society that is a fair view. However, there are many interesting applications that don't have a lot of computing power or memory available, such as smart credit cards.

These needs, as well as the broader need for information security, have led to some interesting concepts using analog devices as the heart of encryption/authentication systems. Some designs for analog cryptographic devices use the inherent randomness of certain attributes of a circuit array to create a Physical Unclonable Function (PUF). In an early paper in the field, scientists at MIT described various approaches to realize PUFs, which they called Physical Random Functions.

An important concept in cryptography is that of one-way random functions (see this paper by Holenstein). A one-way function is one that is easy to calculate but hard to invert. A one-way random function generates random outputs from inputs (but is reproducible). Without reviewing the plentiful literature on cryptographic primitives (see, for example, papers by Calloway, Gupta, and many others), we can appreciate that such a function might be useful to create encrypted information that was indistinguishable from random bits. In 2009, Csaba, et al. discussed using so-called Cellular Non-Linear Networks (CNNs) as PUFs.

The basic unit of the CNNs they described comprised 3 op-amps and passives. By suitable combination of these units, non-linear behavior producing pseudo-random output could be observed. This approach is also the subject of a patent application; Figure 1 is reproduced from the application showing the unit of the CNN.

Figure 1

A proposed unit cell of a Cellular Non-Linear Network. (Source: patent application EP2230793 A8)

A proposed unit cell of a Cellular Non-Linear Network.
(Source: patent application EP2230793 A8)

Analog cryptographic primitives are not foolproof, and as with code-based cryptography, it is essential that any implementation be designed to resist known attack methods. An interesting topic in cryptography has to do with side-channel attacks; a simple example is that a process that takes in a cipher-text (encrypted plain-text information of some sort) and checks if it has the proper authentication can be hacked if it always returns false faster than it returns true.

This slight non-random bias can be used to mount an attack in a feasible amount of time with finite resources. Another side-channel attack can be mounted by measuring the power consumed by a circuit used in encryption/decryption. Again, if there is any bias (i.e., if it uses more power to decrypt a valid message than to reject an invalid one), it can be hacked. It is evident that an analog chip being used as a PUF could be susceptible to some side-channel attacks. From this limited discussion you can imagine that an implementation must be done with care to avoid exposing any non-random bias.

There are other approaches to use analog circuits as PUFs. If you consider any large collection of devices in an IC, there may be certain measurable values, given a known input, which are unique to a given IC because the values of passives (resistance, capacitance, and inductance) as well as interconnect properties (effective resistances, etc.) vary randomly from chip to chip. So what might be unwanted variation in one application could be used to generate unique random functions using analog ICs.

Have you worked on any crypto-projects and made use of these properties?

Related posts:

21 comments on “Can We Use Analog Circuits for Cryptography?

  1. eafpres
    December 12, 2013

    One area this method might be particularly well suited for is private key schemes.  In those schemes, the key is a secret, and since it is indistinguishable from a randome number, the brute force attack requires at least O(2^n) trials where n is teh number of bits in the key.  Concpetually an analog circuit with millions of junctions woudl then be very hard to brute force (i.e. try all possible values from 0 to 2^n.).

  2. Netcrawl
    December 13, 2013

    @easpres goods point, @Blaine that was great! thanks for a great article, @Blaine most of today's cryptographics RFID are based on ciphers and we got some serious challenges because adversaries are making some great advances when it comes to seeking new ways in extracting crucial info and keys, side-channel attack is a serious stuff its target the physical implementation (looking for flaw)of a cipher.      

  3. Victor Lorenzo
    December 13, 2013

    @Blaine, “(…)if it has the proper authentication can be hacked if it always returns false faster than it returns true

    Not exactly that way. By itself, the resulting time for the algorithm execution is not enough for inferring the secret key. It is almost meaningless if the cypher/decypher block/function is not part of the previous knowledge about the system's security architecture.

    But it does provides extra information for improving the strategy in some other types of attacks.

  4. Victor Lorenzo
    December 13, 2013

    @eafpres: “the brute force attack requires at least O(2^n) trials where n is teh number of bits in the key “. Depending on the (de)cyphering algorithm some key bits are combined with others or simply ignored (like in DES). That reduces the key values space and is generally considered a weakness. Some relatively new cryptographic algorithms effectively address that issue.

  5. Victor Lorenzo
    December 13, 2013

    @Netcrawl, “most of today's cryptographics RFID are based on ciphers

    Some Cryptographic RFIDs (like TI's) are being reported cracked down from 2005 (or even earlier in some other cases). Some tag security schemes were broken due to the fact that they were not using robust cipher/decipher algorithms, some others for using unidirectional ciphered/MACed messages (without using mutual three pass authentication for generating a session key), some because of the usage of non true random generators for generating the challenges and some others by using some side channel attacks like DPA in the case of the DESFire D40.

  6. eafpres
    December 13, 2013

    Hi Victor–thanks for all your comments.  I think over time it will become required in many engineering curriculae to have at least introductory cryptography.  As more and more things are connected somewhere, and much over internet, security issues keep growing.

    In my remarks I admit I was being simplistic; my point is that side channel attacks result from introducing some non-random bias that is detectable; once an attacker has that, they gain “advantage” (in the language of crypto) meaning that there is some path of discovery that is easier or less computationally intensive than a brute force attack.  The particular details are sometimes quite amazing; there are some very, very smart bad guys out there.

    My overall message is that there could be routes in the future using analog cryptography that are better for certain steps of a secure process, whether that is AES or some future scheme.  The main goal is around finding a function which is as indistinguishable from random as possible.  This is where prime factorization and elliptic curves come in.  If you can do it with just a measurement of a chip, for certain applications that has merit.

  7. Victor Lorenzo
    December 14, 2013

    Hi Blane, I agree with you in that “The main goal is around finding a function which is as indistinguishable from random as possible “. Something that is currently in use and adds strength to overall system security is using variable secret keys, keys that change on every block cipher run, this adds another level of entropy to resulting ciphered text. This way the resulting ciphered texts for two (consecutive or not) cipher runs on the same plain-text message produce two different results.

  8. Victor Lorenzo
    December 14, 2013

    @Blane, I also agree with you on that “As more and more things are connected somewhere, and much over internet, security issues keep growing “. We've seen several studies regarding security in in-car networks. It's scaring to see how easy it is to make the car controls do really crazy and dangerous things. And part of it's root cause resides in that, perhaps, the designers did not pay enough attention to security vulnerabilities in their code/implementations and possible attacks.

    Thanks for the post!

  9. eafpres
    December 14, 2013

    @Victor–related to your point about car network security, I won't be installing a front door lock that can be opened by my smartphone and is connected to the WiFi for exactly these reasons.  The maturity of the industry pushing hard for IoT is not sufficient, in my opinion, in many cases.  The do it yourself (DIY) products being sold at the consumer level I expect will be shown at risk in the future.

  10. etnapowers
    December 16, 2013

    @Blaine, good point: the presence of a  front door lock that can be opened by a smartphone could be utilized by the  thieves to intercept the signal if a proper level of security is not guaranteed. 

  11. etnapowers
    December 16, 2013

    At big companies the theft of IP is a big issue according to me. A special dedicated security software, useful to the protection of the internal database containing the IP both from inside the company and from outside is absolutely required. A identification of the user that are reading , downloading or modifying an IP would help to enhance the security.

  12. eafpres
    December 16, 2013

    @etnapowers–and for those who think cell phone communication is more secure than, say, WiFi, read this article:


    NSA cracks commonly used cell phone security


  13. Victor Lorenzo
    December 16, 2013

    @etnapowers, “the presence of a  front door lock that can be opened by a smartphone could be utilized by the  thieves to intercept the signal if a proper level of security is not guaranteed

    I agree with you on that.

    Depending on the air interface used for the key/lock communication it will make it more easier, or more difficult ;), for the attacker to compromise the access security. If the RF field is confined to a few centimeters (at most 3-to-7cm) it will be very difficult to sniff into the communication at a distant point.

    It is not too difficult to create a very strong multi-pass authentication/encryption application for securing the door lock using the Android phone NFC APIs as the key, an NFC reader chip (TRF7970A) and some solenoide driver.

  14. Victor Lorenzo
    December 16, 2013

    @eafpres, “NSA cracks commonly used cell phone security

    Perhaps not only NSA, there has been 'some' activity on breaking the GSM security protocols:

  15. etnapowers
    December 18, 2013

    Hi Blaine, I think that the National Security Agency will use this only for security purpose, and this is good, thank you for your link, it's really interesting, in particular I want to report a sentence of this article:

    “The agency's ability to crack encryption used by the majority of cellphones in the world offers it wide-ranging powers to listen in on private conversations.”


  16. etnapowers
    December 18, 2013

    @Victor: I agree with you on your sentence: “If the RF field is confined to a few centimeters (at most 3-to-7cm) it will be very difficult to sniff into the communication at a distant point.”

    That's right to me, but some white noise generator utilized to interfer with the signal could be used despite of it is generated in a quite distant point.

    The application NFC based sounds very interesting, is there any link available that deals such an application?


  17. Victor Lorenzo
    December 18, 2013

    @etnapowers, “(…)is there any link available that deals such an application?

    The information is a little bit disperse as it covers many aspects.

    In TI's e2e forum ( several threads cover the topics about card emulation (CE) using TI's TRF7970A NFC reader chip, some posts include archives with sample CE code.

    You might want to take a look at TRF7970A's support page, specially to the Design Kits and Evaluation Modules section and the NFCLINK firmware in the Software section. I used the sample code and sample SPI captures provided by one TI engineer only as reference as in our case we developed our own hardware with a more powerfull CPU.

    There's a book named “Protocols for authentication and key establishment” that lists a number of protocols for implementing the two way authentication as well as the session key derivation, but for one conceptually simple two way authentication procedure implementation you could take a look at the MIFARE DESFire authentication protocol.

  18. eafpres
    December 18, 2013

    Hi Victor–your point is quite valid.  I have heard of ones using the home WiFi to allow the owner to control the lock while away via the internet.  That gives me worries 2x over–hacking the communication over the internet and gaining the accss information for the door lock, and/or hacking the WiFi router which is relatively easy in many cases.

    On the other hand the RFID type solution is very solid and has been used in industrial buildings etc., but it is not straightforward to take that and provide internet access without opening up again.  

    So my point was really about the IoT concept where everything has an IP address; the other more localized technologies are quite mature.

  19. etnapowers
    December 19, 2013

    @Victor: thank you very much for the details that you provided, I have read in the TRF7970A's support page  that the Analog front end supports the Near Field Communication (NFC) Standards NFCIP-1 (ISO/IEC 18092) and NFCIP 2 (ISO/IEC 21481).

    It's very interesting to me.

  20. Victor Lorenzo
    December 19, 2013

    You're wellcome, @etnapowers.

  21. Navelpluis
    December 20, 2013

    For all engineers new on the cryptology topic: It is wise to know and respect the old stuff first, the same as with measuring equipment 😉

    Look here:

    I am sure a couple of folks around here will have a great X-mas due to these pages 😉

    Have fun,



Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.