FPGA configuration bitstream encryption using modified key
First Claim
1. A method of decrypting a configuration bitstream that configures an integrated circuit, the method comprising:
- receiving a first key on the integrated circuit;
performing a function on the first key a first number of times to generate a second key;
storing the second key in a memory on the integrated circuit;
at power up of the integrated circuit, retrieving the second key from the memory;
subsequent to retrieving the second key, performing the function on the second key a second number of times to generate a third key, wherein the third key is different from the first key; and
using the third key to decrypt the configuration bitstream.
1 Assignment
0 Petitions
Accused Products
Abstract
Circuits, methods, and apparatus that prevent detection and erasure of a configuration bitstream or other data for an FPGA or other device. An exemplary embodiment of the present invention masks a user key in order to prevent its detection. In a specific embodiment, the user key is masked by software that performs a function on it a first number of times. The result is used to encrypt a configuration bitstream. The user key is also provided to an FPGA or other device, where the function is performed a second number of times and the result stored. When the device is configured, the result is retrieved, the function is performed on it the first number of times less the second number of times and then it is used to decrypt the configuration bitstream. A further embodiment uses a one-time programmable fuse (OTP) array to prevent erasure or modification.
47 Citations
20 Claims
-
1. A method of decrypting a configuration bitstream that configures an integrated circuit, the method comprising:
-
receiving a first key on the integrated circuit; performing a function on the first key a first number of times to generate a second key; storing the second key in a memory on the integrated circuit; at power up of the integrated circuit, retrieving the second key from the memory; subsequent to retrieving the second key, performing the function on the second key a second number of times to generate a third key, wherein the third key is different from the first key; and using the third key to decrypt the configuration bitstream. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method of decrypting a configuration bitstream comprising:
-
receiving, at a first time, a first key using an integrated circuit; performing a function on the first key a first number of times to generate a second key; using the second key to set a first number of non-volatile memory locations wherein the first number of non-volatile memory locations configure a decoder circuit; receiving, at a second time, the first key using the integrated circuit; decoding the first key using the configured decoder circuit to generate a third key; performing the function on the third key the first number of times to generate a fourth key; storing the fourth key in a second number of non-volatile memory locations; and decrypting the configuration bitstream using a fifth key derived from the fourth key. - View Dependent Claims (11, 12, 13, 14, 15)
-
-
16. An integrated circuit that decrypts a configuration bitstream that configures the integrated circuit, the integrated circuit comprising:
-
an input for receiving a first key; a first circuit that performs a function on the first key a first number of times to generate a second key and that stores the second key in a memory; a second circuit that, at power up of the integrated circuit, retrieves the second key from the memory and that performs the function on the second key a second number of times to generate a third key, wherein the third key is different from the first key; and a decryption circuit that uses the third key to decrypt the configuration bitstream. - View Dependent Claims (17)
-
-
18. An integrated circuit that decrypts a configuration bitstream that configures the integrated circuit, the integrate circuit comprising:
-
an input for receiving a first key a first time; a first circuit that performs a function on the first key a first number of times to generate a second key; a first number of non-volatile memory locations that are set using the second key; a decoding circuit that is configured by the first number of non-volatile memory locations and that decodes the first key using the configured decoder circuit to generate a third key; a second circuit that performs a function on the third key the first number of times to generate a fourth key; and a second number of non-volatile memory locations that store the fourth key; a decryption circuit that uses a fifth key, derived from the fourth key, to decrypt the configuration bitstream. - View Dependent Claims (19, 20)
-
Specification