Jeffrey LewisCentrifuges & Limited Enrichment

Iran’s Chief nuclear negotiator gave an interview to Inter France Radio (in French) that was little noticed until the Iranian Embassy released his remarks.

Here is how IRNA reported his comments:

Larijani said that the best guarantee for peacefulness of the nuclear program of the Islamic Republic of Iran could include the following measures:

  • “Accepting the current IAEA monitoring and verification systems,
  • Use of modern centrifuges, proposed by some American and British scientists, which permit only limited enrichment,
  • participation of interested countries in Iran’s peaceful nuclear activities in the form of a consortium.”

What struck me was the phrase:

Use of modern centrifuges, proposed by some American and British scientists, which permit only limited enrichment,

My initial reaction was “huh?” So I e-mailed a half dozen of the most technically astute folks. Their collective reaction, with somewhat more erudition, was also “huh?”

There is no such thing, boys and girls, as a centrifuge that permits only limited enrichment—file it in the same category as the perpetual watermill (left) and French bands that play rock-and-roll: Total Fantasy.

The general consensus is that Larijani means a deal to allow Iran to keep an enrichment facility that is limited in scale, under IAEA monitoring. The International Crisis Group has just released a report suggesting that Iran be allowed a “delayed limited enrichment” under which the international community recongizes Iran’s “right to enrich” domestically in exchange for agreeing to “a several-year delay in the commencement of its enrichment program, major limitations on its initial size and scope, and a highly intrusive inspections regime.”

The ICG proposal was subjected to a withering assault by David Albright and Corey Hinderstein at ISIS (full text at the bottom), the gist of which is that IGC has dramatically overestimated how close Iran is to enriching uranium:

Under the ICG plan, the time-frame of 5-7 years before Iran could possibly deploy large scale enrichment is roughly the same amount of time Iran would need to reach that capability if it continued on the current path. Therefore, this option could put an international stamp of approval on a path to enrichment that is essentially the same as the one that Iran is already pursuing.

A better, though not perfect, solution was suggested by Geoff Forden and John Thomson in an op-ed in the Financial Times (subscription required). Forden and Thomson propse a multinational consortium that would lease Iran’s nuclear facilities:

We suggest operations owned and controlled by a holding company with governments as shareholders. Initially, these might be Iran and Britain, Germany and France the EU3 with Russia as one possible addition. The shareholders would jointly meet costs and share profits. The holding company would lease all Iranian facilities connected with enrichment, including their existing centrifuges. Similarly, it would lease the latest model of centrifuge from Urenco, the European enrichment group. The plant containing all these centrifuges would be at Iran’s Natanz facility. The product of the operation, low-enriched uranium, would be the property of the holding company and be sold at market rates to any customer observing full IAEA safeguards, including Iran. While the holding company would determine policy, an international management group would run the facilities. All shareholders would have personnel in this group.

Forden and Thoms have a longer article in a forthcoming issue of Jane’s Intelligence Review.

The main problem with this scenario is that Iran could nationalize the facility, throw out the inspectors, and start churning out HEU. (Admittedly, I think such a brazen action is unlikely, but needs to be taken seriously.)

Forden and Thomson propose “built-in self-destructive mechanisms” which strikes me as too clever by half. I would be interested in real-life examples of a large-scale industrial facility that has such mechanisms.

(I presume we are not talking about stacking explosives around with a big red button—Can you imagine the liability waiver for foreign workers enriching uranium in an underground facility wired to blow at a moment’s notice? And, also, I am pretty sure that “I will not include a self-destruct mechanism unless absolutely necessary” is on the The Top 100 Things I’d Do If I Ever Became An Evil Overlord?)

Anyway, one “mechanism” might simply be removing some of the earth above Natanz to make it more vulnerable to an airstrike. (I haven’t really thought about the engineering associated with that, so grain of salt and all …)


ISIS reaction to ICG Report on Iran
February 23, 2006

The report, Iran: Is there a way out of the nuclear impasse? issued today by the International Crisis Group, contains errors of both facts and judgments, some of which result from an apparent lack of understanding of centrifuges and safeguards. This e-mail is not meant as a comprehensive critique, but rather a quick reaction to a couple of the most concerning assertions of the report.

The ICG’s fallback proposal of limited enrichment is not realistically assessed and represents a fundamentally flawed and dangerous recommendation. In particular, this recommendation would not actually significantly delay Iran’s centrifuge development. Under the ICG plan, the time-frame of 5-7 years before Iran could possibly deploy large scale enrichment is roughly the same amount of time Iran would need to reach that capability if it continued on the current path. Therefore, this option could put an international stamp of approval on a path to enrichment that is essentially the same as the one that Iran is already pursuing.

Many of the key claims made by the ICG report to support this recommendation are misleading or wrong, including:

1) Contrary to the ICG claim or implied claim, Iran has not obtained all the information it needs to operate centrifuges or build a centrifuge plant. ICG is speculating, largely based on general media accounts, that Iran has acquired the necessary information to do so. In fact, Iran requires several more years to master the operation of centrifuge cascades and the construction of a centrifuge plant.

2) Iran has spun or enriched uranium in many centrifuges, as ICG reports, but it has done so only as single machines or in small cascades comprising no more than 10-20 machines. Iran still needs to repair and operate its first 164 machine test cascade at the Natanz pilot plant. One of the reasons Iran spun many centrifuges is that they broke or did not work as expected.

3) ICG makes a claim that if Iran operated 500 centrifuges, it would be at least 5-6 years from obtaining enough highly enriched uranium for a nuclear weapon in a break-out strategy.This type of simplistic analysis is wrong, and other than quoting additional non-technical analysis, ICG offers no technical analysis of its own to support its claim.To understand the fallacy of this claim, consider a hypothetical case where Iran operated 500 P1 machines to produce weapon grade uranium (WGU) (90 percent uranium 235) and used a high tails assay consistent with that used initially by most other nuclear weapons programs, i.e. 0.5 percent uranium 235.In this scenario, Iran could produce about 9 kilograms of WGU per year, and have enough for a nuclear weapon (15-20 kilograms) in about two years. If Iran used a previously produced stock of low enriched uranium (5 percent uranium 235), roughly an amount that could be produced in a year or two in the enrichment plant and
realistically may not have been sent overseas or loaded into a reactor, Iran could produce enough WGU for a nuclear weapon in roughly six months. In actual practice, Iran may find it difficult to accomplish such feats, but this hypothetical case highlights the technical flaws that lay at the basis of ICG’s analysis of the limited enrichment option.

4) ICG overestimates the type and capability of safeguards measures that would be deployed by the IAEA to detect undeclared nuclear facilities or materials. ICG appears to believe the IAEA would deploy some type of wide area monitoring plan to detect clandestine production of enriched uranium. Such a scheme has never been discussed for deployment in Iran, has never before been deployed anywhere else in the world, would be unreasonably expensive to deploy effectively. In addition, it would be highly unlikely that Iran would accept such a unique safeguards burden. Finally, such a system may be unable to detect an undeclared Iranian gas centrifuge plant, particularly if the Iranians are experienced at operating such plants, including knowing how to reduce the number of accidents and leaks of uranium hexafluoride from a plant.Given that the limited enrichment option would provide Iran with just that experience at a declared gas centrifuge plant, detection of an undeclared
plant may prove impossible, even in the unlikely case that wide area monitoring could be deployed.

The ICG report is helpful in pointing out that military strikes are unlikely to be effective in resolving the current nuclear crisis with Iran.

The international community needs to be committed to a diplomatic solution that results in an agreement whereby Iran voluntarily forswears having any deployed enrichment capability. This option is stated in the ICG report as preferred, but then the ICG seems to dismiss it as an unreachable goal. It is too soon to reach such a pessimistic opinion.In any case, its limited enrichment offer would neither adequately constrain Iran’s nuclear program nor be effectively verifiable.


  1. John Field (History)

    I would appreciate anyone correcting me if I am mistaken, but…

    Well, you see that the quantity of light/heavy fractions do change depending on the input enrichment level as well as the tailings percentage.

    You also know the separative power of the unit – and therefore roughly optimal flow rates for LEU.

    Normally, I imagine that you would throttle the products and tailings between centrifuges in the cascade and the scoops would be designed to operate over wide ranges of pickup rate – determined by the external throttles.

    But, it seems that this doesn’t have to be so. The throttles could be in the scoops themselves and sealed within carbon fiber rotors so as not to be disassembleable. Then, the ratios would be all wrong for HEU, and it would be necessary to run the centrifuges at some small fraction of available separative power if you wanted HEU. Right?

    As far as a self-destruct mechanism, let me suggest the following:

    I understand that the Urenco centrifuges are these amazing four or more bellows units that run supercritical. I don’t know, but I imagine that such a machine would operate in conjunction with a complicated and high speed servo control specially tuned to damp oscillations as well as facilitate crossing through resonances on spin up and spin down. Even if not, it seems that a machine could be designed which would require such a servo. Indeed, if the servo parameters were tuned individually to the machine rotor – by either happenstance or design – servo coding would be required in the electronics.

    Now, the actual electronic implementation would be inside FPGA devices that could require periodic or even continuous communication with IAEA servers to recover the servo parameters in an two-way handshaken encoded format.

    FPGA devices can be preloaded with the software programs under battery memory store. Any attempt to reverse engineer the devices would result in program loss – and the raw servo parameters wouldn’t exist in their entirety within the FPGAs anyway.

    Presumably, a system like this would be ‘remote crashable’ by the IAEA. Maybe all enrichment facilities should operate this way in the future by international law.

    So, tentatively I think all this can be done.

  2. cs

    I haven’t heard much about really tamper resistant FPGA`s. (Xilinx apparently advertises with “You can make designs substantially more expensive to “reverse” engineer”

    My guess is that the stuff that is out there is designed to make sure a team of fully equipped Chinese reverse engineers working on telecommunications equipment is expensive. At least more expensive than “forward” engineers doing the same (even at western prices). This would be a different order of protection from the one you would want for the “evil genius with oil wealth getting nuke” threat. I think FPGA tamper resistance is in its infancy. Even when compared against the modest successes in making plain old micro controllers tamper resistant.

    Assuming the control parameters can be measured by the IAEA and no other party. Wouldn’t the communication between whatever FPGA or other control system and the servo or other actuator be observable? Even if it weren’t it would be hard to do anything about the magnetic information leakage of electric engines. People have cracked tamper resistant digital systems based on “side channels” that are much harder to detect and interpret. (Think about smartcards and rfid`s all on a satellite TV company or university budget.)

    So, what prevents people from learning enough about the control parameters from observing the control system in action?

    Also, I am pretty sure Iran would dislike a mandatory phone or Internet link with the IAEA. One missed call and the centrifuges come to a halt. That would be many times worse than the big red button marked “self destruct” at the side of your volcano lair. Imagine if not the hero but his romantic interest would destroy the evil lair without getting into the country let alone the volcano using nothing but a pair of toenail clippers 😉

    The though alone brings up interesting question like:
    -Would the toenail clipper wielding secret agents be perceived as much as heroes as the pilots who bombed Osirak?
    -How many intelligence agencies teach electronic warfare using toenail clippers?
    -Which countries had telco`s in bed with sigint agencies?

    Of course by the time you get Iran to trust the IAEA with its centrifuge on/off switch that extra step of also trusting everyone who can get to the phone line with a pair of scissors would seem really big compared to just trusting Russia with the centrifuges.

    But the big problem is the big picture.
    The problem was preventing Dr Evil from getting advanced centrifuge knowledge to fast… now it becomes preventing Dr Evil from getting advanced centrifuge OR control system forward/reverse engineering knowledge to fast. I have a feeling the places where one could learn the tricks in reverse engineering control systems are less watched than the places with centrifuge knowledge. (Though I remember this story of a European engineer who had intelligence agents at his door. They asked him questions about his E-mail PLC programming assistance to a Pakistani “water treatment facility engineer” he met on the net.)

    For Dr Evil the problem was preventing people from bombing the actual centrifuges and preventing the transfer of centrifuges to his volcano… now it becomes all that plus protecting a phone line.

  3. John Field (History)

    Yes, Yes, I think it is most unlikely that Iran would be willing to submit to something like this. But, feasibility…yes, I think. Utility…not sure, perhaps not.

    I consider the most serious objection of all was not mentioned. If they tore the whole system apart, they can figure out exactly what plastics, coatings, plumbing arrangements, filters, oils and greases, etc. to use. This is non-trivial information. And, it would seem that there have been hints that it is important from the Chinese. If you haven’t worked with vacuum technology, you could easily underestimate this challenge.

    Of those mentioned, I think the most serious objection is that the servo control/sensor systems can be observed and an equivalent control system reverse engineered without copying the programming.

    It would have to be done for every centrifuge, and it would require an intimate knowledge of the operation of the thing. And, you’d probably have to take the thing apart to get to the sensors if it were designed to be tamper proof.

    And, how are they going to eject all the IAEA inspectors without a shutdown command being given to the servos? Once the system is stopped – no more observation of servo parameters, right?

    CPLDs contain their programming in a non-volatile state within the chip. This is not suitable for an extreme security application.

    The FPGA solution I proposed above is PROMless. The FPGAs are preprogrammed on the control boards by the IAEA in Vienna. Battery backup power is always applied to the chip. If the power is removed, all state information is lost.

    Reverse engineering access to the device would be either through the back of the chip(top) or front of the chip(bottom) through the 12-layer circuit board below it – all while POWER is applied. I think top side(back of chip) access looks more attractive. Remove the cap, and polish the 500 microns of silicon back to within microns of the chip surface without breaking it. From here, I see at least 4 ways to go after the info – but they are all completely desperate, and subject to countermeasures.

    An emergency spin-down program could be included in the FPGAs to provide for loss of contact situations.

    The protocols can be encrypted, and a two-way handshake is required so that it is not possible to repeat past messages.

  4. Arrigo (History)

    John: regarding the two-way handshake with IAEA I have one objection which is the speed of encryption/decryption.

    If you have to keep such a link up and running at the speeds required by the centrifuge servo-controls I doubt you’d be able to decrypt and authenticate (or encrypt and authenticate) using any reasonable protocol. Definitely forget an equivalent of, say, SSL/TLS.

    What happens when the IAEA tamper-control causes their centrifuges to crash and burn? Can you imagine the political fall-out?

    And if to make it fast you make it weak then the whole toy becomes useless.

  5. John Field (History)

    Xilinx quotes 15 Gb/s for triple DES decode/encode on Virtex II. That’s plenty.

    Latency would necessitate all high-bandwidth operations to take place on site. Slow bandwidth adjustments – e.g. temperature shifts of servo parameters, etc. could be handled from afar.

    As I mentioned above, in the event of mishap, lost connection, etc. a hard stop servo routine could be included in the FPGAs at all times.

    I admit – “the whole thing sucks” – but it could be done.

  6. Arrigo (History)

    John: that’s pretty impressive 3DES performance… but let me continue to be the Devil’s advocate, if only to refine your design.

    What about the initial D-H key exchange?

    You’d have to have the IAEA box on-site which would in turn have to be tamper resistant to the extreme since it contains the private keys for the D-H with which the game is over.

    You also need to consider rekeying since the amount of data will be significant enough and with enough known plaintext to warrant “known plaintext” attacks since you are transmitting servo parameters.

    Re-keying requires D-H which is more challenging than straight 3DES in-flight.

    Besides the above my real question is why attack the centrifuge when the central IAEA key is right there with you?

    To make it work verifiably you’d have to send a heart-beat back to IAEA in Vienna, at least.

    If we want to go esoteric then we can figure out lots of interesting information by doing differential power analysis while the boxes are running. Here’s some nasty reading:

  7. cs

    Arrigo: “You’d have to have the IAEA box on-site which would in turn have to be tamper resistant to the extreme since it contains the private keys for the D-H with which the game is over. “

    I take a day of and and get beaten to this point… Indeed, the tamper resistance doesn’t protect data as much as it protects keys to data. These keys have to be kept in the control system all the time up to destruction. No key, no communication. Also if the centrifuge mechanics can’t cause enough performance deterioration without contact with the IAEA than the tamper resistant system will have to stop/break the centrifuge when contact is lost. If you stop the control system from doing that you got yourself a centrifuge. Tamper resistance should prevent that as well.

    Anyway, why go with asynchronous (“public key”) crypto at all? As long as the keys are put in the tamper resistant environment by the IAEA there is no need for any fancy (Diffie hellman or otherwise) key exchange, is there? And digital signing and key rotation can be done using synchronous crypto as well.

    John Field: “it would require an intimate knowledge of the operation of the thing”

    Armscontrol people tend to be okay with such “knowledge can be more or less kept in a box for a while” idea. Crypto/computer security people not so much. The moment you mention something like this around them they might get “clipper wars” flashbacks, start foaming at the mouth, and shouting “security trough obscurity isn`t!!!” and ““they” cracked purple” … All in all not a pretty sight, but based on real world experiences.

    Arrigo: “If we want to go esoteric then we can figure out lots of interesting information by doing differential power analysis while the boxes are running.”

    That is the conventional way of attacking these chips, and I already wondered if current FPGA`s are gonna be any better than the many attempts at tamper resistant microcontrollers.

    But why bother with millivolts when the motors in the servos are gonna be pretty close to radio transmitters? Unlike the low voltage communication smartcards use, serious currents are presumably used in these servos. And since they have coils in them they are likely electromagnetically noisy. The advantage is that no physical tampering with the control system is needed. (Usefull when inspectors come and look for acid burns on chips an the floor around them)

    The learned data can be used for building a new control system, or a “known plaintext” attack against the communication. When the US couldn’t crack soviet codes at the time of the Cuban missile crisis they tried just catching noise from the electromechanical crypto machines.

    And assuming the mechanical parts of the centrifuge need modification/replacement it would seem the provided control system would not work anymore. So an attack aimed at speeding up the build of a replacement system would be the best you could do. (You could recycle the FPGA`s and surrounding hardware though, they are “field programmable” after all ;-)) You would end up building a centrifuge based around as much salvaged components and materials as possible. This would be many times harder than just following the urenco blueprints, but it would require less procurement.

    And for even more nasty reading I recommend:
    which offers some insight into the limited trust giving to tamper resistance in nuclear treaty verification so far.

  8. Arrigo (History)

    cs: I don’t know if I am just rehashing what you tried to say in your comment but…

    Qould it not be even easier to monitor the workings of the centrifuges by applying sensors to the electromechanical parts and then simply put a new “in the clear” control mechanism in while pulling the cables of the IAEA one?

    To elaborate on the point: you quite rightly say “why bother with hacking the sexy electronics when you have noisy control systems” and I am saying that indeed it is much simpler, to the point that you shouldn’t even try to bother to figure out IAEA’s blackbox but simply look upstream where the “plaintext” is inevitable (you have to spin a centrifuge eventually and that spin can be measured!).

    Then, once you have recorded enough working to “crack” the delicate tuning of the instrument you have the choice of either building new centrifuges with the magic tuning values or bypass IAEA’s altogether .

    The question of how you keep IAEA’s monitoring oblivious to it all is taken care of by working at the motor level. You put the new control signals in parallel, pull wires off to a fake motor and feedback mechanism, unplug IAEA from the real thing and you’re home and dry.

    Of course the technicalities of the “cunning plan” [(c) Baldrick in Blackadder] are not trivial but neither are they insurmountable.

    And the beauty of it all is that ultimately “who cares about the crypto?” which turns into a total irrelvance and, if anything, false security.

    As a final remark: this has been a fascinating thread. Thanks to all the participants.