FPGA configuration bitstream protection using multiple keys

US 9,208,357 B1
Filed: 08/28/2014
Issued: 12/08/2015
Est. Priority Date: 01/25/2005
Status: Active Grant

First Claim

Patent Images

1. A method of processing a configuration bitstream at a computing device comprising:

obtaining, at the computing device, a plurality of encryption keys and the configuration bitstream;

encoding the configuration bitstream using an encoded key produced from the plurality of encryption keys to generate an encrypted bit stream;

providing the encrypted bit stream to a first memory external to the computing device; and

providing the plurality of encryption keys to a second memory external to the computing device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Circuits, methods, and apparatus that prevent detection and erasure of encoding or encryption keys. These encoding keys may be used to encode a configuration bitstream or other data for an FPGA or other device. An exemplary embodiment of the present invention masks a first key to form an encoding key in order to prevent detection of the first key. In a specific embodiment, the first key is encoded using a second key. The encoded key is used to encode a configuration bitstream or other data. The encoded key is stored on an FPGA or other device. When the device is to be configured, the encoded key is retrieved and used to decode the bitstream or other data. A further embodiment stores an encryption key in a one-time programmable memory (OTP) array to prevent its erasure or modification. The encoding key may be further obfuscated before storage.

Citations

18 Claims

1. A method of processing a configuration bitstream at a computing device comprising:
- obtaining, at the computing device, a plurality of encryption keys and the configuration bitstream;
  
  encoding the configuration bitstream using an encoded key produced from the plurality of encryption keys to generate an encrypted bit stream;
  
  providing the encrypted bit stream to a first memory external to the computing device; and
  
  providing the plurality of encryption keys to a second memory external to the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein a configuration device comprises the first memory and an integrated circuit comprises the second memory.
  - 3. The method of claim 1, wherein an integrated device comprises the second memory, and wherein the integrated device is configurable by the encrypted bit stream stored in the first memory.
  - 4. The method of claim 1, wherein the encoding is performed using an encryption function selected from a group consisting of a triple data encryption standard (3DES) and an advanced encryption standard (AES).
  - 5. The method of claim 1, wherein the configuration bitstream is in the form of VHDL code or Verilog code.
  - 6. The method of claim 1, wherein the providing of the plurality of encryption keys to the second memory is performed in response to detection of a power up phase of an integrated circuit comprising the second memory.
  - 7. The method of claim 1, wherein the providing of the plurality of encryption keys to the second memory is performed in response to detection of an error condition during operation of an integrated circuit comprising the second memory.

8. A method of processing a configuration bitstream at a computing device comprising:
- obtaining, at the computing device, a plurality of encryption keys and the configuration bitstream;
  
  processing the configuration bit stream based, at least in part, on an encoded key produced from the plurality of encryption keys to generate an encrypted bit stream;
  
  providing the encrypted bit stream to a configuration device external to the computing device; and
  
  providing the plurality of encryption keys to an integrated circuit external to the computing device.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein processing the configuration bit stream comprises:
    - applying a function to the plurality of encryption keys to produce the encoded key; and
      
      providing the encoded key and the configuration bitstream to an encoder to produce the encrypted bit stream.
  - 10. The method of claim 8, wherein the configuration bitstream is in the form of VHDL code or Verilog code.
  - 11. The method of claim 9, wherein the function is equivalent to a corresponding function used in the integrated circuit communicatively coupled to the configuration device.
  - 12. The method of claim 9, wherein the encrypted bit stream is encoded based on a triple encryption standard (3DES).
  - 13. The method of claim 11, wherein the encrypted bit stream is provided to the configuration device in response to detection of a power up phase of the integrated circuit.

14. A computing device comprising:
- a software module configured to;
  
  receive a plurality of encryption keys; and
  
  process the plurality of encryption keys according to a function to produce an encoded key;
  
  an encoder configured to;
  
  receive a configuration bitstream; and
  
  process the configuration bitstream using the encoded key to produce an encrypted bit stream;
  
  a first interface configured to provide the encrypted bit stream to a first memory external to the computing device; and
  
  a second interface configured to provide at least one encryption key of the plurality of encryption keys to a second memory external to the computing device.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computing device of claim 14, wherein the configuration bitstream is in the form of VHDL code or Verilog code.
  - 16. The computing device of claim 14, wherein the function is equivalent to a corresponding function used in an integrated circuit comprising the second memory communicatively coupled to the configuration device.
  - 17. The computing device of claim 14, wherein the computing device is further configured to provide the at least one encryption key of the plurality of encryption keys to an integrated circuit comprising the second memory in response to detection of an error condition during operation of the integrated circuit.
  - 18. The computing device of claim 14, wherein the computing device is further configured to provide the at least one encryption key of the plurality of encryption keys to the integrated circuit comprising the second memory in response to detection of a fault during operation of the integrated circuit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Altera Corporation (Intel Corporation)
Original Assignee
Altera Corporation (Intel Corporation)
Inventors
Langhammer, Martin, Joyce, Juju, Streicher, Keone, Jefferson, David, Reddy, Srinivas, Prasad, Nitin
Primary Examiner(s)
Zee, Edward

Application Number

US14/471,574
Time in Patent Office

467 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/76   in application-specific int...

H04L 2209/12   Details relating to cryptog...

H04L 2209/16   Obfuscation or hiding, e.g....

H04L 2209/26   Testing cryptographic entit...

H04L 9/065   Encryption by serially and ...

H04L 9/0877   using additional device, e....

H04L 9/14   using a plurality of keys o...

FPGA configuration bitstream protection using multiple keys

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

FPGA configuration bitstream protection using multiple keys

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links