Introduction

In the hardware secure element market, security by obscurity has become the norm. Legacy vendors protect their designs behind non-disclosure agreements (NDAs) and offer minimal insight into their architecture or implementation. While this approach is primarily intended to guard intellectual property from competitors, it comes at a cost to companies that integrate these secure elements and to end users who rely on the products built with them.

Without transparency, it’s impossible to independently verify whether a solution is secure. Users must take the vendor’s word that there are no vulnerabilities or hidden backdoors. Even certifications like Common Criteria offer no absolute guarantees, and they often fall short of evaluating whether a solution is fit for a specific use case.

At Tropic Square, we’re taking a different approach. We view Kerckhoffs’ Principle—the idea that a system should remain secure even if everything about it, except the key, is public—not as academic theory, but as the foundation for our design philosophy. Our secure element, TROPIC01, is built on the principles of open architecture and open design. We believe our users deserve the right to audit the chip’s design and implementation to verify that it meets their security needs—free from hidden flaws or undisclosed compromises.

Why Secure Elements Matter

As digital technologies evolve, so do the threats they face. Cyberattacks have grown more sophisticated, targeting not just traditional IT infrastructure but also a wide range of IoT devices. This growing threat landscape has led to the emergence of new security tools—chief among them: secure elements.

Secure elements are dedicated hardware components that serve as a Root-of-Trust (RoT) within a system. They perform a variety of critical security functions, including:

• Generating and securely storing cryptographic keys and sensitive data
• Establishing chains of trust within embedded systems
• Digitally signing data and transactions
• Encrypting and decrypting communications
• Verifying digital signatures using immutable keys and certificates

By isolating these functions in a secure hardware environment, secure elements are essential to building products that can withstand modern cyber threats.

The Problem with Security by Obscurity

Most hardware secure element vendors treat their designs as proprietary secrets. To avoid intellectual property theft, they adopt a “black box” approach—offering little to no insight into how their systems work, what technologies they use, or how they're implemented.

Developers are expected to trust vendor claims like “military-grade security” or “the highest level of protection”—claims that cannot be independently verified. Even when vulnerabilities are discovered during research or development, NDAs often prevent those findings from being shared, hindering broader security progress.

This lack of transparency forces customers to operate on blind trust, an increasingly untenable position in today’s threat environment.

The Case for Transparency

The alternative is Security Through Transparency, grounded in Kerckhoffs’ principle. This approach assumes that attackers may understand the system’s design, so security must rely solely on protecting the keys.

At Tropic Square, we are building a new class of secure elements using open-source software and open hardware architecture. We publish our technical documentation openly—without requiring an NDA—and invite researchers, penetration testers, and ethical hackers to evaluate our platform and share their findings.

While some third-party components like TRNGs, PUFs, anti-tamper sensors, and memories require NDA-protected details, our goal is to make all other parts of the system fully transparent and accessible for public scrutiny.

By opening our designs, we allow anyone to audit, test, and validate our claims. Third-party experts and compliance organizations are empowered to independently verify our security posture.

Responding to Vulnerabilities

Transparency does not mean a system is automatically secure. Any system, open or closed, can contain unknown vulnerabilities. New threats and attack vectors continue to emerge, challenging even the most robust designs.

That’s why we practice responsible disclosure. We regularly publish information about known vulnerabilities on our developer portal and work quickly to provide software patches or firmware updates when issues are discovered. In some rare cases, vulnerabilities may require hardware modifications. In such instances, we still communicate transparently with our customers so they can make informed decisions.

Transparency ensures that our users are never kept in the dark. They are partners in security, not passive consumers.

Conclusion

At Tropic Square, Security Through Transparency isn’t just a tagline, it’s a new way of building trust. We’re not just opening access to source code, documentation, and architecture; we’re redefining the relationship between hardware vendors and the community. Our open approach invites scrutiny, collaboration, and verification from all stakeholders, customers, partners, developers, and researchers alike.

With TROPIC01, our first open-architecture secure element, we’re putting these values into practice. All design details are publicly available via our website and GitHub—no NDA required. Every claim we make about security, implementation, and technology can be independently verified.

To summarize: Security Through Transparency is more than open documentation. It’s about replacing blind trust with verifiable trust. It’s about working together to solve complex security challenges. And it’s about giving users control—the power to verify, not just believe.

With transparency, you earn trust. At Tropic Square, we're eliminating the black box and inviting the world in.

‍