Encryption key obfuscation and storage

US 7,734,043 B1
Filed: 01/25/2005
Issued: 06/08/2010
Est. Priority Date: 01/25/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method of protecting a configuration bitstream, the method comprising:

encoding at least a portion of a configuration bitstream using a first key to generate an encoded configuration bitstream;

storing the encoded configuration bitstream in a first memory on a first integrated circuit;

receiving, at a first circuit of a second integrated circuit, the first key, wherein the first key is received at the second integrated circuit from a source external to the second integrated circuit;

obfuscating, with the first circuit, the first key to generate a second key; and

storing the second key in a second memory on the second integrated circuit, wherein the second memory is a non-volatile memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Circuits, methods, and apparatus that prevent easy detection and erasure or modification of an encryption or encoding key. This key may be used to encode and decode a configuration bitstream for an FPGA or other programmable or configurable device. One embodiment of the present invention obfuscates a key then stores it in a memory array on an FPGA. This memory array may be a one-time programmable memory to prevent erasure or modification of the key. After retrieval from storage, a reverse or de-obfuscation is performed to recover the key. Further obfuscation may be achieved by proper layout of the relevant circuitry.

Citations

19 Claims

1. A method of protecting a configuration bitstream, the method comprising:
- encoding at least a portion of a configuration bitstream using a first key to generate an encoded configuration bitstream;
  
  storing the encoded configuration bitstream in a first memory on a first integrated circuit;
  
  receiving, at a first circuit of a second integrated circuit, the first key, wherein the first key is received at the second integrated circuit from a source external to the second integrated circuit;
  
  obfuscating, with the first circuit, the first key to generate a second key; and
  
  storing the second key in a second memory on the second integrated circuit, wherein the second memory is a non-volatile memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising generating the first key by receiving a plurality of keys and performing a function on the plurality of keys.
  - 3. The method of claim 2 wherein the function is encryption.
  - 4. The method of claim 3 wherein the encryption is consistent with one of the group consisting of the data encryption standard, the triple data encryption standard, and the advanced encryption standard.
  - 5. The method of claim 2, wherein the plurality of keys are received by a second circuit of the integrated circuit that performs the function on the plurality of keys.
  - 6. The method of claim 1 wherein the configuration bitstream is encoded by the first key using encryption.
  - 7. The method of claim 6 wherein the encryption is consistent with one of the group consisting of the data encryption standard, the triple data encryption standard, and the advanced encryption standard.
  - 8. The method of claim 1, wherein the second integrated circuit is a field-programmable integrated circuit.
  - 9. The method of claim 1 wherein the first key is obfuscated by permutating and inverting bits of the first key.
  - 10. The method of claim 1 wherein the second memory is a one-time programmable memory.
  - 11. The method of claim 1, further comprising:
    - retrieving the second key from the second memory;
      
      receiving the configuration bitstream at the second integrated circuit; and
      
      decoding the configuration bitstream using a result of a de-obfuscation of the second key, wherein the external source is not coupled with the first circuit during the decoding.

12. An integrated circuit comprising:
- an input interface for receiving a plurality of input keys;
  
  a first function block having an input coupled with the input interface, wherein the first function block generates a key by performing a function on the plurality of input keys;
  
  a first circuit configured to receive the key, and further configured to obfuscate the key;
  
  a memory configured to receive the obfuscated key from the first circuit, and further configured to store the obfuscated key; and
  
  a second circuit configured to receive the obfuscated key from the memory, and further configured to de-obfuscate the obfuscated key.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The integrated circuit of claim 12 wherein the memory is a one-time programmable memory.
  - 14. The integrated circuit of claim 13 wherein the one-time programmable memory comprises a plurality of fuses.
  - 15. The integrated circuit of claim 12 wherein the first circuit comprises permutation and inversion circuits.
  - 16. The integrated circuit of claim 12 wherein the recovered key is used to decode an encoded configuration bitstream.
  - 17. The integrated circuit of claim 16 wherein the integrated circuit is a field programmable gate array.
  - 18. The integrated circuit of claim 12, further comprising:
    - a decoder circuit that receives the key from the second circuit and that decrypts configuration data using the key.

19. A programmable integrated circuit comprising:
- an input interface for receiving a plurality of input keys;
  
  a first function block having an input coupled with the input interface, wherein the first function block generates a first key by performing a function on the plurality of input keys;
  
  a memory configured to receive the first key from the first function block, and further configured to store the first key;
  
  an encryption circuit that receives the first key from the memory and that encrypts the first key with itself to obtain an encryption key, wherein the encryption key is different than any of the input keys; and
  
  a decoding circuit that uses the encryption key to decode configuration data that configures the programmable integrated circuit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Altera Corporation (Intel Corporation)
Original Assignee
Altera Corporation (Intel Corporation)
Inventors
Langhammer, Martin, Jefferson, David, Joyce, Juju, Streicher, Keone
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US11/042,032
Time in Patent Office

1,960 Days
Field of Search

380/37, 713/1, 713/189
US Class Current

380/37
CPC Class Codes

G06F 21/76   in application-specific int...

H04L 2209/12   Details relating to cryptog...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 9/065   Encryption by serially and ...

H04L 9/0894   Escrow, recovery or storing...

Encryption key obfuscation and storage

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption key obfuscation and storage

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links