Preventing Piracy and Reverse Engineering of SRAM FPGAs Bitstream Lilian Bossuet 1, Guy Gogniat 1, Wayne Burleson 2 1 LESTER Lab Université de Bretagne Sud Lorient, France 2 Department of Electrical and Computer Engineering University of Massachusetts, Amherst, USA

2 Outline u Design Security u Actual Solutions u Propositions u Conclusion

3 FPGA and Security … Protecting FPGA data and resources System Security using FPGA FPGA Design Security Protect the FPGA configuration Bitstream encryption Watermarking Protect the FPGA Data encryption scheme Protection against hardware damage Use the FPGA to protect Network isolation (firewalls) Smart cards Sensor networks FPGA Design Security

4 Design Security

5 Need for Design Security Protection against è Cloning A competitor makes copy of the boot ROM or intercepts the bitstream and copies the code. è Reverse Engineering A competitor copies a design by reconstructing a “schematic” or netlist level representation; in the process, he understands how the design works and how to improve it, or modify it with malicious intent Attack Types è Noninvasive Monitored by external means such as brute force key generation, changing voltages to discover hidden test modes, etc è Invasive Decapped and then microprobed using focused ion beams, or other sophisticated techniques to determine the contents of the device

6 Levels of Semiconductor Security u #3 Can be broken into in a government sponsored lab (e.g. USA NSA or France DGA) u #2 Can theoretically be broken into with time and expensive equipment u #1 Not secure, easily compromised with low costs tools #3 #2 #1 Time Cost Source : IBM systems journal Vol. 30 No D. G. Abraham, G. M. Dolan, G. P. Double, J. V. Stevens. Transaction Security System

7 Actual Semiconductor Level of Security Source : ACTEL DEVICESSECURITY u SRAM FPGALEVEL 1 u ASIC Gate ArrayLEVEL 2 - u Cell-Based ASIC LEVEL 2 - u SRAM FPGA with Bitstream encryptionLEVEL 2 u Flash FPGALEVEL 2 + u Antifuse FPGALEVEL 2 +

8 Actual Solutions

9 u Very good for design security è No bitstream can be intercepted in the field (no bitstream transfer, no external configuration device) è Need a Scanning Electron Microscope (SEM) to try to know the antifuse states (an Actel AX2OOO antifuse FPGA contains 53 million antifuses with only 2-5% programmed in an average design) u BUT not really “reconfigurable” just configurable... Flash and Antifuses FPGA ©ACTEL Flash and Antifuse FPGA  10 % SRAM FPGA  90 %

Xilinx Solution u Need of an external battery to save the keys u The decryption circuit takes FPGA resources (silicon)… u No flexibility for the decryption algorithm u Partial reconfiguration is no more available encrypted configuration EPROM FPGA Virtex -II decryption circuit keys storage +- external battery CAD TOOL configuration generator encryption software secret keys (Triple DES - 3 x 56 bits) configuration memory secret keys (Triple DES - 3 x 56 bits) Protection against cloning and reverse engineering

Altera Solution u The decryption circuit takes FPGA resources (silicon)… u No flexibility for the decryption algorithm encrypted configuration EPROM FPGA Stratix -II decryption circuit keys storage CAD TOOL configuration generator encryption software secret key (AES 128 bits) configuration memory secret key (AES 128 bits)

Algotronix (U.K.) Proposition Tom Kean. Secure Configuration of a Field Programmable Gate Array. FPL 2001 and FCCM u A secret cryptographic key can be stored on each FPGA u No need for the CAD tools or any person to have knowledge of the key u The Encryption Decryption circuit takes FPGA resources (silicon)… u No flexibility for the decryption algorithm encrypted configuration FLASH Serial EPROM FPGA encryption circuit secret key configuration circuit configuration memory JTAG encrypted configuration FLASH Serial EPROM FPGA decryption circuit secret key configuration circuit configuration memory a) Initial programming of secure FPGA b) Normal configuration of secure FPGA

Propositions...

Desirable Characteristics u Strong protection against cloning and reverse engineering for SRAM FPGA u No additional battery => the key is embedded (laser) u Choice of the suitable encryption algorithm and architecture (security policy) u No use of FPGA application-dedicated resources

IP1 IP3 IP5 IP2 IP4 Security Policy Actual solutions: the whole design (all IPs) has the same security policy IP1 IP3 IP5 IP2 IP4 Proposition: Each IP can be encrypted with its own algorithm

Security Policy u Application partitioning with necessary security levels u All of the application doesn’t need to be encrypted (free available IP) Security-Critical Part: your Intellectual property which needs higher security due to development cost potential security breach No critical Parts: Generic functions and cores such as communication protocols, etc. IP1 (SCP) IP3 IP5 IP2 (SCP) IP4

Encryption - Decryption management u Once the FPGA is configured encryption and decryption circuits do not use FPGA resources u Use of partial dynamic reconfiguration u Use of self-reconfiguration (to configure each IP with the corresponding decryption circuit) u Embedded secret key

Encryption Management (in the lab.) IP1 (SCP1) algorithm 1 IP3 (NCP) IP2 (SCP2) algorithm 2 FPGA : secret KEY Encryption circuit1 Encryption circuit1 SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1

Encryption Management (in the lab.) IP1 (SCP1) algorithm 1 IP3 (NCP) IP2 (SCP2) algorithm 2 FPGA : secret KEY Encryption circuit2 Encryption circuit2 SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1 SCP2 Encrypted SCP2 Encrypted Decryption circuit2 Decryption circuit2

Encryption Management (in the lab.) IP1 (SCP1) algorithm 1 IP3 (NCP) IP2 (SCP2) algorithm 2 FPGA : secret KEY SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1 SCP2 Encrypted SCP2 Encrypted Decryption circuit2 Decryption circuit2 NCP

Decryption circuit1 Decryption Management (at power up) SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1 SCP2 Encrypted SCP2 Encrypted Decryption circuit2 Decryption circuit2 NCP FPGA : secret KEY Configuration Controller

Decryption Management (at power up) SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1 SCP2 Encrypted SCP2 Encrypted Decryption circuit2 Decryption circuit2 NCP IP1 Decryption circuit1 FPGA : secret KEY Configuration Controller u Partial and self reconfiguration

Decryption circuit2 Decryption Management (at power up) SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1 SCP2 Encrypted SCP2 Encrypted Decryption circuit2 Decryption circuit2 NCP FPGA : secret KEY IP1 Configuration Controller u Partial and self reconfiguration u The decryption circuit1 is replaced by the decryption circuit2

IP2 Decryption circuit2 Decryption Management (at power up) SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1 SCP2 Encrypted SCP2 Encrypted Decryption circuit2 Decryption circuit2 NCP FPGA : secret KEY IP1 Configuration Controller u Partial and self reconfiguration u The decryption circuit1 is replaced by the decryption circuit2

IP2 IP3 Decryption Management (at power up) Configuration Controller SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1 SCP2 Encrypted SCP2 Encrypted Decryption circuit2 Decryption circuit2 NCP FPGA : secret KEY IP1 u Partial and self reconfiguration u The decryption circuit1 is replaced by the decryption circuit2 u The decryption circuit2 is replaced by the non critical part that is not encrypted

Main issues u Partial and self-reconfiguration u Area related to the decryption algorithms u Keys management for each encryption/decryption circuit u Configuration controller to perform the configuration management

Area related to the decryption algorithms u Once the last encrypted bitstream is configured the last decryption algorithm can be replace by non critical parts u ICAP performance: 66 Mbits/s, throughput is not the major concern but area Algorithm#slices of the cryptographic core Rijndael Serpent RC Twofish ~ 100 Mbits/s< Throughput < ~400 Mbiys/s

Keys management u Secret key is define during the fabrication process (laser) u Define a large key e.g bits that is used to generate each secret key (56 bits, 128 bits) u Hardwired key generator u Hardwired mechanism to authenticate each decryption circuit and encrypted bitstream (signature)

Configuration Controller IP2 IP3 Configuration Controller SCP1 Encrypted SCP1 Encrypted EPROM Decryption circuit1 Decryption circuit1 SCP2 Encrypted SCP2 Encrypted Decryption circuit2 Decryption circuit2 NCP FPGA : secret KEY IP1

Advantages / Inconveniences u The encryption/decryption circuit doesn’t take FPGA resources u Choice of a suitable encryption algorithm and architecture ( to obtain a required security level) u Only designer knows the chosen algorithm and architecture u The system can be upgraded with new encryption algorithms u No additional battery with an embedded secret key u Complex system, keys management u Management of partial, self and dynamic reconfiguration u Take time during the system set up

Conclusion...

Conclusion u In consequence of the rise of the FPGA, it is necessary to prevent piracy and reverse engineering of FPGA Bistream u Existing SRAM FPGA are insecure u We propose original solutions that take advantage of the partial and dynamic FPGA configuration, with a no-fixed encryption algorithm and architecture u It is a first step toward security policy for FPGA and the solutions still to be improved...

Comments? Questions? Thank you