Security IP | CryptoCell-700 family

Getting Started

The Arm CryptoCell-700 family is an embedded security platform for high performance SoCs. It offers a deep level of security for mobile, DTV and STB. It enables secure machine learning solutions such as face ID and object detection. The CryptoCell-700 family can protect against a broad set of threats (including ones involving physical tampering with the device) while, at the same time, addressing the challenging requirements for increased system complexity, high performance, low power consumption and small footprint.

The multi-layered hardware and middleware architecture combines hardware accelerators, root-of-trust control hardware with a rich layer of security middleware and software tools for the IC and device production process.

The CryptoCell-700 family takes cryptographic instructions from the System Control Processor (SCP) during boot, or from software applications – either trusted (running within the TEE) or normal - running on the main application processor(s). It processes the data and puts the results back into system or internal memory.

Specifications

	CryptoCell-712	CryptoCell-703	CryptoCell-713
Platform security services (Secure Boot, Secure debug, etc.)
FIPS 140-2 certifiable symmetric crypto (AES, DES, SHA)
FIPS 140-2 certifiable asymmetric crypto (RSA, ECDSA, DH, ECDH)
GM/T 0028-2014 certifiable crypto (SM2, SM3, SM4)
Optional side channel attack countermeasures

Arm TrustZone CryptoCell-712 FIPS 140-2 Non-Proprietary Security Policy

Start designing now

Arm Flexible Access gives you quick and easy access to this IP, relevant tools and models, and valuable support. You can evaluate and design solutions before committing to production, and only pay when you’re ready to manufacture.

Learn more

AES Engine (REE and TEE)
- Confidentiality modes: ECB, CBC, CBC-CTS, OFB and CTR
- Storage modes: ESSIV, BitLocker and XTS
- Message Authentication Codes (MAC): CBC-MAC, CMAC and XCBC-MAC
- Authenticated Encryption with Associated Data (AEAD) modes: CCM and GCM key sizes of 128, 192 and 256 bits
- Software and Hardware introduced keys
- Fast (20 SBOXes) core
DES/TDES Engine (REE and TEE)
- DES: ECB and CBC modes
- TDES: EDE and DED modes
HASH Engine (REE and TEE)
- SHA-1, SHA-256, SHA-384, SHA-512 and MD5 modes, as well as HMAC
- Automatic padding
PKA Engine (TEE Access only)
- Public-key crypto based on the Discrete Logarithm problem, the Elliptic Curve Discrete Logarithm problem, and the Integer Factorization problem.
- Supports integers in the range of 128 bits and 4K bits in size (in steps of 32 bits)
KDF (TEE Access Only)
- ASN.1 encoding (HASH based)
- KDF1 (HASH based)
- KDF2 (HASH based)
- AES-CMAC-CTR based KDF

Security Lifecycle

Enforcement of different security policies based on the affiliation of the SoC to “real world” entities (e.g.: Chip Manufacturer, OEM, etc.)
Roots of Trust Management
Exclusive management of on-die Non-Volatile Memory, where the following items are stored:
- A Device unique Secret Key
- A Provisioning renewability secret
- A Signature of the Public code distribution Key
- Indexes of the minimal Trusted and non-trusted SW versions
- A Code-decryption key
Secure Code Loading

Code trustworthiness achieved by authenticity and integrity checks (certificates based) ran on the loaded software images.
Secure Debug

Debug trustworthiness achieved by authenticity checks of the debugging entity.
Random Number Generator
A Random Number Generator comprised of a:
- True Random Number Generator, providing some assured level of entropy (analyzed by Entropy Estimation logic).
- Deterministic Random Bit Generator (DRBG) ‘seeded’ by the TRNG.
Secure Timer

A permanently powered hardware timer that provides the system the elapsed time in msec granularity.
Secure Provisioning

Secure the delivery of sensitive assets even when communicated over "hostile" environment (can be untrusted production/assembly floor or even the internet).
RPMB Key Management

Per-Boot RPMB key derivation by a deterministic KDF (based on the Device unique Secret Key).
FIPS 140-2
- A FIPS 140-2 compliant mode of operation (for TEE and REE)
- Certification completed: Cryptographic Module Validation Program Certificate

Code Signing Utility

OEM utility for code signing and certificate creation.
DES/TDES Engine (REE and TEE)
- DES: ECB and CBC modes
- TDES: EDE and DED modes
Code Manufacturing Utility

Silicon partner utility for population of the on-die Non-Volatile Memory assets managed by CryptoCell during Chip manufacturing.
Asset Provisioning Utility

OEM utility for wrapping sensitive assets prior to being communicated over "hostile" environment.

Community Blogs

Validating your IoT system with PSA and MDK

Learn how to validate your IoT system with PSA and MDK in this Arm tutorial. API test, timing verification, and power analysis enable secure, low-power IoT end nodes.

1 months ago by Christopher Seidl

Latest Development Studio released to support DSTREAM-HT

Arm has released the latest Development Studio update to add support for the new DSTREAM-HT high-speed serial trace probe for enhanced debugging.

1 months ago by Ronan Synnott

Configuring Armv8-M systems with CMSIS-Zone

Learn how to configure Armv8-M systems with CMSIS-Zone in this tutorial from Arm.

1 months ago by Christopher Seidl

Heterogeneous development made easy: STM32MP1 device support within Arm…

Learn about Arm development tools solutions for STM32MP1 heterogeneous devices.

2 months ago by Ronan Synnott

Faster debug with fewer pins: Introducing DSTREAM-HT serial trace (HSSTP)…

Faster debug with fewer pins. Used with Arm Development Studio, DSTREAM-HT is a high performance debug and serial trace solution for all Arm processors.

2 months ago by Ronan Synnott

Using Terraform To Deploy Arm EC2 Instances On AWS

In this post, we'll discuss using Terraform to deploy Arm EC2 instances on AWS.

2 months ago by Julio Suarez

Community Forums

Answered	Where do I find presentations and photos from SC'18?	2 votes	1375 views	0 replies	Started 9 months ago by John Linford	Answer this
Suggested answer	STM32F4 memcpy arry to structure other name addr hard-fault?	0 votes	128 views	3 replies	Latest 5 hours ago by John Morris	Answer this
Not answered	tech help support	0 votes	9 views	0 replies	Started 6 hours ago by chris1522	Answer this
Suggested answer	NVIC_EnableIRQ : enables only one interrupt at a time?	0 votes	117 views	4 replies	Latest 6 hours ago by ArmAsking	Answer this
Not answered	Connecting Custom IP with ARM CortexM1 IP from DesignStart	0 votes	4 views	0 replies	Started 7 hours ago by josina	Answer this
Answered	The boundary of stack	0 votes	138 views	4 replies	Latest 11 hours ago by Oscar Huang	Answer this

Answered	Where do I find presentations and photos from SC'18? Started 9 months ago by John Linford	0 replies 1375 views
Suggested answer	STM32F4 memcpy arry to structure other name addr hard-fault? Latest 5 hours ago by John Morris	3 replies 128 views
Not answered	tech help support Started 6 hours ago by chris1522	0 replies 9 views
Suggested answer	NVIC_EnableIRQ : enables only one interrupt at a time? Latest 6 hours ago by ArmAsking	4 replies 117 views
Not answered	Connecting Custom IP with ARM CortexM1 IP from DesignStart Started 7 hours ago by josina	0 replies 4 views
Answered	The boundary of stack Latest 11 hours ago by Oscar Huang	4 replies 138 views

	28nm HPC	16nm FFp
Frequency	400MHz	500MHz
Area	0.222mm²	0.095mm²
AES Throughput	560MB/s	700MB/s

CryptoCell-700 family

Getting Started

Specifications

Start designing now

CryptoCell-700 Performance

Crypto Acceleration

Security Resources

Get support

Arm support

Resources

Useful Information

Related Products

Want to know more about Security on Arm?

Community Blogs

Community Forums

Getting Started

Specifications

Start designing now

CryptoCell-700 Performance

Crypto Acceleration

Security Resources

Get support

Arm support

Resources

Useful Information

Related Products

Want to know more about Security on Arm?

Community Blogs

Community Forums

Stay Informed