Programmable devices are well known. In one class of known PLDs, each device has a large number of logic gates, and a user programs the device to assume a particular configuration of those logic gates, typically by receiving configuration data from a configuration device. Configuration data has become increasingly complex in modern PLDs. As such, proprietary configuration data for various commonly-used functions (frequently referred to as “intellectual property cores”) have been sold either by device manufacturers or third parties, freeing the original customer from having to program those functions on its own. If a party provides such proprietary configuration data, it may want to protect this data from being read, as well as any internal data that may reveal the configuration data.
Commonly-assigned U.S. Pat. Nos. 5,768,372, and 5,915,017, each of which is hereby incorporated by reference herein in its respective entirety, describe the encryption of the configuration data and its decryption upon loading into the programmable device, including provision of an indicator to signal to the decryption circuit which of several possible encryption/decryption schemes was used to encrypt the configuration data and therefore should be used to decrypt the configuration data. Commonly-assigned U.S. Pat. No. 7,479,798, which is hereby incorporated by reference herein in its entirety, describes a disabling element that can be used to selectively disable a reading of a data from a device.
Cryptographic algorithms may provide one or more classes of encryption/decryption schemes for securing the configuration data. Encryption is often implemented with a block cipher, e.g., the Advanced Encryption Standard (AES), in which a configuration bitstream is portioned into fixed-sized ciphertext blocks (typically 128-bits), and each block is decrypted with a decryption key. The internal implementation of a block cipher is typically divided into multiple “rounds” per ciphertext block, where every round uses an “expanded” round-key that is derived from the encryption key (AES-256 uses 14 rounds per ciphertext block). Depending on the Mode of Operation, there may also be an Initialization Vector (IV) that is associated with the bitstream. To ensure the confidentiality of the bitstream, the encryption/decryption key is kept secret, and the IV is not reused for encrypting different bitstreams.
The key for decrypting the bitstream is usually stored in the PLD, and generally cannot be read externally of the PLD. However, by using various side-channel analysis (SCA) techniques, an attacker may still be able to determine the value of the internal decryption key. This may be done by applying statistical analysis techniques to side-channel information emitted from the PLD, such as power-supply fluctuations or electromagnetic emanations. Whatever the source of the side-channel information, the resulting side-channel measurement may be used to mount SCA attacks. Such SCA attacks may be done actively (by repeatedly modifying the ciphertext or associated IV), or passively (by observing the side-channel information emitted during the encryption of an unmodified bitstream). These SCA attacks may directly target the key used for encryption, or may target other critical variables that are kept secret to ensure confidentiality (e.g., expanded round keys or intermediate states of the encryption engine). SCA attacks usually leverage the fact that the value of the critical variable being attacked is logically combined multiple times with different values, herein referred to as “challenge vectors.” For example, the NIST Counter mode of encryption algorithm may logically XOR a critical variable (e.g., the encryption key) with many different challenge vectors (e.g., the counter). Alternatively, in some cases, an attacker can directly manipulate the challenge vector, such as when the challenge vector is an IV that the attacker can modify. While the logical combination function is often the XOR operation, any other linear or non-linear logical combination function may also be susceptible to an SCA attack.
Numerous techniques exist in the public literature that describe attempts to prevent SCA attacks against encryption keys. The effectiveness of these techniques is however limited in practice. Some of these techniques attempt to thwart SCA attacks by minimizing the magnitude of the side-channel signal. This might be done by implementing the encryption logic using dual-rail logic, or by isolating the power-supply (such as by using capacitors and filters). Other techniques attempt to obscure the side-channel information by adding random noise to the system (such as by adding explicit noise-generators to the circuitry). Other techniques attempt to randomize the side-channel signal algorithmically based on a randomly generated masking value. Examples of such techniques are described in the following articles: “Overview of Dual Rail with Precharge Logic Styles”, Danger, J.-L., 3rd International Conference on Signals, Circuits and Systems (SCS), 2009; “Correlated Power Noise Generator as a Low Cost DPA Countermeasures to Secure Hardware AES Cipher”, Kamoun, N., 3rd International Conference on Signals, Circuits and Systems (SCS), 2009; and “On Boolean and Arithmetic Masking against Differential Power Analysis”, Jean-Sébastien Coron, Louis Goubin, Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems, p. 231-237, Aug. 17-18, 2000.