CSE 690 Spring 2010 Harish Lakshminarasimhan
FPGA design encryption using a
128 bit Rijndael Cipher
CSE - 690
Spring 2010
Harish Lakshminarasimhan
SUID: 319764839
1
CSE 690 Spring 2010 Harish Lakshminarasimhan
Acknowledgements:
I wish to thank Prof. Fred Schlereth for his valuable assistance during and after class to
help me finish my project and coursework. I learned a lot about FPGA’s and their practical
applications. Thanks a lot sir for always being there to help me out.
Also thanks to Parija and Ronak who were always there to help me if we had any doubts or
clarifications during the coursework.
Thanks,
Harish Lakshminarasimhan
Final Report CSE 690
2
CSE 690 Spring 2010 Harish Lakshminarasimhan
Index
Table of Contents
Objectives and Goals 5
Brief Overview on FPGA’s 6
Why circuit encryption is important………………………………………………………………………………………………………………………7
What is the Rijndael Cipher? 10
AES and its applications 11
Background on AES 12
Rijndael Cipher in AES 13
Rijndael Cipher 14
Background 14
Rijndael Cipher Architecture 14
Cipher Block 15
Block Diagram 15
Components 15
I/O Blocks 17
Signals 18
Inverse Cipher Block 19
Block Diagram 20
Components 20
I/O Blocks 21
Signals 21
Encryption Logic 22
Initial Round 22
3
CSE 690 Spring 2010 Harish Lakshminarasimhan
Sub Byte Step 23
Shift Row Step 23
Mix column Step 24
Timing Logic and Signal Flow 26
Timing signals 27
Working of AES based on timing and signal charts 29
Simulation and Screenshots 30
How I simulated the design 32
Screenshots from ModelSim……………………………………………………………………………………………………..…………………………33
Screen shots showing encryption of my design 35
Design Implementation on FPGA (Altera) Chip 36
Steps involved in transferring the design 39
Screenshots from Quartus 40
Final device configuration menu 46
Advantages of Circuit encryption…………………………………………………………………………………………………………………….…….47
Conclusion………………………………………………………………………………………………………………………………………………………………48
Result and Summary 49
Objectives and Goals:
OBJECTIVE
4
CSE 690 Spring 2010 Harish Lakshminarasimhan
The objective of my project was to learn the practical application based scenarios on FPGA design
and to design, compile and create an FPGA design on a FPGA chip for a small application.
I chose the Rijndael’s algorithm since it was a popular cryptographic tool to transfer data in a
secure fashion over different channels and medium for all sorts of applications.
The main goal was to write the algorithm using a HDL like VHDL or Verilog and to design and
compile and design, and if found working fine, I had to transfer the design onto an FPGA block.
PURPOSE
To design an FPGA based Rijndael algorithm having a functional encryption and decryption block with a
separate key validation block to encrypt and decrypt keys with a length of 128 bits and to achieve the
expected results as set by the Rijndael standard on my FPGA circuit.
GOAL
To implement the Rijndael cipher algorithm on an FPGA circuit after synthesizing the code and testing it
using Verilog HDL and download it on an FPGA circuit using the SPARTAN 3E kit.
TASKS
Develop the design using HDL (Verilog).
Simulate the HDL to verify the code.
Synthesize the code.
Download the design to FPGA.
Test the FPGA.
SCHEDULE
Design Documentation - September end
Development of HDL (Phase 1) - October second week
Development of HDL (Phase 2) - October end
Development of HDL (Phase 3) - November second week
Simulation, synthesis and downloading the design to FPGA - November third week
Testing the FPGA – December first week
5
CSE 690 Spring 2010 Harish Lakshminarasimhan
Report - December THIRD week
Brief Overview on FPGA’s:
A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by the
customer or designer after manufacturing—hence "field-programmable".
The FPGA configuration is generally specified using a hardware description language (HDL), similar
to that used for an application-specific integrated circuit (ASIC) (circuit diagrams were previously
used to specify the configuration, as they were for ASICs, but this is increasingly rare).
FPGAs can be used to implement any logical function that an ASIC could perform. The ability to
update the functionality after shipping, and the low non-recurring engineering costs relative to an
ASIC design, offer advantages for many applications.
FPGAs contain programmable logic components called "logic blocks", and a hierarchy of
reconfigurable interconnects that allow the blocks to be "wired together"—somewhat like a one-
chip programmable breadboard.
Logic blocks can be configured to perform complex combinational functions, or merely simple
logic gates like AND and XOR. In most FPGAs, the logic blocks also include memory elements,
which may be simple flip-flops or more complete blocks of memory.
Why circuit encryption is important?
The global estimated loss to counterfeiting is expected to exceed U.S.$1.5 trillion in 2009. Counterfeiting
impacts all businesses in all markets, from Gucci handbags to computer chips to proprietary algorithms. The threats
to companies’ intellectual property (IP) grow as the global supply chain becomes increasingly complex. Security and
6
CSE 690 Spring 2010 Harish Lakshminarasimhan
protection in the global supply chain is critical to maintaining a competitive advantage, while in some cases it is
required just to stay in business.
The first step towards counterfeit equipment is tampering, which encompasses all forms of obtrusive
efforts to gain access to the system design. Historically, tampering was associated with military equipment;
however, due to the rise of counterfeit electronics, tampering is becoming a critical issue for all manufacturers. The
purpose of anti-tamper is to deter reverse engineering of technology, which would otherwise allow technology
transfer, alteration of system capability, and development of countermeasures.
Governments and corporations invest billions of dollars to develop critical networking infrastructures,
sophisticated weapon systems, and secure banking systems. However, systems that are vulnerable to tampering
can quickly deteriorate, resulting in loss of competitive advantage, lost revenue, brand dilution. The exploitation of
electronic equipment is increasing due to the lucrative margins on counterfeit equipment. These vulnerabilities
make the inclusion of anti-tamper more and more important.
There are four components to creating an anti-tamper solution:
■ Tamper resistance is the ability to resist tamper attempts, and is achieved by specialized features.
■ Tamper detection is the ability to make the system or user aware of the tamper event.
■ Tamper response is the countermeasure procedure that a system must take once tampering is
detected.
■ Tamper evidence must be detectable so authorized personnel inspecting the system can identify
whether the system has been tampered with.
How to protect the designs on an ALTERA FPGA?
Threats to FPGAs
The industrial market is moving towards FPGAs due to their benefits of reprogrammability and proof
against obsolescence. The military market is moving towards commercial off-the-shelf (COTS) products with highly
7
CSE 690 Spring 2010 Harish Lakshminarasimhan
specialized applications, making FPGAs a perfect blend of COTS and customized product. Because online banking
systems have multiple layers of security from locked doors to server locks, the banking industry is looking for
means of pushing the security to lower levels, thus making security inherent to the system. The overall market is
concerned with the proliferation of theft and black market/mislabeled products.
While FPGAs are less vulnerable to the reverse engineering that threatens ASICs, these devices are
susceptible to a different set of threats. The reprogrammable architecture of the FPGA acts as an inherent barrier
to a straightforward tampering attempt to reverse engineer the design. Due to its volatile nature, decapsulating
and deprocessing the die provides a blank map of the FPGA architecture. However, a different set of tampering
activities can affect FPGAs, such as copying and cloning the bitstream during configuration, manipulating the design
through JTAG, and initiating single event upsets (SEUs) to cause functional changes to the design.
Configuration Threats
While reprogrammability is a benefit for the designer, it also creates concern because an external device is
required for configuration. The entire design must be stored in a system memory external to the FPGA, and upon
power-up, transferred from the memory to the FPGA. Designers concerned about IP protection can embed the
traces used for configuration within PCB layers, but this may create other problems in the complex PCB design.
Therefore, there are very few solutions to protect a FPGA design from being copied during configuration.
Encryption Solution
My design protects the bitstream during configuration by including a 128-bit AES encryption engine using a
volatile key. Therefore, even if the bitstream is monitored, the encryption key is necessary to reverse engineer the
design. The specific implementation of the encryption key in a Cyclone III LS FPGA never allows read-back of the
encryption key, so once programmed, the key remains safely stored in the FPGA. Because the encryption key is
volatile, any attempt at destructive analysis results in permanent loss of the key. In addition, I have taken several
steps to help protect the integrity of the encryption key:
■ The key storage is placed under layers of metal to resist physical attacks.
■ The key is obfuscated before it is stored in the FPGA memory.
■ The key bits are distributed among other logic.
■ The volatile key can be erased via JTAG if a tamper event is detected.
8
CSE 690 Spring 2010 Harish Lakshminarasimhan
To reverse-engineer an FPGA design protected by design security, the key must first be obtained to decrypt the
configuration file. However, the key is stored securely within the FPGA, which makes it extremely difficult to obtain
the key. With the volatile key, the user can clear the key when a tamper event is detected. Even if a key was
somehow obtained and the configuration file decrypted, the next step would be to map that configuration file to
the device.
The circuit I am going to encrypt using the AES Algorithm:
I have chosen a simple 4-bit ripple carry adder circuit to be encrypted. The Ripple adder circuit is shown
below in terms of the gate level design.
9
CSE 690 Spring 2010 Harish Lakshminarasimhan
Truth Table and working of Ripple adder:
The truth table for the ripple carry ahead adder is similar to that of any 4 bit adder ciruit with 4 input bits
and a Carry-In (Cin) bit and outputs and a carry out bit (Cout).
10
CSE 690 Spring 2010 Harish Lakshminarasimhan
Truth Table:
The 2 bit inputs are extended to 4 bits and I am using a 8:3 decoder to implement the full adder circuit for
4 bits. Now that this circuit is chosen the goal is to encrypt this circuit.
Implementation of 4-bit adder on an FPGA:
Now this is the easy part of implementing a 4 bit adder circuit on an FPGA. The goal is to encrypt this
design on an FPGA using an AES 128 bit algorithm so that the design cannot be viewed, edited or modified
11
CSE 690 Spring 2010 Harish Lakshminarasimhan
nor copied without keying in the 128 bit key which locks this circuit so that everyone else except the
designer (in this case ME!!) cannot access this design. This is useful for patenting and copyright
protection.
Next, I move to encrypt this design on an FPGA using 128 bit AES algorithm, so that the design is locked
to the designer. But before that, I have used the same notes as in my CSE 791 final project to explain
the working of an 128 bit AES encryption algorithm.
Rijndael’s Cipher
In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S.
government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger
12
CSE 690 Spring 2010 Harish Lakshminarasimhan
collection originally published as Rijndael. Each AES cipher has a 128-bit block size, with key sizes of 128, 192 and
256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the
case with its predecessor, the Data Encryption Standard (DES).
Why did I choose Rijndael Standard?
The Rijndael standard was chosen overwhelmingly for mainly three reasons
Simple design
Ease of upgradability (key sizes can be varied in multiples of 32 bits within a range of 128 bits to
256 bits)
Very hard to crack
There were a series of tests in which the Rijndael cipher algorithm was subject to Brute force
attacks and Side-channel attacks. But the numbers published show that in a series on 7 million
tests per block of data, only 12 were proven as a successful attack. This test shows the rigidness of
the design and the cipher strength of the algorithm.
AES (Advanced Encryption Standard):
Overview:
13
CSE 690 Spring 2010 Harish Lakshminarasimhan
AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197
(FIPS 197) on November 26, 2001 after a 5-year standardization process in which fifteen
competing designs were presented and evaluated before Rijndael was selected as the most
suitable (see Advanced Encryption Standard process for more details).
It became effective as a Federal government standard on May 26, 2002 after approval by the
Secretary of Commerce. It is available in many different encryption packages.
AES is the first publicly accessible and open cipher approved by the NSA for top secret
information.
AES is based on a design principle known as a Substitution permutation network. It is fast in both
software and hardware. Unlike its predecessor, DES, AES does not use a Feistel network.
AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can
be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a
maximum of 256 bits.
AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block
size have additional columns in the state). Most AES calculations are done in a special finite field.
The AES cipher is specified as a number of repetitions of transformation rounds that convert the
input plaintext into the final output of ciphertext. Each round consists of several processing steps,
including one that depends on the encryption key. A set of reverse rounds are applied to
transform ciphertext back into the original plaintext using the same encryption key.
Rijndael’s Cipher in AES:
NIST contest finalists
14
CSE 690 Spring 2010 Harish Lakshminarasimhan
Rijndael Standard
Serpent Standard
Twofish Standard
RC6 Standard
MARS
The Rijndael Cipher was the winner of this contest for a small but very powerful design that was very
strong against brute force attacks. The following FIPS test shows the durability of the Rijndael Algorithm.
The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States
Government's National Institute of Standards and Technology (NIST) Computer Security Division and the
Communications Security Establishment (CSE) of the Government of Canada. The use of validated
cryptographic modules is required by the United States Government for all unclassified uses of
cryptography.
It is rare to find cryptographic modules that are uniquely FIPS 197 validated and NIST itself does not
generally take the time to list FIPS 197 validated modules separately on its public web site. Instead, FIPS
197 validation is typically just listed as an "FIPS approved: AES" notation (with a specific FIPS 197
certificate number) in the current list of FIPS 140 validated cryptographic modules.
Rijndael Cipher Architecture:
15
CSE 690 Spring 2010 Harish Lakshminarasimhan
As we see above, there are 2 I/O blocks and a cipher and inverse cipher block. The storage block is
optional to store the encrypted value which can be retrieved later and decrypted. I have not
included this in my design.
Basically all the encryption operations for the text input is done in the encryption block and this
encrypted value is then decrypted in the inverse cipher (decryption) box.
The input box comprises of two 128 bit inputs, one for the text input and other for the encryption
key which determines how the text input is going to be encrypted.
Cipher Block:
16
CSE 690 Spring 2010 Harish Lakshminarasimhan
The Cipher block is one of the most important components of the Rijndael Cipher. This does all the
encryption using Rijndael’s algorithm using the key input and the text input.
The Cipher block uses Rijndael’s S-box and a series of permutations to encrypt the text input.
Components of Cipher Block:
As shown, the module contains 4 internal modules, key expansion, initial permutation, round
permutation and final permutation.
The “Control” box is used to ready the Cipher block to perform the permutations on the data. So
initially a “1” (high) signal is sent to the Control box to indicate that the key and text_in are ready
to be inserted.
The “KEY” module is the place where the user enters the key, using which the data is to be
encrypted. The key can be either a “Public” key or a “Private” key.
The key size is 128 bits.
17
CSE 690 Spring 2010 Harish Lakshminarasimhan
The text_in signal is used to input the 128 bit data.
The initial, round and final permutations module, perform the iterations on the text_in value
based upon the “key” which the user entered.
All iterations are performed in loops and the data is stored as a STACK (LIFO) structure and fed to
the de-cipher block in reverse order.
Signals used in the Cipher block:
Text input signal denote by “text_in” = 128 bits
Key In indicated by key[0] to key[127] = 128 bits
Control signal denoted by “Id” to indicate that the circuit is ready to perform the
encryption operation. = 1 bit
Inverse Cipher Block: (De-Cipher)
18
CSE 690 Spring 2010 Harish Lakshminarasimhan
The implementation of Rijndael decryption function is similar to that of the encryption function except for the following points: As the keys have to be read in reverse order, they must be calculated prior to applying any input, therefore they are stored in a stack-like buffer. This buffer contains InvMix-Column block that is used before storing the keys in the stack.
Operation:
As soon as the encryption is performed, the Cipher block sends a Done(high) signal to the De-
Cipher block indication that encryption is successful.
Once the permutations are performed by the Cipher block, the LIFO is processed by the de-Cipher
block.
This reversing is done by the key-reversal block.
Using the same logic of the encryption block but in reverse order, the De-cipher block also uses
the same key as specified by the user initially to decrypt the data.
19
CSE 690 Spring 2010 Harish Lakshminarasimhan
Once the data has been de-ciphered, it is passed on to the Output block which sends the output
through the JTAG interface from the FPGA kit back to the Altera interface.
The permutations performed are the heart of this project and these permutations and looping is
performed by the Rijndael algorithm
Signals used in the Cipher block:
Text output signal denote by “text_out” = 128 bits
Control signal denoted by “test_done” to indicate that the circuit has performed the
decryption operation. = 1 bit
20
CSE 690 Spring 2010 Harish Lakshminarasimhan
Encryption Logic:
Key Expansion using Rijndael's key schedule
Initial Round
AddRoundKey
Rounds
Sub Bytes—a non-linear substitution step where each byte is replaced with another
according to a lookup table.
Shift Rows—a transposition step where each row of the state is shifted cyclically a certain
number of steps.
Mix Columns—a mixing operation which operates on the columns of the state, combining
the four bytes in each column
Add Round Key—each byte of the state is combined with the round key; each round key is
derived from the cipher key using a key schedule.
Final Round
SubBytes
Shift Rows
Add Round Key
21
CSE 690 Spring 2010 Harish Lakshminarasimhan
Sub Byte Step:
The SubBytes step
In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup
table, S; bij = S(aij).
In the SubBytes step, each byte in the array is updated using an 8-bit substitution box, the Rijndael
S-box.
This operation provides the non-linearity in the cipher. The S-box used is derived from
the multiplicative inverse over Galois Field (28), known to have good non-linearity properties.
To avoid attacks based on simple algebraic properties, the S-box is constructed by combining the
inverse function with an invertible affine transformation.
22
CSE 690 Spring 2010 Harish Lakshminarasimhan
Shift Row Step:
The Shift Rows step
In the Shift Rows step, bytes in each row of the state are shifted cyclically to the left. The number
of places each byte is shifted differs for each row.
The Shift Rows step operates on the rows of the state; it cyclically shifts the bytes in each row by a
certain offset.
For AES, the first row is left unchanged. Each byte of the second row is shifted one to the left.
Similarly, the third and fourth rows are shifted by offsets of two and three respectively.
In this way, each column of the output state of the Shift Rows step is composed of bytes from
each column of the input state.
23
CSE 690 Spring 2010 Harish Lakshminarasimhan
Mix Column Step:
The Mix Columns step
In the Mix Columns step, each column of the state is multiplied with a fixed polynomial c(x).
In the Mix Columns step, the four bytes of each column of the state are combined using an
invertible linear transformation. The Mix Columns function takes four bytes as input and outputs
four bytes, where each input byte affects all four output bytes. Together with Shift Rows, Mix
Columns provides diffusion in the cipher.
In the MixColumns step, the four bytes of each column of the state are combined using an
invertible linear transformation.
The MixColumns function takes four bytes as input and outputs four bytes, where each input byte
affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the
cipher. Each column is treated as a polynomial over GF(28) and is then multiplied modulo x4 +
1 with a fixed polynomial c(x) = 0x03x3 + x2 + x + 0x02. (The coefficients are displayed in their
hexadecimal equivalent of the binary representation of bit polynomials from GF(2)[x].)
The MixColumns step can also be viewed as a multiplication by a particular MDS matrix in Finite
field.
24
CSE 690 Spring 2010 Harish Lakshminarasimhan
Add Round Key step:
The AddRoundKey step
In the AddRoundKey step, each byte of the state is combined with a byte of the round sub key
using the XOR operation (⊕).
In the AddRoundKey step, the sub key is combined with the state.
For each round, a sub key is derived from the main key using Rijndael's key schedule; each sub key
is the same size as the state.
The sub key is added by combining each byte of the state with the corresponding byte of the sub
key using bitwise XOR.
AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
25
CSE 690 Spring 2010 Harish Lakshminarasimhan
Timing Logic and Signal Flow:
For any logic block, be it an FPGA or CPLD, it needs to have a timing analysis and signal flow diagram in
order for us to realize that on a hardware.
So, for my project, I include the following timing and signal flow table as seen below:
26
CSE 690 Spring 2010 Harish Lakshminarasimhan
Actual working of the AES using timing and signal charts:
Working of AES Cipher Block
AES Cipher Core
The forward cipher block can perform a complete encrypt sequence in 12 clock cycles (10 cycles
for the 10 rounds, plus one cycle for initial key expansion, and one cycle for the output stage).
The forward cipher block accepts a key and the plain text at the beginning of each encrypt
sequence.
The beginning is always indicated by asserting the ‘ld’ pin high.
When the core completes the encryption sequence it will assert the ‘done’ signal for one clock
cycle to indicate the completion.
Working of AES Inv Cipher Block:
27
CSE 690 Spring 2010 Harish Lakshminarasimhan
AES Inverse Cipher Core
The inverse cipher block can perform a complete decrypt sequence in 12 cycles (10 cycles for the
10 rounds, plus one cycle for initial key loading, and one cycle for the output stage).
The inverse cipher, however, requires that the key is loaded before decryption can be performed.
This is because it uses the last expanded key first and the first expanded key last.
The key is loaded when the ‘kld’ signal is asserted high. Once key expansion sequence is
completed, the ‘kdone’ signal will be asserted for one clock cycle.
The key loading and decryption sequences cannot happen in parallel. A key must always be loaded
before the decryption sequence can be performed.
Simulations and Screen shots:
28
CSE 690 Spring 2010 Harish Lakshminarasimhan
How I simulated the design:
1. Once I got the signal flow and timing chart, I transferred my Verilog code files (*.v) into
Model Sim.
2. I compiled all the codes, checked for any redundancy and then, made sure there were no
errors in the code.
3. I ran the simulation and obtained the following screenshots.
Screen Shots:
1. Text_In when ready signal is high
29
CSE 690 Spring 2010 Harish Lakshminarasimhan
2. Key in when key ready signal is high “kld”
3.After Sub byte, shift Row and Mix Column step
30
CSE 690 Spring 2010 Harish Lakshminarasimhan
4. First batch of encrypted data
31
CSE 690 Spring 2010 Harish Lakshminarasimhan
5. Text Out when test_done2 signal is high
32
CSE 690 Spring 2010 Harish Lakshminarasimhan
6. Encryption of my 4 bit adder circuit using 128 bit AES algoritm.
33
CSE 690 Spring 2010 Harish Lakshminarasimhan
7. Screen Shot showing “Rcon” the bits and design entities of the 4 bit ripple adder have been
successfully encrypted as a design entity:
The white portion represents the 4 bit ripple adder that has been successfully encrypted.
34
CSE 690 Spring 2010 Harish Lakshminarasimhan
8. Throughout simulation error_count is zero
Design implementation on FPGA chip:
35
CSE 690 Spring 2010 Harish Lakshminarasimhan
My next step was to verify the results and transfer the design on to a Cyclone II FPGA kit manufactured by
Altera.
I followed the following steps in order to transfer and test my design on the FPGA chip:
1. Create the design
2. Compile the design
3. Ran timing analysis
4. Run Timing Simulation
5. Configure my device
6. Incremental Compilation
7. Tap II Signal logic Analyzer
I have followed these steps and have taken screen shots for my design including the ones showing the pin
assignment and final design log and logic usage.
Screen Shots:
36
CSE 690 Spring 2010 Harish Lakshminarasimhan
Slack settings: (For AES circuit alone)
37
CSE 690 Spring 2010 Harish Lakshminarasimhan
Slack settings: (For AES circuit and encrypted 4 bit ripple adder)
Slack Bar Diagram:
38
CSE 690 Spring 2010 Harish Lakshminarasimhan
Timing Analysis and Report:
39
CSE 690 Spring 2010 Harish Lakshminarasimhan
Classic Timing analyzer:
40
CSE 690 Spring 2010 Harish Lakshminarasimhan
41
CSE 690 Spring 2010 Harish Lakshminarasimhan
Pin Assignment and Planner:
42
CSE 690 Spring 2010 Harish Lakshminarasimhan
Device planner:
43
CSE 690 Spring 2010 Harish Lakshminarasimhan
Pin Usage statistics:
44
CSE 690 Spring 2010 Harish Lakshminarasimhan
Register Usage Statistics: (for 4 bit adder encrypted within 128 bit AES algorithm)
45
CSE 690 Spring 2010 Harish Lakshminarasimhan
Final device configuration success menu:
46
CSE 690 Spring 2010 Harish Lakshminarasimhan
Results and Summary:
Protection beyond Today’s Threats
The security features in FPGA based hardware encryptions go beyond the immediate needs of the market
to protect the bitstream during configuration and to protect the design from the JTAG port. In addition to these
features, FPGA based hardware encryptions provide tamper-detection capabilities to identify advertent and
inadvertent bitwise manipulation of the design using cyclic redundancy check (CRC) circuitry. The CRC circuit
continuously checks the configuration of the FPGA for single- or multiple-bit changes to the configuration due to a
soft error (or SEU) caused by atmospheric neutrons.
In the case of an error, the system is notified immediately to take corrective action. This ultimate control
over system behavior allows various activities such as error logging or a graceful shutdown. The CRC feature can
also act as an additional layer of anti-tamper protection, alerting the user if the memory contents have changed
since the FPGA was last configured.
The Cyclone III LS FPGA goes beyond specialized features for tamper resistance, to provide an active
tamper response. The safest method of response is to clear all sensitive data from the system before it is
compromised. Though the definition of zeroization involves a clear plus verification that all data was cleared, most
applications will benefit from a zeroization which clears all memory cells of the FPGA. The Cyclone III LS zeroization
solution breaks out the clear function and the verification function to provide the maximum design flexibility to the
user.
By default, the clear function clears the configuration RAM, which contains the design itself, and the
embedded RAM, which contains any design specific data. Additionally, the AES encryption key can be cleared
independently of the rest of the device.
This zeroization capability provides the designer with the ability to trigger corrective action in the case a tamper
event is detected. The zeroization can be triggered by any design input, giving the user maximum flexibility to
47
CSE 690 Spring 2010 Harish Lakshminarasimhan
control the tamper response of the system, and making it difficult to disable the capability before a zeroization can
be completed.
In order to complete zeroization, the verification process involves reloading a benign design, a
reconfiguration cycle, and a subsequent CRC cycle to ensure successful reconfiguration. This benign design can be
set to do anything from creating markers for tamper evidence to continuing the zeroization operation on external
system components.
Furthermore, FPGA based hardware encryptions offer an uninterruptible clock source through an internal
oscillator. This ensures that if the system clock or input clock to the FPGA is manipulated, the system can still
perform health checks, monitor the FPGA configuration through the CRC, and initiate or perform corrective action if
an unexpected event compromises the security of the design. The existence of an internal clock source gives
designers full control over systems in the field, ensuring that the designs can protect themselves in the event of a
threat.
Conclusion:
As counterfeiting and IP theft increase, concerns regarding the security of the design and IP are also on the
rise. In the case of FPGAs, this requires protection of the bitstream and configuration of the device. At odds with
the concerns for security are the economic factors of size, power, and time to market. FPGA based hardware
encryptions were created to bring these two objectives together. FPGA based hardware encryptions offer security
features for a complete anti-tamper solution on a low-power platform, allowing designers to meet constraints and
ship product with confidence that the IP is protected.
48
CSE 690 Spring 2010 Harish Lakshminarasimhan
Summary and Results:
AES was implemented on Cyclone II kit which is the FPGA kit from Altera.
Verilog was used as the HDL
The simulations were done in ModelSim
The actual FPGA architecture was downloaded to Cyclone kit using Quartus 9.1
My architecture used minimal area and maximum clock rate to ensure high speed encryption and
decryption
The 4 bit ripple adder was successfully encrypted using 128 bit AES algorithm
Synthesis was successful and the hardware performed as expected
--------------------------------------------------------END OF REPORT---------------------------------------------------
49
Top Related