Creating A Modular And Versatile State-of-the-Art Cryptographic Subsystem

Tailoring security subsystems to unique application requirements.

As the demand for secure, high-performance silicon continues to grow, chipmakers are seeking cryptographic subsystems that are not only robust and efficient but also adaptable to a wide range of use cases. Whether targeting defense electronics, automotive systems, or industrial IoT, customers are looking for solutions that deliver certified, trusted, and future-proof security capabilities.

A modern cryptographic subsystem must support a broad spectrum of integration preferences. Some customers prefer a fully turnkey hardware Root of Trust, while others want the flexibility to build their own, leveraging best-in-class cryptographic accelerators. In either case, the ideal subsystem should offer modularity, configurability, and compliance with evolving security standards.

Key features that customers value include:

  • Comprehensive Cryptographic Support: A complete suite of symmetric and asymmetric algorithms is essential. This includes RSA, ECC (with support for NIST, Brainpool, and Edwards curves), SM2, and quantum-safe algorithms like ML-DSA, ML-KEM, and SLH-DSA. On the symmetric side, support for AES, SM4, ChaCha20, SHA-2, SHA-3, SHAKE, SM3, and Poly1305 ensures broad applicability.
  • Efficient Architecture: High-throughput, low-latency performance is critical. Multi-channel DMA subsystems with virtual command queues and concurrent task processing enable seamless integration into multi-host environments. Features like task prioritization, suspend/resume, and preemption enhance operational flexibility.
  • Secure Key Management: Customers expect isolated key storage, local key caches, and the ability to securely share keys across entities. These capabilities are foundational for secure multi-tenant and multi-host deployments.
  • Customizability and Side-Channel Protection: The ability to include or exclude specific algorithms based on application needs—such as TLS-focused algorithms for IoT or ISO 21434/26262 compliance for automotive—is a major advantage. Protection against side-channel and fault injection attacks is also increasingly important.
  • Certification Readiness: Compliance with standards like FIPS 140-3, SESIP/PSA Level 2 and 3, and automotive safety standards (ASIL-D, CAL4) is often a prerequisite for deployment in regulated industries.
  • Software Compatibility: Seamless integration with host-side software stacks, such as ETAS eHSM, EVITA, AUTOSAR middleware, and PSA Crypto API, ensures that hardware acceleration and secure key storage can be fully leveraged by system software.

To meet these diverse needs, Rambus developed the CryptoManager Hub—a configurable, high-performance cryptographic engine designed for integration into custom Root of Trust or Hardware Security Module (HSM) architectures. As the middle tier of the Rambus three-tier CryptoManager architecture (with the turnkey CryptoManager Root of Trust being the highest tier), the Hub delivers a powerful combination of flexibility, standards compliance, and performance, providing all the features described above. Whether used as a standalone module or as part of a broader Root of Trust solution, the CryptoManager Hub empowers design teams to tailor their security subsystems to the unique requirements of their applications.
