Contact Us

FortifyIQ Security Validation & Compliance Assurance FAQ FAQ

FortifyIQ delivers cryptographic IP and software libraries, and roots of trust that are validated, documented, and can be configured to help your products meet even the highest standards of security and regulatory compliance. Using our advanced EDA tools and closely guided integration support, we ensure that the protections validated in our labs are preserved in your actual devices. This approach gives you a trusted foundation for NIST FIPS 140-3 level 4, Common Criteria up to EAL6+, and industry-specific certifications, while reducing the complexity, time, and cost of achieving compliance. Together, these validations give customers the confidence that FortifyIQ technology provides enduring security for today and tomorrow, including the post-quantum era.

How do I know FortifyIQ products are secure against advanced attacks?
FortifyIQ products are all designed to meet the highest international security standards. Our cryptographic IPs and libraries are engineered and validated for resistance against advanced attacks (AVA_VAN.5) and conform to FIPS 140-3 Level 4 assurance, the strictest level for cryptographic modules. AVA_VAN.5 represents the highest evaluation level under Common Criteria, ensuring robustness against sophisticated side-channel and fault attacks, while FIPS 140-3 Level 4 guarantees the strongest protections defined by NIST.

It’s a comprehensive framework for verifying that all FortifyIQ software libraries and hardware IPs meet the highest security and compliance requirements. We combine rigorous practical attacks, statistical leakage testing (TVLA), formal proofs in simulation, on an FPGA board, and in silicon (where applicable), and third-party lab validations to ensure resilience against side-channel (SCA) and fault-injection (FIA) attacks, as well as software-level cache attacks. All solutions are engineered to meet or exceed even NIST FIPS 140-3 level 4, Common Criteria AVA_VAN.5, and other industry standards.

Validation is performed using FortifyIQ’s advanced EDA platform, FortiEDA, which supports massive side-channel trace acquisition. Using these traces, we validate our designs through TVLA statistical assessment and by executing a full range of side-channel and fault-injection (SCA and FIA) attacks against our own implementations. We then validate on FPGA boards and, when appropriate, in silicon. Where applicable, we also employ third-party evaluations. For example, our AES algorithm was validated at the highest security level by the Common Criteria–accredited SGS Brightsight laboratory.

Examples:

  • RAMBAM AES IP Core – Validated past 1 billion TVLA traces with clear non-leakage, results published in peer-reviewed academic articles. Independently validated by SGS Brightsight, which concluded that, as a soft macro, the validation holds for any core using the RAMBAM algorithm.                         
  • STORM AES Implementation – Proven secure both with a formal proof and through practical tests; in-silicon validation. Read the security proof.
  • HMAC-SHA2 Implementations
    • TI-based version: Validated against 100 million TVLA traces. Implements the security-proven Threshold Implementation for maximum protection. Read the security proof.
    • Compact/Efficient version: Smaller and faster, with practical security demonstrated against all known attacks on HMAC-SHA2 implemented in HW.

In simple terms, if there is no leakage, there is nothing for an attacker to exploit, and side-channel attacks become impossible. More technically, our pre-silicon assessment applies the same statistical tests used by accredited evaluation labs for FIPS 140-3 and Common Criteria certification. Because the results are validated against real device measurements, a non-leaking outcome in our pre-silicon analysis demonstrates that the design should remain secure post-fabrication.

FortifyIQ solutions are designed to simplify certification and meet security standards:

  • Cryptographic algorithms: AES, HMAC-SHA2, public key cryptography, and post-quantum cryptography (PQC) implementations, all SCA/FIA resistant.
    Side-channel and fault-injection resistance: aligned with ISO/IEC 17825, FIPS 140-3 up to level 4 requirements, and Common Criteria to AVA_VAN.5
  • FortifyIQ solutions provide secure boot and cryptographic integrity verification, aligned with high-assurance standards, such as NIST, EMVCo, and automotive, ensuring tamper-resistant operation across a wide range of devices.
  • Root of Trust (RoT): provides secure key storage, lifecycle state control, secure firmware loading, anti-rollback, attestation, and certain physical tamper detection/zeroization features, meeting regulatory requirements.
  • PQC readiness in hardware and in software, fully resistant to side-channel and fault-injection attacks.

Yes. Official certification requires an accredited third-party evaluation. We provide full documentation to make this easier:

  • Our design’s security specifications: threat models, security requirements, and protection scope.
  • Validation reports: lab results for SCA/FIA and other attacks.
  • Security proofs and demonstrations: peer-reviewed research and practical evidence of non-leakage.
  • Guidance for maintaining compliance: instructions on how to integrate and operate our solutions within regulatory frameworks.
  • Formal academic publications, including two papers providing rigorous mathematical foundations of our AES protections, and additional papers detailing our EDA methodologies for evaluating resistance to side-channel and fault-injection attacks.
  • Full validation reports, including TVLA results and attack coverage
  • Trace analysis charts demonstrating clear non-leakage
  • Compliance mapping to standards (FIPS, CC, NIST, ISO)
  • Integration guidelines to preserve security properties
  • Third-party lab validation reports (e.g., SGS Brightsight) where applicable
  • Comprehensive design and development documentation supporting secure lifecycle and configuration management required for EAL4-6
  • Formal Security Target and assurance case templates
  • Traceability matrices linking requirements to design and test evidence

 

Our documentation package accelerates audits and reduces the risk and cost of certification.

 

A table is provided at the bottom of this page. These certifications provide a certified, standards-based cryptographic foundation. For example:

  • PCI DSS (payments) requires secure cryptography for cardholder data.
  • ISO 21434 (automotive) covers cybersecurity engineering practices, including cryptographic modules.
  • IEC 62304 (medical) covers secure software development, including cryptography.

FortifyIQ products cover the cryptographic and RoT components, which are usually the most technically challenging parts of compliance.

Governments, financial institutions, and critical infrastructure sectors are moving toward mandatory deployment of post-quantum cryptography (PQC) in the coming decade.

FortifyIQ provides both hardware and software PQC implementations that are fully SCA/FIA resistant, giving customers a secure foundation for future-proof compliance. 

Today, there are no regulations that mandate PQC specifically for the semiconductor design/IP sector of the industry. However, several application industries already face binding timelines:

  • Government & Defense (U.S.) – Federal agencies must follow NIST PQC standards (FIPS 203–205), with migration milestones under NSM-10 and CNSA 2.0, beginning in 2026 and extending through 2035.

  • Financial Institutions – Regulators and industry bodies (e.g., FFIEC in the U.S., ECB in Europe) are signaling PQC adoption requirements, since banking is part of critical infrastructure.

  • Critical Infrastructure & Energy (EU) – The EU PQC roadmap requires Member States to begin migration by 2026 and secure critical infrastructure with PQC by 2030.

  • Telecom & Automotive – Early draft standards already call for PQC-ready security in connected devices and networks.

FortifyIQ offers PQC-protected IP cores and assessment tools, scheduled to be ready by the end of 2025. This ensures our customers can meet upcoming mandates across these regulated sectors well before enforcement deadlines.

Our hardware portfolio includes an SCA/FIA-resistant ECC/RSA + PQC IP core and the FortifyIQ Cryptobox, which unifies SCA/FIA-protected AES, HMAC, ECC/RSA, and PQC within one architecture. These hardware IPs fully support hybrid classical + PQC schemes (ML-KEM, ML-DSA) and include integration support for secure migration and key-parameter choices. Our software libraries provide the same ECC/RSA and PQC algorithms, also with SCA/FIA resistance, for deployment on existing devices. 
AES-256 and HMAC-512 are inherently quantum-safe.

Many FortifyIQ products are certification-ready, aligning with FIPS 140-3, Common Criteria, and other relevant standards. While not all products ship with certification, they are validated and documented to enable rapid certification in customer deployments.

Customers receive:

  • Our design’s security specifications: threat models, security requirements, and protection scope.
  • Validation reports: lab results for SCA/FIA and other attacks.
  • Security proofs and demonstrations: peer-reviewed research and practical evidence of non-leakage.
  • Guidance for maintaining compliance: instructions on how to integrate and operate our solutions within regulatory frameworks.
  • Formal academic publications, including two papers providing rigorous mathematical foundations of our AES protections, and additional papers detailing our EDA methodologies for evaluating resistance to side-channel and fault-injection attacks.
  • Full validation reports, including TVLA results and attack coverage
  • Trace analysis charts demonstrating clear non-leakage
  • Compliance mapping to standards (FIPS, CC, NIST, ISO)
  • Integration guidelines to preserve security properties
  • Third-party lab validation reports (e.g., SGS Brightsight) where applicable
  • Comprehensive design and development documentation supporting secure lifecycle and configuration management required for EAL4-6
  • Formal Security Target and assurance case templates
  • Traceability matrices linking requirements to design and test evidence

We offer the following services:

  • Integration consulting to ensure compliance in the end product. The documentation provided should be sufficient.
  • Access to our EDA tools for in-house evaluation after integration. While unnecessary, it is available.
  • Reproducible testing methodologies so customers can replicate validation results
  • Continuous updates to address emerging threats
  • Optional assistance coordinating with certification labs during evaluation phases
  • Optional training and consultancy on certification best practices
  1. Side-Channel Attacks (SCA): FortifyIQ products are resistant to attacks that extract secrets from physical leakages of the device. Covered attacks include:

 

Power Analysis

  • Differential Power Analysis (DPA)
  • Correlation Power Analysis (CPA)
  • Higher-Order DPA/CPA
  • Simple Power Analysis (SPA)

Electromagnetic Analysis

  • Correlation Electromagnetic Analysis (CEMA)
  • Template attacks

Timing and Information-Theoretic Attacks

  • Timing attacks
  • Mutual Information Analysis (MIA)

 

  1. Fault-Injection Attacks (FIA): Protection against attacks that deliberately induce errors to compromise secrets. Covered attacks include:

 

Electrical / Optical Faults

  • Voltage and clock glitching
  • Laser injection
  • Electromagnetic fault injection (EMFI)
  • Optical fault injection

Statistical / Safe-Error Faults

  • Statistical Ineffective Fault Attacks (SIFA) and Light SIFA
  • Safe-error attacks
  • Instruction-skip faults

 

  1. Microarchitectural Attacks: Cache-based side-channel attacks (arising from processor microarchitecture) only apply to software implementations. FortifyIQ software libraries include protections to mitigate these attacks.

 

  1. Known algorithm-specific attacks: e.g., compact HMAC-SHA2 protections against all known attacks on its construction.

Yes. FortifyIQ offers access to its Side-Channel Studio and Fault Injection Studio as a service. Customers can license these EDA tools to perform TVLA testing and run practical SCA/FIA attacks.

FortifyIQ Compliance Matrix

FortifyIQ products are built to meet the most stringent global security standards (while each product is configurable to meet your specific assurance and PPA needs). Internal validation has been performed according to CC AVA_VAN.5 methodology and FIPS 140-3 Level 3/4 requirements. External certifications (Common Criteria EAL, FIPS 140-3 CMVP) are supported on customer request.

Category

Product

Common Criteria

FIPS 140-3

ISO/IEC Standards

NIST Standards & Guidance

Category

Symmetric Cryptography

Product Family

AES (HW & SW)

Common Criteria

AVA_VAN.5

FIPS 140-3

FIPS 197, FIPS 140-3 L4

ISO/IEC Standards

SO/IEC 18033-3, ISO/IEC 19790

NIST Standards & Guidance

SP 800-38A, 38C, 38D/G

Category

Product Family

HMAC-SHA2 (HW & SW)

Common Criteria (CC)

AVA_VAN.5

FIPS 140-3

FIPS 198-1, FIPS 180-4, FIPS 140-3 L4

ISO/IEC Standards

ISO/IEC 10118-3, 9797-2, 19790

NIST Standards & Guidance

SP 800-107, 56C, 185

Category

Asymmetric Cryptography

Product Family

PKA (HW & SW, RSA/ECC)

Common Criteria (CC)

AVA_VAN.5

FIPS 140-3

FIPS 186-5, FIPS 140-3 L4

ISO/IEC Standards

ISO/IEC 14888, 15946

NIST Standards & Guidance

SP 800-56A/B, 57, 131A

Category

Product Family

PQC (HW & SW, KEM/DSA)

Common Criteria (CC)

AVA_VAN.5

FIPS 140-3

FIPS 140-3 (PQC profiles)

ISO/IEC Standards

ISO/IEC 18033-6 draft, 14888-3/4

NIST Standards & Guidance

SP 800-208, NIST PQC (ML-KEM, ML-DSA)

Category

Platforms & Tools

Product Family

Roots of Trust (RoT)

Common Criteria (CC)

AVA_VAN.5

FIPS 140-3

FIPS 140-3 L4, FIPS 186-5, SP 800-90 RNGs

ISO/IEC Standards

ISO/IEC 19790, 15408, 11770

NIST Standards & Guidance

SP 800-57, 90, 63, 193

Category

Product Family

Cryptobox IP (AES, HMAC, PKA, PQC)

Common Criteria (CC)

AVA_VAN.5

FIPS 140-3

FIPS 140-3 L4 composite

ISO/IEC Standards

ISO/IEC 19790, 11770, 14888, 18033

NIST Standards & Guidance

SP 800-56, 57, 131A, PQC suite

Category

Product Family

EDA Tools (SCA/FIA Evaluation)

Common Criteria (CC)

Supports AVA_VAN.5

FIPS 140-3

Pre-certification support for FIPS 140-3 L4

ISO/IEC Standards

ISO/IEC 15408-3, 17825

NIST Standards & Guidance

SP 800-90B, 140C/D/E

Still Have Questions?

Ask us!

FortifyIQ AES Algorithm
AVA_VAN.5 Evaluation & Validation Summary
SGS Brightsight Common Criteria Laboratory
Summary. The leakage analysis (Welch t-test) on over 30 million traces did not show statistically significant first- and second-order differences between trace sets with fixed and random inputs. The template-based DPA analysis, on the pseudo-random trace set for the profiling phase (15 million traces) and on a sub-set of 300k fix input traces for matching phase targeting the first-round S-box output, and template attack on ciphertext, did not indicate any potential information leakage.”
“The results for the soft IP presented in the report were obtained on the TOE which is the basic hardware implementation of the soft IP without additional levels of security (e.g. that are present in a secure silicon layout). Therefore the internal strength of the soft IP itself was evaluated. This indicates that the investigated features and parameters of the soft IP implementation should be robust against SCA and fault injection attacks in different implementations including ASIC. Nevertheless, according to the Common Criteria rules, the strength of the final composite product must be evaluated on its own
Request Technical Details