FPGA configuration bitstream protection using multiple keys

US 7,725,738 B1
Filed: 01/25/2005
Issued: 05/25/2010
Est. Priority Date: 01/25/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method of protecting a configuration bitstream comprising:

using a computing device to;

receive a plurality of keys at the computing device;

generate a first key by performing a first function on the plurality of keys received at the computing device;

encoding at least a portion of a configuration bitstream using the first key, as generated using the computing device, to generate an encoded configuration bitstream; and

storing the encoded configuration bitstream in a first memory; and

using an integrated circuit that is external to the computing device to;

receive the plurality of keys at the integrated circuit;

perform a second function on the plurality of keys received at the integrated circuit to generate the first key, wherein the second function is the same function as the first function; and

storing the first key, as generated using the integrated circuit, in a second memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Circuits, methods, and apparatus that prevent detection and erasure of encoding or encryption keys. These encoding keys may be used to encode a configuration bitstream or other data for an FPGA or other device. An exemplary embodiment of the present invention masks a first key to form an encoding key in order to prevent detection of the first key. In a specific embodiment, the first key is encoded using a second key. The encoded key is used to encode a configuration bitstream or other data. The encoded key is stored on an FPGA or other device. When the device is to be configured, the encoded key is retrieved and used to decode the bitstream or other data. A further embodiment stores an encryption key in a one-time programmable memory (OTP) array to prevent its erasure or modification. The encoding key may be further obfuscated before storage.

53 Citations

View as Search Results

19 Claims

1. A method of protecting a configuration bitstream comprising:
- using a computing device to;
  
  receive a plurality of keys at the computing device;
  
  generate a first key by performing a first function on the plurality of keys received at the computing device;
  
  encoding at least a portion of a configuration bitstream using the first key, as generated using the computing device, to generate an encoded configuration bitstream; and
  
  storing the encoded configuration bitstream in a first memory; and
  
  using an integrated circuit that is external to the computing device to;
  
  receive the plurality of keys at the integrated circuit;
  
  perform a second function on the plurality of keys received at the integrated circuit to generate the first key, wherein the second function is the same function as the first function; and
  
  storing the first key, as generated using the integrated circuit, in a second memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - before storing the first key in the second memory, obfuscating the first key.
  - 3. The method of claim 1 further comprising:
    - reading the first key from the second memory;
      
      receiving the encoded configuration bitstream from the first memory;
      
      decoding the encoded configuration bitstream using the first key; and
      
      configuring the integrated circuit using the decoded configuration bitstream.
  - 4. The method of claim 2 further comprising:
    - reading the first key from the second memory;
      
      de-obfuscating the first key;
      
      receiving the encoded configuration bitstream from the first memory;
      
      decoding the encoded configuration bitstream using the de-obfuscated first key; and
      
      configuring the integrated circuit using the decoded configuration bitstream.
  - 5. The method of claim 1 wherein the plurality of keys comprises two keys.
  - 6. The method of claim 5 wherein the first function is an encryption.
  - 7. The method of claim 6 wherein the type of encryption is one of a group consisting of the data encryption standard, the triple data encryption standard, and the advanced encryption standard.

8. An integrated circuit comprising:
- a first circuit configured to receive a plurality of keys and configured to perform a function on the plurality of keys to generate a first key, wherein the plurality of keys are received from a computing device that;
  
  is external to the integrated circuit;
  
  performs the function to generate the first key from the plurality of keys; and
  
  encodes at least a portion of a configuration bitstream using the first key, as generated using the computing device;
  
  a memory circuit configured to store the first key, as generated using the integrated circuit; and
  
  a decoder circuit configured to receive a decoding key and the encoded configuration bitstream and to provide a decoded configuration bitstream, wherein the decoding key is obtained from the first key stored in the memory circuit, and wherein the encoded configuration bitstream is received from a configuration device external from the integrated circuit.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The integrated circuit of claim 8 further comprising:
    - an obfuscation circuit configured to obfuscate the first key before storage.
  - 10. The integrated circuit of claim 9 further comprising:
    - a de-obfuscation circuit configured to retrieve the obfuscated first key and to de-obfuscate the first key.
  - 11. The integrated circuit of claim 10 wherein the first key is the decoding key.
  - 12. The integrated circuit of claim 10 further comprising:
    - a second circuit function block configured to perform a second function on the first key to generate a second key,wherein the second key is the decoding key.
  - 13. The integrated circuit of claim 10 wherein the first circuit performs encryption.
  - 14. The integrated circuit of claim 13 wherein the type of encryption is one of group consisting of the data encryption standard, the triple data encryption standard, and the advanced encryption standard.
  - 15. The integrated circuit of claim 8 wherein the integrated circuit is a field programmable gate array.

16. A method of protecting a configuration bitstream comprising:
- using a computing device to;
  
  receive one or more keys at the computing device;
  
  generate a first key by performing a first function on the one or more keys received at the computing device;
  
  encoding at least a portion of a configuration bitstream using the first key, as generated using the computing device, to generate an encoded configuration bitstream; and
  
  storing the encoded configuration bitstream in a first memory; and
  
  using an integrated circuit that is external to the computing device to;
  
  receive the one or more keys at the integrated circuit;
  
  perform a second function on the one or more keys received at the integrated circuit to generate the first key, wherein the second function is the same function as the first function; and
  
  storing the first key, as generated using the integrated circuit, in a second memory.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16 further comprising:
    - before storing the first key in the second memory, obfuscating the first key.
  - 18. The method of claim 16 further comprising:
    - reading the first key from the second memory;
      
      receiving the encoded configuration bitstream from the first memory;
      
      decoding the encoded configuration bitstream using the first key; and
      
      configuring the integrated circuit using the decoded configuration bitstream.
  - 19. The method of claim 18 further comprising:
    - reading the first key from the second memory;
      
      de-obfuscating the first key;
      
      receiving the encoded configuration bitstream from the first memory;
      
      decoding the encoded configuration bitstream using the de-obfuscated first key; and
      
      configuring the integrated circuit using the decoded configuration bitstream.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Altera Corporation (Intel Corporation)
Original Assignee
Altera Corporation (Intel Corporation)
Inventors
Prasad, Nitin, Reddy, Srinivas, Langhammer, Martin, Jefferson, David, Joyce, Juju, Streicher, Keone
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Zee; Edward

Application Number

US11/042,477
Time in Patent Office

1,946 Days
Field of Search

713/189, 713/191, 713/193, 713/194, 726/26, 726/27, 380/44, 380/45, 380/47, 380/281, 380/284
US Class Current

713/191
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/76   in application-specific int...

H04L 2209/12   Details relating to cryptog...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 2209/26   Testing cryptographic entit...

H04L 9/065   Encryption by serially and ...

H04L 9/0877   using additional device, e....

H04L 9/14   using a plurality of keys o...

FPGA configuration bitstream protection using multiple keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

FPGA configuration bitstream protection using multiple keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links