The chip is connected to the host through an SPI interface. After we get a physical chip into our hands we will go more in depth about the possible attacks and behavior of the interface.
Communication with the chip
One of the main features of TROPIC01 is the choice of ECC cryptography instead of supporting legacy RSA (why you should not be using RSA keys today, I explained last time at BoF Hackathon). TROPIC01 supports two ECC curves, P-256 (EcDSA) and Ed25519 (EdDSA).
I would like to take a closer look at the actual security level provided by the TROPIC01 specific implementation. The theoretical strength of Ed25519 and P-256 is 128 bit security level. So far we are not aware of any known successful mathematical attack on the algorithm itself. Ed25519 achieves EUF-CMA and Ed25519-IETF achieves SUF-CMA (6),(7). At the moment we can assume it is safe for classical computing.
However since 2017 there have been several papers(3),(4),(5) on attacking Ed25519 which mostly exploit physical side-channel or pseudo-random-number generators. In other words, they are attacks on specific implementations of the algorithms, not general attacks on the algorithms themselves. Luckily the TROPIC01 chip, based on its specifications, should be resistant to these sorts of attacks.
The TROPIC01 chip features two NIST800-90b, AIS31 compliant true random number generators to ensure a quality source of entropy. PUF capability protects against reusing information gained from the physical attacks on one TROPIC01 chip to compromise another TROPIC01 chip. Every TROPIC01 therefore has different memory scrambling. I am only focusing on countermeasures relevant for Ed25519 and ECC cryptography. A complete list of features is provided at https://tropicsquare.com/product website.
Let’s review the software side of things.
Although the Ed25519 cipher is safe, there are other factors allowing the successful attack such as quality of software libraries. For reference there is a list of curated libraries which are suffering from faulty implementation of EdDSA signing function. They allow the attacker to pass different public keys to the signing function which helps to reveal the private key. Luckily the Trezor library used in libtropic has already received a fix(9) and it is safe but we found that the Chip simulator in Tropic SDK wasn’t. Tropic Square had in the meanwhile fixed the problem in the Chip simulator based on our recommendation.
Ed25519 Security
All Tropic chips are, at manufacturing time, equipped with an X509 certificate to prove they are genuine.
Id,Chip serial,Timestamp,Admin Key
1,1234567890,12345,5a80062cfbbf9b75975a85879932a8db92f8d62d21250f222f9c014f0a7e9a6d3597d9225a10e4a3d257e03ab1f5f1a7dffdcc9c5196b30cba985f72956502af
2,1234567891,12346,9867e79f51add4da506f52f2c19b310e2549eee10203ffee84b1167f3aff5535f858d8215f499497b1b44f6fac9417f92887f27f493aeeb381a80c484c6baf76
3,1234567892,12347,4509efe08515c00dc8180bde1b90d9079780ed73579fbf1088f9e8a56298d2829c3fb50a3fadfaf2eca61d49a3bd21efc6f51b0e3968033d93f5ac2d40a833c0
4,1234567893,12348,660e0a3d43b0f1806cc772455947556f7783984e8716adb6f79570502b0662c116599884698c06f964bf3f4f840a5e7024dd38544ad3ab4e6c9485aa800b9d46
5,1234567894,12349,7fa363e2f24ed4d3140697f1f110ae8475da71bf30d0650c8ead60ad763ec21ad2477280eed5d38bc71bc961ea50a0a329d4cf45e46871f68a17e6a72d210bf4
The output is:
import hmac
import datetime as dt
masterkey = 9876543210
serial = 1234567890
nonce = 12345
print("Id,Chip serial,Timestamp,Admin Key")
for i in range(1,6):
chipserial = hex(serial).encode('utf-8')
session_nonce = hex(nonce).encode('utf-8')
key = bytes(chipserial+session_nonce)
adminkey = hmac.new(key, digestmod='sha512')
adminkey.update(hex(masterkey).encode('utf-8'))
print(f"{i},{serial},{nonce},{adminkey.hexdigest()}")
serial = serial + 1
nonce = nonce + 1
Here is a small Python snippet to generate admin seeds(1):

TROPIC01 offers a well thought out ownership and permission scheme.
If we are entrusting our secrets to a secure element, one shall be sure we are only one with access. This is perfectly fulfilled by multiple pairing key slots which are assigned specific privileges at the time of ownership transfer.
At production time, Tropic Square generates an X25519 keypair. The public key is saved to pairing key slot 0 of TROPIC01 and the customer receives a private key to access the chip.Following this scheme(1) we suggest generating an “admin” key per chip (for example using a hashing function not known to the attacker) to transfer the ownership and set the initial configuration. Such an admin key can be easily reconstructed by the owner to change the configuration if necessary and at the same time it is preventing global security breach if one admin key is leaked.
In our example we generate the key as shown on the schema below.
Root of Trust
As we can see on the schema there are few interesting sections such as upgradable ECC Engine, two Truly Random Number Generators (TRNGs), Physically Unclonable Function (PUF), and anti-tamper functionality. The SDK supplied by Tropic Square consists of two parts, a libtropic library and a chip simulator written in Python.

The TROPIC01 Secure Element caught our attention last year at the Embedded World Exhibition in Nuremberg.
We like Elliptic Curve Cryptography (ECC) due to its simplicity, speed and small keys.
We also like open source.
The TROPIC01 chip combines both these characteristics along with some nice protection mechanisms on a hardware level. As we regularly work on security related projects, we decided it would be a good idea to give this chip a try.
The nice people at Tropic Square were kind enough to supply us a preliminary version of their Software Development Kit (SDK) with chip simulator and also promised a physical chip as soon as it is available. (Stay tuned for the second installment of this review featuring real hardware).
I will start with a basic overview of chip capabilities and then go deeper in specific features and in the end compare it with the competitors.
Here is the block schema of TROPIC01

A Deep Dive Review
Part 1
feature | NXP EdgeLock SE050C | ST Microelectronics STSAFE A120 | Tropic Square TROPIC01 |
---|---|---|---|
ECC | ECDSA, ECDSA, ECDHE, ECDAA, ECDH | ECDSA, EdDSA, ECDH | ECDSA, EdDSA, ECDH, ISAP |
ECC Curves | NIST P-256/384/512, Brainpool P-256/384/512, Koblitz 160/256, Edwards 25519, Curve25519, Curve 448 | NIST P-256/384/512, Brainpool P-256/384/512, Edwards 25519, Curve25519 | NIST P-256, Edwards 25519 |
MAC | HMAC, GMAC, CMA | HMAC | TMAC, Keccak |
HASH | SHA-1 224/256/384/512 | SHA-2 256/384/512, SHA-3 256/384/512 | SHA256 & SHA512 |
Key Derivation | HKDF, PBKDF2, PRF (TLS-PSK), MIFARE-AES-KDF | HKDF | Planned for upcoming release of TROPIC01 FW |
AES | AES CBC/ECB/CTR/CCM/GCM 128/192/256 bit | AES CCM/GCM/ECB 128/192/256 bit | AES GCM |
TRNG | NIST SP800-90B, AIS31 | NIST SP 800-90B | 2 x NIST800-90b, AIS31 |
DRBG | NIST SP800-90A, AIS20 | Not available | Not available |
Interface | I2C, NFC | I2C | SPI |
Secure Channel | AES-128 | AES-128/256 | NOISE protocol |
Memory | 50 kB | 16 kB | 238 kB |
Memory reliability | 100 Mio write cycles / 25 years data retention | 500k erase/write cycles at 25°C / 25 years data retention | 100k erase/write cycles at 85C / 10 years retention |
Certification | CC EAL6+ (HW+JCOP), FIPS 140-2 | CC EAL5+ AVA_VAN.5 and ALC_DVS.2 | Collecting the data |
Operating Parameters | Voltage: 1.62V – 3.6V (6V Max) Operating Temperature: -40 to +105 °C | Voltage: 2.7V – 5.5V Operating Temperature: -40°C to +105°C | Voltage: 3.0V - 3.6V Operating Temperature: -20°C to 105°C |
Physical Protection | Logical and physical protection layers, including metal shielding, end-to-end encryption, memory encryption, tamper detection, protection from Power Analysis and Fault Attacks | Active shield, Monitoring of environmental parameters, Protection mechanism against fault injection, Protection against side-channel attacks | Active shield, Monitoring of environmental parameters, Protection mechanism against side-channel attacks, Glitching attacks,Laser and EM fault injections attacks, Micro-probing attacks |
Comparison Table
In our past projects we’ve had the chance to work with different secure elements and I would like to compare this experience with TROPIC01. In general, both comparison products are of high quality and well established in the market. They have their strong points and use so I want to focus mostly on relevant differences with TROPIC01.
Both NXP EdgeLock SE050C and ST Microelectronics STSAFE A120 are offering a significant amount of cryptographic functions but it also means they have larger attack surface. Their secure channel implementation differs too where NXP SE050C offers AES-128, STSAFE A120 has AES-128/256.
In contrast, the TROPIC01 is using the NOISE framework for secure channels which is in my eyes a better solution. One interesting function of NXP SE050C is the ability to communicate via NFC which opens up scenarios which other two chips can’t do.
Although the memory reliability and durability is great for both SE050C and STSAFE A120 its size is quite lacking compared to the TROPIC01. The TROPIC01 provides 238 kB which is nearly 4.5 times more than the 50 kB of SE050C. For many applications, and especially for crypto wallets, this makes quite a difference.
Comparison with other products
One of very interesting features of TROPIC01 is the possibility to upgrade the RISC-V chip firmware and its ECC implementation. In principle this means future bugs or zero day exploits can be patched by a firmware upgrade. I see even more potential for customizations by extending the current functionality as the underlying RISC-V core is capable of generic computations.
As a set of natural extensions, I would propose an expansion of ECC logic to support Schnorkell SR25519 key generation and signing. After studying the firmware, I think it should be possible. Except the obvious security improvements coming from Mike Hamburg's Decaf paper like elimination of Small-subgroup attacks.
Advantages of upgradeable firmware
I would like to talk a bit about practical experience using the TROPIC01 SDK. The provided libtropic library implements the three levels of communication with the chip.
-
Physical (L1)
-
Data Link (L2)
-
Secure Session (L3)
TROPIC01 has a unique way of establishing a secure channel using the NOISE framework. This framework takes ideas from Global Platform Secure Channel Protocol 11(10) and promises following features:
-
mutual and optional authentication
-
identity hiding
-
perfect forward secrecy
-
zero round-trip encryption
The Noise_KK1_25519_AESGCM_SHA256 handshake algorithm is closely described in the Noise Secure Channel in Open Hardware Case Study presentation by Stanislav Jerabek from Tropic Square. For the developer this means that any Level 3 communication is happening through the secure channel with perfect forward secrecy.
Structure of libtropic enables anyone with a bit of C knowledge to quickly create a new project and begin the communication with the chip (simulator). There are examples included to show how to communicate on all three layers, and there is proper documentation.
I love that Tropic Square is taking the open source spirit of their project seriously and availability of their code makes for the transparency and auditability of the whole solution.
Practical functionality of the SDK
References
All three chips are very sound options for real-world solutions. Obviously the devil is in the details and they by themselves do not guarantee the effective security of your solutions.
NXP Edgelock SE50C is a Jack-of-all trades and provides a vast amount of features from diverse crypto functions and NFC up to high-level integrations through Java-card applets and Matter support.
ST Microelectronics STSAFE A120 is focused on durability and stability. There are no surprises but that is actually a good thing.
TROPIC01 is a new kid on the block and while it may not have most features, the ones it does are well chosen, provide less attack surface, and much more memory for your secrets. That being said, this review is not over yet. We are preparing a second part where we will test an actual physical TROPIC01 chip.
Stay tuned and keep safe.